Check: HMC0210
IBM Hardware Management Console (HMC) STIG:
HMC0210
(in versions v2 r1 through v1 r5)
Title
Product engineering access to the Hardware Management Console must be disabled. (Cat I impact)
Discussion
The Hardware Management Console has a built-in feature that allows Product Engineers access to the console. With access authority, IBM Product Engineering can log on the Hardware Management Console with an exclusive user identification (ID) that provides tasks and operations for problem determination. Product Engineering access is provided by a reserved password and permanent user ID. You cannot view, discard, or change the password and user ID, but you can control their use for accessing the Hardware Management Console. User IDs and passwords that are hard-coded and cannot be modified are a violation of NIST 800-53 and multiple other compliance regulations. Failure to disable this access would allow unauthorized access and could lead to security violations on the HMC.
Check Content
Have the System Administrator or System Programmer validate that IBM Product Engineering access to the Hardware Management Console is disabled. This can be checked under the classic style user interface; this task is found under the Hardware Management Console Settings console action. Open the Customize Product Engineering Access task. The Customize Product Engineering Access window is displayed. Select the appropriate accesses for product engineering or remote product engineering. (Both should be disabled.) Click OK to save the changes and exit the task. If access to the Customize Product Engineering Access is not disabled, than this is a finding.
Fix Text
The System Administrator or System Programmer will set the Product Engineering Access control for product engineering or remote product engineering to a disabled status. This can be checked under the classic style user interface; this task is found under the Hardware Management Console Settings console action. Open the Customize Product Engineering Access task. The Customize Product Engineering Access window is displayed. Select the appropriate accesses for product engineering or remote product engineering. (Both should be disabled) Click OK to save the changes and exit the task.
Additional Identifiers
Rule ID: SV-256889r958726_rule
Vulnerability ID: V-256889
Group Title: SRG-OS-000324-GPOS-00125
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001762 |
Disable or remove organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure. |
| CCI-002235 |
Prevent non-privileged users from executing privileged functions. |