17:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"IBM Hardware Management Console (HMC) STIG"}],["$","span",null,{"className":"bg-badge-archived-bg text-badge-archived-text rounded-full px-3 py-1 text-xs font-medium","children":"Archived"}],["$","$L21",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","1","R","5"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Jan 20, 2015"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"S-6716b96cd48327612716d82ef6931fd3e39ea519","children":"S-6716b96cd48327612716d82ef6931fd3e39ea519"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":35}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",10]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",24]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",1]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"IBM Hardware Management Console is used to perform Initial Program Loads (IPLs), power on resets, shutdowns, and configuring of hardware components for system logical partitions."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=IBM%20Hardware%20Management%20Console%20(HMC)%20STIG&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=IBM%20Hardware%20Management%20Console%20(HMC)%20STIG&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=IBM%20Hardware%20Management%20Console%20(HMC)%20STIG&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],false]}]]}],["$","$L22",null,{"checks":[{"id":"a6b8e430-cc93-4dc3-b4ff-9198e70f6683","vulnId":"V-24340","severity":"high","ruleTitle":"The Enterprise System Connection (ESCON) Director (ESCD) Application Console must be located in a secure location","description":"The ESCD Application Console is used to add, change, and delete port configurations and dynamically switch paths between devices. If the ESCON Director Application Console is not located in a secured location, unauthorized personnel can bypass security, access the system, and alter the environment. This could impact the integrity and confidentiality of operations. NOTE: Many newer installations no longer support the ESCD Application Console. For installations not supporting the ESCD Application Console, this check is not applicable.","checkContent":"If the ESCD Application Console is present, verify the location of the ESCD Application Console, otherwise this check is not applicable.

If the ESCON Director Application console is not located in a secure location this is a finding.","fixText":"Move the (ESCD) Console Application console to a secure location and implement access control procedures to ensure access by authorized personnel only.

An ESCD Console Application is used to provide data center personnel with an interface for displaying and
changing an ESCD'S connectivity attributes. It is also used to install, initialize, and service an ESCON Director.
Note: ESCD'S are slowly being phased out and are being replaced with FICON Directors.

"},{"id":"402ef2d3-e041-428e-aa44-9751dc3f8528","vulnId":"V-24342","severity":"medium","ruleTitle":"Sign-on to the ESCD Application Console must be restricted to only authorized personnel.","description":"The ESCD Application Console is used to add, change, and delete port configurations and to dynamically switch paths between devices. Access to the ESCD Application Console is restricted to three classes of personnel: Administrators, service representatives and operators. The administrator sign-on controls passwords at all levels, the service representative sign-on allows access to maintenance procedures, and the operator sign-on allows for configuration changes and use of the Director utilities. Unrestricted use by unauthorized personnel could impact the integrity of the environment. This would result in a loss of secure operations and impact data operating environment integrity. NOTE: Many newer installations no longer support the ESCD Application Console. For installations not supporting the ESCD Application Console, this check is not applicable.","checkContent":"If the ESCD Application Console is present, have the ESCON System Administrator verify that sign-on access to the ESCD Application Console is restricted to authorized personnel by signing on without a valid userid and password, otherwise this check is not applicable.

If the ESCD Application Console sign-on access is not restricted, this is a finding.","fixText":"$23"},{"id":"4394eac3-3ba9-42f0-96f1-44c9e56642b9","vulnId":"V-24343","severity":"high","ruleTitle":"The ESCON Director Application Console Event log must be enabled.","description":"The ESCON Director Console Event Log is used to record all ESCON Director Changes. Failure to create an ESCON Director Application Console Event log results in the lack of monitoring and accountability of configuration changes. In addition, its use in the execution of a contingency plan could be compromised and security degraded. NOTE: Many newer installations no longer support the ESCON Director Console. For installations not supporting the ESCON Director Console, this check is not applicable.","checkContent":"If the ESCON Director Console is present, verify on the ESCON Director Application Console that the Event log is in use, otherwise this check is not applicable.

If no Event log exists, this is a finding.

","fixText":"Ensure that an ESCON Director Application Console log is created and in use every time the system is switched on.

The ESCON Director maintains an audit trail at the ESCD console’s fixed disk. This audit trail logs the time, date, and password identification when changes have been made to the ESCON Director."},{"id":"8ee3051d-b74d-4241-a907-7da6a3374142","vulnId":"V-24344","severity":"medium","ruleTitle":"The Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel.","description":"The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could result in varying of ESCON Directors online or offline and applying configuration changes. Unrestricted use by unauthorized personnel could lead to bypass of security, unlimited access to the system, and an altering of the environment. This would result in a loss of secure operations and will impact data operating integrity of the environment. NOTE: Many newer installations no longer support the ESCON Director Application. For installations not supporting the ESCON Director Application, this check is not applicable.","checkContent":"If the ESCON Director Application is present, verify that sign-on access to the DCAF Console is restricted to authorized personnel, otherwise, this check is not applicable.

