| V-256857 | | The Enterprise System Connection (ESCON) Director (ESCD) Application Console must be located in a secure location. | The ESCD Application Console is used to add, change, and delete port configurations and dynamically switch paths between devices. If the ESCON Directo... |
| V-256859 | | The ESCON Director Application Console Event log must be enabled. | The ESCON Director Console Event Log is used to record all ESCON Director changes. Failure to create an ESCON Director Application Console Event log r... |
| V-256865 | | Classified Logical Partition (LPAR) channel paths must be restricted. | Restricted LPAR channel paths are necessary to ensure data integrity. Unrestricted LPAR channel path access could result in a compromise of data integ... |
| V-256867 | | Central processors must be restricted for classified/restricted Logical Partitions (LPARs). | Allowing unrestricted access to classified processors for all LPARs could cause the corruption and loss of classified data sets, which could compromis... |
| V-256868 | | The Hardware Management Console must be located in a secure location. | The Hardware Management Console is used to perform Initial Program Load (IPLs) and control the Processor Resource/System Manager (PR/SM). If the Hardw... |
| V-256870 | | Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be disabled for all classified systems. | This feature will not be activated for any classified systems. Allowing dial-out access from the Hardware Management Console could impact the integrit... |
| V-256875 | | The manufacturer’s default passwords must be changed for all Hardware Management Console (HMC) Management software. | Changing passwords from the HMC default values blocks malicious users with knowledge of these default passwords from creating a denial of ser... |
| V-256889 | | Product engineering access to the Hardware Management Console must be disabled. | The Hardware Management Console has a built-in feature that allows Product Engineers access to the console. With access authority, IBM Product Enginee... |
| V-256890 | | Connection to the Internet for IBM remote support must be in compliance with the Remote Access STIGs. | Failure to securely connect to remote sites can leave systems open to multiple attacks and security violations through the network. Failure to securel... |
| V-256891 | | Connection to the Internet for IBM remote support must be in compliance with mitigations specified in the Ports and Protocols and Services Management (PPSM) requirements. | Failure to securely connect to remote sites can leave systems open to multiple attacks and security violations through the network. Failure to securel... |
| V-256858 | | Sign-on to the ESCD Application Console must be restricted to only authorized personnel. | The ESCD Application Console is used to add, change, and delete port configurations and to dynamically switch paths between devices. Access to the ESC... |
| V-256860 | | The Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel. | The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could resul... |
| V-256861 | | DCAF Console access must require a password to be entered by each user. | The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could resul... |
| V-256862 | | Unauthorized partitions must not exist on the system complex. | The running of unauthorized Logical Partitions (LPARs) could allow a “Trojan horse” version of the operating environment to be introduced into the sys... |
| V-256863 | | On Classified Systems, each Logical Partition (LPAR) must be restricted to read/write access to only its own IOCDS. | Unrestricted control over the IOCDS files could result in unauthorized updates and impact the configuration of the environment by allowing unauthorize... |
| V-256864 | | Processor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands. | Unrestricted control over the issuing of system commands by a Logical Partition could result in unauthorized data access and inadvertent updates. This... |
| V-256866 | | On Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data. | Allowing unrestricted access to all Logical Partition data could result in the possibility of unauthorized access and updating of data. This could als... |
| V-256869 | | Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be restricted to an authorized vendor site. | Dial-out access from the Hardware Management Console could impact the integrity of the environment, by enabling the possible introduction of spyware o... |
| V-256871 | | Access to the Hardware Management Console must be restricted to only authorized personnel. | Access to the Hardware Management Console if not properly restricted to authorized personnel could lead to a bypass of security, access to the system,... |
| V-256872 | | Access to the Hardware Management Console (HMC) must be restricted by assigning users proper roles and responsibilities. | Access to the HMC if not properly controlled and restricted by assigning users proper roles and responsibilities, could allow modification to areas ou... |
| V-256873 | | Automatic Call Answering to the Hardware Management Console must be disabled. | Automatic Call Answering to the Hardware Management Console allows unrestricted access by unauthorized personnel and could lead to a bypass of securit... |
| V-256874 | | The Hardware Management Console Event log must be active. | The Hardware Management Console controls the operation and availability of the Central Processor Complex (CPC). Failure to create and maintain the Har... |
| V-256876 | | Predefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users. | Individual task roles with access to specific resources if not created and restricted, will allow unrestricted access to system functions. The followi... |
| V-256877 | | Individual user accounts with passwords must be maintained for the Hardware Management Console operating system and application. | Without identification and authentication, unauthorized users could reconfigure the Hardware Management Console or disrupt its operation by logging in... |
| V-256878 | | The PASSWORD History Count value must be set to 10 or greater. | History Count specifies the number of previous passwords saved for each USERID and compares it with an intended new password. If there is a match with... |
| V-256879 | | The PASSWORD expiration day(s) value must be set to equal to or less than 60 days. | Expiration Day(s) specifies the maximum number of days that each user's password is valid. When a user logs on to the Hardware Management Console it c... |
| V-256880 | | Maximum failed password attempts before disable delay must be set to 3 or less. | The Maximum failed attempts before disable delay is not set to 3. This specifies the number of consecutive incorrect password attempts the Hardware Ma... |
| V-256882 | | The password values must be set to meet the requirements in accordance with DODI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (INFORMATION ASSURANCE [IA] AND COMPUTER NETWORK DEFENSE [CND]). | In accordance with DODI 8500.2 for DOD information systems processing sensitive information and above and CJCSI 6510.01E (INFORMATION ASSURANCE [IA] A... |
| V-256883 | | The terminal or workstation must lock out after a maximum of 15 minutes of inactivity, requiring the account password to resume. | If the system, workstation, or terminal does not lock the session after more than 15 minutes of inactivity, requiring a password to resume operations, ... |
| V-256884 | | The Department of Defense (DoD) logon banner must be displayed prior to any login attempt. | Failure to display the required DoD logon banner prior to a login attempt may void legal proceedings resulting from unauthorized access to system reso... |
| V-256885 | | A private web server must subscribe to certificates, issued from any DOD-authorized Certificate Authority (CA), as an access control mechanism for web users. | If the Hardware Management Console (HMC) is network-connected, use SSL encryption techniques, through digital certificates, to provide message privacy... |
| V-256886 | | Hardware Management Console audit record content data must be backed up. | The Hardware Management Console has the ability to backup and display the following data: 1) Critical console data 2) Critical hard disk information 3... |
| V-256887 | | Audit record content must contain valid information to allow for proper incident reporting. | The content of audit data must validate that the information contains: user IDs; successful and unsuccessful attempts to access security files (e.g.,... |
| V-256888 | | Hardware Management Console management must be accomplished by using the out-of-band or direct connection method. | Removing the management traffic from the production network diminishes the security profile of the Hardware Management Console servers by allowing all... |
| V-256881 | | A maximum 60-minute delay must be specified for the password retry after 3 failed attempts to enter the password. | The Maximum failed attempts before disable delay is not set to 3. This specifies the number of consecutive incorrect password attempts the Hardware Ma... |