Skip to content

III - Administrative Sensitive

Rules and Groups employed by this XCCDF Profile

  • HLESC020

    <GroupDescription></GroupDescription>
    Group
  • Sign-on to the ESCD Application Console must be restricted to only authorized personnel.

    &lt;VulnDiscussion&gt;The ESCD Application Console is used to add, change, and delete port configurations and to dynamically switch paths between d...
    Rule Medium Severity
  • HLESC030

    <GroupDescription></GroupDescription>
    Group
  • The ESCON Director Application Console Event log must be enabled.

    &lt;VulnDiscussion&gt;The ESCON Director Console Event Log is used to record all ESCON Director Changes. Failure to create an ESCON Director Applic...
    Rule High Severity
  • HLESC080

    <GroupDescription></GroupDescription>
    Group
  • The Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel.

    &lt;VulnDiscussion&gt;The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthori...
    Rule Medium Severity
  • HMC0010

    <GroupDescription></GroupDescription>
    Group
  • The Hardware Management Console must be located in a secure location.

    &lt;VulnDiscussion&gt;The Hardware Management Console is used to perform Initial Program Load (IPLs) and control the Processor Resource/System Mana...
    Rule High Severity
  • HMC0030

    <GroupDescription></GroupDescription>
    Group
  • Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be restricted to an authorized vendor site.

    &lt;VulnDiscussion&gt;Dial-out access from the Hardware Management Console could impact the integrity of the environment, by enabling the possible ...
    Rule Medium Severity
  • HMC0040

    <GroupDescription></GroupDescription>
    Group
  • Access to the Hardware Management Console must be restricted to only authorized personnel.

    &lt;VulnDiscussion&gt;Access to the Hardware Management Console if not properly restricted to authorized personnel could lead to a bypass of securi...
    Rule Medium Severity
  • HMC0050

    <GroupDescription></GroupDescription>
    Group
  • Automatic Call Answering to the Hardware Management Console must be disabled.

    &lt;VulnDiscussion&gt;Automatic Call Answering to the Hardware Management Console allows unrestricted access by unauthorized personnel and could le...
    Rule Medium Severity
  • HMC0070

    <GroupDescription></GroupDescription>
    Group
  • The Hardware Management Console Event log must be active.

    &lt;VulnDiscussion&gt;The Hardware Management Console controls the operation and availability of the Central Processor Complex (CPC). Failure to cr...
    Rule Medium Severity
  • HMC0080

    <GroupDescription></GroupDescription>
    Group
  • The manufacturer’s default passwords must be changed for all Hardware Management Console (HMC) Management software.

    &lt;VulnDiscussion&gt;The changing of passwords from the HMC default values, blocks malicious users with knowledge of these default passwords, from...
    Rule High Severity
  • HMC0090

    <GroupDescription></GroupDescription>
    Group
  • Predefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users.

    &lt;VulnDiscussion&gt;Individual task roles with access to specific resources if not created and restricted, will allow unrestricted access to syst...
    Rule Medium Severity
  • HMC0100

    <GroupDescription></GroupDescription>
    Group
  • Individual user accounts with passwords must be maintained for the Hardware Management Console operating system and application.

    &lt;VulnDiscussion&gt;Without identification and authentication, unauthorized users could reconfigure the Hardware Management Console or disrupt it...
    Rule Medium Severity
  • HMC0110

    <GroupDescription></GroupDescription>
    Group
  • The PASSWORD History Count value must be set to 10 or greater.

    &lt;VulnDiscussion&gt;History Count specifies the number of previous passwords saved for each USERID and compares it with an intended new password....
    Rule Medium Severity
  • HMC0120

    <GroupDescription></GroupDescription>
    Group
  • The PASSWORD expiration day(s) value must be set to equal or less then 60 days.

