STIGQter: STIG Summary: IBM Hardware Management Console (HMC) STIG Version: 1 Release: 5 Benchmark Date: 20 Jan 2015: Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be restricted to an authorized vendor site.

DISA Rule

SV-30007r3_rule

Vulnerability Number

V-24348

Group Title

HMC0030

Rule Version

HMC0030

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

When this feature is turned on for non-classified systems, the site must verify that the remote site information is valid.

The RSF, which is also commonly referred to as call home, is one of the key components that contributes to zero downtime on System z hardware.

The Hardware Management Console RSF provides communication to an IBM support network, known as RETAIN, for hardware problem reporting and service.
When a Hardware Management Console enables RSF, the Hardware Management Console then becomes a call home server.
The types of communication that are provided are:

- Problem reporting and repair data.
- Fix delivery to the service processor and Hardware Management Console.
- Hardware inventory data.
- System updates that are required to activate Capacity on Demand changes.

The following call home security characteristics are in effect regardless of the connectivity method that is chosen:

- RSF requests are always initiated from the Hardware Management Console to IBM. An inbound connection is never initiated from the IBM Service Support System.
- All data that is transferred between the Hardware Management Console and the IBM Service Support System is encrypted with high-grade Secure Sockets Layer (SSL) encryption.
- When initializing the SSL-encrypted connection, the Hardware Management Console validates the trusted host by its digital signature issued for the IBM Service Support System.
- Data sent to the IBM Service Support System consists solely of hardware problems and configuration data. No application or customer data is transmitted to IBM.

Check Contents

Whenever dial-out hardware is present, have the System Administrator or Systems Programmer validate that dial-out access from the Hardware Management Console is enabled for any non-classified system.

Note: This is accomplished by going to the Hardware Management Console and selecting Customize Remote Services. Then verify that Enable Remote Services is active.

If automatic dial-out access from the Hardware Management Console is enabled, have the Systems Administrator or Systems Programmer validate that the remote phone number and remote service parameter values in the Remote Service panel of the Hardware Management Console are those of valid, authorized vendors.

If all the above values are not correct, this is a finding.

Documentable

False

Severity Override Guidance

Whenever dial-out hardware is present, have the System Administrator or Systems Programmer validate that dial-out access from the Hardware Management Console is enabled for any non-classified system.

Note: This is accomplished by going to the Hardware Management Console and selecting Customize Remote Services. Then verify that Enable Remote Services is active.

If automatic dial-out access from the Hardware Management Console is enabled, have the Systems Administrator or Systems Programmer validate that the remote phone number and remote service parameter values in the Remote Service panel of the Hardware Management Console are those of valid, authorized vendors.

If all the above values are not correct, this is a finding.

Check Content Reference

M

Responsibility

Systems Programmer

Target Key

1891
