Checked | Name | Title |
---|---|---|
☐ | SV-89401r1_rule | The MQ Appliance messaging server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
☐ | SV-89403r1_rule | The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session. |
☐ | SV-89415r1_rule | The MQ Appliance messaging server must off-load log records onto a different system or media from the system being logged. |
☐ | SV-89417r1_rule | The MQ Appliance messaging server must synchronize internal MQ Appliance messaging server clocks to an authoritative time source when the time difference is greater than the organization-defined time period. |
☐ | SV-89419r1_rule | The MQ Appliance messaging server must compare internal MQ Appliance messaging server clocks at least every 24 hours with an authoritative time source. |
☐ | SV-89421r1_rule | The MQ Appliance messaging server must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
☐ | SV-89423r1_rule | The MQ Appliance WebGUI interface to the messaging server must prohibit the use of cached authenticators after one hour. |
☐ | SV-89475r1_rule | The MQ Appliance messaging server must provide an immediate warning to the SA and ISSO, at a minimum, when allocated log record storage volume reaches 75% of maximum log record storage capacity. |
☐ | SV-89479r1_rule | The MQ Appliance messaging server must automatically terminate a SSH user session after organization-defined conditions or trigger events requiring a session disconnect. |
☐ | SV-89487r1_rule | The MQ Appliance must automatically terminate a WebGUI user session after 600 seconds of idle time. |
☐ | SV-89489r1_rule | The MQ Appliance SSH interface to the messaging server must prohibit the use of cached authenticators after 600 seconds. |
☐ | SV-89505r1_rule | The MQ Appliance messaging server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). |
☐ | SV-89509r1_rule | The MQ Appliance messaging server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. |
☐ | SV-89521r1_rule | The MQ Appliance messaging server, when categorized as a high level system, must be in a high-availability (HA) cluster. |
☐ | SV-89523r1_rule | The MQ Appliance messaging server must use encryption strength in accordance with the categorization of the management data during remote access management sessions. |
☐ | SV-89525r1_rule | The MQ Appliance messaging server must, at a minimum, transfer the logs of interconnected systems in real time, and transfer the logs of standalone systems weekly. |
☐ | SV-89527r1_rule | The MQ Appliance messaging server must provide centralized management and configuration of the content to be captured in log records generated by all application components. |
☐ | SV-89533r1_rule | The MQ Appliance messaging server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. |
☐ | SV-89535r1_rule | The MQ Appliance messaging server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. |
☐ | SV-89537r1_rule | The MQ Appliance messaging server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. |
☐ | SV-89551r1_rule | The MQ Appliance messaging server must produce log records containing information to establish what type of events occurred. |
☐ | SV-89553r1_rule | The MQ Appliance messaging server must identify potentially security-relevant error conditions. |
☐ | SV-89557r1_rule | The MQ Appliance messaging server must alert the SA and ISSO, at a minimum, in the event of a log processing failure. |
☐ | SV-89559r1_rule | The MQ Appliance messaging server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing operationally-defined security safeguards. |
☐ | SV-89561r1_rule | The MQ Appliance messaging server must accept FICAM-approved third-party credentials. |
☐ | SV-89563r1_rule | The MQ Appliance messaging server must provide a log reduction capability that supports on-demand reporting requirements. |
☐ | SV-89565r1_rule | The MQ Appliance messaging server must be configured to fail over to another system in the event of log subsystem failure. |
☐ | SV-89567r1_rule | The MQ Appliance messaging server must provide a clustering capability. |
☐ | SV-89569r1_rule | The MQ Appliance messaging server must ensure authentication of both SSH client and server during the entire session. |
☐ | SV-89571r1_rule | The MQ Appliance messaging server must uniquely identify all network-connected endpoint devices before establishing any connection. |
☐ | SV-89573r1_rule | Access to the MQ Appliance messaging server must utilize encryption when using LDAP for authentication. |
☐ | SV-89575r1_rule | The MQ Appliance messaging server must map the authenticated identity to the individual messaging user or group account for PKI-based authentication. |
☐ | SV-89577r1_rule | The MQ Appliance must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. |
☐ | SV-89579r1_rule | The MQ Appliance messaging server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users). |
☐ | SV-89581r1_rule | The MQ Appliance messaging server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. |
☐ | SV-89583r1_rule | The MQ Appliance messaging server must generate log records for access and authentication events. |
☐ | SV-89585r1_rule | The MQ Appliance messaging server must generate a unique session identifier using a FIPS 140-2 approved random number generator. |
☐ | SV-89587r1_rule | The MQ Appliance messaging server must authenticate all network-connected endpoint devices before establishing any connection. |
☐ | SV-89589r1_rule | The MQ Appliance messaging server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
☐ | SV-89591r1_rule | MQ Appliance messaging servers must use NIST-approved or NSA-approved key management technology and processes. |
☐ | SV-89593r1_rule | The MQ Appliance messaging server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes. |
☐ | SV-89595r1_rule | The MQ Appliance messaging server must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged. |
☐ | SV-89703r1_rule | The MQ Appliance messaging server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected (messaging) sessions. |