    &lt;VulnDiscussion&gt;Expiration Day(s) specifies the maximum number of days that each user's password is valid. When a user logs on to the Hardwar...
    Rule Medium Severity
  • HMC0130

    <GroupDescription></GroupDescription>
    Group
  • Maximum failed password attempts before disable delay must be set to 3 or less.

    &lt;VulnDiscussion&gt;The Maximum failed attempts before disable delay is not set to 3. This specifies the number of consecutive incorrect password...
    Rule Medium Severity
  • HMC0140

    <GroupDescription></GroupDescription>
    Group
  • The password values must be set to meet the requirements in accordance with DoDI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (INFORMATION ASSURANCE (IA) AND COMPUTER NETWORK DEFENSE (CND)).

    &lt;VulnDiscussion&gt;In accordance with DoDI 8500.2 for DoD information systems processing sensitive information and above and CJCSI 6510.01E (INF...
    Rule Medium Severity
  • HMC0150

    <GroupDescription></GroupDescription>
    Group
  • The terminal or workstation must lock out after a maximum of 15 minutes of inactivity, requiring the account password to resume.

    &lt;VulnDiscussion&gt;If the system, workstation, or terminal does not lock the session after more than15 minutes of inactivity, requiring a passwo...
    Rule Medium Severity
  • HMC0160

    <GroupDescription></GroupDescription>
    Group
  • The Department of Defense (DoD) logon banner must be displayed prior to any login attempt.

    &lt;VulnDiscussion&gt;Failure to display the required DoD logon banner prior to a login attempt may void legal proceedings resulting from unauthori...
    Rule Medium Severity
  • HMC0170

    <GroupDescription></GroupDescription>
    Group
  • A private web server must subscribe to certificates, issued from any DoD-authorized Certificate Authority, as an access control mechanism for web users.

    &lt;VulnDiscussion&gt;If the Hardware Management Consoles (HMC) is network-connected, use SSL encryption techniques, through digital certificates t...
    Rule Medium Severity
  • HMC0180

    <GroupDescription></GroupDescription>
    Group
  • Hardware Management Console audit record content data must be backed up.

    &lt;VulnDiscussion&gt;The Hardware Management Console has the ability to backup and display the following data: 1) Critical console data 2) Critica...
    Rule Medium Severity
  • HMC0200

    <GroupDescription></GroupDescription>
    Group
  • Hardware Management Console management must be accomplished by using the out-of-band or direct connection method.

    &lt;VulnDiscussion&gt;Removing the management traffic from the production network diminishes the security profile of the Hardware Management Consol...
    Rule Medium Severity
  • HLP0010

    <GroupDescription></GroupDescription>
    Group
  • Unauthorized partitions must not exist on the system complex.

    &lt;VulnDiscussion&gt;The running of unauthorized Logical Partitions (LPARs) could allow a “Trojan horse” version of the operating environment to b...
    Rule Medium Severity
  • HLP0020

    <GroupDescription></GroupDescription>
    Group
  • On Classified Systems, Logical Partition must be restricted with read/write access to only its own IOCDS.

    &lt;VulnDiscussion&gt;Unrestricted control over the IOCDS files could result in unauthorized updates and impact the configuration of the environmen...
    Rule Medium Severity
  • HLP0030

    <GroupDescription></GroupDescription>
    Group
  • Processor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands.

    &lt;VulnDiscussion&gt;Unrestricted control over the issuing of system commands by a Logical Partition could result in unauthorized data access and ...
    Rule Medium Severity
  • HLP0040

    <GroupDescription></GroupDescription>
    Group
  • Classified Logical Partition (LPAR) channel paths must be restricted.

    &lt;VulnDiscussion&gt;Restricted LPAR channel paths are necessary to ensure data integrity. Unrestricted LPAR channel path access could result in a...
    Rule High Severity
  • HLP0050

    <GroupDescription></GroupDescription>
    Group
  • On Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data.

    &lt;VulnDiscussion&gt;Allowing unrestricted access to all Logical Partition data could result in the possibility of unauthorized access and updatin...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules