STIGQter: STIG Summary: IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017:

The MQ Appliance network device must alert the Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) in the event of an audit processing failure.

DISA Rule

SV-89611r1_rule

Vulnerability Number

V-74937

Group Title

SRG-APP-000108-NDM-000232

Rule Version

MQMH-ND-000340

Severity

CAT II

CCI(s)

• CCI-000139 - The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure.

Weight

10

Fix Recommendation

Log on to the MQ Appliance CLI as a privileged user.

Configure a syslog target.

To enter global configuration mode, enter "config".

To create a syslog target, enter:
logging target <logging target name>
type syslog
admin-state enabled
local-address <MQ Appliance IP>
remote-address <syslog server IP>
remote-port <syslog server port>
event audit info
event auth notice
event mgmt notice
event cli notice
event user notice
event system error
exit
write mem
y

At the syslog server, set up event notification triggers for the following event codes: 0x80c0006a, 0x82400067, 0x00330034, 0x80400080.

Check Contents

Log on to the MQ Appliance CLI as a privileged user.

Enter:
co
show logging target

All configured logging targets will be displayed. Verify:
- This list includes a remote syslog notification target; and
- It includes all desired log event source and log level parameters:
event audit info
event auth notice
event mgmt notice
event cli notice
event user notice
event system error

Configuring notification of events occurring at the external logging server is the responsibility of the administrator.

Ask the system admin to provide evidence the required alert triggers for the following event codes: 0x80c0006a, 0x82400067, 0x00330034, 0x80400080 have been set up and the ISSO and SA at a minimum are alerted.

If there is no evidence that alerts are sent in the event of an audit processing failure, this is a finding.

Vulnerability Number

V-74937

Documentable

False

Rule Version

MQMH-ND-000340

Severity Override Guidance

Log on to the MQ Appliance CLI as a privileged user.

Enter:
co
show logging target

All configured logging targets will be displayed. Verify:
- This list includes a remote syslog notification target; and
- It includes all desired log event source and log level parameters:
event audit info
event auth notice
event mgmt notice
event cli notice
event user notice
event system error

Configuring notification of events occurring at the external logging server is the responsibility of the administrator.

Ask the system admin to provide evidence the required alert triggers for the following event codes: 0x80c0006a, 0x82400067, 0x00330034, 0x80400080 have been set up and the ISSO and SA at a minimum are alerted.

If there is no evidence that alerts are sent in the event of an audit processing failure, this is a finding.

Check Content Reference

M

Target Key

3243

Comments