If sign-on access to the DCAF Console is not restricted, this is a finding. ","fixText":"Review access authorization to DCAF Consoles. Ensure that all personnel are restricted to authorized levels of access.

Remote access to the LAN may be provided through DCAF via a LAN or modem connection.
DCAF passwords should be implemented to prevent unauthorized access.
"},{"id":"91bbcd24-d20f-4233-aabe-dc210f484f35","vulnId":"V-24345","severity":"high","ruleTitle":"The Hardware Management Console must be located in a secure location.","description":"The Hardware Management Console is used to perform Initial Program Load (IPLs) and control the Processor Resource/System Manager (PR/SM). If the Hardware Management Console is not located in a secure location, unauthorized personnel can bypass security, access the system, and alter the environment. This can lead to loss of secure operations if not corrected immediately.","checkContent":"Verify the location of the Hardware Management Console.

It should be located in a controlled area.
Access to it should be restricted.

If the Hardware Management Console is not located in a secure location this is a FINDING. ","fixText":"Move the Hardware Management Console to a secure location and implement access controls for authorized personnel."},{"id":"4b4a1efe-9637-4c98-966b-f8c507e27287","vulnId":"V-24348","severity":"medium","ruleTitle":"Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be restricted to an authorized vendor site.","description":"Dial-out access from the Hardware Management Console could impact the integrity of the environment, by enabling the possible introduction of spyware or other malicious code. It is important to note that it should be properly configured to only go to an authorized vendor site. Note: This feature will be activated for Non-Classified Systems only. Also, many newer processors (e.g., zEC12/zBC12 processors) will not have modems. If there is no modem, this check is not applicable.","checkContent":"Whenever dial-out hardware is present, have the System Administrator or Systems Programmer validate that dial-out access from the Hardware Management Console is enabled for any non-classified system.

Note: This is accomplished by going to Hardware Management Console and selecting Customize Remote Services. Then verify that Enable Remote Services is active.

If automatic dial-out access from the Hardware Management Console is enabled, have the Systems Administrator or Systems Programmer validate that remote phone number and remote service parameters values are valid authorized venders in the remote Service Panel of the Hardware Management Console.

If all the above values are not correct, this is a finding.","fixText":"$24"},{"id":"8d55ecc2-9317-4af0-b74d-138cd44f2f06","vulnId":"V-24349","severity":"medium","ruleTitle":"Access to the Hardware Management Console must be restricted to only authorized personnel.\r\n","description":"Access to the Hardware Management Console if not properly restricted to authorized personnel could lead to a bypass of security, access to the system, and an altering of the environment. This would result in a loss of secure operations and can cause an impact to data operating environment integrity.","checkContent":"Verify that sign-on access to the Hardware Management Console is restricted to authorize personnel and that a DD2875 is on file for each user ID.

Note: Sites must have a list of valid HMC users, indicating their USER IDs, Date of DD2875, and roles and responsibilities

To display user roles chose User Profiles and then select the user for modification. View Task Roles and Manager Resources Roles.

If each user displayed by the System Administrator does not have a DD2875, then this is a FINDING.

","fixText":"The System Administrator will see that sign-on access to the Hardware Management Console is restricted to authorized personnel and that a DD2875 is on file for each user ID.

Note: Sites must have a list of valid HMC users, indicating their USER IDs, Date of DD2875, and roles and responsibilities.

The System Administrator must see that the list and users defined to the Hardware Management Console match.
"},{"id":"f7ce1264-d8f8-478e-80ca-fee6b839ae5f","vulnId":"V-24350","severity":"medium","ruleTitle":"Automatic Call Answering to the Hardware Management Console must be disabled.","description":"Automatic Call Answering to the Hardware Management Console allows unrestricted access by unauthorized personnel and could lead to a bypass of security, access to the system, and an altering of the environment. This would result in a loss of secure operations and impact the integrity of the operating environment, files, and programs. Note: Dial-in access to the Hardware Management Console is prohibited. Also, many newer processors (e.g., zEC12/zBC12 processors) will not have modems. If there is no modem, this check is not applicable.","checkContent":"Have the System Administrator verify if either the Enable Remote Operations parameter or the Automatic Call Answering parameter are active on the Enable Hardware Management Console Services panel.

The Enable Remote Operations is found under Customize Remote Services and Automatic Call Answering is found under Customize Auto Answer Settings.

If either of the above options are active, then this is a FINDING.
","fixText":"The System Administrator must set dial-in facility to off. Do this by ensuring that both the Enable Remote Operations parameter and the Automatic Call Answering parameter are turned off.

In Check Content: Enable Remote Operations is found under Customize Remote Services and Automatic Call Answering is found under Customize Auto Answer Settings.

