UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

IBM Hardware Management Console (HMC) Security Technical Implementation Guide


Overview

Date Finding Count (35)
2024-06-24 CAT I (High): 10 CAT II (Med): 24 CAT III (Low): 1
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-256859 High The ESCON Director Application Console Event log must be enabled.
V-256857 High The Enterprise System Connection (ESCON) Director (ESCD) Application Console must be located in a secure location
V-256870 High Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be disabled for all classified systems.
V-256875 High The manufacturer’s default passwords must be changed for all Hardware Management Console (HMC) Management software.
V-256889 High Product engineering access to the Hardware Management Console must be disabled.
V-256868 High The Hardware Management Console must be located in a secure location.
V-256865 High Classified Logical Partition (LPAR) channel paths must be restricted.
V-256867 High Central processors must be restricted for classified/restricted Logical Partitions (LPARs).
V-256891 High Connection to the Internet for IBM remote support must be in compliance with mitigations specified in the Ports and Protocols and Services Management (PPSM) requirements.
V-256890 High Connection to the Internet for IBM remote support must be in compliance with the Remote Access STIGs.
V-256879 Medium The PASSWORD expiration day(s) value must be set to equal or less then 60 days.
V-256878 Medium The PASSWORD History Count value must be set to 10 or greater.
V-256858 Medium Sign-on to the ESCD Application Console must be restricted to only authorized personnel.
V-256873 Medium Automatic Call Answering to the Hardware Management Console must be disabled.
V-256872 Medium Access to the Hardware Management Console (HMC) must be restricted by assigning users proper roles and responsibilities.
V-256871 Medium Access to the Hardware Management Console must be restricted to only authorized personnel.
V-256877 Medium Individual user accounts with passwords must be maintained for the Hardware Management Console operating system and application.
V-256876 Medium Predefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users.
V-256874 Medium The Hardware Management Console Event log must be active.
V-256882 Medium The password values must be set to meet the requirements in accordance with DODI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (INFORMATION ASSURANCE [IA] AND COMPUTER NETWORK DEFENSE [CND]).
V-256883 Medium The terminal or workstation must lock out after a maximum of 15 minutes of inactivity, requiring the account password to resume.
V-256880 Medium Maximum failed password attempts before disable delay must be set to 3 or less.
V-256886 Medium Hardware Management Console audit record content data must be backed up.
V-256887 Medium Audit records content must contain valid information to allow for proper incident reporting.
V-256884 Medium The Department of Defense (DoD) logon banner must be displayed prior to any login attempt.
V-256885 Medium A private web server must subscribe to certificates, issued from any DOD-authorized Certificate Authority (CA), as an access control mechanism for web users.
V-256888 Medium Hardware Management Console management must be accomplished by using the out-of-band or direct connection method.
V-256869 Medium Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be restricted to an authorized vendor site.
V-256860 Medium The Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel.
V-256861 Medium DCAF Console access must require a password to be entered by each user.
V-256862 Medium Unauthorized partitions must not exist on the system complex.
V-256863 Medium On Classified Systems, Logical Partition must be restricted with read/write access to only its own IOCDS.
V-256864 Medium Processor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands.
V-256866 Medium On Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data.
V-256881 Low A maximum of 60-minute delay must be specified for the password retry after 3 failed attempts to enter your password