Power Global

 View Only
Expand all | Collapse all

vHMC STIGS

  • 1.  vHMC STIGS

    Posted 14 days ago
    I am new to doing STIGS for vHMC and I need assistance. 
    I am currently doing the Version 1 Release 2 STIG.
    I don't know what I'm doing and what I'm looking at. I really just need help.

    ------------------------------
    Luis Mendez
    ------------------------------


  • 2.  RE: vHMC STIGS

    Posted 13 days ago

    I have been using the Power Systems HMC for decades but have not heard of STIGS.

    Can you elaborate on the virtual HMC you are using, or what you hope to control or let us know where the code came from?
    Cheers, Nigel



    ------------------------------
    Nigel Griffiths
    ------------------------------



  • 3.  RE: vHMC STIGS

    Posted 12 days ago
    Security Technical Implementation Guides (STIGs)
    Cyber remove preview
    Security Technical Implementation Guides (STIGs)
    The Defense Information Systems Agency recently approved the automated benchmark for the Microsoft Windows 11 Security Technical Implementation Guide (STIG), which is effective immediately upon release.
    View this on Cyber >
    IBM Hardware Management Console (HMC) STIG
    STIG Viewer | Unified Compliance Framework® remove preview
    IBM Hardware Management Console (HMC) STIG
    IBM Hardware Management Console (HMC) STIG Date Finding Count (35) 2017-09-28 CAT I (High): 10 CAT II (Med): 24 CAT III (Low): 1 STIG Description IBM Hardware Management Console is used to perform Initial Program Loads (IPLs), power on resets, shutdowns, and configuring of hardware components for system logical partitions.
    View this on STIG Viewer | Unified Compliance Framework® >




    ------------------------------
    minesh patel
    ------------------------------



  • 4.  RE: vHMC STIGS

    Posted 12 days ago
    It appears from the text in this STIG that this is HMC for the Z platform (mainframe). Sections like "ESCON Director Application", "Distributed Console Access Facility (DCAF)". Despite the same functionality, I believe there are some differences, but, I also believe that with this vision, it can be implemented the STIG for the HMC's of the Power platform.

    ------------------------------
    Marcos D. Wille
    ------------------------------



  • 5.  RE: vHMC STIGS

    Posted 13 days ago

    Hello Luis,

    just for interest. Could you post the link to the vHMC STIG here?

    Best regards

    Manfred



    ------------------------------
    Manfred Hettmann
    ------------------------------



  • 6.  RE: vHMC STIGS

    Posted 12 days ago
    Hi Nigel and Manfred,

    Security Technical Implementation Guides (
    STIGs).

    Possibly he's reading:

    https://www.stigviewer.com/stig/ibm_hardware_management_console_hmc/




    ------------------------------
    Juergen Maehlmann
    ------------------------------



  • 7.  RE: vHMC STIGS

    Posted 12 days ago
    Hi Luis
    I agree with Nigel, just that I haven't been using it for decades... just one decade so far ;)
    But your question isn't clear to me, are you trying to configure a vHMC based on ercommendations from a STIG you have or are you working with making a STIG for vHMC?
    If you are working on securing your HMC, Rob made an article about that a couple of years ago. https://robmcnelly.com/securing-your-hmc/
    @Nigel Griffiths It's another IT abbreviation Security Technical Implementation Guide.

    Brgds!
    Henrik


    ------------------------------
    Henrik Mainz
    ------------------------------



  • 8.  RE: vHMC STIGS

    Posted 9 days ago
    Hello everyone,
    Thank you all for your responses. I will message here to be able to answer all your questions.
    I am running vHMC Version 9 Release 2.
    I cannot tell you if it's for Z platform or any kind of platform because I do not know where to find that information.
    The post from Juergen Maehlmann shows the link for the STIG for HMC.
    Yes, what I am trying to do is securing our vHMC to comply with Cyber. 
    I went to the link https://robmcnelly.com/securing-your-hmc/ and I don't see where the step-by-step document is located on that link. 
    Even if find anything, I don't know what I'm looking at. Looking at the stigviewer link, I don't know what ESCON is and if it applies to the type of vHMC that I have. If I even have ESCON, where do I find it, how do I locate it? 
    Looking at the entire list in stigviewer, most of that stuff I don't know where to look or what applies.

    ------------------------------
    Luis Mendez
    ------------------------------



  • 9.  RE: vHMC STIGS

    Posted 9 days ago

    If you're using v9.2 or a virtual HMC, it isn't a z HMC- it's for POWER.

    It seems like you might have some misunderstanding's of IBM's offerings in this space.

    Hardware Management Console (general term) - Appliance that manages hardware. It is offered in 2 main "Flavors" for the 2 main IBM compute platforms- POWER or Z- these are completely different offerings and do not share a common codebase/ui/etc.

    The POWER HMC offering also has a virtual offering (vHMC) which allows running POWER HMC code in a virtual environment (PowerVM/KVM/VMware).

    The STIG you're referencing is for the zHMC platform, and is not going to get you much of anywhere with a Power HMC.



    ------------------------------
    Justin Davis
    ------------------------------



  • 10.  RE: vHMC STIGS

    Posted 9 days ago
    I know I mentioned it before that I am running vHMC v9.2.
    Since I am running vHMC, you are saying that the STIG will not work at all for vHMC that I am currently running?
    Does this mean that there will be no point in doing the STIG?
    If I do follow this particular STIG list for vHMC, what can I omit from the list that will not apply to vHMC?

    ------------------------------
    Luis Mendez
    ------------------------------



  • 11.  RE: vHMC STIGS

    Posted 8 days ago
    Hi Luis
    As Justin explained, as you are running a vHMC it can only be for Power, it does not excist for z.
    And as they are completely different appliances and do not share a common codebase/ui/etc. You can not follow the STIG you have linked to.
    It is unlikely that you will find anyone in this forum that can tell you what tto omit, I don't think that there are that many who works with both Power and Z environments and who have experience with following STIGs aswell.
    As Nigel mentioned (who is one of the most experienced I know of) heh as never heard of STIGs.
    I tried to look around in https://public.cyber.mil/ to se if I could find or search for anu STIGs for IBM Power, but as I mentioned I haven't been using them.
    So if you have a requirement business wise to setting up your vHMC based on a STIG, I would suggest reaching out to IBM in a support case asking them for a STIG for vHMC.
    The one you have is of no use to you as I understand it. 


    ------------------------------
    Henrik Mainz
    ------------------------------



  • 12.  RE: vHMC STIGS

    Posted 8 days ago
      |   view attached
    Hi again Luis
    I just managed to find and download the IBM Hardware Management Console (HMC) STIG - Ver 1, Rel 5​ from https://public.cyber.mil/stigs/downloads/
    And if you read the pdf "U_IBM_HMC_V1R5_Overview" it says clearly on page 6:
    1.1 Executive Summary
    The IBM Hardware Management Console (HMC) Overview provides guidance for secure configuration and usage of the IBM HMC Licensed Internal Code application to manage System z resources.

    So this STIG is as I interpret it solely for z-HMC's and there is none for vHMC, at least I didn't find it when searching for IBM or Power.

    ------------------------------
    Henrik Mainz
    ------------------------------

    Attachment(s)

    zip
    U_IBM_HMC_V1R5_STIG.zip   706 KB 1 version


  • 13.  RE: vHMC STIGS

    Posted 8 days ago
    Hi all,

    searched above the border and found:
    How to secure your HMC

    in IBM Power Community.

    As always this has to be read carefully and to be adjusted to the locals.

    mentioned links and commands should fit for vHMC, too.

    by example: we've put the hmc in a secured Rack, as level 1 point 2 needs physical access to hmc after reboot.

    Hmm, i assume Luis is not able to put the vHMC inside a secured rack, but possibly the machine, where the vHMC is running has to be inside a secured rack ;-)

    In any case the "normal" ssh- and webgui-hardening can be taken as a leading hint, what has to be enabled or disabled - as far as possible with used hmc-version.


    ------------------------------
    Juergen Maehlmann
    ------------------------------



  • 14.  RE: vHMC STIGS

    Posted 8 days ago
    Edited by Justin Davis 8 days ago

    There are a fair number of things in the STIG that should be done on a Power (physical or virtual) HMC as well, the issue is that Luis would need to go through and determine the mechanisms for implementing the changes.

    That being said- if there isn't a STIG written, I would think you can't really follow one... but I don't work in a space that requires following the STIG guidelines- that'd be a question for your BISO/CISO/next level of security compliance support. Also might be worth a question to IBM support, it does seems as though there is a mechanism for Vendors to build STIG's in conjunction with DISA. https://public.cyber.mil/stigs/vendor-process/



    ------------------------------
    Justin Davis
    ------------------------------



  • 15.  RE: vHMC STIGS

    Posted 7 days ago
    Thank you gentlemen for all the information that you have provided. 
    I am currently looking at the link that Juergen Maehlmann has provided. It does give me some information. 
    I have reached out to IBM for help but for some reason, we do not have support for this. Guess the contract we have does not extend to this level of support. This is why I am reaching out through the community instead.
    I think that I might have to review each STIG and see if there is a difference between zHMC and vHMC. It will take a bit longer doing this but might be the only way at the moment.

    ------------------------------
    Luis Mendez
    ------------------------------