"},{"id":"fcdbb625-a343-4499-a34e-9a4dd4a98c64","vulnId":"V-24352","severity":"medium","ruleTitle":"The Hardware Management Console Event log must be active.","description":"The Hardware Management Console controls the operation and availability of the Central Processor Complex (CPC). Failure to create and maintain the Hardware Management Console Event log could result in the lack of monitoring and accountability of CPC control activity. ","checkContent":"Verify on the Hardware Management Console that the Event log is in use.

This is done by selecting the View Console Events panel under Console Actions.
From this panel you can display:

Console Information on EC Changes
Console Service History displays HMC Problems
Console Tasks Displays Last 2000 tasks performed on console
View Licenses View LIC (Licensed Internal Code)
View Security Logs tracks an object’s operational state, status, or settings change or involves user access to tasks, actions, and objects.

If no Event log exists, this is a FINDING.

If the Event log exists and is not collecting data, this is a FINDING. ","fixText":"The System Administrator will activate the Hardware Management Console Event log and ensure that all tracking parameters are set.

This is done by selecting the View Console Events panel under Console Actions.
From this panel you can display:

Console Information on EC Changes
Console Service History displays HMC Problems
Console Tasks Displays Last 2000 tasks performed on console
View Licenses View LIC (Licensed Internal Code)
View Security Logs tracks an object’s operational state, status, or settings change or involves user access to tasks, actions, and objects.
"},{"id":"6cff61ea-1c5b-4e0e-8e72-eec58d5c4e31","vulnId":"V-24353","severity":"high","ruleTitle":"The manufacturer’s default passwords must be changed for all Hardware Management Console (HMC) Management software.","description":"The changing of passwords from the HMC default values, blocks malicious users with knowledge of these default passwords, from creating a denial of service or from reconfiguring the HMC topology leading to a compromise of sensitive data. The system administrator will ensure that the manufacturer’s default passwords are changed for all HMC management software.","checkContent":"Have the System Administrator logon to the HMC and validate that all default passwords have been changed.

Go to task Modify User, select user, select Modify and enter and confirm new password.

User ID\t\tDefault Password
•\tOPERATOR\t\tPASSWORD
•\tADVANCED\t\tPASSWORD
•\tSYSPROG\t\tPASSWORD
•\tACSADMIN\t\tPASSWORD

The System Administrator is to validate that each user has his/her own user ID and password and that sharing of user-IDs and passwords is not permitted.

Default user IDs and passwords are established as part of a base HMC. The System Administrator must assign new user IDs and passwords for each user and remove the default user IDs as soon as the HMC is installed by using the User Profiles task or the Manage Users Wizard.

If all the default passwords have not been changed, and each user is not assigned a separate user ID and password, then this is a FINDING

","fixText":"The System Administrator must logon to the HMC and validate that all Default Passwords have been changed.
\t
User ID\t\tDefault Password
OPERATOR\t\tPASSWORD
ADVANCED\t\tPASSWORD
SYSPROG\t\tPASSWORD
ACSADMIN\t\tPASSWORD

Default user IDs and passwords are established as part of a base HMC. The System Administrator must assign new user IDs and passwords for each user and remove the default user IDs as soon as the HMC is installed by using the User Profiles task or the Manage Users Wizard.

Go to task Modify User, select user, select Modify and enter and confirm new password.
"},{"id":"2090f410-b07c-4b40-82cc-6babfc0297ee","vulnId":"V-24354","severity":"medium","ruleTitle":"Predefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users.","description":"Individual task roles with access to specific resources if not created and restricted, will allow unrestricted access to system functions. The following is an example of some managed resource categories: Tasks are functions that a user can perform, and the managed resource role defines where those tasks might be carried out. The Access Administrator assigns a user ID and user roles to each user of the Hardware Management Console.

•\tOPERATOR OPERATOR
•\tADVANCED ADVANCED OPERATOR
•\tACSADMIN ACCESS ADMINISTRTOR
•\tSYSPROG SYSTEM PROGRAMMER
•\tSERVICE SRVICE REPRESENTATIVE
Failure to establish this environment may lead to uncontrolled access to system resources.
","checkContent":"Have the System Administrator display the user profiles and demonstrate that valid users are defined to valid roles and that authorities are restricted to the site list of users.

Note: Sites must have a list of valid HMC users, indicating their USER IDs, Date of DD2875, and roles and responsibilities.

To display user roles chose User Profiles and then select the user for modification. View Task Roles and Manager Resources Roles.

If the different roles are not properly displayed or are not properly restricted, then this is a FINDING.
","fixText":"The System Administrator must set up a list of Users

Note: Sites must have a list of valid HMC users, indicating their USER IDs, Date of DD2875, and roles and responsibilities
and these must match the users defined to the HMC.

To display user roles chose User Profiles and then select the user for modification. View Task Roles and Manager Resources Roles.

"},{"id":"020869cd-f00c-4c4f-8358-e43376b127a2","vulnId":"V-24355","severity":"medium","ruleTitle":"Individual user accounts with passwords must be maintained for the Hardware Management Console operating system and application.","description":"Without identification and authentication, unauthorized users could reconfigure the Hardware Management Console or disrupt its operation by logging in to the system or application and execute unauthorized commands. The System Administrator will ensure individual user accounts with passwords are set up and maintained for the Hardware Management Console. ","checkContent":"Have the System Administrator prove that individual USER IDs are specified for each user and DD2875 are on file for each user.

If USERIDs are shared among multiple users and crresponding DD2875 forms do not exist for each user, then this is a FINDING.
","fixText":"Have the System Administrator verify that all users of the Hardware Management Console are individually defined with USER IDs and passwords and that their roles and responsibilities are documented. Verify that a DD2875 exists for each USER ID. "},{"id":"3571ef19-f6a6-44e4-b511-caa8375b6e0d","vulnId":"V-24356","severity":"medium","ruleTitle":"The PASSWORD History Count value must be set to 10 or greater.","description":"History Count specifies the number of previous passwords saved for each USERID and compares it with an intended new password. If there is a match with one of the previous passwords, or with the current password, it will reject the intended new password. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. ","checkContent":"Have the System Administrator display the Password Profile Task window on the Hardware Management Console and validate that the History Count is set to 10.

If the History Count is less than 10, then this is a FINDING.
.","fixText":"Have the System Administrator go into the Password Profile and set the History Count to 10 or greater."},{"id":"1f1b8ec0-bd6e-42a0-9f50-f86400cf9bd5","vulnId":"V-24358","severity":"medium","ruleTitle":"The PASSWORD expiration day(s) value must be set to equal or less then 60 days.","description":"Expiration Day(s) specifies the maximum number of days that each user's password is valid. When a user logs on to the Hardware Management Console it compares the system password interval value specified in the user profile and it uses the lower of the two values to determine if the user's, password has expired. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. ","checkContent":"Have the System Administrator display the Password Profile Task window on the Hardware Management Console and validate that the Expiration day(s) is set to equal or less then 60 days.

If the Expiration day(s) is set to equal or less then 60 days, this is not a FINDING.

If the Expiration day(s) is greater than 60 days, then this is a FINDING.

","fixText":"Have the System Administrator go into the Password Profile and set the Expiration day(s) to equal or less then 60 days."},{"id":"a84fdc0b-0583-4cd6-b89a-38fbb5ba91ad","vulnId":"V-24359","severity":"medium","ruleTitle":"Maximum failed password attempts before disable delay must be set to 3 or less.","description":"The Maximum failed attempts before disable delay is not set to 3. This specifies the number of consecutive incorrect password attempts the Hardware Management Console allows as 3 times, before setting a 60-minute delay to attempt to retry the password. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. Note: The Hardware Management Console does not allow a revoke of a userID. A 60- minute delay time setting is being substituted.","checkContent":"Have the System Administrator display the maximum failed attempts on the user properties table on the Hardware Management Console before disable delay is invoked.

Maximum Failed Attempts and Disable Delay are found in User Profiles by selecting the user, selecting modify user and then selecting User Properties.

If the Maximum failed attempts before disable delay is invoked is set at greater than 3, then this is a FINDING.

","fixText":"The System Administrator will display the User Properties window on the Hardware Management Console for each user and verify that the maximum attempts before disable delay is set to 3 or less and will update them if this is not true.

Maximum Failed Attempts and Disable Delay are found in User Profiles by selecting the user, selecting modify user and then selecting User Properties.
"},{"id":"b7a51d14-0f13-4f89-83ae-ade703386636","vulnId":"V-24360","severity":"medium","ruleTitle":"The password values must be set to meet the requirements in accordance with DoDI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (INFORMATION ASSURANCE (IA) AND COMPUTER NETWORK DEFENSE (CND)).","description":"In accordance with DoDI 8500.2 for DoD information systems processing sensitive information and above and CJCSI 6510.01E (INFORMATION ASSURANCE (IA) AND COMPUTER NETWORK DEFENSE (CND)).. The following recommendations concerning password requirements are mandatory and apply equally to both classified and unclassified systems: (1) Passwords are to be fourteen (14) characters. (2) Passwords are to be a mix of upper and lower-case alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the Hardware Management Console control options introduces the possibility of exposure during the migration process or contingency plan activation.","checkContent":"Have the System Administrator display the Password Profile Task window on the Hardware Management Console and check that:

Passwords are to be a minimum of fourteen (14) characters in length.

Passwords are to be a mix of upper- and lower-case alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard.

Each character of the password is to be unique, prohibiting the use of repeating characters.

Passwords are to contain no consecutive characters (e.g., 12, AB, etc.).

If the Password Profile does not have the specifications for the above options then this is a FINDING.
","fixText":"Have the System Administrator validate that the settings in the Password Profiles Window meet the following specifications:

Passwords are a minimum of fourteen (14) characters in length.

Passwords are to be a mix of upper and lower-case alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard.

Each character of the password is to be unique, prohibiting the use of repeating characters.

