STIGQter: STIG Summary: IBM MQ Appliance V9.0 AS Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 05 Jun 2017

The MQ Appliance must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

DISA Rule

SV-89577r1_rule

Vulnerability Number

V-74903

Group Title

SRG-APP-000163-AS-000111

Rule Version

MQMH-AS-001080

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Specify LDAP as the authentication method for each queue manager.

To access the MQ Appliance CLI, enter:
mqcli

runmqsc [queue manager name]

DEFINE AUTHINFO('[Object name e.g., USE.LDAP]') +
       AUTHTYPE(IDPWLDAP) +
       CONNAME('[ldap1(port),ldap2(port),ldap3(port)]') +
       SECCOMM(YES) +
       SHORTUSR('[short user name]') +
       CHCKCLNT(REQUIRED) +
       BASEDNU('[base user DN]') +
       REPLACE

Each line except the last ends in "+" so that runmqsc treats the attributes as a single command. SECCOMM(YES) ensures encryption is used on the connection to the LDAP server.

ALTER QMGR CONNAUTH('[AUTHINFO object name]')
REFRESH SECURITY TYPE(CONNAUTH)

Enter "end" to exit runmqsc mode.

Configure LDAP server to disable accounts after 35 days of inactivity.

Check Contents

To access the MQ Appliance CLI, for each queue manager, enter:
mqcli

To identify the queue managers, enter:
dspmq

For each queue manager identified, run the command:
runmqsc [queue manager name]

To display the active authentication object, enter:
DIS QMGR CONNAUTH

Result: QMNAME([queue mgr name]) CONNAUTH([auth object name])

DIS AUTHINFO('[auth object name]')

Verify that "AUTHTYPE(IDPWLDAP)" is displayed.

Verify LDAP server user settings are configured to disable accounts after "35" days of inactivity.

If "AUTHTYPE(IDPWLDAP)" is not displayed or if the LDAP server user settings are not configured to disable accounts after "35" days of inactivity, this is a finding.
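The check above is a manual read of runmqsc output. As an added example (not part of the STIG or of STIGQter), the script below parses captured output of "DIS QMGR CONNAUTH" and "DIS AUTHINFO" and reports a finding when the CONNAUTH object is missing or its AUTHTYPE is not IDPWLDAP; it also warns when SECCOMM(YES) or CHCKCLNT(REQUIRED) from the fix text is absent. The runmqsc output embedded here is constructed sample data, the message IDs and object names in it are illustrative, and the 35-day inactivity setting lives on the LDAP server, so it cannot be verified from runmqsc output and is not checked here.

```python
import re

# Constructed sample output: a queue manager configured as the fix describes.
SAMPLE_COMPLIANT = """\
     1 : DIS QMGR CONNAUTH
AMQ8408I: Display Queue Manager details.
   QMNAME(QM1)                             CONNAUTH(USE.LDAP)
     2 : DIS AUTHINFO('USE.LDAP')
AMQ8566I: Display authentication information details.
   AUTHINFO(USE.LDAP)                      AUTHTYPE(IDPWLDAP)
   BASEDNU(ou=users,o=example)             CHCKCLNT(REQUIRED)
   CONNAME(ldap1(636),ldap2(636))          SECCOMM(YES)
   SHORTUSR(cn)
"""

# Constructed sample output: a queue manager still using the OS default object.
SAMPLE_NONCOMPLIANT = """\
     1 : DIS QMGR CONNAUTH
AMQ8408I: Display Queue Manager details.
   QMNAME(QM2)                             CONNAUTH(SYSTEM.DEFAULT.AUTHINFO.IDPWOS)
     2 : DIS AUTHINFO('SYSTEM.DEFAULT.AUTHINFO.IDPWOS')
AMQ8566I: Display authentication information details.
   AUTHINFO(SYSTEM.DEFAULT.AUTHINFO.IDPWOS) AUTHTYPE(IDPWOS)
   CHCKCLNT(REQDADM)                       CHCKLOCL(OPTIONAL)
"""

# An MQSC attribute is an upper-case keyword immediately followed by "(".
ATTR_START = re.compile(r"\b([A-Z][A-Z0-9]*)\(")

# Settings the fix text specifies beyond AUTHTYPE; deviations are reported as warnings.
FIX_SETTINGS = {"SECCOMM": "YES", "CHCKCLNT": "REQUIRED"}


def parse_mqsc_attributes(text):
    """Return {ATTRIBUTE: value} from runmqsc display output.

    Values such as CONNAME(ldap1(636),ldap2(636)) contain parentheses, so the
    closing bracket is found by depth counting rather than by a simple regex.
    Later occurrences of a name override earlier ones (the echoed command line
    is superseded by the displayed object)."""
    attrs = {}
    pos = 0
    while True:
        m = ATTR_START.search(text, pos)
        if not m:
            break
        depth, j = 1, m.end()
        while j < len(text) and depth:
            if text[j] == "(":
                depth += 1
            elif text[j] == ")":
                depth -= 1
            j += 1
        if depth:  # unbalanced output: stop rather than guess at a value
            break
        attrs[m.group(1)] = text[m.end():j - 1].strip().strip("'")
        pos = j
    return attrs


def check_connauth(output):
    """Evaluate the MQMH-AS-001080 check against captured runmqsc output."""
    attrs = parse_mqsc_attributes(output)
    reasons, warnings = [], []
    connauth = attrs.get("CONNAUTH", "")
    if not connauth:
        reasons.append("QMGR has no CONNAUTH object")
    elif attrs.get("AUTHINFO") != connauth:
        reasons.append(f"CONNAUTH({connauth}) does not match displayed AUTHINFO")
    if attrs.get("AUTHTYPE") != "IDPWLDAP":
        reasons.append(f"AUTHTYPE({attrs.get('AUTHTYPE')}) displayed, expected IDPWLDAP")
    for name, want in FIX_SETTINGS.items():
        if attrs.get(name) != want:
            warnings.append(f"{name}({attrs.get(name)}) displayed, fix specifies {name}({want})")
    return {"finding": bool(reasons), "reasons": reasons,
            "warnings": warnings, "attributes": attrs}


if __name__ == "__main__":
    for label, sample in (("QM1", SAMPLE_COMPLIANT), ("QM2", SAMPLE_NONCOMPLIANT)):
        result = check_connauth(sample)
        print(label, "FINDING" if result["finding"] else "compliant",
              result["reasons"], result["warnings"])
```

Feed it the saved output of the two display commands for each queue manager listed by dspmq; the LDAP inactivity policy still has to be confirmed on the directory server itself.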

Vulnerability Number

V-74903

Documentable

False

Rule Version

MQMH-AS-001080

Severity Override Guidance


Check Content Reference

M

Target Key

3239

Comments