IBM Hardware Management Console (HMC) STIG

V1R5 2015-01-14       U_IBM_Hardware_Management_Console_V1R5_Manual-xccdf.xml
V1R4 2014-09-18       U_IBM_Hardware_Management_Console_V1R4_Manual-xccdf.xml
IBM Hardware Management Console is used to perform Initial Program Loads (IPLs), power on resets, shutdowns, and configuring of hardware components for system logical partitions.
Comparison
All 35
No Change 35
Updated 0
Added 0
Removed 0
V-24340 No Change
Findings ID: HLESC010 Rule ID: SV-29986r2_rule Severity: high CCI: CCI-002101

Discussion

The ESCD (ESCON Director) Application Console is used to add, change, and delete port configurations and to dynamically switch paths between devices. If the ESCON Director Application Console is not located in a secured location, unauthorized personnel can bypass security, access the system, and alter the environment, which could impact the integrity and confidentiality of operations. NOTE: Many newer installations no longer support the ESCD Application Console. For installations not supporting the ESCD Application Console, this check is not applicable.
Responsibility: System Administrator, Systems Programmer
IA Controls: PECF-1, PECF-2, PEPF-1, PEPF-2

Checks

If the ESCD Application Console is present, verify the location of the ESCD Application Console, otherwise this check is not applicable.

If the ESCON Director Application Console is not located in a secure location, this is a finding.

Fix

Move the ESCD Application Console to a secure location and implement access control procedures to ensure access by authorized personnel only.

The ESCD Application Console provides data center personnel with an interface for displaying and changing an ESCD's connectivity attributes. It is also used to install, initialize, and service an ESCON Director.
Note: ESCDs are slowly being phased out and are being replaced with FICON Directors.

V-24342 No Change
Findings ID: HLESC020 Rule ID: SV-29994r2_rule Severity: medium CCI: CCI-002227

Discussion

The ESCD Application Console is used to add, change, and delete port configurations and to dynamically switch paths between devices. Access to the ESCD Application Console is restricted to three classes of personnel: administrators, service representatives, and operators. The administrator sign-on controls passwords at all levels, the service representative sign-on allows access to maintenance procedures, and the operator sign-on allows configuration changes and use of the Director utilities. Unrestricted use by unauthorized personnel could impact the integrity of the environment, resulting in a loss of secure operations and impacting the integrity of the data operating environment. NOTE: Many newer installations no longer support the ESCD Application Console. For installations not supporting the ESCD Application Console, this check is not applicable.
Responsibility: System Administrator, Systems Programmer
IA Controls: ECLP-1

Checks

If the ESCD Application Console is present, have the ESCON System Administrator demonstrate that sign-on access to the ESCD Application Console is restricted to authorized personnel by attempting to sign on without a valid user ID and password and confirming that the attempt is rejected; otherwise this check is not applicable.

If the ESCD Application Console sign-on access is not restricted, this is a finding.

Fix

Review access authorization to ESCD Application Console and ensure that all personnel are restricted to authorized levels of access.

The ESCD Application Console and its associated ESCON Director can be secured using passwords. Three levels of password controls have been established. Each password level controls different ESCD Application Console functions. Prior to making any changes or accessing utilities or maintenance procedures, a user is required to enter a password. A password administrator must use the ESCD Application Console to enable an authorized user access. Following are the three levels of password authority:
Administration (Level 1)
Restrict to systems programming personnel who serve as administrators. A Level 1 password allows the user to display, add, change, and delete passwords of all of the ESCON Director Level 1, Level 2, and Level 3 users. It does not allow the administrator to access maintenance procedures or utilities or to change connectivity attributes.
Maintenance (Level 2)
Restrict to service representatives who perform maintenance procedures. Level 2 users cannot view other users' passwords, change passwords, change connectivity attributes, or access utilities.
Operations (Level 3)
Restrict to system administrators responsible for changing connectivity attributes and accessing certain utilities. Level 3 users cannot view other users' passwords, change passwords, or perform maintenance procedures.
V-24343 No Change
Findings ID: HLESC030 Rule ID: SV-29995r2_rule Severity: high CCI: CCI-000169

Discussion

The ESCON Director Console Event Log records all ESCON Director changes. Failure to create an ESCON Director Application Console Event Log results in a lack of monitoring and accountability for configuration changes. In addition, its use in the execution of a contingency plan could be compromised and security degraded. NOTE: Many newer installations no longer support the ESCON Director Console. For installations not supporting the ESCON Director Console, this check is not applicable.
Responsibility: System Administrator, Systems Programmer
IA Controls: ECAT-1, ECAT-2

Checks

If the ESCON Director Console is present, verify on the ESCON Director Application Console that the Event log is in use, otherwise this check is not applicable.

If no Event log exists, this is a finding.

Fix

Ensure that an ESCON Director Application Console log is created and in use every time the system is switched on.

The ESCON Director maintains an audit trail at the ESCD console’s fixed disk. This audit trail logs the time, date, and password identification when changes have been made to the ESCON Director.
V-24344 No Change
Findings ID: HLESC080 Rule ID: SV-29998r2_rule Severity: medium CCI: CCI-002227

Discussion

The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could result in ESCON Directors being varied online or offline and configuration changes being applied. Unrestricted use by unauthorized personnel could lead to a bypass of security, unlimited access to the system, and alteration of the environment, resulting in a loss of secure operations and impacting the integrity of the data operating environment. NOTE: Many newer installations no longer support the ESCON Director Application. For installations not supporting the ESCON Director Application, this check is not applicable.
Responsibility: Information Assurance Officer, Information Assurance Manager, Security Manager, Systems Programmer
IA Controls: ECLP-1

Checks

If the ESCON Director Application is present, verify that sign-on access to the DCAF Console is restricted to authorized personnel, otherwise, this check is not applicable.

If sign-on access to the DCAF Console is not restricted, this is a finding.

Fix

Review access authorization to DCAF Consoles. Ensure that all personnel are restricted to authorized levels of access.

Remote access to the ESCON Director Application may be provided through DCAF via a LAN or modem connection.
DCAF passwords should be implemented to prevent unauthorized access.
V-24345 No Change
Findings ID: HMC0010 Rule ID: SV-29999r1_rule Severity: high CCI: CCI-002916

Discussion

The Hardware Management Console is used to perform Initial Program Loads (IPLs) and to control the Processor Resource/Systems Manager (PR/SM). If the Hardware Management Console is not located in a secure location, unauthorized personnel can bypass security, access the system, and alter the environment. This can lead to a loss of secure operations if not corrected immediately.
Responsibility: Information Assurance Officer, Information Assurance Manager, Security Manager, Systems Programmer
IA Controls: PECF-1, PECF-2, PEPF-1, PEPF-2

Checks

Verify the location of the Hardware Management Console.

It should be located in a controlled area.
Access to it should be restricted.

If the Hardware Management Console is not located in a secure location this is a FINDING.

Fix

Move the Hardware Management Console to a secure location and implement access controls for authorized personnel.
V-24348 No Change
Findings ID: HMC0030 Rule ID: SV-30007r2_rule Severity: medium CCI: CCI-002883

Discussion

Dial-out access from the Hardware Management Console could impact the integrity of the environment by enabling the possible introduction of spyware or other malicious code. It must be configured to connect only to an authorized vendor site. Note: This feature may be activated for non-classified systems only. Also, many newer processors (e.g., zEC12/zBC12) will not have modems. If there is no modem, this check is not applicable.
Responsibility: System Administrator, Security Manager, Systems Programmer
IA Controls: EBRP-1, EBRU-1

Checks

Whenever dial-out hardware is present, have the System Administrator or Systems Programmer determine whether dial-out access from the Hardware Management Console is enabled; it is permitted for non-classified systems only.

Note: This is done on the Hardware Management Console by selecting Customize Remote Services and verifying whether Enable Remote Services is active.

If automatic dial-out access from the Hardware Management Console is enabled, have the System Administrator or Systems Programmer validate that the remote phone number and remote service parameter values in the Remote Service panel of the Hardware Management Console point to valid, authorized vendors.

If any of the above values is not correct, this is a finding.

Fix

When this feature is turned on for non-classified systems, the site must verify that the remote site information is valid.

The RSF, which is also commonly referred to as call home, is one of the key components that contributes to zero downtime on System z hardware.

The Hardware Management Console RSF provides communication to an IBM support network, known as RETAIN for hardware problem reporting and service.
When a Hardware Management Console enables RSF, the Hardware Management Console then becomes a call home server.
The types of communication that are provided are:

- Problem reporting and repair data.
- Fix delivery to the service processor and Hardware Management Console.
- Hardware inventory data.
- System updates that are required to activate Capacity on Demand changes.

The following call home security characteristics are in effect regardless of the connectivity method that is chosen:
RSF requests are always initiated from the Hardware Management Console to IBM. An inbound connection is never initiated from the IBM Service Support System.
All data transferred between the Hardware Management Console and the IBM Service Support System is encrypted using Secure Sockets Layer (SSL).
When initializing the SSL-encrypted connection, the Hardware Management Console validates the IBM Service Support System host by the digital certificate issued for it. Data sent to the IBM Service Support System consists solely of hardware problem and configuration data. No application or customer data is transmitted to IBM.
V-24349 No Change
Findings ID: HMC0040 Rule ID: SV-30008r1_rule Severity: medium CCI: CCI-002227

Discussion

Access to the Hardware Management Console, if not properly restricted to authorized personnel, could lead to a bypass of security, access to the system, and alteration of the environment. This would result in a loss of secure operations and could impact the integrity of the data operating environment.
Responsibility: System Administrator, Information Assurance Manager, Security Manager
IA Controls: ECLP-1, PECF-1, PECF-2, PRMP-1, PRMP-2

Checks

Verify that sign-on access to the Hardware Management Console is restricted to authorized personnel and that a DD2875 is on file for each user ID.

Note: Sites must have a list of valid HMC users, indicating their user IDs, date of DD2875, and roles and responsibilities.

To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Managed Resource Roles.

If any user displayed by the System Administrator does not have a DD2875 on file, this is a FINDING.

Fix

The System Administrator must ensure that sign-on access to the Hardware Management Console is restricted to authorized personnel and that a DD2875 is on file for each user ID.

Note: Sites must have a list of valid HMC users, indicating their user IDs, date of DD2875, and roles and responsibilities.

The System Administrator must ensure that this list and the users defined to the Hardware Management Console match.
V-24350 No Change
Findings ID: HMC0050 Rule ID: SV-30013r2_rule Severity: medium CCI: CCI-002227

Discussion

Automatic Call Answering on the Hardware Management Console allows unrestricted access by unauthorized personnel and could lead to a bypass of security, access to the system, and alteration of the environment. This would result in a loss of secure operations and impact the integrity of the operating environment, files, and programs. Note: Dial-in access to the Hardware Management Console is prohibited. Also, many newer processors (e.g., zEC12/zBC12) will not have modems. If there is no modem, this check is not applicable.
Responsibility: System Administrator, Systems Programmer
IA Controls: EBRP-1, EBRU-1

Checks

Have the System Administrator verify if either the Enable Remote Operations parameter or the Automatic Call Answering parameter are active on the Enable Hardware Management Console Services panel.

The Enable Remote Operations is found under Customize Remote Services and Automatic Call Answering is found under Customize Auto Answer Settings.

If either of the above options are active, then this is a FINDING.

Fix

The System Administrator must turn the dial-in facility off by ensuring that both the Enable Remote Operations parameter and the Automatic Call Answering parameter are turned off.

Enable Remote Operations is found under Customize Remote Services and Automatic Call Answering is found under Customize Auto Answer Settings.

V-24352 No Change
Findings ID: HMC0070 Rule ID: SV-30015r1_rule Severity: medium CCI: CCI-000169

Discussion

The Hardware Management Console controls the operation and availability of the Central Processor Complex (CPC). Failure to create and maintain the Hardware Management Console Event Log could result in a lack of monitoring and accountability for CPC control activity.
Responsibility: System Administrator, Systems Programmer
IA Controls: ECAT-1, ECAT-2

Checks

Verify on the Hardware Management Console that the Event log is in use.

This is done by selecting the View Console Events panel under Console Actions.
From this panel you can display:

- Console Information: EC changes
- Console Service History: HMC problems
- Console Tasks: the last 2000 tasks performed on the console
- View Licenses: Licensed Internal Code (LIC) licenses
- View Security Logs: changes to an object's operational state, status, or settings, and user access to tasks, actions, and objects

If no Event log exists, this is a FINDING.

If the Event log exists and is not collecting data, this is a FINDING.

Fix

The System Administrator will activate the Hardware Management Console Event log and ensure that all tracking parameters are set.

This is done by selecting the View Console Events panel under Console Actions.
From this panel you can display:

- Console Information: EC changes
- Console Service History: HMC problems
- Console Tasks: the last 2000 tasks performed on the console
- View Licenses: Licensed Internal Code (LIC) licenses
- View Security Logs: changes to an object's operational state, status, or settings, and user access to tasks, actions, and objects
V-24353 No Change
Findings ID: HMC0080 Rule ID: SV-30021r1_rule Severity: high CCI: CCI-001989

Discussion

Changing passwords from the HMC default values blocks malicious users with knowledge of these default passwords from creating a denial of service or from reconfiguring the HMC topology, which could lead to a compromise of sensitive data. The System Administrator will ensure that the manufacturer's default passwords are changed for all HMC management software.
Responsibility: System Administrator, Information Assurance Officer, Information Assurance Manager, Systems Programmer
IA Controls: IAIA-1, IAIA-2

Checks

Have the System Administrator log on to the HMC and validate that all default passwords have been changed.

Go to the Modify User task, select the user, select Modify, and enter and confirm the new password.

User ID    Default Password
OPERATOR   PASSWORD
ADVANCED   PASSWORD
SYSPROG    PASSWORD
ACSADMIN   PASSWORD

The System Administrator is to validate that each user has his/her own user ID and password and that sharing of user IDs and passwords is not permitted.

Default user IDs and passwords are established as part of a base HMC. The System Administrator must assign new user IDs and passwords for each user and remove the default user IDs as soon as the HMC is installed, using the User Profiles task or the Manage Users Wizard.

If any default password has not been changed, or any user is not assigned a separate user ID and password, this is a FINDING.


Fix

The System Administrator must log on to the HMC and validate that all default passwords have been changed.

User ID    Default Password
OPERATOR   PASSWORD
ADVANCED   PASSWORD
SYSPROG    PASSWORD
ACSADMIN   PASSWORD

Default user IDs and passwords are established as part of a base HMC. The System Administrator must assign new user IDs and passwords for each user and remove the default user IDs as soon as the HMC is installed, using the User Profiles task or the Manage Users Wizard.

Go to the Modify User task, select the user, select Modify, and enter and confirm the new password.
V-24354 No Change
Findings ID: HMC0090 Rule ID: SV-30022r1_rule Severity: medium CCI: CCI-000213

Discussion

If individual task roles with access to specific resources are not created and restricted, users will have unrestricted access to system functions. Tasks are functions that a user can perform, and the managed resource role defines where those tasks may be carried out. The Access Administrator assigns a user ID and user roles to each user of the Hardware Management Console. The default user IDs and their roles are an example:

User ID    Role
OPERATOR   OPERATOR
ADVANCED   ADVANCED OPERATOR
ACSADMIN   ACCESS ADMINISTRATOR
SYSPROG    SYSTEM PROGRAMMER
SERVICE    SERVICE REPRESENTATIVE

Failure to establish this environment may lead to uncontrolled access to system resources.
Responsibility: System Administrator, Systems Programmer
IA Controls: ECLP-1

Checks

Have the System Administrator display the user profiles and demonstrate that valid users are defined to valid roles and that authorities are restricted to the site list of users.

Note: Sites must have a list of valid HMC users, indicating their USER IDs, Date of DD2875, and roles and responsibilities.

To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Managed Resource Roles.

If the different roles are not properly displayed or are not properly restricted, then this is a FINDING.

Fix

The System Administrator must set up a list of users.

Note: Sites must have a list of valid HMC users, indicating their user IDs, date of DD2875, and roles and responsibilities, and this list must match the users defined to the HMC.

To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Managed Resource Roles.

V-24355 No Change
Findings ID: HMC0100 Rule ID: SV-30023r1_rule Severity: medium CCI: CCI-000760

Discussion

Without identification and authentication, unauthorized users could reconfigure the Hardware Management Console or disrupt its operation by logging in to the system or application and executing unauthorized commands. The System Administrator will ensure that individual user accounts with passwords are set up and maintained for the Hardware Management Console.
Responsibility: System Administrator, Systems Programmer
IA Controls: IAIA-1, IAIA-2

Checks

Have the System Administrator demonstrate that an individual user ID is specified for each user and that a DD2875 is on file for each user.

If user IDs are shared among multiple users, or corresponding DD2875 forms do not exist for each user, this is a FINDING.

Fix

Have the System Administrator verify that all users of the Hardware Management Console are individually defined with USER IDs and passwords and that their roles and responsibilities are documented. Verify that a DD2875 exists for each USER ID.
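Checks HMC0040, HMC0080, HMC0090 and HMC0100 all reduce to comparing the site's list of valid HMC users (user ID, DD2875 date, roles) with what the User Profiles task displays. The following Python is an added example, not IBM or DISA code, that performs that reconciliation on two constructed lists; the data class names, the fictitious user IDs, people and dates, and the assumption that the site list records which person holds each user ID are the author's own.

```python
"""Reconcile the site's authorized-user list with the users defined on
the HMC: HMC0040/HMC0090 (list and HMC must match, DD2875 on file,
roles as authorized), HMC0100 (one person per user ID) and HMC0080
(default user IDs removed).

Added example, not IBM or DISA code. The HMC shows its users only
through the User Profiles task, so both lists are constructed inline;
all names and dates are fictitious."""
from collections import defaultdict
from dataclasses import dataclass

# Default user IDs shipped with a base HMC (HMC0080/HMC0090 tables).
DEFAULT_USER_IDS = {"OPERATOR", "ADVANCED", "SYSPROG", "ACSADMIN", "SERVICE"}


@dataclass(frozen=True)
class SiteEntry:
    """One row of the site's list of valid HMC users."""
    user_id: str
    person: str        # individual the user ID is assigned to
    dd2875_date: str   # date of the signed DD2875, "" if none on file
    task_role: str


@dataclass(frozen=True)
class HmcUser:
    """One user as displayed by the HMC User Profiles task."""
    user_id: str
    task_role: str


def reconcile(site_list, hmc_users):
    """Return {STIG ID: sorted user IDs} for every discrepancy found."""
    findings = {"HMC0040": set(), "HMC0080": set(), "HMC0090": set(), "HMC0100": set()}
    by_id = defaultdict(list)
    for entry in site_list:
        by_id[entry.user_id].append(entry)
    hmc = {u.user_id: u for u in hmc_users}

    for uid, u in hmc.items():
        if uid in DEFAULT_USER_IDS:
            findings["HMC0080"].add(uid)          # default ID still defined on the HMC
            continue
        entries = by_id.get(uid, [])
        if not entries or not all(e.dd2875_date for e in entries):
            findings["HMC0040"].add(uid)          # not on the site list / no DD2875 on file
        elif any(e.task_role != u.task_role for e in entries):
            findings["HMC0090"].add(uid)          # HMC role differs from the authorized role
    for uid, entries in by_id.items():
        if uid not in hmc:
            findings["HMC0040"].add(uid)          # on the site list but not defined to the HMC
        if len({e.person for e in entries}) > 1:
            findings["HMC0100"].add(uid)          # one user ID shared by several people
    return {stig: sorted(ids) for stig, ids in findings.items()}


# Constructed sample data, not from any real site.
SITE_LIST = [
    SiteEntry("JSMITH", "J. Smith", "2014-11-03", "SYSTEM PROGRAMMER"),
    SiteEntry("MJONES", "M. Jones", "", "OPERATOR"),
    SiteEntry("OPS1", "A. Lee", "2014-12-01", "OPERATOR"),
    SiteEntry("OPS1", "B. Cho", "2014-12-01", "OPERATOR"),
    SiteEntry("KDAVIS", "K. Davis", "2014-09-09", "OPERATOR"),
    SiteEntry("RWHITE", "R. White", "2014-10-10", "ACCESS ADMINISTRATOR"),
]
HMC_USERS = [
    HmcUser("JSMITH", "SYSTEM PROGRAMMER"),
    HmcUser("MJONES", "OPERATOR"),
    HmcUser("OPS1", "OPERATOR"),
    HmcUser("KDAVIS", "SYSTEM PROGRAMMER"),
    HmcUser("TBROWN", "ADVANCED OPERATOR"),
    HmcUser("ACSADMIN", "ACCESS ADMINISTRATOR"),
]

if __name__ == "__main__":
    for stig_id, users in reconcile(SITE_LIST, HMC_USERS).items():
        print(stig_id, users or "no finding")
```

On the sample data the script reports MJONES (no DD2875), TBROWN (defined on the HMC but not on the list) and RWHITE (on the list but not on the HMC) under HMC0040, ACSADMIN under HMC0080, KDAVIS under HMC0090 and the shared OPS1 user ID under HMC0100. The same comparison is what the reviewer performs by hand from the User Profiles task and the site's list.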
V-24356 No Change
Findings ID: HMC0110 Rule ID: SV-30024r1_rule Severity: medium CCI: CCI-000200

Discussion

History Count specifies the number of previous passwords saved for each user ID. When a user chooses a new password, it is compared with those saved passwords and with the current password; if it matches any of them, the new password is rejected. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.
Responsibility: System Administrator, Information Assurance Officer, Information Assurance Manager, Systems Programmer
IA Controls: IAIA-1, IAIA-2

Checks

Have the System Administrator display the Password Profile task window on the Hardware Management Console and validate that the History Count is set to 10 or greater.

If the History Count is less than 10, this is a FINDING.

Fix

Have the System Administrator go into the Password Profile and set the History Count to 10 or greater.
V-24358 No Change
Findings ID: HMC0120 Rule ID: SV-30026r1_rule Severity: medium CCI: CCI-000199

Discussion

Expiration Day(s) specifies the maximum number of days that each user's password is valid. When a user logs on to the Hardware Management Console, it compares the system-wide password interval with the value specified in the user profile and uses the lower of the two to determine whether the user's password has expired. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.
Responsibility: System Administrator, Information Assurance Officer, Information Assurance Manager, Systems Programmer
IA Controls: IAIA-1, IAIA-2

Checks

Have the System Administrator display the Password Profile task window on the Hardware Management Console and validate that the Expiration day(s) value is set to 60 days or less.

If the Expiration day(s) value is 60 days or less, this is not a FINDING.

If the Expiration day(s) value is greater than 60 days, this is a FINDING.


Fix

Have the System Administrator go into the Password Profile and set the Expiration day(s) value to 60 days or less.
V-24359 No Change
Findings ID: HMC0130 Rule ID: SV-30027r1_rule Severity: medium CCI: CCI-000044

Discussion

Maximum failed attempts before disable delay specifies the number of consecutive incorrect password attempts the Hardware Management Console allows, set here to 3, before it imposes a 60-minute delay on further attempts. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. Note: The Hardware Management Console does not allow a user ID to be revoked, so a 60-minute delay is substituted.
Responsibility: System Administrator, Systems Programmer
IA Controls: ECLO-1, ECLO-2

Checks

Have the System Administrator display the Maximum failed attempts before disable delay value in the User Properties table on the Hardware Management Console.

Maximum Failed Attempts and Disable Delay are found in User Profiles by selecting the user, selecting modify user and then selecting User Properties.

If the Maximum failed attempts before disable delay is invoked is set at greater than 3, then this is a FINDING.


Fix

The System Administrator will display the User Properties window on the Hardware Management Console for each user and verify that the maximum attempts before disable delay is set to 3 or less and will update them if this is not true.

Maximum Failed Attempts and Disable Delay are found in User Profiles by selecting the user, selecting modify user and then selecting User Properties.
V-24360 No Change
Findings ID: HMC0140 Rule ID: SV-30028r1_rule Severity: medium CCI: CCI-000192

Discussion

In accordance with DoDI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (Information Assurance (IA) and Computer Network Defense (CND)), the following password requirements are mandatory and apply equally to classified and unclassified systems: (1) Passwords are to be a minimum of fourteen (14) characters. (2) Passwords are to be a mix of upper- and lower-case alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the Hardware Management Console control options introduces the possibility of exposure during the migration process or contingency plan activation.
Responsibility: System Administrator, Systems Programmer
IA Controls: DCCS-1, DCCS-2, IAIA-1, IAIA-2

Checks

Have the System Administrator display the Password Profile Task window on the Hardware Management Console and check that:

Passwords are to be a minimum of fourteen (14) characters in length.

Passwords are to be a mix of upper- and lower-case alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard.

Each character of the password is to be unique, prohibiting the use of repeating characters.

Passwords are to contain no consecutive characters (e.g., 12, AB, etc.).

If the Password Profile does not have the specifications for the above options then this is a FINDING.

Fix

Have the System Administrator validate that the settings in the Password Profiles Window meet the following specifications:

Passwords are a minimum of fourteen (14) characters in length.

Passwords are to be a mix of upper and lower-case alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard.

Each character of the password is to be unique, prohibiting the use of repeating characters.

Passwords are to contain no consecutive characters (e.g., 12, AB, etc.).
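The four Password Profile and User Properties checks above (HMC0110 history count, HMC0120 expiration days, HMC0130 failed attempts before disable delay, HMC0140 complexity) are set through HMC panels. The following Python is an added example, not IBM or DISA code, that models those settings so an auditor can test candidate values and passwords offline. The class and function names, the sample 14-character password, and the use of SHA-256 for the illustrative password history are the author's own assumptions and do not describe how the HMC stores these internally.

```python
"""Model of the HMC Password Profile and User Properties controls in
HMC0110 to HMC0140: history count, expiration days, failed attempts
before a disable delay, and password complexity. Added example, not
IBM or DISA code; thresholds are taken from the check text, the
structure is the author's own."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import string

@dataclass
class PasswordProfile:
    history_count: int = 10          # HMC0110: 10 or greater
    expiration_days: int = 60        # HMC0120: 60 or less
    max_failed_attempts: int = 3     # HMC0130: 3 or less, then ...
    disable_delay_minutes: int = 60  # ... a 60-minute delay (the HMC cannot revoke a user ID)
    min_length: int = 14             # HMC0140

def profile_findings(p):
    """Return the STIG IDs whose thresholds the profile settings violate."""
    limits = [("HMC0110", p.history_count < 10), ("HMC0120", p.expiration_days > 60),
              ("HMC0130", p.max_failed_attempts > 3), ("HMC0140", p.min_length < 14)]
    return [stig for stig, bad in limits if bad]

def _sequential(a, b):
    """Adjacent characters such as '12', 'AB' or 'ab': same class, code points one apart."""
    same_class = ((a.isdigit() and b.isdigit()) or (a.isupper() and b.isupper())
                  or (a.islower() and b.islower()))
    return same_class and abs(ord(a) - ord(b)) == 1

def complexity_violations(pw, min_length=14):
    """HMC0140: minimum length, one of each class, no repeated and no consecutive characters."""
    classes = {"upper": str.isupper, "lower": str.islower, "digit": str.isdigit,
               "special": lambda c: c in string.punctuation}
    v = ["length"] if len(pw) < min_length else []
    v += [name for name, test in classes.items() if not any(test(c) for c in pw)]
    if len(set(pw)) != len(pw):
        v.append("repeat")
    if any(_sequential(a, b) for a, b in zip(pw, pw[1:])):
        v.append("sequence")
    return v

def _digest(pw):
    # Illustrative only; a real store would use a salted, slow password hash.
    return hashlib.sha256(pw.encode()).hexdigest()

@dataclass
class UserAccount:
    user_id: str
    profile: PasswordProfile
    history: list = field(default_factory=list)  # digests, oldest first; last = current
    changed_at: datetime = datetime(2015, 1, 1)
    failed_attempts: int = 0
    disabled_until: Optional[datetime] = None

    def set_password(self, new_pw, now):
        """HMC0140 complexity, then HMC0110 reuse check against current and previous passwords."""
        problems = complexity_violations(new_pw, self.profile.min_length)
        if problems:
            raise ValueError("complexity: " + ", ".join(problems))
        if _digest(new_pw) in self.history[-(self.profile.history_count + 1):]:
            raise ValueError("reuse: matches the current or one of the last %d passwords"
                             % self.profile.history_count)
        self.history.append(_digest(new_pw))
        self.changed_at = now

    def password_expired(self, now):
        """HMC0120: the password is valid for at most expiration_days."""
        return now - self.changed_at > timedelta(days=self.profile.expiration_days)

    def attempt_login(self, pw, now):
        """HMC0130: after max_failed_attempts wrong passwords, refuse logon for disable_delay_minutes."""
        if self.disabled_until is not None and now < self.disabled_until:
            return False                                   # inside the delay window
        if self.history and _digest(pw) == self.history[-1]:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.profile.max_failed_attempts:
            self.disabled_until = now + timedelta(minutes=self.profile.disable_delay_minutes)
            self.failed_attempts = 0
        return False

def demo():
    """Walk one account through the controls and return what was observed."""
    t0, good = datetime(2015, 1, 14), "Tq7!mZ2@kX9$pW"   # constructed sample password
    acct = UserAccount("SYSPROG1", PasswordProfile())
    acct.set_password(good, t0)
    out = {"logon_ok": acct.attempt_login(good, t0),
           "wrong_x3": [acct.attempt_login("wrong", t0) for _ in range(3)]}
    out["during_delay"] = acct.attempt_login(good, t0 + timedelta(minutes=59))
    out["after_delay"] = acct.attempt_login(good, t0 + timedelta(minutes=60))
    out["expired_day60"] = acct.password_expired(t0 + timedelta(days=60))
    out["expired_day61"] = acct.password_expired(t0 + timedelta(days=61))
    try:
        acct.set_password(good, t0 + timedelta(days=61))
        out["reuse_rejected"] = False
    except ValueError:
        out["reuse_rejected"] = True
    return out
```

Running demo() shows the correct password logging on, three wrong attempts triggering the 60-minute delay that blocks even the correct password at minute 59, expiry flipping at day 61, and the attempt to reuse the same password being rejected by the history check. Because the HMC0130 delay is tracked per user ID, it slows a guessing attack against one account but does nothing against one guess sprayed across many user IDs; that is a limitation of substituting a delay for a revoke, not something the thresholds can fix.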
V-24361 No Change
Findings ID: HMC0150 Rule ID: SV-30029r1_rule Severity: medium CCI: CCI-000057

Discussion

If the system, workstation, or terminal does not lock the session after at most 15 minutes of inactivity, requiring a password to resume operations, the system or individual data could be compromised by an alert intruder who could exploit the oversight.
Responsibility: System Administrator, Systems Programmer
IA Controls: PESL-1

Checks

Have the System Administrator display the User Properties window on the Hardware Management Console and check that the timeout minutes are set to a maximum of 15.

If the Verify Timeout minutes are set to more than 15, then this is a FINDING.

Fix

The System Administrator will display the User Properties window and will ensure that the Verify timeout minutes are set to a maximum of 15.
V-24362 No Change
Findings ID: HMC0160 Rule ID: SV-30030r1_rule Severity: medium CCI: CCI-000048

Discussion

Failure to display the required DoD logon banner prior to a login attempt may void legal proceedings resulting from unauthorized access to system resources and may leave the SA, IAO, IAM, and Installation Commander open to legal proceedings for not advising users that keystrokes are being audited.
Responsibility: System Administrator, Information Assurance Officer, Systems Programmer
IA Controls: ECWM-1

Checks

Have the reviewer verify that the logon banner on the Create Welcome Text window reads as follows:

STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

If the banner text differs from the above, this is a FINDING.

Fix

The System Administrator will update the logon banner by going to the Create Welcome Text Task to read as follows:

STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
V-24363 No Change
Findings ID: HMC0170 Rule ID: SV-30031r2_rule Severity: medium CCI: CCI-001749

Discussion

If the Hardware Management Console (HMC) is network-connected, SSL encryption with digital certificates provides message privacy, message integrity, and mutual authentication between clients and servers. To maintain data integrity, the IBM certificate distributed with the HMC is to be replaced by a DoD-authorized certificate. Note: This check applies only to network-connected HMCs.
Responsibility: System Administrator, Systems Programmer
IA Controls: IATS-1, IATS-2

Checks

The System Reviewer will have the System Administrator use the Hardware Management Console Certificate Management Task to validate that the private key and certificate shipped with any network-connected HMC from IBM was replaced with an approved DoD- authorized Certificate.

Note: This check applies only to network-connected HMCs.

Note: DoD certificates should display the following issuer information: 'OU=PKI, OU=DoD, O=U.S. Government, C=US'

If the certificate presented by a network-connected HMC was not issued by a DoD-authorized Certificate Authority (that is, the IBM-shipped certificate and private key are still in use), then this is a FINDING.
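
An added example, not part of the STIG or of IBM's HMC software, of testing this condition from a reviewer's workstation rather than reading it off the Certificate Management panel. It pulls the HMC's TLS certificate with Python's standard ssl module, tests the issuer for the DoD PKI attributes quoted above, flags a self-signed certificate (issuer equals subject; treating that as the factory placeholder is an assumption here, not something the STIG states), and checks the validity period. The host name, the CA bundle path and the two sample certificates are constructed for illustration; the dictionary layout is the one ssl.SSLSocket.getpeercert() returns.

```python
"""Added example (not from the STIG or IBM): test an HMC's TLS certificate
for the HMC0170 requirement that the IBM-shipped certificate has been
replaced by one issued from the DoD PKI.

check_hmc_cert() works on the dictionary that ssl.SSLSocket.getpeercert()
returns ('subject'/'issuer' are tuples of RDNs, each RDN a tuple of
(attribute, value) pairs). fetch_peer_cert() obtains that dictionary from
a live HMC; the two certificates at the bottom are constructed stand-ins
so the checks run offline.
"""
import socket
import ssl
import time

# Issuer attributes the STIG says a DoD-issued certificate displays:
# OU=PKI, OU=DoD, O=U.S. Government, C=US
DOD_ISSUER_ATTRS = {
    ("organizationalUnitName", "PKI"),
    ("organizationalUnitName", "DoD"),
    ("organizationName", "U.S. Government"),
    ("countryName", "US"),
}


def _rdn_pairs(name):
    """Flatten getpeercert()'s nested RDN tuples into a set of (attribute, value)."""
    return {pair for rdn in name for pair in rdn}


def check_hmc_cert(cert, now=None):
    """Return (compliant, reasons) for a getpeercert()-style dict.

    now is an epoch time; it defaults to the current time and is a parameter
    only so the check is reproducible against the constructed samples.
    """
    now = time.time() if now is None else now
    reasons = []
    issuer = _rdn_pairs(cert.get("issuer", ()))
    subject = _rdn_pairs(cert.get("subject", ()))

    missing = DOD_ISSUER_ATTRS - issuer
    if missing:
        reasons.append("issuer lacks DoD PKI attributes: "
                       + ", ".join(f"{a}={v}" for a, v in sorted(missing)))
    # Assumption (not from the STIG): a self-signed certificate is the
    # factory/IBM-style placeholder, since no CA, DoD or otherwise, issued it.
    if issuer == subject:
        reasons.append("certificate is self-signed (issuer equals subject)")
    # notAfter is in the fixed 'Mon DD HH:MM:SS YYYY GMT' form getpeercert() uses.
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        reasons.append("certificate expired on " + cert["notAfter"])
    return (not reasons, reasons)


def fetch_peer_cert(host, port=443, cafile="/etc/pki/dod-roots.pem"):
    """Retrieve the HMC's certificate as getpeercert() returns it.

    cafile is an assumed path to the DoD root bundle. With verification on,
    the handshake itself fails unless the chain ends at one of those roots,
    which is the 'issued from a DoD-authorized CA' test; check_hmc_cert()
    then confirms the issuer naming and validity period.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape; not real HMC or DoD PKI output.
DOD_ISSUED_CERT = {
    "subject": ((("commonName", "hmc1.example.mil"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "U.S. Government"),),
        (("organizationalUnitName", "DoD"),),
        (("organizationalUnitName", "PKI"),),
        (("commonName", "HYPOTHETICAL DOD CA"),),
    ),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2017 GMT",
}

FACTORY_CERT = {  # self-signed placeholder of the kind shipped with an appliance
    "subject": ((("commonName", "hmc1"),),),
    "issuer": ((("commonName", "hmc1"),),),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2034 GMT",
}


if __name__ == "__main__":
    for label, cert in (("DoD-issued", DOD_ISSUED_CERT), ("factory", FACTORY_CERT)):
        ok, why = check_hmc_cert(cert, now=1420070400)  # 2015-01-01 UTC
        print(label, "compliant" if ok else "FINDING", why)
```

Against a live HMC the call is `check_hmc_cert(fetch_peer_cert("hmc1.example.mil"))`; if the handshake raises an SSLCertVerificationError the chain does not end at a DoD root, which is already the finding.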

Fix

The System Administrator must obtain a DoD PKI certificate to replace the IBM certificate and then use the Hardware Management Console Certificate Management task to install it.

Note: This only applies to networked HMCs.
V-24364 No Change
Findings ID: HMC0180 Rule ID: SV-30032r3_rule Severity: medium CCI: CCI-001348

Discussion

The Hardware Management Console has the ability to back up and display the following data: 1) critical console data, 2) critical hard disk information, 3) critical CPC data, and 4) security logs. Failure to back up and archive the listed data could make auditing of system incidents and history unavailable and could impact recovery of failed components.
Responsibility: System Administrator, Systems Programmer. IA Controls: COSW-1, ECTB-1

Checks

Have the System Administrator produce a log, by date, validating that backups of the security logs and critical console data are being performed on a routine schedule (e.g., daily, weekly, monthly, quarterly, annually) and that copies are rotated to off-site storage. Compare the list of backups made to a physical inventory of storage media to verify that HMC backups are being retained as expected. If backups are not being made, or there are obvious gaps in the storage and retention of the backups, this is a finding.
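
The comparison above, done mechanically, as an added example that is not part of the STIG: it reads a backup log, finds intervals between successive backups of each task that exceed the site's agreed cadence (including the interval from the last backup to the review date), and lists media that the log says were written but that the physical inventory cannot account for. The log layout, the task names, the cadences and the inventory are constructed for illustration; a site would substitute its own records.

```python
"""Added example, not part of the STIG: reconcile an HMC backup log with the
storage-media inventory and report the gaps HMC0180 tells the reviewer to
look for.

Assumed record formats (both constructed below; adapt to the site's own):
  backup log  - one line per backup: <YYYY-MM-DD> <task> <media id> <reason>
  inventory   - the media ids physically accounted for, on site or off site
"""
from datetime import date


def parse_backup_log(text):
    """Parse the assumed one-line-per-backup log; '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        day, task, media, *reason = line.split(maxsplit=3)
        entries.append({"date": date.fromisoformat(day), "task": task,
                        "media": media, "reason": " ".join(reason)})
    return entries


def schedule_gaps(entries, task, cadence_days, window_end):
    """Intervals longer than the agreed cadence between successive backups of
    `task`, including the interval from the last backup to window_end. An
    empty history is reported as a single gap starting at None."""
    dates = sorted(e["date"] for e in entries if e["task"] == task)
    if not dates:
        return [(None, window_end)]
    gaps = []
    for prev, nxt in zip(dates, dates[1:] + [window_end]):
        if (nxt - prev).days > cadence_days:
            gaps.append((prev, nxt))
    return gaps


def unaccounted_media(entries, inventory):
    """Media ids that appear in the log but not in the physical inventory:
    the backup was made but is not being retained."""
    return sorted({e["media"] for e in entries} - set(inventory))


def backup_findings(entries, inventory, cadences, window_end):
    """Human-readable findings; an empty list means no gap was detected."""
    findings = []
    for task, cadence in cadences.items():
        for prev, nxt in schedule_gaps(entries, task, cadence, window_end):
            if prev is None:
                findings.append(f"{task}: no backups logged before {nxt}")
            else:
                findings.append(f"{task}: {(nxt - prev).days}-day gap between "
                                f"{prev} and {nxt} (cadence {cadence} days)")
    for media in unaccounted_media(entries, inventory):
        findings.append(f"media {media} logged but not in inventory")
    return findings


# Constructed sample records (not from any real site).
BACKUP_LOG = """\
# date       task                   media      reason
2014-10-06   security-log           TAPE-0101  weekly archive
2014-10-13   security-log           TAPE-0102  weekly archive
2014-10-20   security-log           TAPE-0103  weekly archive
2014-11-10   security-log           TAPE-0104  weekly archive
2014-11-17   security-log           TAPE-0105  weekly archive
2014-10-01   critical-console-data  TAPE-0201  activation profile changed
2014-11-01   critical-console-data  TAPE-0202  internal code change received
"""
INVENTORY = {"TAPE-0101", "TAPE-0102", "TAPE-0104", "TAPE-0105",
             "TAPE-0201", "TAPE-0202"}          # TAPE-0103 cannot be found
CADENCES = {"security-log": 7, "critical-console-data": 31}   # days, assumed site policy


def run_example(window_end=date(2014, 11, 21)):
    """Run the reconciliation on the constructed records as of window_end."""
    return backup_findings(parse_backup_log(BACKUP_LOG), INVENTORY, CADENCES, window_end)


if __name__ == "__main__":
    for finding in run_example():
        print("FINDING:", finding)
```

The constructed data produces exactly the two conditions the check names: a three-week hole in the weekly security-log archive and one tape that was written but can no longer be located.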

Fix

The System Administrator will see that a log exists to verify that backups are being performed. This log will record the date of and reason for each backup.

Backup security logs. This task will archive a security log for the console.

The Backup Critical Console Data task backs up the data stored on the Hardware Management Console hard disk that is critical to supporting Hardware Management Console operations. Back up the Hardware Management Console data after changes have been made to the Hardware Management Console or to the information associated with the processor cluster. This is usually information that you are able to modify or add on the Hardware Management Console hard disk, for example associating an activation profile with an object, defining a group, changing hardware configuration data, or receiving internal code changes. Use this task after customizing your processor cluster in any way. A backup copy of the hard disk information can be restored to the Hardware Management Console following repair or replacement of the fixed disk.
V-24373 No Change
Findings ID: HMC0200 Rule ID: SV-30043r1_rule Severity: medium CCI: CCI-001453

Discussion

Removing the management traffic from the production network reduces the exposure of the Hardware Management Console servers by allowing all of the management ports to be closed on the production network. The System Administrator will ensure that Hardware Management Console management is accomplished using the out-of-band or direct-connection method.
Responsibility: System Administrator, Network Security Officer, Systems Programmer. IA Controls: DCBP-1

Checks

The System Administrator will validate that the Hardware Management Console management connection will use TCP/IP with encryption on an out-of-band network.

If the Hardware Management Console management connection does not use TCP/IP with encryption on an out-of-band network then this is a FINDING.

Fix

The System Administrator will work with the NSO to see that Hardware Management Console management is set up with encryption on an out-of-band network.
V-24378 No Change
Findings ID: HLP0010 Rule ID: SV-30052r1_rule Severity: medium CCI: CCI-002101

Discussion

The running of unauthorized Logical Partitions (LPARs) could allow a “Trojan horse” version of the operating environment to be introduced into the system complex. This could impact the integrity of the system complex and the confidentiality of the data that resides in it.
Responsibility: System Administrator, Systems Programmer. IA Controls: ECSC-1

Checks

Using the Hardware Management Console, do the following:

Access the Change LPAR Control panel. (This will list the LPARs.)

Compare the partition names listed on the Partition page to the names entered on the Central Processor Complex Domain/LPAR Names table.
Note: Each site should maintain a list of the valid LPARs configured on its system, the operating system each runs, and the purpose of each LPAR.
If unauthorized partitions exist on the system complex and the deviation is not documented, this is a FINDING.

Fix

Review the LPARs on the system and remove any unauthorized LPARs. If a deviation exists, the system administrator will provide written justification for the deviation.

The LPARs are displayed by using the Change LPAR Control panel.
V-24379 No Change
Findings ID: HLP0020 Rule ID: SV-30053r1_rule Severity: medium CCI: CCI-000213

Discussion

Unrestricted control over the IOCDS files could result in unauthorized updates and impact the configuration of the environment by allowing unauthorized access to a restricted resource. This could severely damage the integrity of the environment and the system resources.
Responsibility: System Administrator, Systems Programmer. IA Controls: ECCD-1, ECCD-2

Checks

Using the Hardware Management Console, verify that a logical partition cannot read or write any IOCDS other than its own. Use the Security Definitions page to do this by checking whether the Input/Output (I/O) Configuration Control option has been turned on for the partition; when that option is on, the partition can read and write any IOCDS.

NOTE: The default is applicable to only classified systems.

Confirm whether or not the I/O Configuration Control option is checked.

If the Logical Partition is not restricted with read/write access to only its own IOCDS, this is a FINDING.

Fix

Review the Security Definition parameters specified under Processor Resource/Systems Manager (PR/SM).
Verify and implement the correct settings.
V-24380 No Change
Findings ID: HLP0030 Rule ID: SV-30055r1_rule Severity: medium CCI: CCI-000226

Discussion

Unrestricted control over the issuing of system commands by a Logical Partition could result in unauthorized data access and inadvertent updates. This could result in severe damage to system resources.
Responsibility: System Administrator, Systems Programmer. IA Controls: ECCD-1, ECCD-2

Checks

Using the Hardware Management Console, verify that a Logical Partition cannot issue control program commands to another Logical Partition. Use the PR/SM Security Definitions page to do this. The Cross Partition Control option must be turned off.

NOTE: The default is that the Cross Partition Control option is turned off.

If Processor Resource/Systems Manager (PR/SM) allows unrestricted issuing of control program commands, then this is a FINDING.

Fix

Review the Security Definition parameters specified under PR/SM, and turn off the Cross Partition Control option.
V-24381 No Change
Findings ID: HLP0040 Rule ID: SV-30056r1_rule Severity: high CCI: CCI-000213

Discussion

Restricted LPAR channel paths are necessary to ensure data integrity. Unrestricted LPAR channel path access could result in a compromise of data integrity. When a classified LPAR that requires total isolation exists on a mainframe, all paths to that LPAR must be restricted.
Responsibility: System Administrator, Systems Programmer. IA Controls: ECCD-1, ECCD-2

Checks

Have the System Administrator or Systems Programmer for classified systems use the Hardware Management Console to verify that the classified LPAR's channel paths are reserved for it and isolated from the rest of the LPARs.

Use the Security Definitions Panel to verify this. The Logical Partition Isolation option must be turned on.

If the Classified LPAR channel paths are not restricted then this is a FINDING.

Fix

Have the System Administrator or Systems Programmer for classified systems use the Hardware Management Console Security Definitions panel to turn on the Logical Partition Isolation option for each classified LPAR, so that its channel paths are reserved from the rest of the LPARs.
V-24382 No Change
Findings ID: HLP0050 Rule ID: SV-30057r1_rule Severity: medium CCI: CCI-000213

Discussion

Allowing unrestricted access to all Logical Partition data could result in the possibility of unauthorized access to and updating of data. This could also impact the integrity of the processing environment.
Responsibility: System Administrator, Systems Programmer. IA Controls: ECCD-1, ECCD-2

Checks

Have the Systems Administrator or Systems Programmer use the Hardware Management Console to verify that the classified Logical Partition system data cannot be viewed by other Logical Partitions.

Use the Security Definitions Panel to do this. The Global Performance Data Control option must be turned off.

NOTE: The default is that the Global Performance Data Control option is turned off.

If the PR/SM allows access to system complex data then, this is a FINDING.

Fix

Have the Systems Administrator or Systems Programmer use the Hardware Management Console to ensure that the classified Logical Partition system data cannot be viewed by other Logical Partitions.

Use the Security Definitions panel to do this: turn off the Global Performance Data Control option.
V-24383 No Change
Findings ID: HLP0060 Rule ID: SV-30058r1_rule Severity: high CCI: CCI-000213

Discussion

Allowing unrestricted access to classified processors for all LPARs could cause the corruption and loss of classified data sets, which could compromise classified processing.
Responsibility: System Administrator, Systems Programmer. IA Controls: ECCD-1, ECCD-2

Checks

Have the System Administrator or Systems Programmer use the Hardware Management Console to verify that the LPAR processors are dedicated for exclusive use by classified LPARs.

Use the Processor Page to do this. The Dedicated Central Processors option must be turned on.

If Central processors are not restricted for classified/restricted LPARs, this is a FINDING.

Fix

Review the Processor Page under PR/SM and turn on the Dedicated Central Processor option for classified or restricted LPARs. For unclassified LPARs, this option should not be turned on, unless determined by the site.
V-24398 No Change
Findings ID: HMC0035 Rule ID: SV-30081r1_rule Severity: high CCI: CCI-001762

Discussion

This feature will not be activated for any classified systems. Allowing dial-out access from the Hardware Management Console could impact the integrity of the environment by enabling the possible introduction of spyware or other malicious code.
Responsibility: System Administrator, Systems Programmer. IA Controls: EBRP-1, EBRU-1

Checks

Have the Systems Administrator or Systems Programmer validate that dial-out access from the Hardware Management Console is not activated for any classified systems.

Note: This can be accomplished by going to the Customize Remote Service Panel on the Hardware Management Console and verifying that enable remote service is not enabled.

If this is a classified system and enable remote service is enabled, then this is a FINDING.

Fix

Have the Systems Administrator or Systems Programmer disable dial-out access from the Hardware Management Console on any classified system.
Note: This can be accomplished by going to the Customize Remote Service panel on the Hardware Management Console and clearing the Enable remote service option.
V-25247 No Change
Findings ID: HLESC085 Rule ID: SV-31292r2_rule Severity: medium CCI: CCI-000764

Discussion

The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could result in varying ESCON Directors online or offline and applying configuration changes. Unrestricted use by unauthorized personnel could lead to bypass of security, unlimited access to the system, and an altering of the environment. This would result in a loss of secure operations and will impact the data operating integrity of the environment. NOTE: Many newer installations no longer support the ESCON Director Application. For installations not supporting the ESCON Director Application, this check is not applicable.
Responsibility: System Administrator, Systems Programmer. IA Controls: ECCD-1, IAIA-1, IAIA-2

Checks

If the ESCON Director Application is present, have the System Administrator attempt to sign on to the DCAF Console and validate that a password is required, otherwise, this check is not applicable.

If sign-on access to the DCAF Console does not require a password this is a finding.

Fix

Have the System Administrator review access authorization to DCAF Consoles. Ensure that all personnel are required to enter a password.

Remote access to the LAN may be provided through DCAF via a LAN or modem connection.
DCAF passwords should be implemented to prevent unauthorized access.

V-25386 No Change
Findings ID: HMC0045 Rule ID: SV-31555r1_rule Severity: medium CCI: CCI-000225

Discussion

Access to the HMC, if not properly controlled and restricted by assigning users proper roles and responsibilities, could allow modification to areas outside the need-to-know and abilities of the individual, resulting in a bypass of security and an altering of the environment. This would result in a loss of secure operations and can impact data operating environment integrity.
Responsibility: System Administrator. IA Controls: ECAN-1, ECLP-1, PRMP-1, PRMP-2

Checks

Have the System Administrator verify to the reviewer that the roles and responsibilities assigned in the HMC are assigned to the proper individuals by their areas of responsibility.

Note: Sites must have a list of valid HMC users, indicating their USERID, date of DD Form 2875, and roles and responsibilities.

To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Managed Resource Roles.

If the HMC user IDs displayed by the System Administrator are not properly assigned by roles and responsibilities, then this is a FINDING.

Fix

Have the System Administrator, using the list of user IDs and responsibilities, validate that each user is properly specified in the HMC based on his/her roles and responsibilities.

Note: Sites must have a list of valid HMC users, indicating their USERID, date of DD Form 2875, and roles and responsibilities.

To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Managed Resource Roles.
V-25387 No Change
Findings ID: HMC0185 Rule ID: SV-31556r1_rule Severity: medium CCI: CCI-000130

Discussion

The content of audit data must validate that the information contains:

User IDs
Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc)
Date and time of the event
Type of event
Success or failure of event
Successful and unsuccessful logons
Denial of access resulting from excessive number of logon attempts
Failure to contain this information may hamper attempts to trace events and not allow proper tracking of incidents during a forensic investigation.
Responsibility: System Administrator. IA Controls: ECAR-1, ECAR-2

Checks

Have the System Administrator validate that the audit records contain the information needed for proper incident tracking. Use the View Console Events task to display the contents of the security logs.

Use the View Console Events task to view security logs and validate that it has the following information:

User IDs
Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc)
Date and time of the event
Type of event
Success or failure of event
Successful and unsuccessful logons
Denial of access resulting from excessive number of logon attempts
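
One way to do this validation mechanically once the security log has been exported, as an added example that is not part of the STIG or of the HMC: it reads a constructed sample of console events, reports any record missing a user ID, timestamp, event type or outcome, counts how many records fall in each of the event classes listed above, and cross-checks the last class against the HMC0135 setting covered later on this page, that is, a user who reaches three consecutive failed logons must be followed by a lockout record. The tab-separated export layout and the event-type names (LOGON, LOCKOUT, SECURITY_FILE_ACCESS) are assumptions; parse_event() is the only function tied to them.

```python
"""Added example, not part of the STIG or of the HMC: check an exported
HMC security log for the audit content HMC0185 requires, and cross-check
it against the HMC0135 lockout threshold (3 consecutive failed attempts).

Assumed export layout (the HMC's real format may differ; only parse_event()
depends on it): one event per line, tab-separated,
    <YYYY-MM-DD HH:MM:SS>  <user id>  <event type>  <outcome>  <detail>
with event types LOGON, LOCKOUT, SECURITY_FILE_ACCESS and outcomes
SUCCESS / FAILURE, all assumed names.
"""
from collections import Counter, defaultdict
from datetime import datetime

REQUIRED_FIELDS = ("time", "user", "event", "outcome")
MAX_FAILED_ATTEMPTS = 3   # HMC0135: attempts allowed before the disable delay

# The event classes the STIG lists, as predicates over a parsed record.
EVENT_CLASSES = {
    "successful logon":
        lambda e: e["event"] == "LOGON" and e["outcome"] == "SUCCESS",
    "unsuccessful logon":
        lambda e: e["event"] == "LOGON" and e["outcome"] == "FAILURE",
    "denial after excessive attempts":
        lambda e: e["event"] == "LOCKOUT",
    "security file access, success":
        lambda e: e["event"] == "SECURITY_FILE_ACCESS" and e["outcome"] == "SUCCESS",
    "security file access, failure":
        lambda e: e["event"] == "SECURITY_FILE_ACCESS" and e["outcome"] == "FAILURE",
}


def parse_event(line):
    """Split one export line into the fields the checks need; absent fields stay empty."""
    ts, user, event, outcome, detail = (line.rstrip("\n").split("\t") + [""] * 5)[:5]
    try:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    except ValueError:
        when = None
    return {"time": when, "user": user, "event": event, "outcome": outcome,
            "detail": detail, "raw": line.strip()}


def incomplete_records(events):
    """(record number, missing fields, raw line) for every record that lacks a
    user ID, timestamp, event type or outcome."""
    out = []
    for i, e in enumerate(events, 1):
        missing = [f for f in REQUIRED_FIELDS if not e[f]]
        if missing:
            out.append((i, missing, e["raw"]))
    return out


def class_coverage(events):
    """How many records fall in each STIG event class; 0 means never observed."""
    counts = Counter({name: 0 for name in EVENT_CLASSES})
    for e in events:
        for name, matches in EVENT_CLASSES.items():
            if matches(e):
                counts[name] += 1
    return counts


def unlogged_lockouts(events):
    """Users who reached MAX_FAILED_ATTEMPTS consecutive failed logons with no
    LOCKOUT record after it: either the delay is not enforced or not audited."""
    streak = defaultdict(int)
    suspects = set()
    for e in sorted(events, key=lambda e: e["time"] or datetime.min):
        user = e["user"]
        if e["event"] == "LOGON" and e["outcome"] == "FAILURE":
            streak[user] += 1
            if streak[user] >= MAX_FAILED_ATTEMPTS:
                suspects.add(user)
        elif e["event"] == "LOCKOUT":
            suspects.discard(user)
            streak[user] = 0
        else:
            streak[user] = 0
    return sorted(suspects)


# Constructed sample export (not real HMC output). The last line deliberately
# omits the user ID; 'intruder' gets in after three failures with no lockout.
SAMPLE_LOG = """\
2015-01-12 08:00:01\toperator1\tLOGON\tSUCCESS\tlocal console
2015-01-12 08:05:10\tsysprog2\tLOGON\tFAILURE\tbad password
2015-01-12 08:05:25\tsysprog2\tLOGON\tFAILURE\tbad password
2015-01-12 08:05:40\tsysprog2\tLOGON\tFAILURE\tbad password
2015-01-12 08:05:41\tsysprog2\tLOCKOUT\tSUCCESS\tdisable delay 60 minutes
2015-01-12 09:10:00\tadmin1\tSECURITY_FILE_ACCESS\tSUCCESS\tarchive security log
2015-01-12 09:12:00\toperator1\tSECURITY_FILE_ACCESS\tFAILURE\tuser profiles: not authorized
2015-01-12 10:00:00\tintruder\tLOGON\tFAILURE\tbad password
2015-01-12 10:00:05\tintruder\tLOGON\tFAILURE\tbad password
2015-01-12 10:00:09\tintruder\tLOGON\tFAILURE\tbad password
2015-01-12 10:00:30\tintruder\tLOGON\tSUCCESS\tremote web session
2015-01-12 11:00:00\t\tLOGON\tSUCCESS\tuser id missing from record
"""


def run_checks(text=SAMPLE_LOG):
    """Run all three checks over an export and return their results."""
    events = [parse_event(line) for line in text.splitlines() if line.strip()]
    return {"incomplete": incomplete_records(events),
            "coverage": class_coverage(events),
            "unlogged_lockouts": unlogged_lockouts(events)}


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

A zero count in class_coverage() is not by itself a finding (the window may simply contain no such event); it tells the reviewer which classes still need to be exercised and re-examined, whereas an entry from incomplete_records() or unlogged_lockouts() is a defect in the audit content itself.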

Fix

Have the System Administrator check the content of audit records.

Use the View Console Events task to view security logs and validate that it has the following information:

User IDs
Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc)
Date and time of the event
Type of event
Success or failure of event
Successful and unsuccessful logons
Denial of access resulting from excessive number of logon attempts
V-25388 No Change
Findings ID: HMC0210 Rule ID: SV-31558r1_rule Severity: high CCI: CCI-001762

Discussion

The Hardware Management Console has a built-in feature that allows Product Engineers access to the console. With access authority, IBM Product Engineering can log on to the Hardware Management Console with an exclusive user identification (ID) that provides tasks and operations for problem determination. Product Engineering access is provided by a reserved password and permanent user ID. You cannot view, discard, or change the password and user ID, but you can control their use for accessing the Hardware Management Console. User IDs and passwords that are hard-coded and cannot be modified are a violation of NIST 800-53 and multiple other compliance regulations. Failure to disable this access would allow unauthorized access and could lead to security violations on the HMC.
Responsibility: System Administrator, Systems Programmer

Checks

Have the System Administrator or System Programmer validate that IBM Product Engineering access to the Hardware Management Console is disabled.

This can be checked under the classic style user interface; the task is found under the Hardware Management Console Settings console action.
Open the Customize Product Engineering Access task. The Customize Product Engineering Access window is displayed.
Review the access settings for product engineering and for remote product engineering. (Both should be disabled.)
Click OK to save any changes and exit the task.

If product engineering access or remote product engineering access is not disabled, then this is a finding.

Fix

The System Administrator or System Programmer will set the Product Engineering Access control for both product engineering and remote product engineering to a disabled status.

This is set under the classic style user interface; the task is found under the Hardware Management Console Settings console action.
Open the Customize Product Engineering Access task. The Customize Product Engineering Access window is displayed.
Disable the accesses for product engineering and for remote product engineering.
Click OK to save the changes and exit the task.

V-25400 No Change
Findings ID: HMC0220 Rule ID: SV-31580r1_rule Severity: high CCI: CCI-002310

Discussion

Failure to securely connect to remote sites can leave systems open to multiple attacks and security violations through the network. Failure to securely implement remote support connections can lead to unauthorized access or denial of service attacks on the Hardware Management Console.
Responsibility: System Administrator, Network Security Officer. IA Controls: EBRP-1, EBRU-1

Checks

Have the Network Security Engineer or Systems Programmer check that the remote Internet connection for IBM RSF support meets the requirements of the Remote Access STIGs. For controls that are part of IBM's closed system and cannot be updated or changed by customers, review the documentation provided, such as the HMC Broadband Support manuals or a letter of attestation provided by IBM assuring compliance. If the security measures in the Remote Access STIGs are not fully complied with and there is no supporting documentation or letter of attestation on file with the IAM/IAO, this is a finding.

Fix

The Network Security Officer or Systems Programmer should make any changes required for IBM RSF to meet the requirements stipulated in the Remote Access STIGs. Any documentation or letters of attestation should be placed on file with the IAM/IAO. The letter of attestation must be signed by an authorized representative of IBM and must certify that the security measures identified in the Remote Access STIGs are in compliance.
V-25404 No Change
Findings ID: HMC0135 Rule ID: SV-31588r1_rule Severity: low CCI: CCI-002238

Discussion

The Maximum failed attempts before disable delay setting specifies the number of consecutive incorrect password attempts the Hardware Management Console allows, which must be 3, before it imposes a 60-minute delay during which the password cannot be retried. The improper setting of either of these fields, individually or in combination with the other, can compromise the security of the processing environment. Note: The Hardware Management Console does not allow a user ID to be revoked; a 60-minute delay time setting is substituted.
Responsibility: System Administrator, Systems Programmer. IA Controls: ECLO-1, ECLO-2

Checks

Have the System Administrator display the Disable delay in minutes.

Disable Delay is found in User Profiles by selecting the user, selecting modify user and then selecting User Properties.

If this is less than 60 minutes, then this is a finding.

Note: Hardware Management Console does not have the ability to revoke a user ID, so a 60-minute delay has been imposed instead.

Fix

The System Administrator will display the User Properties window on the Hardware Management Console for each user and verify that the disable delay is set to 60 or more.

Maximum Failed Attempts and Disable Delay are found in User Profiles by selecting the user, selecting modify user and then selecting User Properties.

V-25405 No Change
Findings ID: HMC0225 Rule ID: SV-31589r1_rule Severity: high CCI: CCI-002310

Discussion

Failure to securely connect to remote sites can leave systems open to multiple attacks and security violations through the network. Failure to securely implement remote support connections can lead to unauthorized access or denial of service attacks on the Hardware Management Console.
Responsibility: System Administrator, Network Security Officer. IA Controls: EBRP-1, EBRU-1

Checks

Have the Network Security Engineer check that the remote Internet connection for IBM RSF support has met the mitigations outlined in the Vulnerability Analysis for port 443/SSL in the PPSM requirements.

Fix

Have the Network Security Officer validate that the Internet connection meets the specifications in the PPSM requirements.