Check: ZWMQ0049
zOS TSS STIG:
ZWMQ0049
(in versions v6 r43 through v6 r30)
Title
WebSphere MQ security class(es) is(are) defined improperly. (Cat II impact)
Discussion
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Check Content
Refer to the following report produced by the TSS Data Collection: - TSSCMDS.RPT(#RDT) - TSSCMDS.RPT(WHOOMADM) - TSSCMDS.RPT(WHOOMCMD) - TSSCMDS.RPT(WHOOMCON) - TSSCMDS.RPT(WHOOMNLI) - TSSCMDS.RPT(WHOOMPRO) - TSSCMDS.RPT(WHOOMQUE) - TSSCMDS.RPT(WHOOXADM) - TSSCMDS.RPT(WHOOXNLI) - TSSCMDS.RPT(WHOOXPRO) - TSSCMDS.RPT(WHOOXQUE) - TSSCMDS.RPT(WHOOXTOP) Ensure the following WebSphere MQ resource classes are defined to the TSS RDT: MQADMIN MQCONN MQCMDS MQNLIST MQPROC MQQUEUE For V7.0.0 and above: MXADMIN MXNLIST MXPROC MXQUEUE MXTOPIC Ensure that each ssid. resource is defined in each of the above resource classes. NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). NOTE: If both MQADMIN and MXADMIN resource classes are not defined to the RDT record, no security checking is performed.
Fix Text
The IAO will ensure that all WebSphere MQ resources are defined to TSS. The following should be defined to the RDT: MQADMIN MQCONN MQCMDS MQNLIST MQPROC MQQUEUE For V7.0.0 and above: MXADMIN MXNLIST MXPROC MXQUEUE MXTOPIC Use the following commands to define (establish ownership of) resources for each WebSphere MQ subsystem to TSS: TSS ADD(deptname) MQADMIN(ssid.) TSS ADD(deptname) MQCMDS(ssid.) TSS ADD(deptname) MQCONN(ssid.) TSS ADD(deptname) MQNLIST(ssid.) TSS ADD(deptname) MQPROC(ssid.) TSS ADD(deptname) MQQUEUE(ssid.) For V7.0.0 and above: TSS ADD(deptname) MXADMIN(ssid.) TSS ADD(deptname) MXNLIST(ssid.) TSS ADD(deptname) MXPROC(ssid.) TSS ADD(deptname) MXQUEUE(ssid.) TSS ADD(deptname) MXTOPIC(ssid.) NOTE: ssid is the queue manager name (a.k.a., subsystem identifier). Another method to ensure protection is to assign the DEFPROT attribute to the resource class in the RDT record by using the following command: TSS REP(RDT) RESCLASS(MQADMIN) ATTR(DEFPROT) TSS REP(RDT) RESCLASS(MQCMDS) ATTR(DEFPROT) TSS REP(RDT) RESCLASS(MQCONN) ATTR(DEFPROT) TSS REP(RDT) RESCLASS(MQNLIST) ATTR(DEFPROT) TSS REP(RDT) RESCLASS(MQPROC) ATTR(DEFPROT) TSS REP(RDT) RESCLASS(MQQUEUE) ATTR(DEFPROT) For V7.0.0 and above: TSS REP(RDT) RESCLASS(MXADMIN) ATTR(DEFPROT) TSS REP(RDT) RESCLASS(MXNLIST) ATTR(DEFPROT) TSS REP(RDT) RESCLASS(MXPROC) ATTR(DEFPROT) TSS REP(RDT) RESCLASS(MXQUEUE) ATTR(DEFPROT) TSS REP(RDT) RESCLASS(MXTOPIC) ATTR(DEFPROT)
Additional Identifiers
Rule ID: SV-7535r2_rule
Vulnerability ID: V-6959
Group Title: ZWMQ0049
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000213 |
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
| CCI-002358 |
Implement a reference monitor for organization-defined access control policies that is always invoked. |