Passwords are to contain no consecutive characters (e.g., 12, AB, etc.).
"},{"id":"c7ad8b3c-7bf2-4828-8f13-e0428a8e2511","vulnId":"V-24361","severity":"medium","ruleTitle":"The terminal or workstation must lock out after a maximum of 15 minutes of inactivity, requiring the account password to resume.","description":"If the system, workstation, or terminal does not lock the session after more than15 minutes of inactivity, requiring a password to resume operations, the system or individual data could be compromised by an alert intruder who could exploit the oversight.","checkContent":"Have the System Administrator display the User Properties window on the Hardware Management Console and check that the timeout minutes are set to a maximum of 15.

If the Verify Timeout minutes are set to more than 15, then this is a FINDING.
","fixText":"The System Administrator will display the User Properties window and will ensure that the Verify timeout minutes are set to a maximum of 15. "},{"id":"37d293e6-bde1-485a-ad58-51fc749a1b04","vulnId":"V-24362","severity":"medium","ruleTitle":"The Department of Defense (DoD) logon banner must be displayed prior to any login attempt.","description":"Failure to display the required DoD logon banner prior to a login attempt may void legal proceedings resulting from unauthorized access to system resources and may leave the SA, IAO, IAM, and Installation Commander open to legal proceedings for not advising users that keystrokes are being audited.","checkContent":"$25","fixText":"$26"},{"id":"b0f1fec3-7ffa-4d55-bdbd-56f76f533000","vulnId":"V-24363","severity":"medium","ruleTitle":"A private web server must subscribe to certificates, issued from any DoD-authorized Certificate Authority, as an access control mechanism for web users. ","description":"If the Hardware Management Consoles (HMC) is network-connected, use SSL encryption techniques, through digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. To maintain data integrity the IBM Certificate distributed with the HMC's is to be replaced by a DoD-authorized Certificate. Note: This check applies only to network-connected HMCs.","checkContent":"The System Reviewer will have the System Administrator use the Hardware Management Console Certificate Management Task to validate that the private key and certificate shipped with any network-connected HMC from IBM was replaced with an approved DoD- authorized Certificate.

Note: This check applies only to network-connected HMCs.

Note: DoD certificates should display the following Information 'OU=PKI.OU=DoD.O=U.S. Government.C=US'

If private web server does not subscribe to certificates issued from any DoD-authorized Certificate Authority as an access control mechanism for web users, then this is a FINDING.","fixText":"The System Administrator must order a DoD PKI to replace the IBM Certificate and then the System Administrator must use the Hardware Management Console Certificate Management Task to install it.

Note: This only applies to networked HMCs. "},{"id":"4793d7b2-ac34-4cad-980c-14a46a4b349c","vulnId":"V-24364","severity":"medium","ruleTitle":"Hardware Management Console audit record content data must be backed up.","description":"The Hardware Management Console has the ability to backup and display the following data: 1) Critical console data 2) Critical hard disk information 3) Backup of critical CPC data and 4) Security Logs. Failure to backup and archive the listed data could make auditing of system incidents and history unavailable and could impact recovery for failed components. ","checkContent":"Have the System Administrator produce a log by date validating that backups are being performed for Security logs and Critical console data on a routine scheduled basis (e.g., daily, weekly, monthly, quarterly, annually) and copies are rotated to off site storage. Compare the list of backups made to a physical inventory of storage media to verify that HMC backups are being retained as expected. If backups are either not being made, or there are obvious gaps in storage and retention of the backups, this is a finding.","fixText":"$27"},{"id":"e1ec475f-f331-4e02-9ab5-f0bfd93040e1","vulnId":"V-24373","severity":"medium","ruleTitle":"Hardware Management Console management must be accomplished by using the out-of-band or direct connection method.","description":"Removing the management traffic from the production network diminishes the security profile of the Hardware Management Console servers by allowing all the management ports to be closed on the production network. The System Administrator will ensure that Hardware Management Console management is accomplished using the out-of-band or direct connection method.","checkContent":"The System Administrator will validate that the Hardware Management Console management connection will use TCP/IP with encryption on an out-of-band network.

If the Hardware Management Console management connection does not use TCP/IP with encryption on an out-of-band network then this is a FINDING.","fixText":"The System Administrator will work with the NSO to see that the Hardware Management Console management is set up with encryption on an out-of band network. "},{"id":"48344311-ce3d-42e8-bbac-2f740f6d2902","vulnId":"V-24378","severity":"medium","ruleTitle":"Unauthorized partitions must not exist on the system complex.","description":"The running of unauthorized Logical Partitions (LPARs) could allow a “Trojan horse” version of the operating environment to be introduced into the system complex. This could impact the integrity of the system complex and the confidentiality of the data that resides in it.","checkContent":"Using the Hardware Management Console, do the following:

Access the Change LPAR Control Panel. (This will list the LPARs.)

