Free DISA STIG and SRG Library | Vaulted

IBM Hardware Management Console (HMC) STIG

Version 1 Release 5
2015-01-20
U_IBM_Hardware_Management_Console_V1R5_Manual-xccdf.xml
IBM Hardware Management Console is used to perform Initial Program Loads (IPLs), power on resets, shutdowns, and configuring of hardware components for system logical partitions.

Vulnerabilities (35)

The Enterprise System Connection (ESCON) Director (ESCD) Application Console must be located in a secure location

Finding ID
HLESC010
Rule ID
SV-29986r2_rule
Severity
Cat I
CCE
(None)
Group Title
HLESC010
CCI
CCI-002101
Target Key
(None)
Documentable
No
Discussion

The ESCD Application Console is used to add, change, and delete port configurations and dynamically switch paths between devices. If the ESCON Director Application Console is not located in a secured location, unauthorized personnel can bypass security, access the system, and alter the environment. This could impact the integrity and confidentiality of operations. NOTE: Many newer installations no longer support the ESCD Application Console. For installations not supporting the ESCD Application Console, this check is not applicable.

Fix Text

Move the ESCD Application Console to a secure location and implement access control procedures to ensure access by authorized personnel only. An ESCD Application Console is used to provide data center personnel with an interface for displaying and changing an ESCD's connectivity attributes. It is also used to install, initialize, and service an ESCON Director. Note: ESCDs are slowly being phased out and are being replaced with FICON Directors.

Check Content

If the ESCD Application Console is present, verify its location; otherwise this check is not applicable. If the ESCON Director Application Console is not located in a secure location, this is a finding.

Responsibility

System Administrator

IA Controls

PECF-1, PECF-2, PEPF-1, PEPF-2

Sign-on to the ESCD Application Console must be restricted to only authorized personnel.

Finding ID
HLESC020
Rule ID
SV-29994r2_rule
Severity
Cat II
CCE
(None)
Group Title
HLESC020
CCI
CCI-002235
Target Key
(None)
Documentable
No
Discussion

The ESCD Application Console is used to add, change, and delete port configurations and to dynamically switch paths between devices. Access to the ESCD Application Console is restricted to three classes of personnel: Administrators, service representatives and operators. The administrator sign-on controls passwords at all levels, the service representative sign-on allows access to maintenance procedures, and the operator sign-on allows for configuration changes and use of the Director utilities. Unrestricted use by unauthorized personnel could impact the integrity of the environment. This would result in a loss of secure operations and impact data operating environment integrity. NOTE: Many newer installations no longer support the ESCD Application Console. For installations not supporting the ESCD Application Console, this check is not applicable.

Fix Text

Review access authorization to the ESCD Application Console and ensure that all personnel are restricted to authorized levels of access. The ESCD Application Console and its associated ESCON Director can be secured using passwords. Three levels of password control have been established, and each password level controls different ESCD Application Console functions. Prior to making any changes or accessing utilities or maintenance procedures, a user is required to enter a password. A password administrator must use the ESCD Application Console to enable an authorized user's access. The three levels of password authority are:

Administration (Level 1): Restrict to systems programming personnel who serve as administrators. A Level 1 password allows the user to display, add, change, and delete passwords of all of the ESCON Director Level 1, Level 2, and Level 3 users. It does not allow the administrator to access maintenance procedures or utilities or to change connectivity attributes.

Maintenance (Level 2): Restrict to service representatives who perform maintenance procedures. Level 2 users cannot view other users' passwords, change passwords, change connectivity attributes, or access utilities.

Operations (Level 3): Restrict to system administrators responsible for changing connectivity attributes and accessing certain utilities. Level 3 users cannot view other users' passwords, change passwords, or perform maintenance procedures.

Check Content

If the ESCD Application Console is present, have the ESCON System Administrator verify that sign-on access to the ESCD Application Console is restricted to authorized personnel by attempting to sign on without a valid userid and password; otherwise this check is not applicable. If the ESCD Application Console sign-on access is not restricted, this is a finding.

Responsibility

System Administrator

IA Controls

ECLP-1

The ESCON Director Application Console Event log must be enabled.

Finding ID
HLESC030
Rule ID
SV-29995r2_rule
Severity
Cat I
CCE
(None)
Group Title
HLESC030
CCI
CCI-000169
Target Key
(None)
Documentable
No
Discussion

The ESCON Director Console Event Log is used to record all ESCON Director Changes. Failure to create an ESCON Director Application Console Event log results in the lack of monitoring and accountability of configuration changes. In addition, its use in the execution of a contingency plan could be compromised and security degraded. NOTE: Many newer installations no longer support the ESCON Director Console. For installations not supporting the ESCON Director Console, this check is not applicable.

Fix Text

Ensure that an ESCON Director Application Console log is created and in use every time the system is switched on. The ESCON Director maintains an audit trail at the ESCD console’s fixed disk. This audit trail logs the time, date, and password identification when changes have been made to the ESCON Director.

Check Content

If the ESCON Director Console is present, verify on the ESCON Director Application Console that the Event log is in use, otherwise this check is not applicable. If no Event log exists, this is a finding.

Responsibility

System Administrator

IA Controls

ECAT-1, ECAT-2

The Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel.

Finding ID
HLESC080
Rule ID
SV-29998r2_rule
Severity
Cat II
CCE
(None)
Group Title
HLESC080
CCI
CCI-002235
Target Key
(None)
Documentable
No
Discussion

The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could result in varying of ESCON Directors online or offline and applying configuration changes. Unrestricted use by unauthorized personnel could lead to bypass of security, unlimited access to the system, and an altering of the environment. This would result in a loss of secure operations and will impact data operating integrity of the environment. NOTE: Many newer installations no longer support the ESCON Director Application. For installations not supporting the ESCON Director Application, this check is not applicable.

Fix Text

Review access authorization to DCAF Consoles. Ensure that all personnel are restricted to authorized levels of access. Remote access to the LAN may be provided through DCAF via a LAN or modem connection. DCAF passwords should be implemented to prevent unauthorized access.

Check Content

If the ESCON Director Application is present, verify that sign-on access to the DCAF Console is restricted to authorized personnel, otherwise, this check is not applicable. If sign-on access to the DCAF Console is not restricted, this is a finding.

Responsibility

Information Assurance Officer

IA Controls

ECLP-1

The Hardware Management Console must be located in a secure location.

Finding ID
HMC0010
Rule ID
SV-29999r1_rule
Severity
Cat I
CCE
(None)
Group Title
HMC0010
CCI
CCI-002916
Target Key
(None)
Documentable
No
Discussion

The Hardware Management Console is used to perform Initial Program Loads (IPLs) and control the Processor Resource/System Manager (PR/SM). If the Hardware Management Console is not located in a secure location, unauthorized personnel can bypass security, access the system, and alter the environment. This can lead to loss of secure operations if not corrected immediately.

Fix Text

Move the Hardware Management Console to a secure location and implement access controls for authorized personnel.

Check Content

Verify the location of the Hardware Management Console. It should be located in a controlled area, and access to it should be restricted. If the Hardware Management Console is not located in a secure location, this is a FINDING.

Responsibility

Information Assurance Officer

IA Controls

PECF-1, PECF-2, PEPF-1, PEPF-2

Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be restricted to an authorized vendor site.

Finding ID
HMC0030
Rule ID
SV-30007r2_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0030
CCI
CCI-002883
Target Key
(None)
Documentable
No
Discussion

Dial-out access from the Hardware Management Console could impact the integrity of the environment by enabling the possible introduction of spyware or other malicious code. It must be properly configured to connect only to an authorized vendor site. Note: This feature will be activated for Non-Classified Systems only. Also, many newer processors (e.g., zEC12/zBC12 processors) will not have modems. If there is no modem, this check is not applicable.

Fix Text

When this feature is turned on for non-classified systems, the site must verify that the remote site information is valid. The RSF, also commonly referred to as call home, is one of the key components that contributes to zero downtime on System z hardware. The Hardware Management Console RSF provides communication to an IBM support network, known as RETAIN, for hardware problem reporting and service. When a Hardware Management Console enables RSF, it becomes a call home server. The types of communication provided are:

- Problem reporting and repair data.
- Fix delivery to the service processor and Hardware Management Console.
- Hardware inventory data.
- System updates that are required to activate Capacity on Demand changes.

The following call home security characteristics are in effect regardless of the connectivity method chosen: RSF requests are always initiated from the Hardware Management Console to IBM; an inbound connection is never initiated from the IBM Service Support System. All data transferred between the Hardware Management Console and the IBM Service Support System is encrypted with high-grade Secure Sockets Layer (SSL) encryption. When initializing the SSL-encrypted connection, the Hardware Management Console validates the trusted host by the digital signature issued for the IBM Service Support System. Data sent to the IBM Service Support System consists solely of hardware problem and configuration data; no application or customer data is transmitted to IBM.

Check Content

Whenever dial-out hardware is present, have the System Administrator or Systems Programmer validate whether dial-out access from the Hardware Management Console is enabled for any non-classified system. Note: This is accomplished by going to the Hardware Management Console and selecting Customize Remote Services, then verifying whether Enable Remote Services is active. If automatic dial-out access from the Hardware Management Console is enabled, have the System Administrator or Systems Programmer validate that the remote phone number and remote service parameter values are valid authorized vendors in the Remote Service panel of the Hardware Management Console. If all of the above values are not correct, this is a finding.

Responsibility

System Administrator

IA Controls

EBRP-1, EBRU-1

Access to the Hardware Management Console must be restricted to only authorized personnel.

Finding ID
HMC0040
Rule ID
SV-30008r1_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0040
CCI
CCI-002235
Target Key
(None)
Documentable
No
Discussion

Access to the Hardware Management Console, if not properly restricted to authorized personnel, could lead to a bypass of security, access to the system, and an altering of the environment. This would result in a loss of secure operations and can impact the integrity of the data operating environment.

Fix Text

The System Administrator will ensure that sign-on access to the Hardware Management Console is restricted to authorized personnel and that a DD2875 is on file for each user ID. Note: Sites must have a list of valid HMC users, indicating their USER IDs, date of DD2875, and roles and responsibilities. The System Administrator must ensure that the list and the users defined to the Hardware Management Console match.

Check Content

Verify that sign-on access to the Hardware Management Console is restricted to authorized personnel and that a DD2875 is on file for each user ID. Note: Sites must have a list of valid HMC users, indicating their USER IDs, date of DD2875, and roles and responsibilities. To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Managed Resource Roles. If any user displayed by the System Administrator does not have a DD2875, then this is a FINDING.

Responsibility

System Administrator

IA Controls

ECLP-1, PECF-1, PECF-2, PRMP-1, PRMP-2

Automatic Call Answering to the Hardware Management Console must be disabled.

Finding ID
HMC0050
Rule ID
SV-30013r2_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0050
CCI
CCI-002235
Target Key
(None)
Documentable
No
Discussion

Automatic Call Answering to the Hardware Management Console allows unrestricted access by unauthorized personnel and could lead to a bypass of security, access to the system, and an altering of the environment. This would result in a loss of secure operations and impact the integrity of the operating environment, files, and programs. Note: Dial-in access to the Hardware Management Console is prohibited. Also, many newer processors (e.g., zEC12/zBC12 processors) will not have modems. If there is no modem, this check is not applicable.

Fix Text

The System Administrator must set the dial-in facility to off by ensuring that both the Enable Remote Operations parameter and the Automatic Call Answering parameter are turned off. Enable Remote Operations is found under Customize Remote Services, and Automatic Call Answering is found under Customize Auto Answer Settings.

Check Content

Have the System Administrator verify whether either the Enable Remote Operations parameter or the Automatic Call Answering parameter is active on the Enable Hardware Management Console Services panel. Enable Remote Operations is found under Customize Remote Services, and Automatic Call Answering is found under Customize Auto Answer Settings. If either of the above options is active, then this is a FINDING.

Responsibility

System Administrator

IA Controls

EBRP-1, EBRU-1

The Hardware Management Console Event log must be active.

Finding ID
HMC0070
Rule ID
SV-30015r1_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0070
CCI
CCI-000169
Target Key
(None)
Documentable
No
Discussion

The Hardware Management Console controls the operation and availability of the Central Processor Complex (CPC). Failure to create and maintain the Hardware Management Console Event log could result in the lack of monitoring and accountability of CPC control activity.

Fix Text

The System Administrator will activate the Hardware Management Console Event log and ensure that all tracking parameters are set. This is done by selecting the View Console Events panel under Console Actions. From this panel you can display:

• Console Information: EC changes.
• Console Service History: displays HMC problems.
• Console Tasks: displays the last 2000 tasks performed on the console.
• View Licenses.
• View LIC (Licensed Internal Code).
• View Security Logs: tracks changes to an object's operational state, status, or settings, and user access to tasks, actions, and objects.

Check Content

Verify on the Hardware Management Console that the Event log is in use. This is done by selecting the View Console Events panel under Console Actions. From this panel you can display:

• Console Information: EC changes.
• Console Service History: displays HMC problems.
• Console Tasks: displays the last 2000 tasks performed on the console.
• View Licenses.
• View LIC (Licensed Internal Code).
• View Security Logs: tracks changes to an object's operational state, status, or settings, and user access to tasks, actions, and objects.

If no Event log exists, this is a FINDING. If the Event log exists and is not collecting data, this is a FINDING.

Responsibility

System Administrator

IA Controls

ECAT-1, ECAT-2

The manufacturer’s default passwords must be changed for all Hardware Management Console (HMC) Management software.

Finding ID
HMC0080
Rule ID
SV-30021r1_rule
Severity
Cat I
CCE
(None)
Group Title
HMC0080
CCI
CCI-001989
Target Key
(None)
Documentable
No
Discussion

Changing passwords from the HMC default values blocks malicious users with knowledge of these default passwords from creating a denial of service or from reconfiguring the HMC topology, which could lead to a compromise of sensitive data. The System Administrator will ensure that the manufacturer's default passwords are changed for all HMC management software.

Fix Text

The System Administrator must log on to the HMC and validate that all default passwords have been changed. The default user IDs and their default passwords are:

• User ID OPERATOR, default password PASSWORD
• User ID ADVANCED, default password PASSWORD
• User ID SYSPROG, default password PASSWORD
• User ID ACSADMIN, default password PASSWORD

Default user IDs and passwords are established as part of a base HMC. The System Administrator must assign new user IDs and passwords for each user and remove the default user IDs as soon as the HMC is installed, using the User Profiles task or the Manage Users Wizard. Go to the Modify User task, select the user, select Modify, and enter and confirm the new password.

Check Content

Have the System Administrator log on to the HMC and validate that all default passwords have been changed. Go to the Modify User task, select the user, select Modify, and enter and confirm the new password. The default user IDs and their default passwords are:

• User ID OPERATOR, default password PASSWORD
• User ID ADVANCED, default password PASSWORD
• User ID SYSPROG, default password PASSWORD
• User ID ACSADMIN, default password PASSWORD

The System Administrator is to validate that each user has his/her own user ID and password and that sharing of user IDs and passwords is not permitted. Default user IDs and passwords are established as part of a base HMC. The System Administrator must assign new user IDs and passwords for each user and remove the default user IDs as soon as the HMC is installed, using the User Profiles task or the Manage Users Wizard. If all the default passwords have not been changed, and each user is not assigned a separate user ID and password, then this is a FINDING.

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

Predefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users.

Finding ID
HMC0090
Rule ID
SV-30022r1_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0090
CCI
CCI-000213
Target Key
(None)
Documentable
No
Discussion

If individual task roles with access to specific resources are not created and restricted, users will have unrestricted access to system functions. Tasks are functions that a user can perform, and the managed resource role defines where those tasks may be carried out. The Access Administrator assigns a user ID and user roles to each user of the Hardware Management Console. The following is an example of some predefined user IDs and their roles:

• OPERATOR: OPERATOR
• ADVANCED: ADVANCED OPERATOR
• ACSADMIN: ACCESS ADMINISTRATOR
• SYSPROG: SYSTEM PROGRAMMER
• SERVICE: SERVICE REPRESENTATIVE

Failure to establish this environment may lead to uncontrolled access to system resources.

Fix Text

The System Administrator must set up a list of users. Note: Sites must have a list of valid HMC users, indicating their USER IDs, date of DD2875, and roles and responsibilities, and these must match the users defined to the HMC. To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Managed Resource Roles.

Check Content

Have the System Administrator display the user profiles and demonstrate that valid users are defined to valid roles and that authorities are restricted according to the site list of users. Note: Sites must have a list of valid HMC users, indicating their USER IDs, date of DD2875, and roles and responsibilities. To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Managed Resource Roles. If the different roles are not properly displayed or are not properly restricted, then this is a FINDING.

Responsibility

System Administrator

IA Controls

ECLP-1

Individual user accounts with passwords must be maintained for the Hardware Management Console operating system and application.

Finding ID
HMC0100
Rule ID
SV-30023r1_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0100
CCI
CCI-000760
Target Key
(None)
Documentable
No
Discussion

Without identification and authentication, unauthorized users could reconfigure the Hardware Management Console or disrupt its operation by logging in to the system or application and executing unauthorized commands. The System Administrator will ensure that individual user accounts with passwords are set up and maintained for the Hardware Management Console.

Fix Text

Have the System Administrator verify that all users of the Hardware Management Console are individually defined with USER IDs and passwords and that their roles and responsibilities are documented. Verify that a DD2875 exists for each USER ID.

Check Content

Have the System Administrator demonstrate that an individual USER ID is specified for each user and that a DD2875 is on file for each user. If USER IDs are shared among multiple users and corresponding DD2875 forms do not exist for each user, then this is a FINDING.

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

The PASSWORD History Count value must be set to 10 or greater.

Finding ID
HMC0110
Rule ID
SV-30024r1_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0110
CCI
CCI-000200
Target Key
(None)
Documentable
No
Discussion

History Count specifies the number of previous passwords saved for each USERID; an intended new password is compared against them. If it matches one of the previous passwords, or the current password, the intended new password is rejected. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.

Fix Text

Have the System Administrator go into the Password Profile and set the History Count to 10 or greater.

Check Content

Have the System Administrator display the Password Profile Task window on the Hardware Management Console and validate that the History Count is set to 10 or greater. If the History Count is less than 10, then this is a FINDING.

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

The PASSWORD expiration day(s) value must be set to 60 days or less.

Finding ID
HMC0120
Rule ID
SV-30026r1_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0120
CCI
CCI-000199
Target Key
(None)
Documentable
No
Discussion

Expiration Day(s) specifies the maximum number of days that each user's password is valid. When a user logs on to the Hardware Management Console, it compares the system password interval value with the value specified in the user profile and uses the lower of the two to determine whether the user's password has expired. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment.

Fix Text

Have the System Administrator go into the Password Profile and set the Expiration day(s) to 60 days or less.

Check Content

Have the System Administrator display the Password Profile Task window on the Hardware Management Console and validate that the Expiration day(s) is set to 60 days or less. If the Expiration day(s) is set to 60 days or less, this is not a FINDING. If the Expiration day(s) is greater than 60 days, then this is a FINDING.

Responsibility

System Administrator

IA Controls

IAIA-1, IAIA-2

Maximum failed password attempts before disable delay must be set to 3 or less.

Finding ID
HMC0130
Rule ID
SV-30027r1_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0130
CCI
CCI-000044
Target Key
(None)
Documentable
No
Discussion

Maximum failed attempts before disable delay specifies the number of consecutive incorrect password attempts the Hardware Management Console allows, set to 3, before it imposes a 60-minute delay on further password attempts. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. Note: The Hardware Management Console does not allow a userID to be revoked, so a 60-minute delay time setting is substituted.

Fix Text

The System Administrator will display the User Properties window on the Hardware Management Console for each user, verify that the maximum failed attempts before disable delay is set to 3 or less, and update it if this is not true. Maximum Failed Attempts and Disable Delay are found in User Profiles by selecting the user, selecting Modify User, and then selecting User Properties.

Check Content

Have the System Administrator display the maximum failed attempts before disable delay on the User Properties table of the Hardware Management Console. Maximum Failed Attempts and Disable Delay are found in User Profiles by selecting the user, selecting Modify User, and then selecting User Properties. If Maximum failed attempts before disable delay is set to greater than 3, then this is a FINDING.

Responsibility

System Administrator

IA Controls

ECLO-1, ECLO-2

The password values must be set to meet the requirements in accordance with DoDI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (INFORMATION ASSURANCE (IA) AND COMPUTER NETWORK DEFENSE (CND)).

Finding ID
HMC0140
Rule ID
SV-30028r1_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0140
CCI
CCI-001619
Target Key
(None)
Documentable
No
Discussion

In accordance with DoDI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (INFORMATION ASSURANCE (IA) AND COMPUTER NETWORK DEFENSE (CND)), the following password requirements are mandatory and apply equally to both classified and unclassified systems:

(1) Passwords are to be fourteen (14) characters.
(2) Passwords are to be a mix of upper and lower-case alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard.

The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the Hardware Management Console control options introduces the possibility of exposure during the migration process or contingency plan activation.

Fix Text

Have the System Administrator validate that the settings in the Password Profiles window meet the following specifications:

• Passwords are a minimum of fourteen (14) characters in length.
• Passwords are a mix of upper and lower-case alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard.
• Each character of the password is unique, prohibiting the use of repeating characters.
• Passwords contain no consecutive characters (e.g., 12, AB, etc.).

Check Content

Have the System Administrator display the Password Profile Task window on the Hardware Management Console and check that:

• Passwords are a minimum of fourteen (14) characters in length.
• Passwords are a mix of upper- and lower-case alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard.
• Each character of the password is unique, prohibiting the use of repeating characters.
• Passwords contain no consecutive characters (e.g., 12, AB, etc.).

If the Password Profile does not have the specifications for the above options, then this is a FINDING.

Responsibility

System Administrator

IA Controls

DCCS-1, DCCS-2, IAIA-1, IAIA-2

The terminal or workstation must lock out after a maximum of 15 minutes of inactivity, requiring the account password to resume.

Finding ID
HMC0150
Rule ID
SV-30029r1_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0150
CCI
CCI-000057
Target Key
(None)
Documentable
No
Discussion

If the system, workstation, or terminal does not lock the session after more than 15 minutes of inactivity, requiring a password to resume operations, the system or individual data could be compromised by an alert intruder who could exploit the oversight.

Fix Text

The System Administrator will display the User Properties window and ensure that the Verify timeout minutes are set to a maximum of 15.

Check Content

Have the System Administrator display the User Properties window on the Hardware Management Console and check that the Verify timeout minutes are set to a maximum of 15. If the Verify timeout minutes are set to more than 15, then this is a FINDING.

Responsibility

System Administrator

IA Controls

PESL-1

The Department of Defense (DoD) logon banner must be displayed prior to any login attempt.

Finding ID
HMC0160
Rule ID
SV-30030r1_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0160
CCI
CCI-000048
Target Key
(None)
Documentable
No
Discussion

Failure to display the required DoD logon banner prior to a login attempt may void legal proceedings resulting from unauthorized access to system resources and may leave the SA, IAO, IAM, and Installation Commander open to legal proceedings for not advising users that keystrokes are being audited.

Fix Text

The System Administrator will update the logon banner, using the Create Welcome Text task, to read as follows:

STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Check Content

Have the reviewer verify that the logon banner on the Create Welcome Text window reads as follows: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. If any item above is untrue, this is a FINDING.

Responsibility

System Administrator

IA Controls

ECWM-1

A private web server must subscribe to certificates, issued from any DoD-authorized Certificate Authority, as an access control mechanism for web users.

Finding ID
HMC0170
Rule ID
SV-30031r2_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0170
CCI
CCI-001749
Target Key
(None)
Documentable
No
Discussion

If the Hardware Management Console (HMC) is network-connected, use SSL encryption with digital certificates to provide message privacy, message integrity, and mutual authentication between clients and servers. To maintain data integrity, the IBM certificate distributed with the HMCs is to be replaced by a DoD-authorized certificate. Note: This check applies only to network-connected HMCs.

Fix Text

The System Administrator must order a DoD PKI certificate to replace the IBM certificate and then use the Hardware Management Console Certificate Management Task to install it. Note: This only applies to networked HMCs.

Check Content

The System Reviewer will have the System Administrator use the Hardware Management Console Certificate Management Task to validate that the private key and certificate shipped with any network-connected HMC from IBM was replaced with an approved DoD-authorized certificate. Note: This check applies only to network-connected HMCs. Note: DoD certificates should display the following information: 'OU=PKI.OU=DoD.O=U.S. Government.C=US'. If the private web server does not subscribe to certificates issued from any DoD-authorized Certificate Authority as an access control mechanism for web users, then this is a FINDING.
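The subject-name check above can be scripted against the certificate the HMC's web interface actually presents. The following is an added example and is not part of the STIG or of IBM's HMC software. It assumes a host name (`hmc01.example.mil`), a DoD CA bundle file path (`dod_ca_bundle`, a placeholder) and constructed sample certificates in the dictionary shape that Python's `ssl` module returns from `getpeercert()`; the vendor-default sample is a stand-in, since the page does not give the real subject of the IBM-shipped certificate. The live check validates the chain against the DoD bundle first, so a vendor-shipped certificate fails the handshake and is reported as a finding before the subject is even inspected.

```python
"""Check an HMC web certificate for the DoD PKI subject naming the STIG expects.
Added example; not the STIG's or IBM's code."""
import socket
import ssl

# Subject components the STIG check expects on a DoD-issued certificate:
# OU=PKI, OU=DoD, O=U.S. Government, C=US (as listed in the Check Content).
EXPECTED_SUBJECT_PARTS = {
    ("organizationalUnitName", "PKI"),
    ("organizationalUnitName", "DoD"),
    ("organizationName", "U.S. Government"),
    ("countryName", "US"),
}


def flatten_name(name):
    """Flatten the nested RDN tuples of ssl's getpeercert() 'subject' field
    (a tuple of RDNs, each a tuple of (attribute, value) pairs) into a set."""
    return {pair for rdn in name for pair in rdn}


def missing_dod_parts(cert):
    """Return the expected DoD subject components absent from cert['subject'],
    sorted so the result is stable for reporting."""
    present = flatten_name(cert.get("subject", ()))
    return sorted(EXPECTED_SUBJECT_PARTS - present)


def is_dod_issued(cert):
    """True when every expected DoD subject component is present."""
    return not missing_dod_parts(cert)


def check_hmc(host, dod_ca_bundle, port=443, timeout=5.0):
    """Live check (assumed host and bundle path; not exercised offline).
    Validates the chain against the DoD CA bundle, then inspects the subject.
    Returns (compliant, reason)."""
    ctx = ssl.create_default_context(cafile=dod_ca_bundle)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # A vendor-shipped certificate will not chain to the DoD bundle.
        return False, f"chain does not validate against DoD bundle: {exc}"
    missing = missing_dod_parts(cert)
    if missing:
        return False, f"subject lacks {missing}"
    return True, "DoD-issued certificate installed"


# Constructed samples in getpeercert() shape (not real certificates).
SAMPLE_DOD_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "U.S. Government"),),
        (("organizationalUnitName", "DoD"),),
        (("organizationalUnitName", "PKI"),),
        (("commonName", "hmc01.example.mil"),),  # placeholder host name
    ),
}
SAMPLE_VENDOR_CERT = {
    # Stand-in for a vendor default; the page does not give its real subject.
    "subject": (
        (("organizationName", "Vendor Default"),),
        (("commonName", "hmc"),),
    ),
}

if __name__ == "__main__":
    for label, cert in (("DoD sample", SAMPLE_DOD_CERT), ("vendor sample", SAMPLE_VENDOR_CERT)):
        print(label, "->", "compliant" if is_dod_issued(cert) else f"finding, missing {missing_dod_parts(cert)}")
```

For a review, `check_hmc("hmc01.example.mil", "/path/to/dod-ca-bundle.pem")` (placeholder values) gives a single pass/fail with the reason; the offline helpers let the same logic be run over certificates exported through the Certificate Management Task.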

Responsibility

System Administrator

IA Controls

IATS-1, IATS-2

Hardware Management Console audit record content data must be backed up.

Finding ID
HMC0180
Rule ID
SV-30032r3_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0180
CCI
CCI-001348
Target Key
(None)
Documentable
No
Discussion

The Hardware Management Console has the ability to back up and display the following data: 1) Critical console data, 2) Critical hard disk information, 3) Backup of critical CPC data, and 4) Security Logs. Failure to back up and archive the listed data could make auditing of system incidents and history unavailable and could impact recovery for failed components.

Fix Text

The System Administrator will see that a log exists to verify that backups are being performed. This log will record the date and reason for each backup. The Backup Security Logs task archives a security log for the console. The Backup Critical Console Data task backs up the data that is stored on your Hardware Management Console hard disk and is critical to support Hardware Management Console operations. You should back up the Hardware Management Console data after changes have been made to the Hardware Management Console or to the information associated with the processor cluster. Information associated with processor cluster changes is usually information that you are able to modify or add on the Hardware Management Console hard disk. Association of an activation profile to an object, the definition of a group, hardware configuration data, and receiving internal code changes are examples of modifying and adding information, respectively. Use this task after customizing your processor cluster in any way. A backup copy of hard disk information may be restored to your Hardware Management Console following the repair or replacement of the fixed disk.

Check Content

Have the System Administrator produce a log by date validating that backups are being performed for Security logs and Critical console data on a routine scheduled basis (e.g., daily, weekly, monthly, quarterly, annually) and copies are rotated to off site storage. Compare the list of backups made to a physical inventory of storage media to verify that HMC backups are being retained as expected. If backups are either not being made, or there are obvious gaps in storage and retention of the backups, this is a finding.

Responsibility

System Administrator

IA Controls

COSW-1, ECTB-1

Hardware Management Console management must be accomplished by using the out-of-band or direct connection method.

Finding ID
HMC0200
Rule ID
SV-30043r1_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0200
CCI
CCI-001453
Target Key
(None)
Documentable
No
Discussion

Removing the management traffic from the production network reduces the exposure of the Hardware Management Console servers by allowing all the management ports to be closed on the production network. The System Administrator will ensure that Hardware Management Console management is accomplished using the out-of-band or direct connection method.

Fix Text

The System Administrator will work with the NSO to see that Hardware Management Console management is set up with encryption on an out-of-band network.

Check Content

The System Administrator will validate that the Hardware Management Console management connection will use TCP/IP with encryption on an out-of-band network. If the Hardware Management Console management connection does not use TCP/IP with encryption on an out-of-band network then this is a FINDING.

Responsibility

System Administrator

IA Controls

DCBP-1

Unauthorized partitions must not exist on the system complex.

Finding ID
HLP0010
Rule ID
SV-30052r1_rule
Severity
Cat II
CCE
(None)
Group Title
HLP0010
CCI
CCI-002101
Target Key
(None)
Documentable
No
Discussion

The running of unauthorized Logical Partitions (LPARs) could allow a “Trojan horse” version of the operating environment to be introduced into the system complex. This could impact the integrity of the system complex and the confidentiality of the data that resides in it.

Fix Text

Review the LPARs on the system and remove any unauthorized LPARs. If a deviation exists, the system administrator will provide written justification for the deviation. This will be displayed by using the Change LPAR Control Panel.

Check Content

Using the Hardware Management Console, do the following: Access the Change LPAR Control Panel. (This will list the LPARs.) Compare the partition names listed on the Partition Page to the names entered on the Central Processor Complex Domain/LPAR Names table. Note: Each site should maintain a list of the valid LPARs configured on their system, the operating system of each, and the purpose of each LPAR. If unauthorized partitions exist on the system complex and the deviation is not documented, this is a FINDING.

Responsibility

System Administrator

IA Controls

ECSC-1

On Classified Systems, Logical Partition must be restricted with read/write access to only its own IOCDS.

Finding ID
HLP0020
Rule ID
SV-30053r1_rule
Severity
Cat II
CCE
(None)
Group Title
HLP0020
CCI
CCI-000213
Target Key
(None)
Documentable
No
Discussion

Unrestricted control over the IOCDS files could result in unauthorized updates and impact the configuration of the environment by allowing unauthorized access to a restricted resource. This could severely damage the integrity of the environment and the system resources.

Fix Text

Review the Security Definition parameters specified under Processor Resource/Systems Manager (PR/SM). Verify and implement the correct settings.

Check Content

Using the Hardware Management Console, verify that a logical partition cannot read or write to any IOCDS other than its own. Use the Security Definitions page to do this, checking whether the Input/Output (I/O) Configuration Control option has been turned on. NOTE: The default is applicable to only classified systems. Confirm whether or not the I/O Configuration Control option is checked. If the Logical Partition is not restricted with read/write access to only its own IOCDS, this is a FINDING.

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2

Processor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands.

Finding ID
HLP0030
Rule ID
SV-30055r1_rule
Severity
Cat II
CCE
(None)
Group Title
HLP0030
CCI
CCI-000226
Target Key
(None)
Documentable
No
Discussion

Unrestricted control over the issuing of system commands by a Logical Partition could result in unauthorized data access and inadvertent updates. This could result in severe damage to system resources.

Fix Text

Review the Security Definition parameters specified under PR/SM, and turn off the Cross Partition Control option.

Check Content

Using the Hardware Management Console, verify that the Logical Partitions cannot issue control program commands to another Logical Partition. Use the PR/SM panel, known as the Security Definitions Page, to do this. The Cross Partition Control option must be turned off. NOTE: The default is that the Cross Partition Control option is turned off. If Processor Resource/Systems Manager (PR/SM) allows unrestricted issuing of control program commands, then this is a FINDING.

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2

Classified Logical Partition (LPAR) channel paths must be restricted.

Finding ID
HLP0040
Rule ID
SV-30056r1_rule
Severity
Cat I
CCE
(None)
Group Title
HLP0040
CCI
CCI-000213
Target Key
(None)
Documentable
No
Discussion

Restricted LPAR channel paths are necessary to ensure data integrity. Unrestricted LPAR channel path access could result in a compromise of data integrity. When a classified LPAR exists on a mainframe which requires total isolation, all paths to that LPAR must be restricted.

Fix Text

Have the System Administrator or Systems Programmer for classified systems use the Hardware Management Console to verify that the LPAR channel paths are reserved from the rest of the LPARs. Use the Security Definitions Panel to verify this. The Logical Partition Isolation option must be turned on for classified systems.

Check Content

Have the System Administrator or Systems Programmer on classified systems use the Hardware Management Console to verify that the LPAR channel paths are reserved from the rest of the LPARs. Use the Security Definitions Panel to verify this. The Logical Partition Isolation option must be turned on. If the Classified LPAR channel paths are not restricted then this is a FINDING.

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2

On Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data.

Finding ID
HLP0050
Rule ID
SV-30057r1_rule
Severity
Cat II
CCE
(None)
Group Title
HLP0050
CCI
CCI-000213
Target Key
(None)
Documentable
No
Discussion

Allowing unrestricted access to all Logical Partition data could result in the possibility of unauthorized access and updating of data. This could also impact the integrity of the processing environment.

Fix Text

Have the Systems Administrator or Systems Programmer use the Hardware Management Console to verify that the classified Logical Partition system data cannot be viewed by other Logical Partitions. Use the Security Definitions Panel to do this. The Global Performance Data Control option must be turned off.

Check Content

Have the Systems Administrator or Systems Programmer use the Hardware Management Console to verify that the classified Logical Partition system data cannot be viewed by other Logical Partitions. Use the Security Definitions Panel to do this. The Global Performance Data Control option must be turned off. NOTE: The default is that the Global Performance Data Control option is turned off. If PR/SM allows access to system complex data, then this is a FINDING.

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2

Central processors must be restricted for classified/restricted Logical Partitions (LPARs).

Finding ID
HLP0060
Rule ID
SV-30058r1_rule
Severity
Cat I
CCE
(None)
Group Title
HLP0060
CCI
CCI-000213
Target Key
(None)
Documentable
No
Discussion

Allowing unrestricted access to classified processors for all LPARs could cause the corruption and loss of classified data sets, which could compromise classified processing.

Fix Text

Review the Processor Page under PR/SM and turn on the Dedicated Central Processor option for classified or restricted LPARs. For unclassified LPARs, this option should not be turned on, unless determined by the site.

Check Content

Have the system administrator or systems programmer use the Hardware Management Console to verify that the LPAR processors are dedicated for exclusive use by classified LPARs. Use the Processor Page to do this. The Dedicated Central Processors option must be turned on. If central processors are not restricted for classified/restricted LPARs, this is a FINDING.

Responsibility

System Administrator

IA Controls

ECCD-1, ECCD-2

Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be disabled for all classified systems.

Finding ID
HMC0035
Rule ID
SV-30081r1_rule
Severity
Cat I
CCE
(None)
Group Title
HMC0035
CCI
CCI-001762
Target Key
(None)
Documentable
No
Discussion

This feature will not be activated for any classified systems. Allowing dial-out access from the Hardware Management Console could impact the integrity of the environment by enabling the possible introduction of spyware or other malicious code.

Fix Text

Have the Systems Administrator or Systems Programmer validate that dial-out access from the Hardware Management Console is not activated for any classified systems. Note: This can be accomplished by going to the Customize Remote Service Panel on the Hardware Management Console and verifying that the Enable remote service option is not enabled.

Check Content

Have the Systems Administrator or Systems Programmer validate that dial-out access from the Hardware Management Console is not activated for any classified systems. Note: This can be accomplished by going to the Customize Remote Service Panel on the Hardware Management Console and verifying that the Enable remote service option is not enabled. If this is a classified system and Enable remote service is enabled, then this is a FINDING.

Responsibility

System Administrator

IA Controls

EBRP-1, EBRU-1

DCAF Console access must require a password to be entered by each user.

Finding ID
HLESC085
Rule ID
SV-31292r2_rule
Severity
Cat II
CCE
(None)
Group Title
HLESC085
CCI
CCI-000764
Target Key
(None)
Documentable
No
Discussion

The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could result in varying of ESCON Directors online or offline and applying configuration changes. Unrestricted use by unauthorized personnel could lead to bypass of security, unlimited access to the system, and an altering of the environment. This would result in a loss of secure operations and will impact data operating integrity of the environment. NOTE: Many newer installations no longer support the ESCON Director Application. For installations not supporting the ESCON Director Application, this check is not applicable.

Fix Text

Have the System Administrator review access authorization to DCAF Consoles. Ensure that all personnel are required to enter a password. Remote access to the LAN may be provided through DCAF via a LAN or modem connection. DCAF passwords should be implemented to prevent unauthorized access.

Check Content

If the ESCON Director Application is present, have the System Administrator attempt to sign on to the DCAF Console and validate that a password is required, otherwise, this check is not applicable. If sign-on access to the DCAF Console does not require a password this is a finding.

Responsibility

System Administrator

IA Controls

ECCD-1, IAIA-1, IAIA-2

Access to the Hardware Management Console (HMC) must be restricted by assigning users proper roles and responsibilities.

Finding ID
HMC0045
Rule ID
SV-31555r1_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0045
CCI
CCI-000225
Target Key
(None)
Documentable
No
Discussion

Access to the HMC, if not properly controlled and restricted by assigning users proper roles and responsibilities, could allow modification to areas outside the need-to-know and abilities of the individual, resulting in a bypass of security and an altering of the environment. This would result in a loss of secure operations and can impact the integrity of the data operating environment.

Fix Text

Have the System Administrator, using the list of user IDs and responsibilities, validate that each user is properly specified in the HMC based on his/her roles and responsibilities. Note: Sites must have a list of valid HMC users, indicating their USERID, date of DD2875, and roles and responsibilities. To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Manager Roles.

Check Content

Have the System Administrator verify to the reviewer that the Roles and Responsibilities are assigned to the proper individuals by their areas of responsibility. Note: Sites must have a list of valid HMC users, indicating their USERID, date of DD2875, and roles and responsibilities. To display user roles, choose User Profiles and then select the user for modification. View Task Roles and Manager Resources Roles. If the HMC user IDs displayed by the System Administrator are not properly assigned by Roles and Responsibilities, then this is a FINDING.

Responsibility

System Administrator

IA Controls

ECAN-1, ECLP-1, PRMP-1, PRMP-2

Audit records content must contain valid information to allow for proper incident reporting.

Finding ID
HMC0185
Rule ID
SV-31556r1_rule
Severity
Cat II
CCE
(None)
Group Title
HMC0185
CCI
CCI-001487
Target Key
(None)
Documentable
No
Discussion

The content of audit data must validate that the information contains: User IDs; successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc.); date and time of the event; type of event; success or failure of the event; successful and unsuccessful logons; and denial of access resulting from an excessive number of logon attempts. Failure to include this information may hamper attempts to trace events and not allow proper tracking of incidents during a forensic investigation.

Fix Text

Have the System Administrator check the content of audit records. Use the View Console Events task to view security logs and validate that they contain the following information: User IDs; successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc.); date and time of the event; type of event; success or failure of the event; successful and unsuccessful logons; and denial of access resulting from an excessive number of logon attempts.

Check Content

Have the System Administrator validate that the audit records contain valid information to allow for proper incident tracking. Use the View Console Events task to display the contents of the security logs and validate that they contain the following information: User IDs; successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc.); date and time of the event; type of event; success or failure of the event; successful and unsuccessful logons; and denial of access resulting from an excessive number of logon attempts.

Responsibility

System Administrator

IA Controls

ECAR-1, ECAR-2

Product engineering access to the Hardware Management Console must be disabled.

Finding ID
HMC0210
Rule ID
SV-31558r1_rule
Severity
Cat I
CCE
(None)
Group Title
HMC0210
CCI
CCI-001762
Target Key
(None)
Documentable
No
Discussion

The Hardware Management Console has a built-in feature that allows Product Engineers access to the console. With access authority, IBM Product Engineering can log on the Hardware Management Console with an exclusive user identification (ID) that provides tasks and operations for problem determination. Product Engineering access is provided by a reserved password and permanent user ID. You cannot view, discard, or change the password and user ID, but you can control their use for accessing the Hardware Management Console. User IDs and passwords that are hard-coded and cannot be modified are a violation of NIST 800-53 and multiple other compliance regulations. Failure to disable this access would allow unauthorized access and could lead to security violations on the HMC.

Fix Text

The System Administrator or System Programmer will set the Product Engineering Access control for product engineering or remote product engineering to a disabled status. This can be checked under the classic style user interface; this task is found under the Hardware Management Console Settings console action. Open the Customize Product Engineering Access task. The Customize Product Engineering Access window is displayed. Select the appropriate accesses for product engineering or remote product engineering. (Both should be disabled.) Click OK to save the changes and exit the task.

Check Content

Have the System Administrator or System Programmer validate that IBM Product Engineering access to the Hardware Management Console is disabled. This can be checked under the classic style user interface; this task is found under the Hardware Management Console Settings console action. Open the Customize Product Engineering Access task. The Customize Product Engineering Access window is displayed. Select the appropriate accesses for product engineering or remote product engineering. (Both should be disabled.) Click OK to save the changes and exit the task. If access under Customize Product Engineering Access is not disabled, then this is a finding.

Responsibility

System Administrator

Connection to the Internet for IBM remote support must be in compliance with the Remote Access STIGs.

Finding ID
HMC0220
Rule ID
SV-31580r1_rule
Severity
Cat I
CCE
(None)
Group Title
HMC0220
CCI
CCI-002310
Target Key
(None)
Documentable
No
Discussion

Failure to securely connect to remote sites can leave systems open to multiple attacks and security violations through the network. Failure to securely implement remote support connections can lead to unauthorized access or denial of service attacks on the Hardware Management Console.

Fix Text

The Network Security Officer or System Programmer should make any changes required for IBM RSF to meet the requirements stipulated in the Remote Access STIGs. Also any documentation or letters of Attestation should be placed on file with the IAM/IAO. The letter of attestation must be signed by an authorized representative of IBM. The letter should contain certification that the security measures identified in the Remote Access STIGs are in compliance.

Check Content

Have the Network Security Engineer or System Programmer check that the remote Internet connection for IBM RSF support has met the requirements of the Remote Access STIGs. For controls that are a part of IBM's closed system that cannot be updated or changed by customers, review provided documentation, such as that found in the HMC Broadband Support manuals or a letter of attestation provided by IBM assuring compliance. If the security measures in the Remote Access STIGs are not fully compliant and there is no supporting documentation or letter of attestation on file with the IAM/IAO, this is a finding.

Responsibility

System Administrator

IA Controls

EBRP-1, EBRU-1

A minimum delay of 60 minutes must be specified for password retry after 3 failed attempts to enter the password.

Finding ID
HMC0135
Rule ID
SV-31588r1_rule
Severity
Cat III
CCE
(None)
Group Title
HMC0135
CCI
CCI-002238
Target Key
(None)
Documentable
No
Discussion

The Maximum failed attempts before disable delay is not set to 3. This setting specifies the number of consecutive incorrect password attempts the Hardware Management Console allows, 3, before imposing a 60-minute delay on further attempts to retry the password. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. Note: The Hardware Management Console does not allow a revoke of a user ID. A 60-minute delay time setting is being substituted.

Fix Text

The System Administrator will display the User Properties window on the Hardware Management Console for each user and verify that the disable delay is set to 60 or more. Maximum Failed Attempts and Disable Delay are found in User Profiles by selecting the user, selecting modify user and then selecting User Properties.

Check Content

Have the System Administrator display the Disable delay in minutes. Disable Delay is found in User Profiles by selecting the user, selecting modify user, and then selecting User Properties. If this is less than 60 minutes, then this is a finding. Note: The Hardware Management Console does not have the ability to revoke a user ID, so a 60-minute delay has been imposed instead.

Responsibility

System Administrator

IA Controls

ECLO-1, ECLO-2

Connection to the Internet for IBM remote support must be in compliance with mitigations specified in the Ports and Protocols and Services Management (PPSM) requirements.

Finding ID
HMC0225
Rule ID
SV-31589r1_rule
Severity
Cat I
CCE
(None)
Group Title
HMC0225
CCI
CCI-002310
Target Key
(None)
Documentable
No
Discussion

Failure to securely connect to remote sites can leave systems open to multiple attacks and security violations through the network. Failure to securely implement remote support connections can lead to unauthorized access or denial of service attacks on the Hardware Management Console.

Fix Text

Have the Network Security Officer validate that the Internet connection meets the specifications in the PPSM requirements.

Check Content

Have the Network Security Engineer check that the remote Internet connection for IBM RSF support has met the mitigations outlined in the Vulnerability Analysis for port 443/SSL in the PPSM requirements.

Responsibility

System Administrator

IA Controls

EBRP-1, EBRU-1