Check: HLESC020
IBM Hardware Management Console (HMC) STIG:
HLESC020
(in version v1 r5)
Title
Sign-on to the ESCD Application Console must be restricted to only authorized personnel. (Cat II impact)
Discussion
The ESCD Application Console is used to add, change, and delete port configurations and to dynamically switch paths between devices. Access to the ESCD Application Console is restricted to three classes of personnel: administrators, service representatives, and operators. The administrator sign-on controls passwords at all levels, the service representative sign-on allows access to maintenance procedures, and the operator sign-on allows configuration changes and use of the Director utilities. Unrestricted use by unauthorized personnel could compromise the integrity of the environment, resulting in a loss of secure operations and of data and operating environment integrity. NOTE: Many newer installations no longer support the ESCD Application Console. For installations that do not support the ESCD Application Console, this check is not applicable.
Check Content
If the ESCD Application Console is not present, this check is not applicable. If it is present, have the ESCON System Administrator verify that sign-on access to the ESCD Application Console is restricted to authorized personnel by attempting to sign on without a valid user ID and password. If sign-on succeeds without valid credentials, or sign-on access to the ESCD Application Console is otherwise not restricted, this is a finding.
Fix Text
Review access authorization to the ESCD Application Console and ensure that all personnel are restricted to authorized levels of access. The ESCD Application Console and its associated ESCON Director can be secured using passwords. Three levels of password control have been established, and each password level controls different ESCD Application Console functions. Prior to making any changes or accessing utilities or maintenance procedures, a user is required to enter a password. A password administrator must use the ESCD Application Console to enable access for an authorized user. The three levels of password authority are as follows:

Administration (Level 1): Restrict to systems programming personnel who serve as administrators. A Level 1 password allows the user to display, add, change, and delete the passwords of all ESCON Director Level 1, Level 2, and Level 3 users. It does not allow the administrator to access maintenance procedures or utilities, or to change connectivity attributes.

Maintenance (Level 2): Restrict to service representatives who perform maintenance procedures. Level 2 users cannot view other users' passwords, change passwords, change connectivity attributes, or access utilities.

Operations (Level 3): Restrict to system administrators responsible for changing connectivity attributes and accessing certain utilities. Level 3 users cannot view other users' passwords, change passwords, or perform maintenance procedures.
Additional Identifiers
Rule ID: SV-29994r3_rule
Vulnerability ID: V-24342
Group Title: HLESC020
CCIs
Number | Definition
---|---
CCI-002227 | The organization restricts privileged accounts on the information system to organization-defined personnel or roles.
CCI-002235 | The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.