STIGQter: STIG Summary: IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017:

The MQ Appliance network device must generate account activity alerts that are forwarded to the administrators and Information System Security Officer (ISSO). Activity includes, creation, removal, modification and re-enablement after being previously disabled.

DISA Rule

SV-89659r1_rule

Vulnerability Number

V-74985

Group Title

SRG-APP-000291-NDM-000275

Rule Version

MQMH-ND-000840

Severity

CAT II

CCI(s)

• CCI-001683 - The information system notifies organization-defined personnel or roles for account creation actions.
• CCI-001684 - The information system notifies organization-defined personnel or roles for account modification actions.
• CCI-001685 - The information system notifies organization-defined personnel or roles for account disabling actions.
• CCI-001686 - The information system notifies organization-defined personnel or roles for account removal actions.
• CCI-002130 - The information system automatically audits account enabling actions.
• CCI-002132 - The information system notifies organization-defined personnel or roles for account enabling actions.

Weight

10

Fix Recommendation

Log on to the MQ Appliance CLI as a privileged user.

To enter global configuration mode, enter "config".

To creates a syslog target, enter:
logging target <logging target name>
type syslog
admin-state enabled
local-address <MQ Appliance IP>
remote-address <syslog server IP>
remote-port <syslog server port>
event audit info
event auth notice
event mgmt notice
event cli notice
event user notice
event system error
exit
write mem
y

Configure alerts that will trigger off of syslog audit events: 0x8240001f and 0x810001f0.

Check Contents

Log on to the MQ Appliance CLI as a privileged user.

Enter:
co
show logging target

All configured logging targets will be displayed. Verify:
- This list includes a remote syslog notification target; and
- It includes all desired log event source and log level parameters:
event audit info
event auth notice
event mgmt notice
event cli notice
event user notice
event system error

Ask the system admin to provide evidence that alerts are sent based on the following audit events: 0x8240001f and 0x810001f0.

Account administration events will fall into this event category and be written to the audit logs.

If alerts are not sent when accounts on the MQ appliance are created, modified, deleted, or re-enabled, this is a finding.

Vulnerability Number

V-74985

Documentable

False

Rule Version

MQMH-ND-000840

Severity Override Guidance

Log on to the MQ Appliance CLI as a privileged user.

Enter:
co
show logging target

All configured logging targets will be displayed. Verify:
- This list includes a remote syslog notification target; and
- It includes all desired log event source and log level parameters:
event audit info
event auth notice
event mgmt notice
event cli notice
event user notice
event system error

Ask the system admin to provide evidence that alerts are sent based on the following audit events: 0x8240001f and 0x810001f0.

Account administration events will fall into this event category and be written to the audit logs.

If alerts are not sent when accounts on the MQ appliance are created, modified, deleted, or re-enabled, this is a finding.

Check Content Reference

M

Target Key

3243

Comments