STIG ID - BACF0007: Define WebSphere MQ Switch Profiles
Define WebSphere MQ Series external security
Severity: 2 - Medium
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data. If you have WebSphere MQ installed, review and follow the guidelines in this STIG to eliminate risk.
If WebSphere MQ is installed, your organization must ensure that WebSphere MQ external security is turned on.
This STIG shows how to turn on WebSphere MQ Series external security.
Identify Audit Finding
Complete these steps to determine whether remediation is required:
- From IBM WebSphere MQ, review the start-up console messages or issue the DISPLAY SECURITY MQ command to verify that the WebSphere MQ switch profiles are properly defined to the MQADMIN class. ssid is the queue manager name (subsystem identifier).
- Verify that no switch profile beginning with ssid.NO is defined to the MQADMIN resource class, with the exception of ssid.NO.CMD.RESC.CHECKS.
- Review the security switches reported in response to the DISPLAY SECURITY command in each ssid report:
  - ALTERNATE USER
  - COMMAND RESOURCES
- If all of the switches specify ON, your organization does not have an audit finding.
- If SUBSYSTEM specifies OFF, your organization has a severity 1 audit finding. See Remediate Audit Finding.
- If any of the other switches above specifies OFF (other than the exception described below), your organization has an audit finding, downgraded to severity 2. See Remediate Audit Finding.
- If the COMMAND RESOURCES security switch specifies OFF, your organization does not have an audit finding. At the discretion of the IAO, the COMMAND RESOURCES security switch may specify OFF by defining ssid.NO.CMD.RESC.CHECKS in TYPE(MQA).
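The decision rules above can be applied mechanically to a captured switch report. The following Python check is an added example, not part of this STIG and not IBM tooling. It assumes the DISPLAY SECURITY response has been saved as text with one "SWITCH NAME: ON|OFF" line per switch (a constructed approximation of the report, not the verbatim MQ message text) and that the MQADMIN profile names have been listed separately. The function names, the sample report, the queue manager name CSQ1 and the profile names in the sample are constructed for the example.

```python
"""Classify the WebSphere MQ security-switch states per this STIG.

Added example, not part of the STIG. It assumes the DISPLAY SECURITY
response was captured as text with one "SWITCH NAME: ON|OFF" line per
switch (a constructed approximation, not the verbatim MQ message text)
and that the MQADMIN profile names were listed separately.
"""
import re

# The STIG's one sanctioned exception: COMMAND RESOURCES may be OFF when
# the IAO has defined ssid.NO.CMD.RESC.CHECKS in TYPE(MQA).
CMD_RESC_SWITCH = "COMMAND RESOURCES"
CMD_RESC_EXCEPTION_SUFFIX = ".NO.CMD.RESC.CHECKS"

# Matches lines such as "ALTERNATE USER: OFF"; other report text is ignored.
SWITCH_LINE = re.compile(r"^\s*([A-Z][A-Z ]*?)\s*:\s*(ON|OFF)\b", re.IGNORECASE)

# Constructed sample report for a queue manager named CSQ1 (example data only).
SAMPLE_REPORT = """\
Security switches ...
SUBSYSTEM: ON
CONNECTION: ON
COMMAND: ON
CONTEXT: ON
ALTERNATE USER: OFF
COMMAND RESOURCES: OFF
"""


def parse_switches(report: str) -> dict:
    """Return {switch name: 'ON' | 'OFF'} for every switch line in the report."""
    switches = {}
    for line in report.splitlines():
        m = SWITCH_LINE.match(line)
        if m:
            switches[m.group(1).strip().upper()] = m.group(2).upper()
    return switches


def evaluate(report: str, ssid: str, mqadmin_profiles) -> dict:
    """Apply the STIG's decision rules.

    Returns the worst severity (1 = SUBSYSTEM OFF, 2 = any other switch OFF
    or a stray ssid.NO.* profile, 0 = no finding) and the list of reasons.
    """
    switches = parse_switches(report)
    findings = []  # (severity, reason)
    exception = (ssid + CMD_RESC_EXCEPTION_SUFFIX).upper()

    for name, state in switches.items():
        if state != "OFF":
            continue
        if name == "SUBSYSTEM":
            findings.append((1, "SUBSYSTEM security switch is OFF"))
        elif name == CMD_RESC_SWITCH:
            # Permitted at the IAO's discretion; not a finding under this STIG.
            continue
        else:
            findings.append((2, f"{name} security switch is OFF"))

    # Any ssid.NO.* switch profile other than the exception disables a check.
    # The STIG does not grade this case separately; it is reported at severity 2 here.
    prefix = (ssid + ".NO.").upper()
    for profile in mqadmin_profiles:
        upper = profile.upper()
        if upper.startswith(prefix) and upper != exception:
            findings.append((2, f"switch profile {profile} defined in MQADMIN"))

    # Severity 1 outranks severity 2; 0 means no finding at all.
    severity = min((sev for sev, _ in findings), default=0)
    return {"severity": severity, "findings": [reason for _, reason in findings]}
```

Running evaluate(SAMPLE_REPORT, "CSQ1", ["CSQ1.NO.CMD.RESC.CHECKS"]) reports a single severity 2 finding for ALTERNATE USER; COMMAND RESOURCES being OFF is accepted because it is the STIG's sanctioned exception.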
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) ensures that the MQ switch profiles are properly defined and that external security is fully turned on.
Follow these steps:
- Add the switch profiles to ACF2:
    $KEY(ssid) TYPE(MQA)
    ALTERNATE.USER.- UID(*) PREVENT
    CONTEXT.- UID(*) PREVENT
    RESLEVEL UID(*) PREVENT
    - UID(*) PREVENT
- Verify the rule was updated. DECOMP * should display the rule set as entered:
    $KEY(ssid) TYPE(MQA)
    ALTERNATE.USER.- UID(*) PREVENT
    CONTEXT.- UID(*) PREVENT
    RESLEVEL UID(*) PREVENT
    - UID(*) PREVENT
- * (asterisk) indicates that you want to decompile the last explicitly referenced rule set processed.
WebSphere MQ is now properly protected.
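To confirm that the remediation took effect, the decompiled rule set can be checked for the four required entries rather than read by eye. This Python check is an added example, not part of the STIG and not ACF2 tooling; the DECOMP listing it parses is a constructed sample in the shape shown above, and the function names and the queue manager name CSQ1 are assumptions for the example.

```python
"""Check a decompiled ACF2 TYPE(MQA) rule set for the switch-profile entries
this STIG requires. Added example, not part of the STIG; the DECOMP listing
below is a constructed sample in the shape shown in the remediation steps."""
import re

# Every one of these entries must be present as UID(*) PREVENT.
REQUIRED_ENTRIES = ("ALTERNATE.USER.-", "CONTEXT.-", "RESLEVEL", "-")

KEY_LINE = re.compile(r"\$KEY\((\w+)\)\s+TYPE\((\w+)\)", re.IGNORECASE)
RULE_LINE = re.compile(r"^\s*(\S+)\s+UID\(([^)]*)\)\s+(PREVENT|ALLOW|LOG)\b", re.IGNORECASE)

# Constructed sample of what DECOMP * returns after the rule set was added.
SAMPLE_DECOMP = """\
$KEY(CSQ1) TYPE(MQA)
ALTERNATE.USER.- UID(*) PREVENT
CONTEXT.- UID(*) PREVENT
RESLEVEL UID(*) PREVENT
- UID(*) PREVENT
"""


def parse_rule_set(listing: str):
    """Return ((key, type), [(resource, uid, action), ...]) from a DECOMP listing."""
    key = None
    entries = []
    for line in listing.splitlines():
        k = KEY_LINE.search(line)
        if k:
            key = (k.group(1).upper(), k.group(2).upper())
            continue
        m = RULE_LINE.match(line)
        if m:
            entries.append((m.group(1).upper(), m.group(2), m.group(3).upper()))
    return key, entries


def check_switch_rules(listing: str, ssid: str) -> list:
    """Return a list of problems; an empty list means the rule set matches the STIG."""
    key, entries = parse_rule_set(listing)
    problems = []
    if key != (ssid.upper(), "MQA"):
        problems.append(f"expected $KEY({ssid}) TYPE(MQA), found {key}")

    # Last occurrence wins if a resource is listed twice in the decompiled set.
    seen = {resource: (uid, action) for resource, uid, action in entries}
    for resource in REQUIRED_ENTRIES:
        if resource not in seen:
            problems.append(f"missing entry {resource}")
        elif seen[resource] != ("*", "PREVENT"):
            uid, action = seen[resource]
            problems.append(f"{resource} should be UID(*) PREVENT, found UID({uid}) {action}")

    # Any ALLOW in this rule set would let someone create a switch profile,
    # which is exactly what the PREVENT entries are there to stop.
    for resource, uid, action in entries:
        if action == "ALLOW":
            problems.append(f"{resource} UID({uid}) ALLOW grants access to a switch profile")
    return problems
```

check_switch_rules(SAMPLE_DECOMP, "CSQ1") returns an empty list; replacing the RESLEVEL entry's PREVENT with ALLOW in the listing produces two problems, one for the wrong action on the required entry and one for the ALLOW itself.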
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCI is related to this STIG article. For more information, see the National Institute of Standards and Technology website.
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1