STIGQter STIGQter: STIG Summary: IBM Hardware Management Console (HMC) STIG

Version: 1

Release: 5 Benchmark Date: 20 Jan 2015

CheckedNameTitle
SV-29986r3_ruleThe Enterprise System Connection (ESCON) Director (ESCD) Application Console must be located in a secure location
SV-29994r3_ruleSign-on to the ESCD Application Console must be restricted to only authorized personnel.
SV-29995r3_ruleThe ESCON Director Application Console Event log must be enabled.
SV-29998r3_ruleThe Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel.
SV-29999r2_ruleThe Hardware Management Console must be located in a secure location.
SV-30007r3_ruleDial-out access from the Hardware Management Console Remote Support Facility (RSF) must be restricted to an authorized vendor site.
SV-30008r2_ruleAccess to the Hardware Management Console must be restricted to only authorized personnel.
SV-30013r3_ruleAutomatic Call Answering to the Hardware Management Console must be disabled.
SV-30015r2_ruleThe Hardware Management Console Event log must be active.
SV-30021r2_ruleThe manufacturer’s default passwords must be changed for all Hardware Management Console (HMC) Management software.
SV-30022r2_rulePredefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users.
SV-30023r2_ruleIndividual user accounts with passwords must be maintained for the Hardware Management Console operating system and application.
SV-30024r2_ruleThe PASSWORD History Count value must be set to 10 or greater.
SV-30026r2_ruleThe PASSWORD expiration day(s) value must be set to equal or less then 60 days.
SV-30027r2_ruleMaximum failed password attempts before disable delay must be set to 3 or less.
SV-30028r2_ruleThe password values must be set to meet the requirements in accordance with DoDI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (INFORMATION ASSURANCE (IA) AND COMPUTER NETWORK DEFENSE (CND)).
SV-30029r2_ruleThe terminal or workstation must lock out after a maximum of 15 minutes of inactivity, requiring the account password to resume.
SV-30030r2_ruleThe Department of Defense (DoD) logon banner must be displayed prior to any login attempt.
SV-30031r3_ruleA private web server must subscribe to certificates, issued from any DoD-authorized Certificate Authority, as an access control mechanism for web users.
SV-30032r4_ruleHardware Management Console audit record content data must be backed up.
SV-30043r2_ruleHardware Management Console management must be accomplished by using the out-of-band or direct connection method.
SV-30052r2_ruleUnauthorized partitions must not exist on the system complex.
SV-30053r2_ruleOn Classified Systems, Logical Partition must be restricted with read/write access to only its own IOCDS.
SV-30055r2_ruleProcessor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands.
SV-30056r2_ruleClassified Logical Partition (LPAR) channel paths must be restricted.
SV-30057r2_ruleOn Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data.
SV-30058r2_ruleCentral processors must be restricted for classified/restricted Logical Partitions (LPARs).
SV-30081r2_ruleDial-out access from the Hardware Management Console Remote Support Facility (RSF) must be disabled for all classified systems.
SV-31292r3_ruleDCAF Console access must require a password to be entered by each user.
SV-31555r2_ruleAccess to the Hardware Management Console (HMC) must be restricted by assigning users proper roles and responsibilities.
SV-31556r2_ruleAudit records content must contain valid information to allow for proper incident reporting.
SV-31558r2_ruleProduct engineering access to the Hardware Management Console must be disabled.
SV-31580r2_ruleConnection to the Internet for IBM remote support must be in compliance with the Remote Access STIGs.
SV-31588r2_ruleA maximum of 60-minute delay must be specified for the password retry after 3 failed attempts to enter your password
SV-31589r2_ruleConnection to the Internet for IBM remote support must be in compliance with mitigations specified in the Ports and Protocols and Services Management (PPSM) requirements.