Securing Your HMC

Edit: Some links no longer work

Originally posted April 3, 2018 on AIXchange

IBM developerWorks has a nice article about securing your HMC:

If you use Power HMC and are looking for information on how to secure your HMC, you are at the right place. Default configuration of HMC is good enough for most enterprise users. You will find steps to harden HMC further based on your corporate security standards. The steps mentioned below work on HMC V8.8.4.0 and later. It is recommended that every HMC is set to minimum at Level 1. You may choose to go to Level 2 and Level 3 depending on your environment and corporate security requirements. If necessary, please check with your corporate security compliance team before making these changes.

The document includes instructions for changing passwords, setting up accounts for each HMC user, assigning necessary roles to users, setting up LDAP, blocking ports in firewalls, etc. You’ll also find a list of HMC network ports, along with some thoughts around completely taking your HMC off of the network. There’s discussion around setting up NIST SP 800-131A compliance, ciphers and certificates, along with commands you can use to audit the HMC and audit user activity. Finally, there’s a mention about centralizing your HMC logs using rsyslog to send data to a central log server.

The end of the doc lays out the options for tracking fixes:

If you come across a hot new security vulnerability everyone is talking about, you can look at the attachment section of wiki to start with. It has a list of vulnerabilities fixed in last couple of years. You can click on CVEs to read associated security bulletin. This list will be kept up-to-date.

You can search for the latest security bulletins, check Twitter (@IBMPowereSupp) or subscribe to receive email notifications. There’s also a discussion group on LinkedIn (IBM PowerVM).

As an aside, the doc includes a recommendation to use Kali Linux to determine the OpenSSH version that’s running on your HMC. A commenter mentions that if running Kali and metasploit is frowned upon in your environment, running ssh –vvv is another way to find the OpenSSH version.

Beyond that, what do you think? This seems like useful information that we can use in our environments.