STIGQter: STIG Summary: zOS WebsphereMQ for ACF2 STIG Version: 6 Release: 2 Benchmark Date: 24 Jul 2020:

WebSphere MQ MQCONN Class resources must be protected in accordance with security.

DISA Rule

SV-7263r4_rule

Vulnerability Number

V-6962

Group Title

ZWMQ0052

Rule Version

ZWMQ0052

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-002234 - The information system audits the execution of privileged functions.

Weight

10

Fix Recommendation

Ensure all connections to MQSeries/WebSphere MQ resources are restricted using connection security.

Ensure the following connection resources defined to TYPE(MQK) (i.e., MQCONN resource class):

Resource Authorized Users
ssid.BATCH TSO and batch job userids
ssid.CICS CICS region userids
ssid.IMS IMS region userids
ssid.CHIN Channel initiator userids

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

For all connection resources defined to TYPE(MQK), ensure the following items are in effect:

Access authorization to these connections restricts access to the appropriate users as indicated above.

All access FAILURE is logged.

Example:

$KEY(ssid) TYPE(MQK)
BATCH UID(STCssid) SERVICE(READ)
BATCH UID(syspaudt) SERVICE(READ)
BATCH UID(*) PREVENT
CHIN UID(STCssidCHIN) SERVICE(READ)
CHIN UID(*) PREVENT
CICS UID(*) PREVENT
IMS UID(*) PREVENT

Check Contents

a) Refer to the following report produced by the ACF2 Data Collection:

- SENSITVE.RPT(MQCONN)
- ACF2CMDS.RPT(RESOURCE) – Alternate report

b) Review the following connection resources defined to TYPE(MQK) (i.e., MQCONN resource class):

Resource Authorized Users
ssid.BATCH TSO and batch job userids
ssid.CICS CICS region userids
ssid.IMS IMS region userids
ssid.CHIN Channel initiator userids

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

c) For all connection resources defined to TYPE(MQK), ensure the following items are in effect:

1) Access authorization to these connections restricts access to the appropriate users as indicated in (b).
2) All access FAILUREs are logged.

d) If both of the items in (c) are true, there is NO FINDING.

e) If either item in (c) is untrue, this is a FINDING.

Vulnerability Number

V-6962

Documentable

False

Rule Version

ZWMQ0052

Severity Override Guidance

a) Refer to the following report produced by the ACF2 Data Collection:

- SENSITVE.RPT(MQCONN)
- ACF2CMDS.RPT(RESOURCE) – Alternate report

b) Review the following connection resources defined to TYPE(MQK) (i.e., MQCONN resource class):

Resource Authorized Users
ssid.BATCH TSO and batch job userids
ssid.CICS CICS region userids
ssid.IMS IMS region userids
ssid.CHIN Channel initiator userids

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

c) For all connection resources defined to TYPE(MQK), ensure the following items are in effect:

1) Access authorization to these connections restricts access to the appropriate users as indicated in (b).
2) All access FAILUREs are logged.

d) If both of the items in (c) are true, there is NO FINDING.

e) If either item in (c) is untrue, this is a FINDING.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

3595

Comments