
IBM Hardware Management Console (HMC) STIG


Overview

Date: 2017-09-28
Finding Count: 35 (CAT I (High): 10, CAT II (Med): 24, CAT III (Low): 1)
STIG Description
The IBM Hardware Management Console is used to perform Initial Program Loads (IPLs), power-on resets, shutdowns, and configuration of hardware components for system logical partitions.

Findings (MAC III - Administrative Sensitive)

Finding ID  Severity  Title
V-24343     High      The ESCON Director Application Console Event log must be enabled.
V-24340     High      The Enterprise System Connection (ESCON) Director (ESCD) Application Console must be located in a secure location.
V-25388     High      Product engineering access to the Hardware Management Console must be disabled.
V-24345     High      The Hardware Management Console must be located in a secure location.
V-25400     High      Connection to the Internet for IBM remote support must be in compliance with the Remote Access STIGs.
V-25405     High      Connection to the Internet for IBM remote support must be in compliance with mitigations specified in the Ports and Protocols and Services Management (PPSM) requirements.
V-24383     High      Central processors must be restricted for classified/restricted Logical Partitions (LPARs).
V-24381     High      Classified Logical Partition (LPAR) channel paths must be restricted.
V-24353     High      The manufacturer's default passwords must be changed for all Hardware Management Console (HMC) Management software.
V-24398     High      Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be disabled for all classified systems.
V-24342     Medium    Sign-on to the ESCD Application Console must be restricted to only authorized personnel.
V-24344     Medium    The Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel.
V-24364     Medium    Hardware Management Console audit record content data must be backed up.
V-25386     Medium    Access to the Hardware Management Console (HMC) must be restricted by assigning users proper roles and responsibilities.
V-25387     Medium    Audit record content must contain valid information to allow for proper incident reporting.
V-24361     Medium    The terminal or workstation must lock out after a maximum of 15 minutes of inactivity, requiring the account password to resume.
V-24360     Medium    The password values must be set to meet the requirements in accordance with DoDI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (INFORMATION ASSURANCE (IA) AND COMPUTER NETWORK DEFENSE (CND)).
V-24363     Medium    A private web server must subscribe to certificates, issued from any DoD-authorized Certificate Authority, as an access control mechanism for web users.
V-24362     Medium    The Department of Defense (DoD) logon banner must be displayed prior to any login attempt.
V-24348     Medium    Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be restricted to an authorized vendor site.
V-24382     Medium    On Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data.
V-24380     Medium    Processor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands.
V-24349     Medium    Access to the Hardware Management Console must be restricted to only authorized personnel.
V-24350     Medium    Automatic Call Answering to the Hardware Management Console must be disabled.
V-24378     Medium    Unauthorized partitions must not exist on the system complex.
V-24354     Medium    Predefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users.
V-24355     Medium    Individual user accounts with passwords must be maintained for the Hardware Management Console operating system and application.
V-24356     Medium    The PASSWORD History Count value must be set to 10 or greater.
V-24358     Medium    The PASSWORD expiration day(s) value must be set to 60 days or less.
V-24359     Medium    Maximum failed password attempts before disable delay must be set to 3 or less.
V-24373     Medium    Hardware Management Console management must be accomplished by using the out-of-band or direct connection method.
V-24352     Medium    The Hardware Management Console Event log must be active.
V-25247     Medium    DCAF Console access must require a password to be entered by each user.
V-24379     Medium    On Classified Systems, each Logical Partition must be restricted to read/write access to only its own IOCDS.
V-25404     Low       A maximum 60-minute delay must be specified for the password retry after 3 failed attempts to enter your password.