IBM Hardware Management Console (HMC) STIG Policies

  • Version/Release: V1R2
  • Published: 2015-01-14
  • Released: 2015-01-20
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

Policy and Documentation Vulnerabilities for IBM Hardware Management Console (HMC).
a
Initial Program Load (IPL) Procedures must exists for each partition defined to the system.
PE-1 - Low - CCI-000904 - V-24841 - SV-30530r1_rule
RMF Control
PE-1
Severity
Low
CCI
CCI-000904
Version
HMCP0010
Vuln IDs
  • V-24841
Rule IDs
  • SV-30530r1_rule
If procedures for performing IPLs are not in place, it is extremely difficult to ensure overall operating system integrity.System AdministratorInformation Assurance OfficerInformation Assurance ManagerSystems ProgrammerCOTR-1
Checks: C-30867r1_chk

Have the Systems Administrator validate that IPL Procedures Documentation exists for all partitions that are defined on the system. Using the Hardware Management Console, do the following: 1) Access CPC Images Group displays. (This will list the LPARs.) 2) Compare the partition names listed on the Partition Page to validate that IPL procedures exist for each entered on the Central Processor Complex Domain/LPAR Names. If IPL Procedures do not exist for each partition, this is a FINDING.

Fix: F-27488r1_fix

Create or refine procedures for performing IPLs for the LPARs/partitions defined on the system.

a
Power On Reset (POR) Procedures must be documented for each system.
PE-1 - Low - CCI-000904 - V-24842 - SV-30531r1_rule
RMF Control
PE-1
Severity
Low
CCI
CCI-000904
Version
HMCP0110
Vuln IDs
  • V-24842
Rule IDs
  • SV-30531r1_rule
If procedures for performing PORs are not in place, it is extremely difficult to ensure overall operating system integritySystem AdministratorInformation Assurance OfficerInformation Assurance ManagerSystems ProgrammerCOTR-1
Checks: C-30869r1_chk

Review the POR procedures with the System Administrator. Review documentation for completeness and accuracy. If no documentation exists, this is a FINDING

Fix: F-27489r1_fix

Create or refine procedures for performing PORs.

a
System shutdown procedures documentation must exist for each partition defined to the system.
PE-1 - Low - CCI-000904 - V-24843 - SV-30532r1_rule
RMF Control
PE-1
Severity
Low
CCI
CCI-000904
Version
HMCP0120
Vuln IDs
  • V-24843
Rule IDs
  • SV-30532r1_rule
If procedures for performing system shutdowns are not in place, it is extremely difficult to ensure overall data and operating system integrity.System AdministratorInformation Assurance OfficerInformation Assurance ManagerSystems ProgrammerCOTR-1
Checks: C-30870r1_chk

Have the System Administrator validate that System Shutdown Documentation exists for all partitions that are defined on the system. a) Using the Hardware Management Console, do the following: 1) Access CPC Images Group displays. (This will list the LPARs.) 2) Compare the partition names listed on the Partition Page to validate that System Shutdown procedures exist for each entered on the Central Processor Complex Domain/LPAR Names. If System Shutdown Procedures do not exist for each partition, this is a FINDING.

Fix: F-27490r1_fix

Create or refine procedures for performing system shutdowns for each partition.

b
Backup of critical data for the HMC and its components must be documented and tracked
CP-9 - Medium - CCI-000537 - V-24844 - SV-30533r1_rule
RMF Control
CP-9
Severity
Medium
CCI
CCI-000537
Version
HMCP0130
Vuln IDs
  • V-24844
Rule IDs
  • SV-30533r1_rule
If procedures for performing backup and recovery of critical data for the HMC is not in place, system recoverability may be jeopardized and overall security compromised.System AdministratorInformation Assurance OfficerInformation Assurance ManagerSystems ProgrammerCOTR-1
Checks: C-30871r1_chk

Review the documentation for backup of critical data for a HMC with the System Administrator. Review documentation for completeness and accuracy. If no documentation exists, this is a FINDING.

Fix: F-27491r1_fix

Verify that procedures for backup of the critical data for the HMCs are properly documented. If not, create Backup Procedures documentation. CPC data should be backed-up when configuration or CPC- licensed internal code changes have been made or as a routine preventive maintenance procedure.