Check: ZWMQ0057
zOS ACF2 STIG:
ZWMQ0057
(in versions v6 r43 through v6 r30)
Title
WebSphere MQ alternate user resources defined to MQADMIN resource class are not protected in accordance with security requirements. (Cat II impact)
Discussion
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Check Content
a) Refer to the following report produced by the ACF2 Data Collection: - SENSITVE.RPT(MQADMIN) - ACF2CMDS.RPT(RESOURCE) – Alternate report b) For all alternate user resources (i.e., ssid.ALTERNATE.USER.alternatelogonid) defined to TYPE(MQA) (i.e., MQADMIN resource class), ensure access authorization restricts access to users requiring the ability to use the alternate userid. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). c) If (b) is true, there is NO FINDING. d) If (b) is untrue, this is a FINDING.
Fix Text
The IAO will ensure that use of alternate userids is restricted to authorized personnel. For all alternate user resources (i.e., ssid.ALTERNATE.USER.alternatelogonid) defined to TYPE(MQA) (i.e., MQADMIN resource class), ensure access authorization restricts access to users requiring the ability to use the alternate userid. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Example: $KEY(ssid) TYPE(MQA) ALTERNATE.USER.- UID(CICS support) SERVICE(READ,UPDATE) LOG ALTERNATE.USER.- UID(*) PREVENT
Additional Identifiers
Rule ID: SV-7272r2_rule
Vulnerability ID: V-6969
Group Title: ZWMQ0057
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 |
Access Enforcement |