
IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
Overview

Date: 2017-06-09
Finding Count: 43 (CAT I (High): 1, CAT II (Med): 39, CAT III (Low): 3)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC II - Mission Support Classified)

Finding ID   Severity   Title
V-74915      High       The MQ Appliance messaging server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
V-74801      Medium     The MQ Appliance messaging server must provide an immediate warning to the SA and ISSO, at a minimum, when allocated log record storage volume reaches 75% of maximum log record storage capacity.
V-74909      Medium     The MQ Appliance messaging server must generate log records for access and authentication events.
V-74805      Medium     The MQ Appliance messaging server must automatically terminate an SSH user session after organization-defined conditions or trigger events requiring a session disconnect.
V-74835      Medium     The MQ Appliance messaging server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
V-74863      Medium     The MQ Appliance messaging server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.
V-74901      Medium     The MQ Appliance messaging server must map the authenticated identity to the individual messaging user or group account for PKI-based authentication.
V-74861      Medium     The MQ Appliance messaging server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
V-74903      Medium     The MQ Appliance must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
V-75029      Medium     The MQ Appliance messaging server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected (messaging) sessions.
V-74907      Medium     The MQ Appliance messaging server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
V-74897      Medium     The MQ Appliance messaging server must uniquely identify all network-connected endpoint devices before establishing any connection.
V-74895      Medium     The MQ Appliance messaging server must ensure authentication of both SSH client and server during the entire session.
V-74893      Medium     The MQ Appliance messaging server must provide a clustering capability.
V-74891      Medium     The MQ Appliance messaging server must be configured to fail over to another system in the event of log subsystem failure.
V-74899      Medium     Access to the MQ Appliance messaging server must utilize encryption when using LDAP for authentication.
V-74853      Medium     The MQ Appliance messaging server must provide centralized management and configuration of the content to be captured in log records generated by all application components.
V-74851      Medium     The MQ Appliance messaging server must, at a minimum, transfer the logs of interconnected systems in real time, and transfer the logs of standalone systems weekly.
V-74859      Medium     The MQ Appliance messaging server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
V-74879      Medium     The MQ Appliance messaging server must identify potentially security-relevant error conditions.
V-74919      Medium     The MQ Appliance messaging server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes.
V-74831      Medium     The MQ Appliance messaging server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
V-74913      Medium     The MQ Appliance messaging server must authenticate all network-connected endpoint devices before establishing any connection.
V-74911      Medium     The MQ Appliance messaging server must generate a unique session identifier using a FIPS 140-2 approved random number generator.
V-74815      Medium     The MQ Appliance SSH interface to the messaging server must prohibit the use of cached authenticators after 600 seconds.
V-74917      Medium     MQ Appliance messaging servers must use NIST-approved or NSA-approved key management technology and processes.
V-74813      Medium     The MQ Appliance must automatically terminate a WebGUI user session after 600 seconds of idle time.
V-74905      Medium     The MQ Appliance messaging server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users).
V-74849      Medium     The MQ Appliance messaging server must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
V-74877      Medium     The MQ Appliance messaging server must produce log records containing information to establish what type of events occurred.
V-74749      Medium     The MQ Appliance WebGUI interface to the messaging server must prohibit the use of cached authenticators after one hour.
V-74741      Medium     The MQ Appliance messaging server must off-load log records onto a different system or media from the system being logged.
V-74747      Medium     The MQ Appliance messaging server must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-74889      Medium     The MQ Appliance messaging server must provide a log reduction capability that supports on-demand reporting requirements.
V-74847      Medium     The MQ Appliance messaging server, when categorized as a high level system, must be in a high-availability (HA) cluster.
V-74921      Medium     The MQ Appliance messaging server must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged.
V-74729      Medium     The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session.
V-74883      Medium     The MQ Appliance messaging server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.
V-74727      Medium     The MQ Appliance messaging server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
V-74885      Medium     The MQ Appliance messaging server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing operationally-defined security safeguards.
V-74743      Low        The MQ Appliance messaging server must synchronize internal MQ Appliance messaging server clocks to an authoritative time source when the time difference is greater than the organization-defined time period.
V-74745      Low        The MQ Appliance messaging server must compare internal MQ Appliance messaging server clocks at least every 24 hours with an authoritative time source.
V-74887      Low        The MQ Appliance messaging server must accept FICAM-approved third-party credentials.