Skip to content

IBM MQ Appliance V9.0 AS Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000416-AS-000140

    <GroupDescription></GroupDescription>
    Group
  • SRG-APP-000400-AS-000246

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance SSH interface to the messaging server must prohibit the use of cached authenticators after 600 seconds.

    &lt;VulnDiscussion&gt;When the messaging server is using PKI authentication, a local revocation cache must be stored for instances when the revocat...
    Rule Medium Severity
  • SRG-APP-000456-AS-000266

    <GroupDescription></GroupDescription>
    Group
  • SRG-APP-000356-AS-000202

    <GroupDescription></GroupDescription>
    Group
  • SRG-APP-000148-AS-000101

    <GroupDescription></GroupDescription>
    Group
  • SRG-APP-000015-AS-000010

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session.

    &lt;VulnDiscussion&gt;Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious use...
    Rule Medium Severity
  • SRG-APP-000358-AS-000064

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must off-load log records onto a different system or media from the system being logged.

    &lt;VulnDiscussion&gt;Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to...
    Rule Medium Severity
  • SRG-APP-000372-AS-000212

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must synchronize internal MQ Appliance messaging server clocks to an authoritative time source when the time difference is greater than the organization-defined time period.

    &lt;VulnDiscussion&gt;Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysi...
    Rule Low Severity
  • SRG-APP-000371-AS-000077

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must compare internal MQ Appliance messaging server clocks at least every 24 hours with an authoritative time source.

    &lt;VulnDiscussion&gt;Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysi...
    Rule Low Severity
  • The MQ Appliance messaging server must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

    &lt;VulnDiscussion&gt;Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested enc...
    Rule Medium Severity
  • SRG-APP-000400-AS-000246

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance WebGUI interface to the messaging server must prohibit the use of cached authenticators after one hour.

    &lt;VulnDiscussion&gt;When the messaging server is using PKI authentication, a local revocation cache must be stored for instances when the revocat...
    Rule Medium Severity
  • SRG-APP-000359-AS-000065

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must provide an immediate warning to the SA and ISSO, at a minimum, when allocated log record storage volume reaches 75% of maximum log record storage capacity.

    &lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log ...
    Rule Medium Severity
  • SRG-APP-000295-AS-000263

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must automatically terminate a SSH user session after organization-defined conditions or trigger events requiring a session disconnect.

    &lt;VulnDiscussion&gt;An attacker can take advantage of CLI user sessions that are left open, thus bypassing the user authentication process. To t...
    Rule Medium Severity
  • SRG-APP-000295-AS-000263

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance must automatically terminate a WebGUI user session after 600 seconds of idle time.

    &lt;VulnDiscussion&gt;An attacker can take advantage of WebGUI user sessions that are left open, thus bypassing the user authentication process. T...
    Rule Medium Severity
  • The MQ Appliance messaging server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

    &lt;VulnDiscussion&gt;Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products t...
    Rule Medium Severity
  • SRG-APP-000514-AS-000137

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.

    &lt;VulnDiscussion&gt;Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certifica...
    Rule Medium Severity
  • SRG-APP-000435-AS-000069

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server, when categorized as a high level system, must be in a high-availability (HA) cluster.

    &lt;VulnDiscussion&gt;A high level system is a system that handles data vital to the organization's operational readiness or effectiveness of deplo...
    Rule Medium Severity
  • SRG-APP-000014-AS-000009

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must use encryption strength in accordance with the categorization of the management data during remote access management sessions.

    &lt;VulnDiscussion&gt;Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to...
    Rule Medium Severity
  • SRG-APP-000515-AS-000203

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must, at a minimum, transfer the logs of interconnected systems in real time, and transfer the logs of standalone systems weekly.

    &lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is ...
    Rule Medium Severity
  • The MQ Appliance messaging server must provide centralized management and configuration of the content to be captured in log records generated by all application components.

    &lt;VulnDiscussion&gt;A clustered messaging server is made up of several servers working together to provide the user a failover and increased comp...
    Rule Medium Severity
  • SRG-APP-000440-AS-000167

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.

    &lt;VulnDiscussion&gt;Preventing the disclosure or modification of transmitted information requires that messaging servers take measures to employ ...
    Rule Medium Severity
  • SRG-APP-000439-AS-000274

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.

    &lt;VulnDiscussion&gt;During the initial setup of a Transport Layer Security (TLS) connection to the messaging server, the client sends a list of s...
    Rule Medium Severity
  • SRG-APP-000439-AS-000155

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.

    &lt;VulnDiscussion&gt;Preventing the disclosure of transmitted information requires that the messaging server take measures to employ some form of ...
    Rule Medium Severity
  • SRG-APP-000095-AS-000056

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must produce log records containing information to establish what type of events occurred.

    &lt;VulnDiscussion&gt;Information system logging capability is critical for accurate forensic analysis. Without being able to establish what type o...
    Rule Medium Severity
  • SRG-APP-000266-AS-000168

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must identify potentially security-relevant error conditions.

    &lt;VulnDiscussion&gt;The structure and content of error messages need to be carefully considered by the organization and development team. Any app...
    Rule Medium Severity
  • SRG-APP-000108-AS-000067

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.

    &lt;VulnDiscussion&gt;Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a sec...
    Rule Medium Severity
  • SRG-APP-000435-AS-000163

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing operationally-defined security safeguards.

    &lt;VulnDiscussion&gt;DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot ac...
    Rule Medium Severity
  • SRG-APP-000404-AS-000249

    <GroupDescription></GroupDescription>
    Group
  • The MQ Appliance messaging server must accept FICAM-approved third-party credentials.

    &lt;VulnDiscussion&gt;Access may be denied to legitimate users if FICAM-approved third-party credentials are not accepted. This requirement typica...
    Rule Low Severity
  • SRG-APP-000181-AS-000255

    <GroupDescription></GroupDescription>
    Group

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules