Hi all,
Searched above the border and found:
How to secure your HMC in IBM Power Community.
As always, this has to be read carefully and adjusted to the local conditions.
The mentioned links and commands should fit for vHMC, too.
For example: we've put the HMC in a secured rack, as level 1 point 2 needs physical access to the HMC after reboot.
Hmm, I assume Luis is not able to put the vHMC inside a secured rack, but possibly the machine where the vHMC is running has to be inside a secured rack ;-)
In any case, the "normal" SSH and web GUI hardening can be taken as a leading hint for what has to be enabled or disabled, as far as possible with the HMC version in use.
------------------------------
Juergen Maehlmann
------------------------------
Original Message:
Sent: Tue November 29, 2022 10:54 AM
From: Henrik Mainz
Subject: vHMC STIGS
Hi again Luis
I just managed to find and download the IBM Hardware Management Console (HMC) STIG - Ver 1, Rel 5 from https://public.cyber.mil/stigs/downloads/
And if you read the pdf "U_IBM_HMC_V1R5_Overview" it says clearly on page 6:
1.1 Executive Summary
The IBM Hardware Management Console (HMC) Overview provides guidance for secure configuration and usage of the IBM HMC Licensed Internal Code application to manage System z resources.
So this STIG is, as I interpret it, solely for z-HMCs and there is none for vHMC, at least I didn't find it when searching for IBM or Power.
------------------------------
Henrik Mainz
Original Message:
Sent: Tue November 29, 2022 10:43 AM
From: Henrik Mainz
Subject: vHMC STIGS
Hi Luis
As Justin explained, as you are running a vHMC it can only be for Power, it does not exist for z.
And as they are completely different appliances and do not share a common codebase/ui/etc., you cannot follow the STIG you have linked to.
It is unlikely that you will find anyone in this forum that can tell you what to omit. I don't think that there are that many who work with both Power and Z environments and who have experience with following STIGs as well.
As Nigel mentioned (who is one of the most experienced I know of), he has never heard of STIGs.
I tried to look around in https://public.cyber.mil/ to see if I could find or search for any STIGs for IBM Power, but as I mentioned I haven't been using them.
So if you have a requirement business-wise to set up your vHMC based on a STIG, I would suggest reaching out to IBM in a support case asking them for a STIG for vHMC.
The one you have is of no use to you as I understand it.
------------------------------
Henrik Mainz
Original Message:
Sent: Mon November 28, 2022 12:05 PM
From: Luis Mendez
Subject: vHMC STIGS
I know I mentioned it before that I am running vHMC v9.2.
Since I am running vHMC, you are saying that the STIG will not work at all for vHMC that I am currently running?
Does this mean that there will be no point in doing the STIG?
If I do follow this particular STIG list for vHMC, what can I omit from the list that will not apply to vHMC?
------------------------------
Luis Mendez
Original Message:
Sent: Mon November 28, 2022 11:04 AM
From: Justin Davis
Subject: vHMC STIGS
If you're using v9.2 or a virtual HMC, it isn't a z HMC - it's for POWER.
It seems like you might have some misunderstandings of IBM's offerings in this space.
Hardware Management Console (general term) - Appliance that manages hardware. It is offered in 2 main "Flavors" for the 2 main IBM compute platforms - POWER or Z - these are completely different offerings and do not share a common codebase/ui/etc.
The POWER HMC offering also has a virtual offering (vHMC) which allows running POWER HMC code in a virtual environment (PowerVM/KVM/VMware).
The STIG you're referencing is for the zHMC platform, and is not going to get you much of anywhere with a Power HMC.
------------------------------
Justin Davis
Original Message:
Sent: Mon November 28, 2022 09:57 AM
From: Luis Mendez
Subject: vHMC STIGS
Hello everyone,
Thank you all for your responses. I will message here to be able to answer all your questions.
I am running vHMC Version 9 Release 2.
I cannot tell you if it's for Z platform or any kind of platform because I do not know where to find that information.
The post from Juergen Maehlmann shows the link for the STIG for HMC.
Yes, what I am trying to do is securing our vHMC to comply with Cyber.
I went to the link https://robmcnelly.com/securing-your-hmc/ and I don't see where the step-by-step document is located on that link.
Even if I find anything, I don't know what I'm looking at. Looking at the stigviewer link, I don't know what ESCON is and if it applies to the type of vHMC that I have. If I even have ESCON, where do I find it, how do I locate it?
Looking at the entire list in stigviewer, most of that stuff I don't know where to look or what applies.
------------------------------
Luis Mendez
Original Message:
Sent: Wed November 23, 2022 02:04 PM
From: Luis Mendez
Subject: vHMC STIGS
I am new to doing STIGS for vHMC and I need assistance.
I am currently doing the Version 1 Release 2 STIG.
I don't know what I'm doing and what I'm looking at. I really just need help.
------------------------------
Luis Mendez
------------------------------