STIGQter: STIG Summary: IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017:

The MQ Appliance network device must generate audit records for all account creations, modifications, disabling, and termination events.

DISA Rule

SV-89685r1_rule

Vulnerability Number

V-75011

Group Title

SRG-APP-000509-NDM-000324

Rule Version

MQMH-ND-001380

Severity

CAT II

CCI(s)

• CCI-000172 - The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Weight

10

Fix Recommendation

Configure a syslog target by using the command line interface (CLI). Log on as an administrative user.

To enter global configuration mode, enter "config".

To create a syslog target, enter:
logging target <logging target name>
type syslog
admin-state enabled
local-address <MQ Appliance IP>
remote-address <syslog server IP>
remote-port <syslog server port>
event audit info
event auth notice
event mgmt notice
event cli notice
event user notice
event system error
exit
write mem
y

It is the responsibility of the sysadmin to configure the triggers necessary to send alerts based upon information received at the syslog server. To meet the current requirement, the sysadmin should trigger notification upon receiving the following audit events: 0x8240001f and 0x810001f0. All account creations, modifications, disabling, and termination events fall into this event category.

Check Contents

Log on to the MQ Appliance CLI as a privileged user.

Enter:
co
show logging target

All configured logging targets will be displayed. Verify:
- This list includes a remote syslog notification target; and
- It includes all desired log event source and log level parameters, e.g., event audit info.

In the WebGUI, Manage Appliance/User access. Create, disable or modify an account. Verify the administrator receives notification of this event.

If any is not true, this is a finding.

Vulnerability Number

V-75011

Documentable

False

Rule Version

MQMH-ND-001380

Severity Override Guidance

Log on to the MQ Appliance CLI as a privileged user.

Enter:
co
show logging target

All configured logging targets will be displayed. Verify:
- This list includes a remote syslog notification target; and
- It includes all desired log event source and log level parameters, e.g., event audit info.

In the WebGUI, Manage Appliance/User access. Create, disable or modify an account. Verify the administrator receives notification of this event.

If any is not true, this is a finding.

Check Content Reference

M

Target Key

3243

Comments