STIGQter: STIG Summary: zOS WebsphereMQ for RACF STIG Version: 6 Release: 2 Benchmark Date: 24 Jul 2020:

WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements.

DISA Rule

SV-7554r3_rule

Vulnerability Number

V-6973

Group Title

ZWMQ0059

Rule Version

ZWMQ0059

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-002234 - The information system audits the execution of privileged functions.

Weight

10

Fix Recommendation

Command security validates userids authorized to issue MQSeries / WebSphere MQ commands. Command security will be active

For all command resources (i.e., ssid.command) defined to the MQCMDS resource class, ensure the following items are in effect:

NOTE 1: ssid is the queue manager name (a.k.a., subsystem identifier).

1) Resource profiles are defined with a UACC(NONE).
2) Access authorization restricts access to the appropriate personnel as designated in the table entitled "Websphere MQ Command Security Controls " in the zOS STIG Addendum.
3) All command access is logged as designated in the table entitled "Websphere MQ Command Security Controls" in the zOS STIG Addendum.

A set of sample commands are provided below to implement the minimum profiles necessary for proper security.

/* THE FOLLOWING PROFILE FORCES GRANULAR PROFILES DEFINITIONS */
RDEF MQCMDS ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQCMDS DENY-BY-DEFAULT PROFILE')

RDEF MQCMDSN <ssid>.<CmdName>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MQCMDS Required See ZWMQ0059')

PE <ssid>.<CmdNAme>.** CL(MQCMDS) ID(<autherizeduser>) ACC(C)

SETR RACL(MQCMDS) REF

Note that an additional WebSphere MQ Refresh may be required for active Qmanagers. This is done from the CONSOLE:

The example is for a Que Manager Named QMD1
>QMD1 REFRESH SECURITY(*)

Check Contents

a) Refer to the following reports produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(MQCMDS)

b) For all command resources (i.e., ssid.command) defined to the MQCMDS resource class, ensure the following items are in effect:

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

1) Resource profiles are defined with a UACC(NONE).
2) Access authorization restricts access to the appropriate personnel as designated in the Websphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum.
3) All command access is logged as designated in the Websphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum.

c) If all of the items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

Vulnerability Number

V-6973

Documentable

False

Rule Version

ZWMQ0059

Severity Override Guidance

a) Refer to the following reports produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(MQCMDS)

b) For all command resources (i.e., ssid.command) defined to the MQCMDS resource class, ensure the following items are in effect:

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

1) Resource profiles are defined with a UACC(NONE).
2) Access authorization restricts access to the appropriate personnel as designated in the Websphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum.
3) All command access is logged as designated in the Websphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum.

c) If all of the items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

3597

Comments