Check: HLP0030
IBM Hardware Management Console (HMC) STIG:
HLP0030
(in versions v2 r1 through v1 r5)
Title
Processor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands. (Cat II impact)
Discussion
Unrestricted control over the issuing of system commands by a Logical Partition could result in unauthorized data access and inadvertent updates. This could result in severe damage to system resources.
Check Content
Using the Hardware Management Console, verify that the Logical Partitions cannot issue control program commands to another Logical Partition. Use the PR/SM panel, known as the Security Definitions Page, to do this. The Cross Partition Control option must be turned off. NOTE: The default is that the Cross Partition Control option is turned off. If Processor Resource/Systems Manager (PR/SM) allows unrestricted issuing of control program commands, then this is a FINDING.
Fix Text
Review the Security Definition parameters specified under PR/SM, and turn off the Cross Partition Control option.
Additional Identifiers
Rule ID: SV-256864r958472_rule
Vulnerability ID: V-256864
Group Title: SRG-OS-000080-GPOS-00048
CCIs
Number | Definition |
---|---|
CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-000226 | The information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies. |
Controls
Number | Title |
---|---|
AC-3 | Access Enforcement |