STIGQter: STIG Summary: IBM Hardware Management Console (HMC) STIG Version: 1 Release: 5 Benchmark Date: 20 Jan 2015

Sign-on to the ESCD Application Console must be restricted to only authorized personnel.

DISA Rule

SV-29994r3_rule

Vulnerability Number

V-24342

Group Title

HLESC020

Rule Version

HLESC020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Review access authorization to ESCD Application Console and ensure that all personnel are restricted to authorized levels of access.

The ESCD Application Console and its associated ESCON Director can be secured using passwords. Three levels of password controls have been established, and each level controls different ESCD Application Console functions. Before making any changes or accessing utilities or maintenance procedures, a user is required to enter a password. A password administrator must use the ESCD Application Console to grant an authorized user access. The following are the three levels of password authority:
Administration (Level 1)
Restrict to systems programming personnel who serve as administrators. A Level 1 password allows the user to display, add, change, and delete passwords of all of the ESCON Director Level 1, Level 2, and Level 3 users. It does not allow the administrator to access maintenance procedures or utilities or to change connectivity attributes.
Maintenance (Level 2)
Restrict to service representatives who perform maintenance procedures. Level 2 users cannot view other users' passwords, change passwords, change connectivity attributes, or access utilities.
Operations (Level 3)
Restrict to system administrators responsible for changing connectivity attributes and accessing certain utilities. Level 3 users cannot view other users' passwords, change passwords, or perform maintenance procedures.

Check Contents

If the ESCD Application Console is present, have the ESCON System Administrator verify that sign-on access to the ESCD Application Console is restricted to authorized personnel by signing on without a valid userid and password. If the ESCD Application Console is not present, this check is not applicable.

If the ESCD Application Console sign-on access is not restricted, this is a finding.

Documentable

False

Severity Override Guidance

If the ESCD Application Console is present, have the ESCON System Administrator verify that sign-on access to the ESCD Application Console is restricted to authorized personnel by signing on without a valid userid and password. If the ESCD Application Console is not present, this check is not applicable.

If the ESCD Application Console sign-on access is not restricted, this is a finding.

Check Content Reference

M

Responsibility

Systems Programmer

Target Key

1891

Comments