UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

WebSphere MQ MQCONN Class resources are protected improperly.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6962 ZWMQ0052 SV-7542r2_rule DCCS-1 DCCS-2 ECAR-1 ECAR-2 IAIA-1 IAIA-2 Medium
Description
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
STIG Date
z/OS TSS STIG 2016-01-04

Details

Check Text ( C-4654r1_chk )
a) Refer to the following report produced by the TSS Data Collection:

- SENSITVE.RPT(WHOHMCON)

b) Review the following connection resources defined to the MQCONN resource class:

Resource Authorized Users
ssid.BATCH TSO and batch job ACIDs
ssid.CICS CICS region ACIDs
ssid.IMS IMS region ACIDs
ssid.CHIN Channel initiator ACIDs

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

c) For all connection resources defined to the MQCONN resource class, ensure the following items are in effect:

1) Access authorization restricts access to the appropriate users as indicated in (b) above.
2) All access is logged.

d) If all of the items in (c) are true, there is NO FINDING.

e) If any item in (c) is untrue, this is a FINDING.
Fix Text (F-18850r1_fix)
Review the following connection resources defined to the MQCONN resource class:

Resource Authorized Users
ssid.BATCH TSO and batch job ACIDs
ssid.CICS CICS region ACIDs
ssid.IMS IMS region ACIDs
ssid.CHIN Channel initiator ACIDs

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

c) For all connection resources defined to the MQCONN resource class, ensure the following items are in effect:

1) Access authorization restricts access to the appropriate users as indicated in (b) above.
2) All access is logged.

The following is a sample of the commands required to allow a batch user (USER1) to connect to a queue manager (QM1):

TSS ADD(USER1) FAC(QM1MSTR)
TSS PER(USER1) MQCONN(QM1.BATCH) ACC(READ)
ACTION(AUDIT)