STIG Summary: zOS WebsphereMQ for ACF2 STIG, Version: 6, Release: 2, Benchmark Date: 24 Jul 2020

WebSphere MQ started tasks are not defined in accordance with the proper security requirements.

DISA Rule

SV-3904r2_rule

Vulnerability Number

V-3904

Group Title

ZWMQ0030

Rule Version

ZWMQ0030

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The IAO will ensure that all MQSeries/WebSphere MQ started tasks are properly defined.

Review MQSeries/WebSphere MQ started tasks and ensure the following items are in effect:

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).
ssidMSTR is the name of a queue manager STC.
ssidCHIN is the name of a distributed queuing (a.k.a., channel initiator) STC.

1) Each MQSeries/WebSphere MQ started task is associated with a unique logonid.

2) Each MQSeries/WebSphere MQ STC logonid has the attributes of STC, MUSASS, and NO-SMC.

Example:

SET LID
INSERT ssid.MSTR NAME(MQseries, STC) STC MUSASS NO-SMC

INSERT ssid.CHIN NAME(MQseries, STC) STC MUSASS NO-SMC

Check Contents

a) Refer to the following reports produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(LOGONIDS)
- ACF2CMDS.RPT(ATTSTC)

Provide a list of all WebSphere MQ Subsystem Ids (Queue managers) and Release levels.

b) Review WebSphere MQ started tasks and ensure the following items are in effect:

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).
ssidMSTR is the name of a queue manager STC.
ssidCHIN is the name of a distributed queuing (a.k.a., channel initiator) STC.

1) Each ssidMSTR and ssidCHIN started task is associated with a unique logonid.
2) Each ssidMSTR and ssidCHIN STC logonid has the attributes of STC, MUSASS, and NO-SMC.

c) If both of the items in (b) are true, there is NO FINDING.

d) If either item in (b) is untrue, this is a FINDING.
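
The decision in items (b)(1) and (b)(2) can be scripted once the report data has been extracted. The following is an added example, not part of the STIG or of the ACF2 Data Collection: it assumes the reviewer has already pulled a started-task-to-logonid mapping and a logonid-to-attributes mapping out of the LOGONIDS and ATTSTC reports, and every queue manager name and logonid in it is a constructed sample value.

```python
# Attributes that item (b)(2) requires on every MQ STC logonid.
REQUIRED = {"STC", "MUSASS", "NO-SMC"}

def mq_stc_names(ssids):
    """Expand queue manager names into their ssidMSTR / ssidCHIN STC names."""
    return [ssid + suffix for ssid in ssids for suffix in ("MSTR", "CHIN")]

def check_zwmq0030(mq_stcs, stc_logonid, logonid_attrs):
    """Return finding strings for items (b)(1) and (b)(2); [] means NO FINDING.

    mq_stcs       : MQ started task names to review
    stc_logonid   : every started task on the system -> logonid it runs under
    logonid_attrs : logonid -> set of attributes set on that logonid
    """
    users = {}  # logonid -> all started tasks that run under it
    for stc, lid in stc_logonid.items():
        users.setdefault(lid, set()).add(stc)

    findings = []
    for stc in mq_stcs:
        lid = stc_logonid.get(stc)
        if lid is None:
            findings.append(f"{stc}: no logonid associated")
            continue
        others = sorted(users[lid] - {stc})   # (b)(1): logonid must be unique
        if others:
            findings.append(f"{stc}: logonid {lid} also used by {', '.join(others)}")
        missing = sorted(REQUIRED - logonid_attrs.get(lid, set()))  # (b)(2)
        if missing:
            findings.append(f"{stc}: logonid {lid} lacks {', '.join(missing)}")
    return findings

# Constructed sample data (hypothetical queue managers QM1A and QM2B).
SAMPLE_SSIDS = ["QM1A", "QM2B"]
SAMPLE_STC_LOGONID = {
    "QM1AMSTR": "QM1AMSTR", "QM1ACHIN": "QM1ACHIN",
    "QM2BMSTR": "MQSTC", "QM2BCHIN": "MQSTC",      # shared logonid
}
SAMPLE_ATTRS = {
    "QM1AMSTR": {"STC", "MUSASS", "NO-SMC"},
    "QM1ACHIN": {"STC", "MUSASS"},                 # NO-SMC not set
    "MQSTC": {"STC", "MUSASS", "NO-SMC"},
}

if __name__ == "__main__":
    result = check_zwmq0030(mq_stc_names(SAMPLE_SSIDS), SAMPLE_STC_LOGONID, SAMPLE_ATTRS)
    print("NO FINDING" if not result else "FINDING:\n  " + "\n  ".join(result))
```
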

Documentable

False

Severity Override Guidance

a) Refer to the following reports produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(LOGONIDS)
- ACF2CMDS.RPT(ATTSTC)

Provide a list of all WebSphere MQ Subsystem Ids (Queue managers) and Release levels.

b) Review WebSphere MQ started tasks and ensure the following items are in effect:

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).
ssidMSTR is the name of a queue manager STC.
ssidCHIN is the name of a distributed queuing (a.k.a., channel initiator) STC.

1) Each ssidMSTR and ssidCHIN started task is associated with a unique logonid.
2) Each ssidMSTR and ssidCHIN STC logonid has the attributes of STC, MUSASS, and NO-SMC.

c) If both of the items in (b) are true, there is NO FINDING.

d) If either item in (b) is untrue, this is a FINDING.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

3363

Comments