Compare the partition names listed on the Partition Page to the names entered on the Central Processor Complex Domain/LPAR Names table.
Note: Each site should maintain a list of valid LPARS that are configured on thier system , what operating system, and the purpose of each LPAR.
If unauthorized partitions exist on the system complex and the deviation is not documented, this is a FINDING. ","fixText":"Review the LPARs on the system and remove any unauthorized LPARs. If a deviation exists, the system administrator will provide written justification for the deviation.

This will be displayed by using the Change LPAR Control Panel."},{"id":"68c1e78e-75e9-4990-b7d6-f57cef29f025","vulnId":"V-24379","severity":"medium","ruleTitle":"On Classified Systems, Logical Partition must be restricted with read/write access to only its own IOCDS.","description":"Unrestricted control over the IOCDS files could result in unauthorized updates and impact the configuration of the environment by allowing unauthorized access to a restricted resource. This could severely damage the integrity of the environment and the system resources.","checkContent":"Using the Hardware Management Console, verify that a logical partition cannot read or write to any IOCDS. Use the Security Definitions Page panel to do this by checking to see if the Input/Output (I/O) Configuration Control option has been turned on.

NOTE:\tThe default is applicable to only classified systems.

Confirm whether or not the I/O Configuration Control option is checked.

If the Logical Partition is not restricted with read/write access to only its own IOCDS, this is a FINDING.
","fixText":"Review the Security Definition parameters specified under Processor Resource/Systems Manager (PR/SM).
Verify and implement the correct settings.
"},{"id":"7215c4a5-8bd7-4ccc-b272-ce6f673f5b6a","vulnId":"V-24380","severity":"medium","ruleTitle":"Processor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands.","description":"Unrestricted control over the issuing of system commands by a Logical Partition could result in unauthorized data access and inadvertent updates. This could result in severe damage to system resources.","checkContent":"Using the Hardware Management Console, verify that the Logical Partitions cannot issue control program commands to another Logical Partition. Use the PR/SM panel, known as the Security Definitions Page, to do this. The Cross Partition Control option must be turned off.

NOTE: The default is that the Cross Partition Control option is turned off.

If Processor Resource/Systems Manager (PR/SM) allows unrestricted issuing of control program commands then this is a FINDING","fixText":"Review the Security Definition parameters specified under PR/SM, and turn off the Cross Partition Control option."},{"id":"4303d406-611e-42f9-855f-e803fb7247f5","vulnId":"V-24381","severity":"high","ruleTitle":"Classified Logical Partition (LPAR) channel paths must be restricted.","description":"Restricted LPAR channel paths are necessary to ensure data integrity. Unrestricted LPAR channel path access could result in a compromise of data integrity. When a classified LPAR exists on a mainframe which requires total isolation, all paths to that LPAR must be restricted.","checkContent":"Have the System Administrator or Systems Programmer on classified systems use the Hardware Management Console to verify that the LPAR channel paths are reserved from the rest of the LPARs.

Use the Security Definitions Panel to verify this. The Logical Partition Isolation option must be turned on.

If the Classified LPAR channel paths are not restricted then this is a FINDING.","fixText":"Have the System Administrator or Systems Programmer for classified systems use the Hardware Management Console to verify that the LPAR channel paths are reserved from the rest of the LPARs. Use the Security Definitions Panel to verify this. The Logical Partition Isolation option must be turned on for classified systems."},{"id":"a108ef97-be80-455c-8ece-32c4ebeb150c","vulnId":"V-24382","severity":"medium","ruleTitle":"On Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data.\r\n\r\n","description":"Allowing unrestricted access to all Logical Partition data could result in the possibility of unauthorized access and updating of data. This could also impact the integrity of the processing environment.","checkContent":"Have the Systems Administrator or Systems Programmer use the Hardware Management Console; to verify that the classified Logical Partition system data cannot be viewed by other Logical Partitions.

Use the Security Definitions Panel to do this. The Global Performance Data Control option must be turned off.

NOTE:\tThe default is that the Global Performance Data Control option is turned off.

If the PR/SM allows access to system complex data then, this is a FINDING.
","fixText":"Have the Systems Administrator or Systems Programmer use the Hardware Management Console, to verify that the classified Logical Partition system data cannot be viewed by other Logical Partitions.

Use the Security Definitions Panel to do this. The Global Performance Data Control option must be turned off.
"},{"id":"fe3146bd-9c45-427a-bc5b-2bbb642258c8","vulnId":"V-24383","severity":"high","ruleTitle":"Central processors must be restricted for classified/restricted Logical Partitions (LPARs).","description":"Allowing unrestricted access to classified processors for all LPARs could cause the corruption and loss of classified data sets, which could compromise classified processing.","checkContent":"Have the system administrator or systems programmer use the Hardware Management Console; to verify that the LPAR processors are dedicated for exclusive use by classified LPARs.

Use the Processor Page to do this. The Dedicated Central Processors option must be turned on.

