Check: HMC0210
IBM Hardware Management Console (HMC) STIG:
HMC0210
(in version v1 r5)
Title
Product engineering access to the Hardware Management Console must be disabled. (Cat I impact)
Discussion
The Hardware Management Console has a built-in feature that allows Product Engineers access to the console. With access authority, IBM Product Engineering can log on the Hardware Management Console with an exclusive user identification (ID) that provides tasks and operations for problem determination. Product Engineering access is provided by a reserved password and permanent user ID. You cannot view, discard, or change the password and user ID, but you can control their use for accessing the Hardware Management Console. User IDs and passwords that are hard-coded and cannot be modified are a violation of NIST 800-53 and multiple other compliance regulations. Failure to disable this access would allow unauthorized access and could lead to security violations on the HMC.
Check Content
Have the System Administrator or System Programmer validate that IBM Product Engineering access to the Hardware Management Console is disabled. This can be checked under the classic style user interface; this task is found under the Hardware Management Console Settings console action. Open the Customize Product Engineering Access task. The Customize Product Engineering Access window is displayed. Select the appropriate accesses for product engineering or remote product engineering. (Both should be disabled.) Click OK to save the changes and exit the task. If access to the Customize Product Engineering Access is not disabled, than this is a finding.
Fix Text
The System Administrator or System Programmer will set the Product Engineering Access control for product engineering or remote product engineering to a disabled status. This can be checked under the classic style user interface; this task is found under the Hardware Management Console Settings console action. Open the Customize Product Engineering Access task. The Customize Product Engineering Access window is displayed. Select the appropriate accesses for product engineering or remote product engineering. (Both should be disabled) Click OK to save the changes and exit the task.
Additional Identifiers
Rule ID: SV-31558r2_rule
Vulnerability ID: V-25388
Group Title: HMC0210
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001762 |
The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure. |
Controls
Number | Title |
---|---|
CM-7 (1) |
Periodic Review |