IBM Hardware Management Console (HMC) STIG

  • Version/Release: V1R5
  • Published: 2015-01-14
  • Released: 2015-01-20

IBM Hardware Management Console is used to perform Initial Program Loads (IPLs), power on resets, shutdowns, and configuring of hardware components for system logical partitions.
The Enterprise System Connection (ESCON) Director (ESCD) Application Console must be located in a secure location
CA-9 - High - CCI-002101 - V-24340 - SV-29986r2_rule
RMF Control
CA-9
Severity
High
CCI
CCI-002101
Version
HLESC010
Vuln IDs
  • V-24340
Rule IDs
  • SV-29986r2_rule
The ESCD Application Console is used to add, change, and delete port configurations and dynamically switch paths between devices. If the ESCON Director Application Console is not located in a secured location, unauthorized personnel can bypass security, access the system, and alter the environment. This could impact the integrity and confidentiality of operations. NOTE: Many newer installations no longer support the ESCD Application Console. For installations not supporting the ESCD Application Console, this check is not applicable.
Responsibility
System Administrator, Systems Programmer
IA Controls
PECF-1, PECF-2, PEPF-1, PEPF-2
Checks: C-30356r3_chk

If the ESCD Application Console is present, verify the location of the ESCD Application Console, otherwise this check is not applicable. If the ESCON Director Application console is not located in a secure location this is a finding.

Fix: F-27118r1_fix

Move the ESCD Application Console to a secure location and implement access control procedures to ensure access by authorized personnel only. An ESCD Application Console provides data center personnel with an interface for displaying and changing an ESCD's connectivity attributes. It is also used to install, initialize, and service an ESCON Director. Note: ESCDs are slowly being phased out and are being replaced with FICON Directors.

Sign-on to the ESCD Application Console must be restricted to only authorized personnel.
AC-6 - Medium - CCI-002227 - V-24342 - SV-29994r2_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002227
Version
HLESC020
Vuln IDs
  • V-24342
Rule IDs
  • SV-29994r2_rule
The ESCD Application Console is used to add, change, and delete port configurations and to dynamically switch paths between devices. Access to the ESCD Application Console is restricted to three classes of personnel: administrators, service representatives, and operators. The administrator sign-on controls passwords at all levels, the service representative sign-on allows access to maintenance procedures, and the operator sign-on allows for configuration changes and use of the Director utilities. Unrestricted use by unauthorized personnel could impact the integrity of the environment. This would result in a loss of secure operations and impact data operating environment integrity. NOTE: Many newer installations no longer support the ESCD Application Console. For installations not supporting the ESCD Application Console, this check is not applicable.
Responsibility
System Administrator, Systems Programmer
IA Controls
ECLP-1
Checks: C-2769r4_chk

If the ESCD Application Console is present, have the ESCON System Administrator verify that sign-on access to the ESCD Application Console is restricted to authorized personnel by signing on without a valid userid and password, otherwise this check is not applicable. If the ESCD Application Console sign-on access is not restricted, this is a finding.

Fix: F-2355r2_fix

Review access authorization to the ESCD Application Console and ensure that all personnel are restricted to authorized levels of access. The ESCD Application Console and its associated ESCON Director can be secured using passwords. Three levels of password controls have been established; each password level controls different ESCD Application Console functions. Prior to making any changes or accessing utilities or maintenance procedures, a user is required to enter a password. A password administrator must use the ESCD Application Console to enable an authorized user's access. The three levels of password authority are:
  • Administration (Level 1): Restrict to systems programming personnel who serve as administrators. A Level 1 password allows the user to display, add, change, and delete passwords of all ESCON Director Level 1, Level 2, and Level 3 users. It does not allow the administrator to access maintenance procedures or utilities or to change connectivity attributes.
  • Maintenance (Level 2): Restrict to service representatives who perform maintenance procedures. Level 2 users cannot view other users' passwords, change passwords, change connectivity attributes, or access utilities.
  • Operations (Level 3): Restrict to system administrators responsible for changing connectivity attributes and accessing certain utilities. Level 3 users cannot view other users' passwords, change passwords, or perform maintenance procedures.

The ESCON Director Application Console Event log must be enabled.
AU-12 - High - CCI-000169 - V-24343 - SV-29995r2_rule
RMF Control
AU-12
Severity
High
CCI
CCI-000169
Version
HLESC030
Vuln IDs
  • V-24343
Rule IDs
  • SV-29995r2_rule
The ESCON Director Console Event Log is used to record all ESCON Director changes. Failure to create an ESCON Director Application Console Event log results in the lack of monitoring and accountability of configuration changes. In addition, its use in the execution of a contingency plan could be compromised and security degraded. NOTE: Many newer installations no longer support the ESCON Director Console. For installations not supporting the ESCON Director Console, this check is not applicable.
Responsibility
System Administrator, Systems Programmer
IA Controls
ECAT-1, ECAT-2
Checks: C-2770r4_chk

If the ESCON Director Console is present, verify on the ESCON Director Application Console that the Event log is in use, otherwise this check is not applicable. If no Event log exists, this is a finding.

Fix: F-2356r1_fix

Ensure that an ESCON Director Application Console log is created and in use every time the system is switched on. The ESCON Director maintains an audit trail at the ESCD console’s fixed disk. This audit trail logs the time, date, and password identification when changes have been made to the ESCON Director.

The Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel.
AC-6 - Medium - CCI-002227 - V-24344 - SV-29998r2_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002227
Version
HLESC080
Vuln IDs
  • V-24344
Rule IDs
  • SV-29998r2_rule
The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could result in varying ESCON Directors online or offline and applying configuration changes. Unrestricted use by unauthorized personnel could lead to bypass of security, unlimited access to the system, and an altering of the environment. This would result in a loss of secure operations and will impact data operating integrity of the environment. NOTE: Many newer installations no longer support the ESCON Director Application. For installations not supporting the ESCON Director Application, this check is not applicable.
Responsibility
Information Assurance Officer, Information Assurance Manager, Security Manager, Systems Programmer
IA Controls
ECLP-1
Checks: C-679r3_chk

If the ESCON Director Application is present, verify that sign-on access to the DCAF Console is restricted to authorized personnel, otherwise, this check is not applicable. If sign-on access to the DCAF Console is not restricted, this is a finding.

Fix: F-2361r1_fix

Review access authorization to DCAF Consoles. Ensure that all personnel are restricted to authorized levels of access. Remote access to the LAN may be provided through DCAF via a LAN or modem connection. DCAF passwords should be implemented to prevent unauthorized access.

The Hardware Management Console must be located in a secure location.
PE-3 - High - CCI-002916 - V-24345 - SV-29999r1_rule
RMF Control
PE-3
Severity
High
CCI
CCI-002916
Version
HMC0010
Vuln IDs
  • V-24345
Rule IDs
  • SV-29999r1_rule
The Hardware Management Console is used to perform Initial Program Loads (IPLs) and control the Processor Resource/System Manager (PR/SM). If the Hardware Management Console is not located in a secure location, unauthorized personnel can bypass security, access the system, and alter the environment. This can lead to loss of secure operations if not corrected immediately.
Responsibility
Information Assurance Officer, Information Assurance Manager, Security Manager, Systems Programmer
IA Controls
PECF-1, PECF-2, PEPF-1, PEPF-2
Checks: C-2873r1_chk

Verify the location of the Hardware Management Console. It should be located in a controlled area. Access to it should be restricted. If the Hardware Management Console is not located in a secure location this is a FINDING.

Fix: F-2339r1_fix

Move the Hardware Management Console to a secure location and implement access controls for authorized personnel.

Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be restricted to an authorized vendor site.
MA-3 - Medium - CCI-002883 - V-24348 - SV-30007r2_rule
RMF Control
MA-3
Severity
Medium
CCI
CCI-002883
Version
HMC0030
Vuln IDs
  • V-24348
Rule IDs
  • SV-30007r2_rule
Dial-out access from the Hardware Management Console could impact the integrity of the environment by enabling the possible introduction of spyware or other malicious code. It is important to note that it should be properly configured to only go to an authorized vendor site. Note: This feature will be activated for Non-Classified Systems only. Also, many newer processors (e.g., zEC12/zBC12 processors) will not have modems. If there is no modem, this check is not applicable.
Responsibility
System Administrator, Security Manager, Systems Programmer
IA Controls
EBRP-1, EBRU-1
Checks: C-29552r2_chk

Whenever dial-out hardware is present, have the System Administrator or Systems Programmer validate whether dial-out access from the Hardware Management Console is enabled for any non-classified system. Note: This is accomplished by going to the Hardware Management Console and selecting Customize Remote Services, then verifying whether Enable Remote Services is active. If automatic dial-out access from the Hardware Management Console is enabled, have the System Administrator or Systems Programmer validate that the remote phone number and remote service parameter values are valid authorized vendors in the Remote Service panel of the Hardware Management Console. If all the above values are not correct, this is a finding.

Fix: F-26666r1_fix

When this feature is turned on for non-classified systems, the site must verify that the remote site information is valid. The RSF, which is also commonly referred to as call home, is one of the key components that contributes to zero downtime on System z hardware. The Hardware Management Console RSF provides communication to an IBM support network, known as RETAIN, for hardware problem reporting and service. When a Hardware Management Console enables RSF, the Hardware Management Console then becomes a call home server. The types of communication that are provided are:
  • Problem reporting and repair data.
  • Fix delivery to the service processor and Hardware Management Console.
  • Hardware inventory data.
  • System updates that are required to activate Capacity on Demand changes.
The following call home security characteristics are in effect regardless of the connectivity method that is chosen:
  • RSF requests are always initiated from the Hardware Management Console to IBM. An inbound connection is never initiated from the IBM Service Support System.
  • All data that is transferred between the Hardware Management Console and the IBM Service Support System is encrypted with high-grade Secure Sockets Layer (SSL) encryption.
  • When initializing the SSL-encrypted connection, the Hardware Management Console validates the trusted host by its digital signature issued for the IBM Service Support System.
  • Data sent to the IBM Service Support System consists solely of hardware problems and configuration data. No application or customer data is transmitted to IBM.

Access to the Hardware Management Console must be restricted to only authorized personnel.
AC-6 - Medium - CCI-002227 - V-24349 - SV-30008r1_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002227
Version
HMC0040
Vuln IDs
  • V-24349
Rule IDs
  • SV-30008r1_rule
Access to the Hardware Management Console, if not properly restricted to authorized personnel, could lead to a bypass of security, access to the system, and an altering of the environment. This would result in a loss of secure operations and can cause an impact to data operating environment integrity.
Responsibility
System Administrator, Information Assurance Manager, Security Manager
IA Controls
ECLP-1, PECF-1, PECF-2, PRMP-1, PRMP-2
Checks: C-30366r1_chk

Verify that sign-on access to the Hardware Management Console is restricted to authorized personnel and that a DD2875 is on file for each user ID. Note: Sites must have a list of valid HMC users, indicating their USER IDs, Date of DD2875, and roles and responsibilities. To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Managed Resource Roles. If each user displayed by the System Administrator does not have a DD2875, then this is a FINDING.

Fix: F-26667r1_fix

The System Administrator will see that sign-on access to the Hardware Management Console is restricted to authorized personnel and that a DD2875 is on file for each user ID. Note: Sites must have a list of valid HMC users, indicating their USER IDs, Date of DD2875, and roles and responsibilities. The System Administrator must see that the list and users defined to the Hardware Management Console match.

Automatic Call Answering to the Hardware Management Console must be disabled.
AC-6 - Medium - CCI-002227 - V-24350 - SV-30013r2_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002227
Version
HMC0050
Vuln IDs
  • V-24350
Rule IDs
  • SV-30013r2_rule
Automatic Call Answering to the Hardware Management Console allows unrestricted access by unauthorized personnel and could lead to a bypass of security, access to the system, and an altering of the environment. This would result in a loss of secure operations and impact the integrity of the operating environment, files, and programs. Note: Dial-in access to the Hardware Management Console is prohibited. Also, many newer processors (e.g., zEC12/zBC12 processors) will not have modems. If there is no modem, this check is not applicable.
Responsibility
System Administrator, Systems Programmer
IA Controls
EBRP-1, EBRU-1
Checks: C-29847r1_chk

Have the System Administrator verify whether either the Enable Remote Operations parameter or the Automatic Call Answering parameter is active on the Enable Hardware Management Console Services panel. Enable Remote Operations is found under Customize Remote Services, and Automatic Call Answering is found under Customize Auto Answer Settings. If either of the above options is active, then this is a FINDING.

Fix: F-26737r2_fix

The System Administrator must set the dial-in facility to off. Do this by ensuring that both the Enable Remote Operations parameter and the Automatic Call Answering parameter are turned off. As noted in the check content, Enable Remote Operations is found under Customize Remote Services, and Automatic Call Answering is found under Customize Auto Answer Settings.

The Hardware Management Console Event log must be active.
AU-12 - Medium - CCI-000169 - V-24352 - SV-30015r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
HMC0070
Vuln IDs
  • V-24352
Rule IDs
  • SV-30015r1_rule
The Hardware Management Console controls the operation and availability of the Central Processor Complex (CPC). Failure to create and maintain the Hardware Management Console Event log could result in the lack of monitoring and accountability of CPC control activity.
Responsibility
System Administrator, Systems Programmer
IA Controls
ECAT-1, ECAT-2
Checks: C-2924r1_chk

Verify on the Hardware Management Console that the Event log is in use. This is done by selecting the View Console Events panel under Console Actions. From this panel you can display:
  • Console Information: EC changes
  • Console Service History: displays HMC problems
  • Console Tasks: displays the last 2000 tasks performed on the console
  • View Licenses
  • View LIC (Licensed Internal Code)
  • View Security Logs: tracks an object's operational state, status, or settings change, or user access to tasks, actions, and objects
If no Event log exists, this is a FINDING. If the Event log exists and is not collecting data, this is a FINDING.

Fix: F-2353r1_fix

The System Administrator will activate the Hardware Management Console Event log and ensure that all tracking parameters are set. This is done by selecting the View Console Events panel under Console Actions. From this panel you can display:
  • Console Information: EC changes
  • Console Service History: displays HMC problems
  • Console Tasks: displays the last 2000 tasks performed on the console
  • View Licenses
  • View LIC (Licensed Internal Code)
  • View Security Logs: tracks an object's operational state, status, or settings change, or user access to tasks, actions, and objects

The manufacturer’s default passwords must be changed for all Hardware Management Console (HMC) Management software.
IA-5 - High - CCI-001989 - V-24353 - SV-30021r1_rule
RMF Control
IA-5
Severity
High
CCI
CCI-001989
Version
HMC0080
Vuln IDs
  • V-24353
Rule IDs
  • SV-30021r1_rule
Changing passwords from the HMC default values blocks malicious users with knowledge of these default passwords from creating a denial of service or from reconfiguring the HMC topology, which could lead to a compromise of sensitive data. The system administrator will ensure that the manufacturer's default passwords are changed for all HMC management software.
Responsibility
System Administrator, Information Assurance Officer, Information Assurance Manager, Systems Programmer
IA Controls
IAIA-1, IAIA-2
Checks: C-29874r1_chk

Have the System Administrator log on to the HMC and validate that all default passwords have been changed. Go to the task Modify User, select the user, select Modify, and enter and confirm the new password. The default user IDs and their default passwords are:
  • OPERATOR: PASSWORD
  • ADVANCED: PASSWORD
  • SYSPROG: PASSWORD
  • ACSADMIN: PASSWORD
The System Administrator is to validate that each user has his/her own user ID and password and that sharing of user IDs and passwords is not permitted. Default user IDs and passwords are established as part of a base HMC. The System Administrator must assign new user IDs and passwords for each user and remove the default user IDs as soon as the HMC is installed by using the User Profiles task or the Manage Users Wizard. If all the default passwords have not been changed, or each user is not assigned a separate user ID and password, then this is a FINDING.

Fix: F-26761r1_fix

The System Administrator must log on to the HMC and validate that all default passwords have been changed. The default user IDs and their default passwords are:
  • OPERATOR: PASSWORD
  • ADVANCED: PASSWORD
  • SYSPROG: PASSWORD
  • ACSADMIN: PASSWORD
Default user IDs and passwords are established as part of a base HMC. The System Administrator must assign new user IDs and passwords for each user and remove the default user IDs as soon as the HMC is installed by using the User Profiles task or the Manage Users Wizard. Go to the task Modify User, select the user, select Modify, and enter and confirm the new password.

Predefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users.
AC-3 - Medium - CCI-000213 - V-24354 - SV-30022r1_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
HMC0090
Vuln IDs
  • V-24354
Rule IDs
  • SV-30022r1_rule
Individual task roles with access to specific resources, if not created and restricted, will allow unrestricted access to system functions. Tasks are functions that a user can perform, and the managed resource role defines where those tasks might be carried out. The Access Administrator assigns a user ID and user roles to each user of the Hardware Management Console. The following is an example of the predefined user IDs and their roles:
  • OPERATOR: OPERATOR
  • ADVANCED: ADVANCED OPERATOR
  • ACSADMIN: ACCESS ADMINISTRATOR
  • SYSPROG: SYSTEM PROGRAMMER
  • SERVICE: SERVICE REPRESENTATIVE
Failure to establish this environment may lead to uncontrolled access to system resources.
Responsibility
System Administrator, Systems Programmer
IA Controls
ECLP-1
Checks: C-29860r1_chk

Have the System Administrator display the user profiles and demonstrate that valid users are defined to valid roles and that authorities are restricted to the site list of users. Note: Sites must have a list of valid HMC users, indicating their USER IDs, Date of DD2875, and roles and responsibilities. To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Managed Resource Roles. If the different roles are not properly displayed or are not properly restricted, then this is a FINDING.

Fix: F-26744r1_fix

The System Administrator must set up a list of users. Note: Sites must have a list of valid HMC users, indicating their USER IDs, Date of DD2875, and roles and responsibilities, and these must match the users defined to the HMC. To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Managed Resource Roles.

Individual user accounts with passwords must be maintained for the Hardware Management Console operating system and application.
IA-1 - Medium - CCI-000760 - V-24355 - SV-30023r1_rule
RMF Control
IA-1
Severity
Medium
CCI
CCI-000760
Version
HMC0100
Vuln IDs
  • V-24355
Rule IDs
  • SV-30023r1_rule
Without identification and authentication, unauthorized users could reconfigure the Hardware Management Console or disrupt its operation by logging in to the system or application and executing unauthorized commands. The System Administrator will ensure individual user accounts with passwords are set up and maintained for the Hardware Management Console.
Responsibility
System Administrator, Systems Programmer
IA Controls
IAIA-1, IAIA-2
Checks: C-29861r1_chk

Have the System Administrator prove that individual USER IDs are specified for each user and that a DD2875 is on file for each user. If USER IDs are shared among multiple users or corresponding DD2875 forms do not exist for each user, then this is a FINDING.

Fix: F-26745r1_fix

Have the System Administrator verify that all users of the Hardware Management Console are individually defined with USER IDs and passwords and that their roles and responsibilities are documented. Verify that a DD2875 exists for each USER ID.

The PASSWORD History Count value must be set to 10 or greater.
IA-5 - Medium - CCI-000200 - V-24356 - SV-30024r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
HMC0110
Vuln IDs
  • V-24356
Rule IDs
  • SV-30024r1_rule
History Count specifies the number of previous passwords saved for each USERID and compared against an intended new password. If there is a match with one of the previous passwords, or with the current password, the intended new password is rejected. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.
Responsibility
System Administrator, Information Assurance Officer, Information Assurance Manager, Systems Programmer
IA Controls
IAIA-1, IAIA-2
Checks: C-29848r1_chk

Have the System Administrator display the Password Profile Task window on the Hardware Management Console and validate that the History Count is set to 10 or greater. If the History Count is less than 10, then this is a FINDING.

Fix: F-26738r1_fix

Have the System Administrator go into the Password Profile and set the History Count to 10 or greater.

The PASSWORD expiration day(s) value must be set to 60 days or less.
IA-5 - Medium - CCI-000199 - V-24358 - SV-30026r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
HMC0120
Vuln IDs
  • V-24358
Rule IDs
  • SV-30026r1_rule
Expiration Day(s) specifies the maximum number of days that each user's password is valid. When a user logs on to the Hardware Management Console, it compares the system password interval with the value specified in the user profile and uses the lower of the two values to determine whether the user's password has expired. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.
Responsibility
System Administrator, Information Assurance Officer, Information Assurance Manager, Systems Programmer
IA Controls
IAIA-1, IAIA-2
Checks: C-29852r1_chk

Have the System Administrator display the Password Profile Task window on the Hardware Management Console and validate that the Expiration day(s) is set to 60 days or less. If the Expiration day(s) is set to 60 days or less, this is not a FINDING. If the Expiration day(s) is greater than 60 days, then this is a FINDING.

Fix: F-26739r1_fix

Have the System Administrator go into the Password Profile and set the Expiration day(s) to 60 days or less.

Maximum failed password attempts before disable delay must be set to 3 or less.
AC-7 - Medium - CCI-000044 - V-24359 - SV-30027r1_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
HMC0130
Vuln IDs
  • V-24359
Rule IDs
  • SV-30027r1_rule
Maximum failed attempts before disable delay specifies the number of consecutive incorrect password attempts the Hardware Management Console allows, 3 times, before imposing a 60-minute delay on further attempts to retry the password. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. Note: The Hardware Management Console does not allow a revoke of a user ID. A 60-minute delay time setting is being substituted.
Responsibility
System Administrator, Systems Programmer
IA Controls
ECLO-1, ECLO-2
Checks: C-29862r1_chk

Have the System Administrator display the maximum failed attempts before disable delay is invoked in the User Properties table on the Hardware Management Console. Maximum Failed Attempts and Disable Delay are found in User Profiles by selecting the user, selecting Modify User, and then selecting User Properties. If the maximum failed attempts before disable delay is invoked is set at greater than 3, then this is a FINDING.

Fix: F-26746r1_fix

The System Administrator will display the User Properties window on the Hardware Management Console for each user, verify that the maximum attempts before disable delay is set to 3 or less, and update it if this is not true. Maximum Failed Attempts and Disable Delay are found in User Profiles by selecting the user, selecting Modify User, and then selecting User Properties.

The password values must be set to meet the requirements in accordance with DoDI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (INFORMATION ASSURANCE (IA) AND COMPUTER NETWORK DEFENSE (CND)).
IA-5 - Medium - CCI-000192 - V-24360 - SV-30028r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
HMC0140
Vuln IDs
  • V-24360
Rule IDs
  • SV-30028r1_rule
In accordance with DoDI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (INFORMATION ASSURANCE (IA) AND COMPUTER NETWORK DEFENSE (CND)), the following recommendations concerning password requirements are mandatory and apply equally to both classified and unclassified systems: (1) Passwords are to be fourteen (14) characters. (2) Passwords are to be a mix of upper- and lower-case alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the Hardware Management Console control options introduces the possibility of exposure during the migration process or contingency plan activation.
Responsibility
System Administrator, Systems Programmer
IA Controls
DCCS-1, DCCS-2, IAIA-1, IAIA-2
Checks: C-29863r1_chk

Have the System Administrator display the Password Profile Task window on the Hardware Management Console and check that:
  • Passwords are a minimum of fourteen (14) characters in length.
  • Passwords are a mix of upper- and lower-case alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard.
  • Each character of the password is unique, prohibiting the use of repeating characters.
  • Passwords contain no consecutive characters (e.g., 12, AB, etc.).
If the Password Profile does not have the specifications for the above options, then this is a FINDING.

Fix: F-26747r1_fix

Have the System Administrator validate that the settings in the Password Profiles window meet the following specifications:
  • Passwords are a minimum of fourteen (14) characters in length.
  • Passwords are a mix of upper- and lower-case alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard.
  • Each character of the password is unique, prohibiting the use of repeating characters.
  • Passwords contain no consecutive characters (e.g., 12, AB, etc.).

The terminal or workstation must lock out after a maximum of 15 minutes of inactivity, requiring the account password to resume.
AC-11 - Medium - CCI-000057 - V-24361 - SV-30029r1_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
HMC0150
Vuln IDs
  • V-24361
Rule IDs
  • SV-30029r1_rule
If the system, workstation, or terminal does not lock the session after more than 15 minutes of inactivity, requiring a password to resume operations, the system or individual data could be compromised by an alert intruder who could exploit the oversight.
Responsibility
System Administrator, Systems Programmer
IA Controls
PESL-1
Checks: C-29864r1_chk

Have the System Administrator display the User Properties window on the Hardware Management Console and check that the timeout minutes are set to a maximum of 15. If the Verify Timeout minutes are set to more than 15, then this is a FINDING.

Fix: F-26748r1_fix

The System Administrator will display the User Properties window and will ensure that the Verify timeout minutes are set to a maximum of 15.
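The password-related thresholds in HMC0110 through HMC0130 and HMC0150 (History Count, Expiration day(s), Maximum failed attempts, Verify timeout) and the composition rules in HMC0140 are all mechanically checkable once the values have been read off the HMC's Password Profile and User Properties panels. The script below is an added example written for this page, not part of the STIG or of IBM's HMC software: the `PasswordProfile` field names and the sample profiles are constructed for illustration, and the HMC exposes these settings only through its GUI tasks, so the values would be transcribed by hand. The consecutive-character rule is read strictly as adjacent characters one code point apart in either direction; the STIG's examples (12, AB) are ascending, so the descending case is an assumption noted in the code.

```python
"""Evaluate HMC password settings against the IBM HMC STIG thresholds.

Added example (not DISA or IBM code). Profile values are assumed to be
transcribed from the HMC's Password Profile and User Properties tasks.
"""
from dataclasses import dataclass
import string


@dataclass
class PasswordProfile:
    # Field names are this example's own, not HMC API names.
    history_count: int        # HMC0110: must be 10 or greater
    expiration_days: int      # HMC0120: must be 60 or less
    max_failed_attempts: int  # HMC0130: must be 3 or less
    timeout_minutes: int      # HMC0150: must be 15 or less


def profile_findings(profile: PasswordProfile) -> list[str]:
    """Return the STIG rule IDs the profile fails (empty list when compliant)."""
    findings = []
    if profile.history_count < 10:
        findings.append("HMC0110")
    if profile.expiration_days > 60:
        findings.append("HMC0120")
    if profile.max_failed_attempts > 3:
        findings.append("HMC0130")
    if profile.timeout_minutes > 15:
        findings.append("HMC0150")
    return findings


def password_findings(password: str) -> list[str]:
    """Return which HMC0140 composition rules a candidate password violates.

    Codes: length, uppercase, lowercase, digit, special, repeating, consecutive.
    """
    findings = []
    if len(password) < 14:
        findings.append("length")
    if not any(c.isupper() for c in password):
        findings.append("uppercase")
    if not any(c.islower() for c in password):
        findings.append("lowercase")
    if not any(c.isdigit() for c in password):
        findings.append("digit")
    # "Special" is taken to mean any ASCII punctuation (includes @, #, $).
    if not any(c in string.punctuation for c in password):
        findings.append("special")
    # Each character must be unique; a repeat anywhere in the string fails.
    if len(set(password)) != len(password):
        findings.append("repeating")
    # No adjacent characters one code point apart, e.g. "12" or "AB".
    # Assumption: descending pairs ("21", "BA") are treated the same way.
    if any(abs(ord(b) - ord(a)) == 1 for a, b in zip(password, password[1:])):
        findings.append("consecutive")
    return findings


def main() -> None:
    # Constructed sample profiles, not read from a real HMC.
    compliant = PasswordProfile(10, 60, 3, 15)
    weak = PasswordProfile(5, 90, 5, 30)
    for name, prof in (("compliant", compliant), ("weak", weak)):
        print(f"{name} profile findings: {profile_findings(prof) or 'none'}")

    # Constructed sample passwords, not real credentials.
    for pw in ("Wq7!Zk2@Lm9#Pv4$", "Password12!Abcd", "abc"):
        print(f"{pw!r}: {password_findings(pw) or 'compliant'}")


if __name__ == "__main__":
    main()
```

The profile checker encodes the thresholds exactly as the check text states them (a History Count below 10, an expiration above 60 days, more than 3 failed attempts, or a timeout above 15 minutes is a finding), so a site can keep the transcribed values under version control and re-run the check after each HMC change.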

The Department of Defense (DoD) logon banner must be displayed prior to any login attempt.
AC-8 - Medium - CCI-000048 - V-24362 - SV-30030r1_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
HMC0160
Vuln IDs
  • V-24362
Rule IDs
  • SV-30030r1_rule
Failure to display the required DoD logon banner prior to a login attempt may void legal proceedings resulting from unauthorized access to system resources and may leave the SA, IAO, IAM, and Installation Commander open to legal proceedings for not advising users that keystrokes are being audited.
Responsibility
System Administrator, Information Assurance Officer, Systems Programmer
IA Controls
ECWM-1
Checks: C-29865r1_chk

Have the reviewer verify that the logon banner on the Create Welcome Text window reads as follows:
STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
If any item above is untrue, this is a FINDING.

Fix: F-26749r1_fix

The System Administrator will update the logon banner by going to the Create Welcome Text Task to read as follows: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

b
A private web server must subscribe to certificates, issued from any DoD-authorized Certificate Authority, as an access control mechanism for web users.
CM-5 - Medium - CCI-001749 - V-24363 - SV-30031r2_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
HMC0170
Vuln IDs
  • V-24363
Rule IDs
  • SV-30031r2_rule
If the Hardware Management Console (HMC) is network-connected, use SSL encryption techniques, through digital certificates, to provide message privacy, message integrity, and mutual authentication between clients and servers. To maintain data integrity, the IBM certificate distributed with the HMCs is to be replaced by a DoD-authorized certificate. Note: This check applies only to network-connected HMCs. Responsibilities: System Administrator, Systems Programmer. IA Controls: IATS-1, IATS-2.
Checks: C-29866r2_chk

The System Reviewer will have the System Administrator use the Hardware Management Console Certificate Management Task to validate that the private key and certificate shipped with any network-connected HMC from IBM were replaced with an approved DoD-authorized certificate. Note: This check applies only to network-connected HMCs. Note: DoD certificates should display the following information: 'OU=PKI.OU=DoD.O=U.S. Government.C=US'. If the private web server does not subscribe to certificates issued from any DoD-authorized Certificate Authority as an access control mechanism for web users, then this is a FINDING.

Fix: F-26767r2_fix

The System Administrator must order a DoD PKI certificate to replace the IBM certificate, and then the System Administrator must use the Hardware Management Console Certificate Management Task to install it. Note: This only applies to networked HMCs.
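The check above tells the reviewer to look for the DoD subject attributes 'OU=PKI.OU=DoD.O=U.S. Government.C=US' on the installed certificate. The following is an added example, not part of the STIG or of IBM's HMC software, that turns that visual comparison into a repeatable test: it parses a subject distinguished name (in the usual comma-separated form or in the dot-separated form quoted by the check) and reports which of the required attributes are missing. The sample subjects are constructed for illustration; the subject string would normally be taken from the certificate displayed by the Certificate Management task.

```python
import re
from typing import List, Tuple

# Subject attributes the check expects on a DoD-issued HMC certificate,
# taken from the check text: OU=PKI.OU=DoD.O=U.S. Government.C=US
REQUIRED_RDNS: List[Tuple[str, str]] = [
    ("OU", "PKI"),
    ("OU", "DoD"),
    ("O", "U.S. Government"),
    ("C", "US"),
]

# A comma or dot (with optional whitespace) counts as an RDN separator only
# when the next token looks like "attr=", so the dots inside "U.S. Government"
# or inside a CN such as "hmc01.example.mil" are left alone.
_RDN_SEPARATOR = re.compile(r"\s*[,.]\s*(?=[A-Za-z][A-Za-z0-9]*=)")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a distinguished name into (attribute, value) pairs.

    Accepts both the comma-separated form and the dot-separated form quoted
    in the check text. Attribute types are upper-cased; values are kept as-is.
    """
    rdns: List[Tuple[str, str]] = []
    for part in _RDN_SEPARATOR.split(dn.strip()):
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def missing_rdns(dn: str) -> List[Tuple[str, str]]:
    """Return the required attributes the subject lacks (empty list = pass).

    Values are compared case-insensitively, so 'DOD' and 'DoD' both match.
    Order is not checked, since tools display the RDNs in either direction.
    """
    present = {(attr, value.lower()) for attr, value in parse_dn(dn)}
    return [(attr, value) for attr, value in REQUIRED_RDNS
            if (attr, value.lower()) not in present]


def is_dod_subject(dn: str) -> bool:
    """True when every required DoD attribute is present in the subject."""
    return not missing_rdns(dn)


if __name__ == "__main__":
    # Constructed sample subjects (illustrative only, not real certificates).
    samples = {
        "DoD-issued": "CN=hmc01.example.mil, OU=DISA, OU=PKI, OU=DoD, O=U.S. Government, C=US",
        "as quoted": "OU=PKI.OU=DoD.O=U.S. Government.C=US",
        "vendor default": "CN=HMC Default Certificate, O=IBM, C=US",
    }
    for label, subject in samples.items():
        gaps = missing_rdns(subject)
        verdict = "PASS" if not gaps else f"FINDING, missing {gaps}"
        print(f"{label:15s} {verdict}")
```

A subject match is only the first half of this check: the reviewer still has to confirm that the certificate chains to a DoD-authorized CA and that the vendor-shipped private key was actually replaced, neither of which a subject string can prove.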

b
Hardware Management Console audit record content data must be backed up.
AU-9 - Medium - CCI-001348 - V-24364 - SV-30032r3_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
HMC0180
Vuln IDs
  • V-24364
Rule IDs
  • SV-30032r3_rule
The Hardware Management Console has the ability to back up and display the following data: 1) Critical console data, 2) Critical hard disk information, 3) Backup of critical CPC data, and 4) Security Logs. Failure to back up and archive the listed data could make auditing of system incidents and history unavailable and could impact recovery for failed components. Responsibilities: System Administrator, Systems Programmer. IA Controls: COSW-1, ECTB-1.
Checks: C-29885r6_chk

Have the System Administrator produce a log by date validating that backups are being performed for Security logs and Critical console data on a routine scheduled basis (e.g., daily, weekly, monthly, quarterly, annually) and that copies are rotated to off-site storage. Compare the list of backups made to a physical inventory of storage media to verify that HMC backups are being retained as expected. If backups are either not being made, or there are obvious gaps in storage and retention of the backups, this is a finding.

Fix: F-26781r3_fix

The System Administrator will see that a log exists to verify that backups are being performed. This list will have the date and reason for each backup. The Backup Security Logs task archives a security log for the console. The Backup Critical Console Data task backs up the data that is stored on your Hardware Management Console hard disk and is critical to support Hardware Management Console operations. You should back up the Hardware Management Console data after changes have been made to the Hardware Management Console or to the information associated with the processor cluster. Information associated with processor cluster changes is usually information that you are able to modify or add to the Hardware Management Console hard disk. Association of an activation profile to an object, the definition of a group, hardware configuration data, and receiving internal code changes are examples of modifying and adding information, respectively. Use this task after customizing your processor cluster in any way. A backup copy of hard disk information may be restored to your Hardware Management Console following the repair or replacement of the fixed disk.
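The check for this rule asks the reviewer to compare the backup log against the site's schedule and against a physical media inventory, and to treat "obvious gaps in storage and retention" as a finding. The following is an added example, not part of the STIG or of IBM's software, that performs that comparison over a constructed backup log: it finds every interval between consecutive backups of a given kind (including the interval from the last backup to the review date) that exceeds the assumed site schedule, and lists any logged media that the inventory cannot account for. The log format, media identifiers and schedule intervals are all assumptions for illustration; a real site would substitute its own.

```python
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Entry = Tuple[date, str, str, str]  # (backup date, kind, media id, reason)
Gap = Tuple[str, Optional[str], str, Optional[int]]  # (kind, from, to, days)

# Constructed sample backup log (not from any real HMC): one backup per
# line as "YYYY-MM-DD  kind  media-id  reason".
SAMPLE_LOG = """\
2014-10-06  security-log  TAPE-0411  weekly schedule
2014-10-13  security-log  TAPE-0412  weekly schedule
2014-10-27  security-log  TAPE-0413  weekly schedule
2014-10-01  console-data  TAPE-0401  monthly schedule
2014-10-15  console-data  TAPE-0402  activation profile changed
2014-11-01  console-data  TAPE-0403  monthly schedule
"""

# Constructed physical inventory of off-site media; TAPE-0413 is absent,
# i.e. a backup was logged but the medium cannot be found.
SAMPLE_INVENTORY: Set[str] = {"TAPE-0411", "TAPE-0412", "TAPE-0401", "TAPE-0402", "TAPE-0403"}

# Assumed site schedule: security logs weekly, critical console data monthly.
SCHEDULE_DAYS: Dict[str, int] = {"security-log": 7, "console-data": 31}


def parse_backup_log(text: str) -> List[Entry]:
    """Parse the constructed log format; blank lines and '#' comments are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, kind, media, reason = line.split(None, 3)
        entries.append((date.fromisoformat(day), kind, media, reason))
    return entries


def find_gaps(entries: List[Entry], schedule_days: Dict[str, int], as_of: date) -> List[Gap]:
    """Intervals longer than the schedule allows, per backup kind.

    A kind with no backups at all is reported as (kind, None, as_of, None).
    """
    gaps: List[Gap] = []
    for kind, max_days in schedule_days.items():
        dates = sorted(d for d, k, _, _ in entries if k == kind)
        if not dates:
            gaps.append((kind, None, as_of.isoformat(), None))
            continue
        points = dates + [as_of]  # the review date closes the last interval
        for prev, nxt in zip(points, points[1:]):
            delta = (nxt - prev).days
            if delta > max_days:
                gaps.append((kind, prev.isoformat(), nxt.isoformat(), delta))
    return gaps


def missing_media(entries: List[Entry], inventory: Set[str]) -> List[str]:
    """Media ids that appear in the log but not in the physical inventory."""
    return sorted({m for _, _, m, _ in entries if m not in inventory})


def assess_backup_log(text: str, inventory: Set[str], schedule_days: Dict[str, int],
                      as_of_iso: str) -> Dict[str, object]:
    """Apply the check: any schedule gap or unaccounted medium is a finding."""
    entries = parse_backup_log(text)
    gaps = find_gaps(entries, schedule_days, date.fromisoformat(as_of_iso))
    missing = missing_media(entries, inventory)
    return {"finding": bool(gaps or missing), "gaps": gaps, "missing_media": missing}


if __name__ == "__main__":
    result = assess_backup_log(SAMPLE_LOG, SAMPLE_INVENTORY, SCHEDULE_DAYS, "2014-11-03")
    print("FINDING" if result["finding"] else "PASS")
    for kind, start, end, days in result["gaps"]:
        print(f"  gap: {kind} {start} -> {end} ({days} days)")
    for media in result["missing_media"]:
        print(f"  logged but not in inventory: {media}")
```

In the constructed data the weekly security-log backup skipped a week in October and the tape for the 27 October backup is not in the inventory, so both branches of the check fire; the console-data backups are within their monthly window.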

b
Hardware Management Console management must be accomplished by using the out-of-band or direct connection method.
AC-17 - Medium - CCI-001453 - V-24373 - SV-30043r1_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
HMC0200
Vuln IDs
  • V-24373
Rule IDs
  • SV-30043r1_rule
Removing the management traffic from the production network reduces the attack surface of the Hardware Management Console servers by allowing all the management ports to be closed on the production network. The System Administrator will ensure that Hardware Management Console management is accomplished using the out-of-band or direct connection method. Responsibilities: System Administrator, Network Security Officer, Systems Programmer. IA Controls: DCBP-1.
Checks: C-29896r1_chk

The System Administrator will validate that the Hardware Management Console management connection uses TCP/IP with encryption on an out-of-band network. If the Hardware Management Console management connection does not use TCP/IP with encryption on an out-of-band network, then this is a FINDING.

Fix: F-26797r1_fix

The System Administrator will work with the NSO to see that Hardware Management Console management is set up with encryption on an out-of-band network.

b
Unauthorized partitions must not exist on the system complex.
CA-9 - Medium - CCI-002101 - V-24378 - SV-30052r1_rule
RMF Control
CA-9
Severity
Medium
CCI
CCI-002101
Version
HLP0010
Vuln IDs
  • V-24378
Rule IDs
  • SV-30052r1_rule
The running of unauthorized Logical Partitions (LPARs) could allow a “Trojan horse” version of the operating environment to be introduced into the system complex. This could impact the integrity of the system complex and the confidentiality of the data that resides in it. Responsibilities: System Administrator, Systems Programmer. IA Controls: ECSC-1.
Checks: C-2925r1_chk

Using the Hardware Management Console, do the following: Access the Change LPAR Control Panel. (This will list the LPARs.) Compare the partition names listed on the Partition Page to the names entered on the Central Processor Complex Domain/LPAR Names table. Note: Each site should maintain a list of the valid LPARs configured on their system, the operating system of each, and the purpose of each LPAR. If unauthorized partitions exist on the system complex and the deviation is not documented, this is a FINDING.

Fix: F-2345r1_fix

Review the LPARs on the system and remove any unauthorized LPARs. If a deviation exists, the system administrator will provide written justification for the deviation. This will be displayed by using the Change LPAR Control Panel.

b
On Classified Systems, Logical Partition must be restricted with read/write access to only its own IOCDS.
AC-3 - Medium - CCI-000213 - V-24379 - SV-30053r1_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
HLP0020
Vuln IDs
  • V-24379
Rule IDs
  • SV-30053r1_rule
Unrestricted control over the IOCDS files could result in unauthorized updates and impact the configuration of the environment by allowing unauthorized access to a restricted resource. This could severely damage the integrity of the environment and the system resources. Responsibilities: System Administrator, Systems Programmer. IA Controls: ECCD-1, ECCD-2.
Checks: C-3266r1_chk

Using the Hardware Management Console, verify that a logical partition cannot read or write to any IOCDS. Use the Security Definitions Page panel to do this by checking to see if the Input/Output (I/O) Configuration Control option has been turned on. NOTE: The default is applicable to only classified systems. Confirm whether or not the I/O Configuration Control option is checked. If the Logical Partition is not restricted with read/write access to only its own IOCDS, this is a FINDING.

Fix: F-2346r1_fix

Review the Security Definition parameters specified under Processor Resource/Systems Manager (PR/SM). Verify and implement the correct settings.

b
Processor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands.
AC-6 - Medium - CCI-000226 - V-24380 - SV-30055r1_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-000226
Version
HLP0030
Vuln IDs
  • V-24380
Rule IDs
  • SV-30055r1_rule
Unrestricted control over the issuing of system commands by a Logical Partition could result in unauthorized data access and inadvertent updates. This could result in severe damage to system resources. Responsibilities: System Administrator, Systems Programmer. IA Controls: ECCD-1, ECCD-2.
Checks: C-3642r1_chk

Using the Hardware Management Console, verify that the Logical Partitions cannot issue control program commands to another Logical Partition. Use the PR/SM panel, known as the Security Definitions Page, to do this. The Cross Partition Control option must be turned off. NOTE: The default is that the Cross Partition Control option is turned off. If Processor Resource/Systems Manager (PR/SM) allows unrestricted issuing of control program commands, then this is a FINDING.

Fix: F-2347r1_fix

Review the Security Definition parameters specified under PR/SM, and turn off the Cross Partition Control option.

c
Classified Logical Partition (LPAR) channel paths must be restricted.
AC-3 - High - CCI-000213 - V-24381 - SV-30056r1_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
HLP0040
Vuln IDs
  • V-24381
Rule IDs
  • SV-30056r1_rule
Restricted LPAR channel paths are necessary to ensure data integrity. Unrestricted LPAR channel path access could result in a compromise of data integrity. When a classified LPAR exists on a mainframe which requires total isolation, all paths to that LPAR must be restricted. Responsibilities: System Administrator, Systems Programmer. IA Controls: ECCD-1, ECCD-2.
Checks: C-3268r1_chk

Have the System Administrator or Systems Programmer on classified systems use the Hardware Management Console to verify that the LPAR channel paths are reserved from the rest of the LPARs. Use the Security Definitions Panel to verify this. The Logical Partition Isolation option must be turned on. If the classified LPAR channel paths are not restricted, then this is a FINDING.

Fix: F-2348r1_fix

Have the System Administrator or Systems Programmer for classified systems use the Hardware Management Console to verify that the LPAR channel paths are reserved from the rest of the LPARs. Use the Security Definitions Panel to verify this. The Logical Partition Isolation option must be turned on for classified systems.

b
On Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data.
AC-3 - Medium - CCI-000213 - V-24382 - SV-30057r1_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
HLP0050
Vuln IDs
  • V-24382
Rule IDs
  • SV-30057r1_rule
Allowing unrestricted access to all Logical Partition data could result in the possibility of unauthorized access and updating of data. This could also impact the integrity of the processing environment. Responsibilities: System Administrator, Systems Programmer. IA Controls: ECCD-1, ECCD-2.
Checks: C-3644r1_chk

Have the Systems Administrator or Systems Programmer use the Hardware Management Console to verify that the classified Logical Partition system data cannot be viewed by other Logical Partitions. Use the Security Definitions Panel to do this. The Global Performance Data Control option must be turned off. NOTE: The default is that the Global Performance Data Control option is turned off. If PR/SM allows access to system complex data, then this is a FINDING.

Fix: F-2349r1_fix

Have the Systems Administrator or Systems Programmer use the Hardware Management Console to verify that the classified Logical Partition system data cannot be viewed by other Logical Partitions. Use the Security Definitions Panel to do this. The Global Performance Data Control option must be turned off.

c
Central processors must be restricted for classified/restricted Logical Partitions (LPARs).
AC-3 - High - CCI-000213 - V-24383 - SV-30058r1_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
HLP0060
Vuln IDs
  • V-24383
Rule IDs
  • SV-30058r1_rule
Allowing unrestricted access to classified processors for all LPARs could cause the corruption and loss of classified data sets, which could compromise classified processing. Responsibilities: System Administrator, Systems Programmer. IA Controls: ECCD-1, ECCD-2.
Checks: C-3270r1_chk

Have the system administrator or systems programmer use the Hardware Management Console to verify that the LPAR processors are dedicated for exclusive use by classified LPARs. Use the Processor Page to do this. The Dedicated Central Processors option must be turned on. If central processors are not restricted for classified/restricted LPARs, this is a FINDING.

Fix: F-2350r1_fix

Review the Processor Page under PR/SM and turn on the Dedicated Central Processor option for classified or restricted LPARs. For unclassified LPARs, this option should not be turned on, unless determined by the site.

c
Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be disabled for all classified systems.
CM-7 - High - CCI-001762 - V-24398 - SV-30081r1_rule
RMF Control
CM-7
Severity
High
CCI
CCI-001762
Version
HMC0035
Vuln IDs
  • V-24398
Rule IDs
  • SV-30081r1_rule
This feature will not be activated for any classified systems. Allowing dial-out access from the Hardware Management Console could impact the integrity of the environment by enabling the possible introduction of spyware or other malicious code. Responsibilities: System Administrator, Systems Programmer. IA Controls: EBRP-1, EBRU-1.
Checks: C-30381r1_chk

Have the Systems Administrator or Systems Programmer validate that dial-out access from the Hardware Management Console is not activated for any classified systems. Note: This can be accomplished by going to the Customize Remote Service Panel on the Hardware Management Console and verifying that enable remote service is not enabled. If this is a classified system and enable remote service is enabled, then this is a FINDING.

Fix: F-27161r1_fix

Have the Systems Administrator or Systems Programmer validate that dial-out access from the Hardware Management Console is not activated for any classified systems. Note: This can be accomplished by going to the Customize Remote Service Panel on the Hardware Management Console and verifying that enable remote service is not enabled.

b
DCAF Console access must require a password to be entered by each user.
IA-2 - Medium - CCI-000764 - V-25247 - SV-31292r2_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
HLESC085
Vuln IDs
  • V-25247
Rule IDs
  • SV-31292r2_rule
The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could result in varying of ESCON Directors online or offline and applying configuration changes. Unrestricted use by unauthorized personnel could lead to bypass of security, unlimited access to the system, and an altering of the environment. This would result in a loss of secure operations and will impact data operating integrity of the environment. NOTE: Many newer installations no longer support the ESCON Director Application. For installations not supporting the ESCON Director Application, this check is not applicable. Responsibilities: System Administrator, Systems Programmer. IA Controls: ECCD-1, IAIA-1, IAIA-2.
Checks: C-31682r3_chk

If the ESCON Director Application is present, have the System Administrator attempt to sign on to the DCAF Console and validate that a password is required, otherwise, this check is not applicable. If sign-on access to the DCAF Console does not require a password this is a finding.

Fix: F-28169r1_fix

Have the System Administrator review access authorization to DCAF Consoles. Ensure that all personnel are required to enter a password. Remote access to the LAN may be provided through DCAF via a LAN or modem connection. DCAF passwords should be implemented to prevent unauthorized access.

b
Access to the Hardware Management Console (HMC) must be restricted by assigning users proper roles and responsibilities.
AC-6 - Medium - CCI-000225 - V-25386 - SV-31555r1_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-000225
Version
HMC0045
Vuln IDs
  • V-25386
Rule IDs
  • SV-31555r1_rule
Access to the HMC, if not properly controlled and restricted by assigning users proper roles and responsibilities, could allow modification to areas outside the need-to-know and abilities of the individual, resulting in a bypass of security and an altering of the environment. This would result in a loss of secure operations and can cause an impact to data operating environment integrity. Responsibilities: System Administrator. IA Controls: ECAN-1, ECLP-1, PRMP-1, PRMP-2.
Checks: C-31828r1_chk

Have the System Administrator verify to the reviewer that the Roles and Responsibilities assigned are assigned to the proper individuals by their areas of responsibility. Note: Sites must have a list of valid HMC users, indicating their USERID, Date of DD2875, and roles and responsibilities. To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Manager Resources Roles. If the HMC user IDs displayed by the System Administrator are not properly assigned by Roles and Responsibilities, then this is a FINDING.

Fix: F-28328r1_fix

Have the System Administrator, using the list of user IDs and responsibilities, validate that each user is properly specified in the HMC based on his/her roles and responsibilities. Note: Sites must have a list of valid HMC users, indicating their USERID, Date of DD2875, and roles and responsibilities. To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Manager Roles.

b
Audit records content must contain valid information to allow for proper incident reporting.
AU-3 - Medium - CCI-000130 - V-25387 - SV-31556r1_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
HMC0185
Vuln IDs
  • V-25387
Rule IDs
  • SV-31556r1_rule
The content of audit data must validate that the information contains:
  • User IDs
  • Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc.)
  • Date and time of the event
  • Type of event
  • Success or failure of event
  • Successful and unsuccessful logons
  • Denial of access resulting from excessive number of logon attempts
Failure to contain this information may hamper attempts to trace events and not allow proper tracking of incidents during a forensic investigation. Responsibilities: System Administrator. IA Controls: ECAR-1, ECAR-2.
Checks: C-31829r1_chk

Have the System Administrator validate that the audit records contain valid information to allow for proper incident tracking. Use the View Console Events task to view the security logs and validate that they contain the following information:
  • User IDs
  • Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc.)
  • Date and time of the event
  • Type of event
  • Success or failure of event
  • Successful and unsuccessful logons
  • Denial of access resulting from excessive number of logon attempts

Fix: F-28329r1_fix

Have the System Administrator check the content of audit records. Use the View Console Events task to view the security logs and validate that they contain the following information:
  • User IDs
  • Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc.)
  • Date and time of the event
  • Type of event
  • Success or failure of event
  • Successful and unsuccessful logons
  • Denial of access resulting from excessive number of logon attempts
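The check and fix for this rule list the fields every audit record must carry (user ID, date and time, type of event, success or failure) and the kinds of events the security log as a whole must contain (logons, security-file accesses, lockouts for excessive attempts). The following is an added example, not part of the STIG or of IBM's HMC software, that applies both halves of that check to an exported log: per-record field validation, then a coverage test for each required event category. The key=value line format, the event names and the sample records are all constructed for illustration; the real View Console Events layout is not reproduced, so a site would adapt `parse_event` to its own export.

```python
import re
from datetime import datetime
from typing import Callable, Dict, List, Tuple

# Per-record fields from the STIG list: user ID, date/time, type of event,
# success or failure of the event.
REQUIRED_FIELDS = ("time", "user", "event", "result")

# Event categories the log as a whole must contain, per the check text.
# The event names are assumptions for the constructed export format.
REQUIRED_EVENT_KINDS: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "logon-success": lambda e: e["event"] == "LOGON" and e["result"] == "SUCCESS",
    "logon-failure": lambda e: e["event"] == "LOGON" and e["result"] == "FAILURE",
    "security-file-access": lambda e: e["event"] == "SECFILE_ACCESS",
    "lockout-excessive-attempts": lambda e: e["event"] == "LOCKOUT",
}

# Constructed sample security log in an assumed key=value export format.
# The last record is deliberately missing the user field.
SAMPLE_LOG = """\
time=2014-12-01T08:02:11Z user=hmcadmin event=LOGON result=SUCCESS src=10.0.0.5
time=2014-12-01T08:05:40Z user=opr01 event=LOGON result=FAILURE src=10.0.0.9
time=2014-12-01T08:05:52Z user=opr01 event=LOGON result=FAILURE src=10.0.0.9
time=2014-12-01T08:06:03Z user=opr01 event=LOGON result=FAILURE src=10.0.0.9
time=2014-12-01T08:06:03Z user=opr01 event=LOCKOUT result=SUCCESS detail=disable_delay_60m
time=2014-12-01T09:10:00Z user=hmcadmin event=SECFILE_ACCESS result=SUCCESS object=security_log
time=2014-12-01T09:12:30Z event=SECFILE_ACCESS result=FAILURE object=user_profiles
"""

_KV = re.compile(r"(\w+)=(\S+)")
_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'key=value key=value' line into a dict (unknown keys kept)."""
    return dict(_KV.findall(line))


def missing_fields(event: Dict[str, str]) -> List[str]:
    """Required fields that are absent or empty; 'time' also must parse."""
    missing = [f for f in REQUIRED_FIELDS if not event.get(f)]
    if "time" not in missing:
        try:
            datetime.strptime(event["time"], _TIME_FORMAT)
        except ValueError:
            missing.append("time")
    return missing


def audit_report(text: str) -> Dict[str, object]:
    """Validate every record, then check that each required event kind occurs.

    Records that fail field validation are excluded from the coverage test so
    that an incomplete record cannot satisfy it.
    """
    invalid: List[Tuple[int, List[str]]] = []
    valid: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        event = parse_event(line)
        problems = missing_fields(event)
        if problems:
            invalid.append((lineno, problems))
        else:
            valid.append(event)
    absent = [kind for kind, matches in REQUIRED_EVENT_KINDS.items()
              if not any(matches(e) for e in valid)]
    return {
        "records": len(valid) + len(invalid),
        "invalid_records": invalid,
        "missing_event_kinds": absent,
        "finding": bool(invalid or absent),
    }


if __name__ == "__main__":
    report = audit_report(SAMPLE_LOG)
    print("FINDING" if report["finding"] else "PASS")
    for lineno, problems in report["invalid_records"]:
        print(f"  line {lineno}: missing {problems}")
    for kind in report["missing_event_kinds"]:
        print(f"  no record of kind {kind}")
```

On the constructed log the three failed logons followed by a lockout record show the "denial of access resulting from excessive number of logon attempts" category, while the final record, which names no user, is reported as incomplete and is the reason the sample produces a finding.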

c
Product engineering access to the Hardware Management Console must be disabled.
CM-7 - High - CCI-001762 - V-25388 - SV-31558r1_rule
RMF Control
CM-7
Severity
High
CCI
CCI-001762
Version
HMC0210
Vuln IDs
  • V-25388
Rule IDs
  • SV-31558r1_rule
The Hardware Management Console has a built-in feature that allows Product Engineers access to the console. With access authority, IBM Product Engineering can log on the Hardware Management Console with an exclusive user identification (ID) that provides tasks and operations for problem determination. Product Engineering access is provided by a reserved password and permanent user ID. You cannot view, discard, or change the password and user ID, but you can control their use for accessing the Hardware Management Console. User IDs and passwords that are hard-coded and cannot be modified are a violation of NIST 800-53 and multiple other compliance regulations. Failure to disable this access would allow unauthorized access and could lead to security violations on the HMC. Responsibilities: System Administrator, Systems Programmer.
Checks: C-31830r1_chk

Have the System Administrator or System Programmer validate that IBM Product Engineering access to the Hardware Management Console is disabled. This can be checked under the classic style user interface; the task is found under the Hardware Management Console Settings console action. Open the Customize Product Engineering Access task. The Customize Product Engineering Access window is displayed. Select the appropriate accesses for product engineering or remote product engineering. (Both should be disabled.) Click OK to save the changes and exit the task. If access in Customize Product Engineering Access is not disabled, then this is a finding.

Fix: F-28330r1_fix

The System Administrator or System Programmer will set the Product Engineering Access control for product engineering or remote product engineering to a disabled status. This can be done under the classic style user interface; the task is found under the Hardware Management Console Settings console action. Open the Customize Product Engineering Access task. The Customize Product Engineering Access window is displayed. Select the appropriate accesses for product engineering or remote product engineering. (Both should be disabled.) Click OK to save the changes and exit the task.

c
Connection to the Internet for IBM remote support must be in compliance with the Remote Access STIGs.
AC-17 - High - CCI-002310 - V-25400 - SV-31580r1_rule
RMF Control
AC-17
Severity
High
CCI
CCI-002310
Version
HMC0220
Vuln IDs
  • V-25400
Rule IDs
  • SV-31580r1_rule
Failure to securely connect to remote sites can leave systems open to multiple attacks and security violations through the network. Failure to securely implement remote support connections can lead to unauthorized access or denial of service attacks on the Hardware Management Console. Responsibilities: System Administrator, Network Security Officer. IA Controls: EBRP-1, EBRU-1.
Checks: C-54017r2_chk

Have the Network Security Engineer or System Programmer check that the remote Internet connection for IBM RSF support has met the requirements of the Remote Access STIGs. For controls that are a part of IBM’s closed system that cannot be updated or changed by customers, review provided documentation, such as that found in the HMC Broadband Support manuals or a Letter of Attestation provided by IBM assuring compliance. If the security measures in the Remote Access STIGs are not fully compliant and there is no supporting documentation or Letter of Attestation on file with the IAM/IAO, this is a finding.

Fix: F-56715r2_fix

The Network Security Officer or System Programmer should make any changes required for IBM RSF to meet the requirements stipulated in the Remote Access STIGs. Also, any documentation or Letters of Attestation should be placed on file with the IAM/IAO. The Letter of Attestation must be signed by an authorized representative of IBM. The letter should contain certification that the security measures identified in the Remote Access STIGs are in compliance.

a
A maximum 60-minute delay must be specified for the password retry after 3 failed attempts to enter your password.
AC-7 - Low - CCI-002238 - V-25404 - SV-31588r1_rule
RMF Control
AC-7
Severity
Low
CCI
CCI-002238
Version
HMC0135
Vuln IDs
  • V-25404
Rule IDs
  • SV-31588r1_rule
The vulnerability is that Maximum failed attempts before disable delay is not set to 3. This setting specifies the number of consecutive incorrect password attempts the Hardware Management Console allows, 3, before imposing a 60-minute delay before the password may be retried. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. Note: The Hardware Management Console does not allow a revoke of a user ID. A 60-minute delay time setting is being substituted. Responsibilities: System Administrator, Systems Programmer. IA Controls: ECLO-1, ECLO-2.
Checks: C-31864r1_chk

Have the System Administrator display the Disable delay in minutes. Disable Delay is found in User Profiles by selecting the user, selecting modify user, and then selecting User Properties. If this is less than 60 minutes, then this is a finding. Note: The Hardware Management Console does not have the ability to revoke a user ID, so a 60-minute delay has been imposed instead.

Fix: F-28357r1_fix

The System Administrator will display the User Properties window on the Hardware Management Console for each user and verify that the disable delay is set to 60 or more. Maximum Failed Attempts and Disable Delay are found in User Profiles by selecting the user, selecting modify user, and then selecting User Properties.

c
Connection to the Internet for IBM remote support must be in compliance with mitigations specified in the Ports and Protocols and Services Management (PPSM) requirements.
AC-17 - High - CCI-002310 - V-25405 - SV-31589r1_rule
RMF Control
AC-17
Severity
High
CCI
CCI-002310
Version
HMC0225
Vuln IDs
  • V-25405
Rule IDs
  • SV-31589r1_rule
Failure to securely connect to remote sites can leave systems open to multiple attacks and security violations through the network. Failure to securely implement remote support connections can lead to unauthorized access or denial of service attacks on the Hardware Management Console. Responsibilities: System Administrator, Network Security Officer. IA Controls: EBRP-1, EBRU-1.
Checks: C-31953r1_chk

Have the Network Security Engineer check that the remote Internet connection for IBM RSF support has met the mitigations outlined in the Vulnerability Analysis for port 443/SSL in the PPSM requirements.

Fix: F-28361r1_fix

Have the Network Security Officer validate that the Internet connection meets the specifications in the PPSM requirements.