STIGQter: STIG Summary: zOS WebsphereMQ for TSS STIG Version: 6 Release: 2 Benchmark Date: 24 Jul 2020:

WebSphere MQ MQCONN Class resources must be protected properly.

DISA Rule

SV-7542r4_rule

Vulnerability Number

V-6962

Group Title

ZWMQ0052

Rule Version

ZWMQ0052

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-002234 - The information system audits the execution of privileged functions.

Weight

10

Fix Recommendation

Review the following connection resources defined to the MQCONN resource class:

Resource Authorized Users
ssid.BATCH TSO and batch job ACIDs
ssid.CICS CICS region ACIDs
ssid.IMS IMS region ACIDs
ssid.CHIN Channel initiator ACIDs

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

c) For all connection resources defined to the MQCONN resource class, ensure the following items are in effect:

1) Access authorization restricts access to the appropriate users as indicated in (b) above.
2) All access FAILUREs are logged.

The following is a sample of the commands required to allow a batch user (USER1) to connect to a queue manager (QM1):

TSS ADD(USER1) FAC(QM1MSTR)
TSS PER(USER1) MQCONN(QM1.BATCH) ACC(READ)

Check Contents

a) Refer to the following report produced by the TSS Data Collection:

- SENSITVE.RPT(WHOHMCON)

b) Review the following connection resources defined to the MQCONN resource class:

Resource Authorized Users
ssid.BATCH TSO and batch job ACIDs
ssid.CICS CICS region ACIDs
ssid.IMS IMS region ACIDs
ssid.CHIN Channel initiator ACIDs

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

c) For all connection resources defined to the MQCONN resource class, ensure the following items are in effect:

1) Access authorization restricts access to the appropriate users as indicated in (b) above.
2) All access FAILUREs are logged.

d) If all of the items in (c) are true, there is NO FINDING.

e) If any item in (c) is untrue, this is a FINDING.

Vulnerability Number

V-6962

Documentable

False

Rule Version

ZWMQ0052

Severity Override Guidance

a) Refer to the following report produced by the TSS Data Collection:

- SENSITVE.RPT(WHOHMCON)

b) Review the following connection resources defined to the MQCONN resource class:

Resource Authorized Users
ssid.BATCH TSO and batch job ACIDs
ssid.CICS CICS region ACIDs
ssid.IMS IMS region ACIDs
ssid.CHIN Channel initiator ACIDs

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

c) For all connection resources defined to the MQCONN resource class, ensure the following items are in effect:

1) Access authorization restricts access to the appropriate users as indicated in (b) above.
2) All access FAILUREs are logged.

d) If all of the items in (c) are true, there is NO FINDING.

e) If any item in (c) is untrue, this is a FINDING.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

3599

Comments