Check: ZWMQ0030
zOS RACF STIG:
ZWMQ0030
(in versions v6 r43 through v6 r30)
Title
WebSphere MQ started tasks are not defined in accordance with the proper security requirements. (Cat II impact)
Discussion
Started tasks are used to execute WebSphere MQ queue manager services. Improperly defined WebSphere MQ started tasks may result in inappropriate access to application resources and the loss of accountability. This exposure could compromise the availability of some system services and application data.
Check Content
a) Refer to the following reports produced by the RACF Data Collection: - DSMON.RPT(RACSPT) - RACFCMDS.RPT(LISTUSER) Provide a list of all WebSphere MQ Subsystem Ids (Queue managers) and Release levels. b) Review WebSphere MQ started tasks and ensure the following items are in effect: NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). ssidMSTR is the name of a queue manager STC. ssidCHIN is the name of a distributed queuing (a.k.a., channel initiator) STC. 1) Each ssidMSTR and ssidCHIN started task is associated with a unique userid. 2) All ssidMSTR and ssidCHIN started tasks are defined to the STARTED resource class. 3) All ssidMSTR and ssidCHIN started tasks userid are defined as a PROTECTED. c) If both of the items in (b) are true, there is NO FINDING. d) If either item in (b) is untrue, this is a FINDING.
Fix Text
Each queue manager started task procedure xxxxMSTR and distributed queuing started task procedure xxxxCHIN will have a matching profile defined to the STARTED resource class. Create a corresponding userid for each started task. The STC userids will be defined as PROTECTED userids. Queue manager and channel initiator started tasks will not be defined with the TRUSTED attribute. The following sample contains commands to properly define the required Started Procs: Note that this example uses "qmq1" as the value for ssid. AU qmq1mstr NAME('STC, MQSERIES') NOPASS DFLTGRP(STC) OWNER(STC) DATA('MQSERIES QUEUE MANAGER PROC') AU qmq1chin NAME('STC, MQSERIES') NOPASSDFLTGRP(STC) OWNER(STC) DATA('MQSERIES DISTRIBUTED QUEUING CHANNEL INIT PROC') RDEF STARTED qmq1mstr.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MAP qmq1mstr PROC TO qmq1mstr USERID') STDATA(USER(=MEMBER) GROUP(STC) TRACE(YES)) RDEF STARTED qmq1chin.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('MAP qmq1mstr PROC TO qmq1chin USERID') STDATA(USER(=MEMBER) GROUP(STC) TRACE(YES)) SETR RACL(STARTED) REFRESH
Additional Identifiers
Rule ID: SV-7526r2_rule
Vulnerability ID: V-3904
Group Title: ZWMQ0030
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000764 |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
Controls
Number | Title |
---|---|
IA-2 |
Identification And Authentication (Organizational Users) |