If Central processors are not restricted for classified/restricted LPARs, this is a FINDING. ","fixText":"Review the Processor Page under PR/SM and turn on the Dedicated Central Processor option for classified or restricted LPARs. For unclassified LPARs, this option should not be turned on, unless determined by the site."},{"id":"fac66909-72fa-4551-ac56-d661a0421878","vulnId":"V-24398","severity":"high","ruleTitle":"Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be disabled for all classified systems. ","description":"This feature will not be activated for any classified systems. Allowing dial-out access from the Hardware Management Console could impact the integrity of the environment by enabling the possible introduction of spyware or other malicious code. ","checkContent":"Have the Systems Administrator or Systems Programmer validate that dial-out access from the Hardware Management Console is not activated for any classified systems.

Note: This can be accomplished by going to the Customize Remote Service Panel on the Hardware Management Console and verifying that enable remote service is not enabled.

If this is a classified system and enable remote service is enabled, then this is a FINDING.","fixText":"Have the Systems Administrator or Systems Programmer validate that dial-out access from the Hardware Management Console is not activated for any classified systems.
Note: This can be accomplished by going to the Customize Remote Service Panel on the Hardware Management Console and verifying that enable remote service is not enabled.
"},{"id":"a5440a21-dacb-42e2-a2ed-8fa3d4c4ddfe","vulnId":"V-25247","severity":"medium","ruleTitle":"DCAF Console access must require a password to be entered by each user.\r\n","description":"The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could result in varying of ESCON Directors online or offline and applying configuration changes. Unrestricted use by unauthorized personnel could lead to bypass of security, unlimited access to the system, and an altering of the environment. This would result in a loss of secure operations and will impact data operating integrity of the environment. NOTE: Many newer installations no longer support the ESCON Director Application. For installations not supporting the ESCON Director Application, this check is not applicable.","checkContent":"If the ESCON Director Application is present, have the System Administrator attempt to sign on to the DCAF Console and validate that a password is required, otherwise, this check is not applicable.

If sign-on access to the DCAF Console does not require a password this is a finding.
","fixText":"Have the System Administrator review access authorization to DCAF Consoles. Ensure that all personnel are required to enter a password.

Remote access to the LAN may be provided through DCAF via a LAN or modem connection.
DCAF passwords should be implemented to prevent unauthorized access.

"},{"id":"4b95c3a8-8aa1-4f24-a040-f0ca18a019a6","vulnId":"V-25386","severity":"medium","ruleTitle":"Access to the Hardware Management Console (HMC) must be restricted by assigning users proper roles and responsibilities.","description":"Access to the HMC if not properly controlled and restricted by assigning users proper roles and responsibilities, could allow modification to areas outside the need-to-know and abilities of the individual resulting in a bypass of security and an altering of the environment. This would result in a loss of secure operations and can cause an impact to data operating environment integrity.","checkContent":"Have the System Administrator verify to the reviewer that the Roles and Responsibilities assigned are assigned to the proper individuals by their areas of responsibility.

Note: Sites must have a list of valid HMC users, indicating their USERID, Date of DD2875, and roles and responsibilities.

Have the System Administrator verify to the reviewer that the Roles and Responsibilities assigned are assigned to the proper individuals by their areas of responsibility.

To display user roles chose User Profiles and then select the user for modification. View Task Roles and Manager Resources Roles.

If the HMC user-IDs displayed by the System Administrator are not properly assigned by Roles and Responsibilities, then this is a FINDING.
","fixText":"Have the System Administrator using the list user IDs and responsibilities, validate that each user is properly specified in the HMC based on his/her roles and responsibilities.

Note: Sites must have a list of valid HMC users, indicating their USERID, Date of DD2785, roles and responsibilities

To display user roles choose User Profiles and then select the user for modification. View Task Roles and Manager Roles.
"},{"id":"dfa097b0-555f-4cad-ac8a-2e80078a7532","vulnId":"V-25387","severity":"medium","ruleTitle":"Audit records content must contain valid information to allow for proper incident reporting.","description":"The content of audit data must validate that the information contains:

User IDs
Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc)
Date and time of the event
Type of event
Success or failure of event
Successful and unsuccessful logons
Denial of access resulting from excessive number of logon attempts
Failure to not contain this information may hamper attempts to trace events and not allow proper tracking of incidents during a forensic investigation
","checkContent":"Have the System Administrator validate the audit records contain valid information to allow for a proper incident tracking. Use the View Console Events task to display contents of security logs.

Use the View Console Events task to view security logs and validate that it has the following information:

User IDs
Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc)
Date and time of the event
Type of event
Success or failure of event
Successful and unsuccessful logons
Denial of access resulting from excessive number of logon attempts
","fixText":"Have the System Administrator check the content of audit records.

