Check: HMC0080
IBM Hardware Management Console (HMC) STIG:
HMC0080
(in version v1 r5)
Title
The manufacturer’s default passwords must be changed for all Hardware Management Console (HMC) Management software. (Cat I impact)
Discussion
The changing of passwords from the HMC default values, blocks malicious users with knowledge of these default passwords, from creating a denial of service or from reconfiguring the HMC topology leading to a compromise of sensitive data. The system administrator will ensure that the manufacturer’s default passwords are changed for all HMC management software.
Check Content
Have the System Administrator logon to the HMC and validate that all default passwords have been changed. Go to task Modify User, select user, select Modify and enter and confirm new password. User ID Default Password • OPERATOR PASSWORD • ADVANCED PASSWORD • SYSPROG PASSWORD • ACSADMIN PASSWORD The System Administrator is to validate that each user has his/her own user ID and password and that sharing of user-IDs and passwords is not permitted. Default user IDs and passwords are established as part of a base HMC. The System Administrator must assign new user IDs and passwords for each user and remove the default user IDs as soon as the HMC is installed by using the User Profiles task or the Manage Users Wizard. If all the default passwords have not been changed, and each user is not assigned a separate user ID and password, then this is a FINDING
Fix Text
The System Administrator must logon to the HMC and validate that all Default Passwords have been changed. User ID Default Password OPERATOR PASSWORD ADVANCED PASSWORD SYSPROG PASSWORD ACSADMIN PASSWORD Default user IDs and passwords are established as part of a base HMC. The System Administrator must assign new user IDs and passwords for each user and remove the default user IDs as soon as the HMC is installed by using the User Profiles task or the Manage Users Wizard. Go to task Modify User, select user, select Modify and enter and confirm new password.
Additional Identifiers
Rule ID: SV-30021r2_rule
Vulnerability ID: V-24353
Group Title: HMC0080
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001989 |
The organization manages information system authenticators by changing default content of authenticators prior to information system installation. |
Controls
Number | Title |
---|---|
IA-5 |
Authenticator Management |