Skip to content
Log In

III - Administrative Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • Sign-on to the ESCD Application Console must be restricted to only authorized personnel.

    The ESCD Application Console is used to add, change, and delete port configurations and to dynamically switch paths between devices. Access to the ESCD Application Console is restricted to three cl...
    Rule Medium Severity
    Show

  • SRG-OS-000062-GPOS-00031

    Group
    Show

  • The ESCON Director Application Console Event log must be enabled.

    The ESCON Director Console Event Log is used to record all ESCON Director Changes. Failure to create an ESCON Director Application Console Event log results in the lack of monitoring and accountabi...
    Rule High Severity
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • The Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel.

    The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could result in varying of ESCON Directors online or offli...
    Rule Medium Severity
    Show

  • SRG-OS-000104-GPOS-00051

    Group
    Show

  • DCAF Console access must require a password to be entered by each user.

    The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could result in varying of ESCON Directors online or offli...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • Unauthorized partitions must not exist on the system complex.

    The running of unauthorized Logical Partitions (LPARs) could allow a “Trojan horse” version of the operating environment to be introduced into the system complex. This could impact the integrity of...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • On Classified Systems, Logical Partition must be restricted with read/write access to only its own IOCDS.

    Unrestricted control over the IOCDS files could result in unauthorized updates and impact the configuration of the environment by allowing unauthorized access to a restricted resource. This could s...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Processor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands.

    Unrestricted control over the issuing of system commands by a Logical Partition could result in unauthorized data access and inadvertent updates. This could result in severe damage to system resour...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Classified Logical Partition (LPAR) channel paths must be restricted.

    Restricted LPAR channel paths are necessary to ensure data integrity. Unrestricted LPAR channel path access could result in a compromise of data integrity. When a classified LPAR exists on a mainfr...
    Rule High Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • On Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data.

    Allowing unrestricted access to all Logical Partition data could result in the possibility of unauthorized access and updating of data. This could also impact the integrity of the processing enviro...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Central processors must be restricted for classified/restricted Logical Partitions (LPARs).

    Allowing unrestricted access to classified processors for all LPARs could cause the corruption and loss of classified data sets, which could compromise classified processing.
    Rule High Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The Hardware Management Console must be located in a secure location.

    The Hardware Management Console is used to perform Initial Program Load (IPLs) and control the Processor Resource/System Manager (PR/SM). If the Hardware Management Console is not located in a secu...
    Rule High Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be restricted to an authorized vendor site.

    Dial-out access from the Hardware Management Console could impact the integrity of the environment, by enabling the possible introduction of spyware or other malicious code. It is important to note...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be disabled for all classified systems.

    This feature will not be activated for any classified systems. Allowing dial-out access from the Hardware Management Console could impact the integrity of the environment by enabling the possible i...
    Rule High Severity
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • Access to the Hardware Management Console must be restricted to only authorized personnel.

    Access to the Hardware Management Console if not properly restricted to authorized personnel could lead to a bypass of security, access to the system, and an altering of the environment. This would...
    Rule Medium Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Access to the Hardware Management Console (HMC) must be restricted by assigning users proper roles and responsibilities.

    Access to the HMC if not properly controlled and restricted by assigning users proper roles and responsibilities, could allow modification to areas outside the need-to-know and abilities of the ind...
    Rule Medium Severity
    Show

  • SRG-OS-000324-GPOS-00125

    Group
    Show

  • Automatic Call Answering to the Hardware Management Console must be disabled.

    Automatic Call Answering to the Hardware Management Console allows unrestricted access by unauthorized personnel and could lead to a bypass of security, access to the system, and an altering of the...
    Rule Medium Severity
    Show

  • SRG-OS-000062-GPOS-00031

    Group
    Show

  • The Hardware Management Console Event log must be active.

    The Hardware Management Console controls the operation and availability of the Central Processor Complex (CPC). Failure to create and maintain the Hardware Management Console Event log could result...
    Rule Medium Severity
    Show

  • SRG-OS-000480-GPOS-00227

    Group
    Show

  • The manufacturer’s default passwords must be changed for all Hardware Management Console (HMC) Management software.

    The changing of passwords from the HMC default values, blocks malicious users with knowledge of these default passwords, from creating a denial of service or from reconfiguring the HMC topology le...
    Rule High Severity
    Show

  • SRG-OS-000080-GPOS-00048

    Group
    Show

  • Predefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users.

    Individual task roles with access to specific resources if not created and restricted, will allow unrestricted access to system functions. The following is an example of some managed resource categ...
    Rule Medium Severity
    Show

  • SRG-OS-000104-GPOS-00051

    Group
    Show

  • Individual user accounts with passwords must be maintained for the Hardware Management Console operating system and application.

    Without identification and authentication, unauthorized users could reconfigure the Hardware Management Console or disrupt its operation by logging in to the system or application and execute unau...
    Rule Medium Severity
    Show

  • SRG-OS-000077-GPOS-00045

    Group
    Show

  • The PASSWORD History Count value must be set to 10 or greater.

    History Count specifies the number of previous passwords saved for each USERID and compares it with an intended new password. If there is a match with one of the previous passwords, or with the cur...
    Rule Medium Severity
    Show

  • SRG-OS-000076-GPOS-00044

    Group
    Show

  • The PASSWORD expiration day(s) value must be set to equal or less then 60 days.

    Expiration Day(s) specifies the maximum number of days that each user's password is valid. When a user logs on to the Hardware Management Console it compares the system password interval value spec...
    Rule Medium Severity
    Show

  • SRG-OS-000021-GPOS-00005

    Group
    Show

  • Maximum failed password attempts before disable delay must be set to 3 or less.

    The Maximum failed attempts before disable delay is not set to 3. This specifies the number of consecutive incorrect password attempts the Hardware Management Console allows as 3 times, before sett...
    Rule Medium Severity
    Show

  • SRG-OS-000329-GPOS-00128

    Group
    Show

  • A maximum of 60-minute delay must be specified for the password retry after 3 failed attempts to enter your password

    The Maximum failed attempts before disable delay is not set to 3. This specifies the number of consecutive incorrect password attempts the Hardware Management Console allows as 3 times, before sett...
    Rule Low Severity
    Show

  • SRG-OS-000069-GPOS-00037

    Group
    Show

  • The password values must be set to meet the requirements in accordance with DODI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (INFORMATION ASSURANCE [IA] AND COMPUTER NETWORK DEFENSE [CND]).

    In accordance with DODI 8500.2 for DOD information systems processing sensitive information and above and CJCSI 6510.01E (INFORMATION ASSURANCE [IA] AND COMPUTER NETWORK DEFENSE [CND]). The followi...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules