On Thu, Feb 24, 2022 at 01:57:26PM +0000, Vincencio Michaelis via IBM Community wrote:
> i know not to assign to a partition but this is not clsoing my
> security risc here...i want to disable simply by firmware FSP
I'm trying to understand why this is a risk.
POWER systems aren't a desktop running Windoze which can be infected
by common viruses which might be written to random USB
sticks. AIX/VIOs doesn't even read common filesystem types.
The only security vector I can see is the USB firmware update
option. That requires signed firmware files so it's a fairly low risk
and exotic vector.
Please let me know if you find a way to disable that. Perhaps there is
an option in the FSP interface, because I've never seen anything on
the HMC.
------------------------------------------------------------------
Russell Adams
Russell.Adams@AdamsSystems.nlPrincipal Consultant Adams Systems Consultancy
http://adamssystems.nl/
Original Message:
Sent: 2/24/2022 8:57:00 AM
From: Vincencio Michaelis
Subject: RE: Disabling USB port in Power HW / HMC
hi
i know not to assign to a partition but this is not clsoing my security risc here...i want to disable simply by firmware FSP
------------------------------
Vincencio Michaelis
------------------------------
Original Message:
Sent: Thu February 24, 2022 08:54 AM
From: Russell Adams
Subject: Disabling USB port in Power HW / HMC
On Thu, Feb 24, 2022 at 01:32:55PM +0000, Vincencio Michaelis via IBM Community wrote:
> we cannot find a way to disable USB on P8 .
> Where can i disable USB on P8 machines e.g. E880 ?
Don't assign the USB controller to any LPAR.
Once that's done, the only other vector would be the firmware update
that can be performed by USB. Please share if you find a way to
disable that.
Would a locked cabinet answer their question?
------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
http://adamssystems.nl/
Original Message:
Sent: 2/24/2022 8:33:00 AM
From: Vincencio Michaelis
Subject: RE: Disabling USB port in Power HW / HMC
Hello
we cannot find a way to disable USB on P8 .
Where can i disable USB on P8 machines e.g. E880 ?
Thx
vince
------------------------------
Vincencio Michaelis
Original Message:
Sent: Thu February 24, 2022 02:54 AM
From: Tommi Sihvo
Subject: Disabling USB port in Power HW / HMC
Excellent!
This is exactly what I was looking for, Many Thanks Douglas! :)
Br,
tommi
------------------------------
Tommi Sihvo, Lead Service Architect
TietoEVRY, Compute Services
email tommi.sihvo@tietoevry.com mobile +358 (0)40 5180 Finland
Original Message:
Sent: Wed February 23, 2022 09:16 AM
From: Douglas Gibbs
Subject: Disabling USB port in Power HW / HMC
Hello,
This should help you.
From the ASMI menu log in as the admin user, then expand the System Configuration menu, expand Security and select USB Policy. From here you can enable or disable USB access on the FSP and on the CEC.
Regards,
Douglas
Douglas Gibbs
IO Product Manager, IBM Cognitive Systems
IBM Canada Ltd.
905-413-5334
"Tommi Sihvo via IBM Community" ---02/23/2022 06:27:31 AM---Hi, Bumped into curious thing in one security audit.
Original Message:
Sent: 2/23/2022 6:27:00 AM
From: Tommi Sihvo
Subject: Disabling USB port in Power HW / HMC
Hi,
Bumped into curious thing in one security audit.
Auditors requested evidence for "Restrict physical ports (for example, USB) as appropriate"
To be honest, I am not really sure what to answer on that one yet; I know USB ports are seen on HMC as standard IO adapters, but never before needed even
to consider how to disable those.
Any ideas? Or any official statement in documentation saying something about USB ports in Power? :-)
Br,
tommi
------------------------------
Tommi Sihvo, Lead Service Architect
TietoEVRY, Compute Services
email tommi.sihvo@tietoevry.com mobile +358 (0)40 5180 Finland
------------------------------