Use the View Console Events task to view security logs and validate that it has the following information:

User IDs
Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc)
Date and time of the event
Type of event
Success or failure of event
Successful and unsuccessful logons
Denial of access resulting from excessive number of logon attempts
"},{"id":"42242b05-9af1-46a8-ae20-9c46fcc7ba42","vulnId":"V-25388","severity":"high","ruleTitle":"Product engineering access to the Hardware Management Console must be disabled.","description":"The Hardware Management Console has a built-in feature that allows Product Engineers access to the console. With access authority, IBM Product Engineering can log on the Hardware Management Console with an exclusive user identification (ID) that provides tasks and operations for problem determination. Product Engineering access is provided by a reserved password and permanent user ID. You cannot view, discard, or change the password and user ID, but you can control their use for accessing the Hardware Management Console. User IDs and passwords that are hard-coded and cannot be modified are a violation of NIST 800-53 and multiple other compliance regulations. Failure to disable this access would allow unauthorized access and could lead to security violations on the HMC.","checkContent":"Have the System Administrator or System Programmer validate that IBM Product Engineering access to the Hardware Management Console is disabled.

This can be checked under the classic style user interface; this task is found under the Hardware Management Console Settings console action.
Open the Customize Product Engineering Access task. The Customize Product Engineering Access window is displayed.
Select the appropriate accesses for product engineering or remote product engineering. (Both should be disabled.)
Click OK to save the changes and exit the task.

If access to the Customize Product Engineering Access is not disabled, than this is a finding.
","fixText":"The System Administrator or System Programmer will set the
Product Engineering Access control for product engineering or remote product engineering to a disabled status.

This can be checked under the classic style user interface; this task is found under the Hardware Management Console Settings console action.
Open the Customize Product Engineering Access task. The Customize Product Engineering Access window is displayed.
Select the appropriate accesses for product engineering or remote product engineering. (Both should be disabled)
Click OK to save the changes and exit the task.

"},{"id":"67feba61-458b-4ea8-89e3-844425bdc766","vulnId":"V-25400","severity":"high","ruleTitle":"Connection to the Internet for IBM remote support must be in compliance with the Remote Access STIGs.","description":"Failure to securely connect to remote sites can leave systems open to multiple attacks and security violations through the network. Failure to securely implement remote support connections can lead to unauthorized access or denial of service attacks on the Hardware Management Console.","checkContent":"Have the Network Security Engineer or system Programmer check, that the remote Internet connection for IBM RSF support has met the requirements of the Remote Access STIGs. For controls that are a part of IBM’s closed system that cannot be updated or changed by customers, review provided documentation, such as found in the HMC Broadband Support manuals or a letter of Attestation provided by IBM assuring compliance. If the security measures in the Remote Access STIGs are not fully compliant and there is no supporting documentation or Letter of attestation on file with the IAM/IAO this is a finding.","fixText":"The Network Security Officer or System Programmer should make any changes required for IBM RSF to meet the requirements stipulated in the Remote Access STIGs. Also any documentation or letters of Attestation should be placed on file with the IAM/IAO. The letter of attestation must be signed by an authorized representative of IBM. The letter should contain certification that the security measures identified in the Remote Access STIGs are in compliance. "},{"id":"f47bbe06-bbba-4ef2-a5fb-90c7d024f57d","vulnId":"V-25404","severity":"low","ruleTitle":"A maximum of 60-minute delay must be specified for the password retry after 3 failed attempts to enter your password","description":"The Maximum failed attempts before disable delay is not set to 3. This specifies the number of consecutive incorrect password attempts the Hardware Management Console allows as 3 times, before setting a 60-minute delay to attempt to retry the password. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. Note: The Hardware Management Console does not allow a revoke of a user ID.A 60-minute delay time setting is being substituted.","checkContent":"Have the System Administrator display the Disable delay in minutes.

Disable Delay is found in User Profiles by selecting the user, selecting modify user and then selecting User Properties.

If this is les than 60 minutes then this is a finding.

Note: Hardware Management Console does not have the ability to revoke a user ID, so a 60-minute delay has been imposed instead.
","fixText":"The System Administrator will display the User Properties window on the Hardware Management Console for each user and verify that the disable delay is set to 60 or more.

Maximum Failed Attempts and Disable Delay are found in User Profiles by selecting the user, selecting modify user and then selecting User Properties.

"},{"id":"b638b2db-191a-45aa-8a7b-4956b0391bed","vulnId":"V-25405","severity":"high","ruleTitle":"Connection to the Internet for IBM remote support must be in compliance with mitigations specified in the Ports and Protocols and Services Management (PPSM) requirements.","description":"Failure to securely connect to remote sites can leave systems open to multiple attacks and security violations through the network. Failure to securely implement remote support connections can lead to unauthorized access or denial of service attacks on theHardware Management Console.","checkContent":"Have the Network Security Engineer check, that the remote Internet connection for IBM RSF support has met the mitigations outlined in Vulnerability Analysis for port 443/SSL in the PPSM requirements.
","fixText":"Have the Network Security Officer validate that the Internet connection meets the specifications in the PPSM requirements.
"}]}]]}]

IBM Hardware Management Console (HMC) STIG

Checks (35)