IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-APP-000416-AS-000140
Group -
SRG-APP-000400-AS-000246
Group -
The MQ Appliance SSH interface to the messaging server must prohibit the use of cached authenticators after 600 seconds.
When the messaging server is using PKI authentication, a local revocation cache must be stored for instances when the revocation cannot be authenticated through the network, but if cached authentic...Rule Medium Severity -
SRG-APP-000456-AS-000266
Group -
SRG-APP-000356-AS-000202
Group -
SRG-APP-000148-AS-000101
Group -
SRG-APP-000015-AS-000010
Group -
SRG-APP-000358-AS-000064
Group -
The MQ Appliance messaging server must off-load log records onto a different system or media from the system being logged.
Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to...Rule Medium Severity -
SRG-APP-000372-AS-000212
Group -
The MQ Appliance messaging server must synchronize internal MQ Appliance messaging server clocks to an authoritative time source when the time difference is greater than the organization-defined time period.
Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of internal messagin...Rule Low Severity -
SRG-APP-000371-AS-000077
Group -
The MQ Appliance messaging server must compare internal MQ Appliance messaging server clocks at least every 24 hours with an authoritative time source.
Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of system clocks is ...Rule Low Severity -
SRG-APP-000400-AS-000246
Group -
The MQ Appliance WebGUI interface to the messaging server must prohibit the use of cached authenticators after one hour.
When the messaging server is using PKI authentication, a local revocation cache must be stored for instances when the revocation cannot be authenticated through the network, but if cached authentic...Rule Medium Severity -
SRG-APP-000359-AS-000065
Group -
SRG-APP-000295-AS-000263
Group -
The MQ Appliance messaging server must automatically terminate a SSH user session after organization-defined conditions or trigger events requiring a session disconnect.
An attacker can take advantage of CLI user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the messaging ...Rule Medium Severity -
SRG-APP-000295-AS-000263
Group -
The MQ Appliance must automatically terminate a WebGUI user session after 600 seconds of idle time.
An attacker can take advantage of WebGUI user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the messagi...Rule Medium Severity -
SRG-APP-000514-AS-000137
Group -
The MQ Appliance messaging server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved...Rule Medium Severity -
SRG-APP-000435-AS-000069
Group -
SRG-APP-000014-AS-000009
Group -
The MQ Appliance messaging server must use encryption strength in accordance with the categorization of the management data during remote access management sessions.
Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the messaging server via a network for the purposes of managing the mes...Rule Medium Severity -
SRG-APP-000515-AS-000203
Group -
SRG-APP-000440-AS-000167
Group -
The MQ Appliance messaging server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
Preventing the disclosure or modification of transmitted information requires that messaging servers take measures to employ approved cryptography in order to protect the information during transmi...Rule Medium Severity -
SRG-APP-000439-AS-000274
Group -
The MQ Appliance messaging server must remove all export ciphers to protect the confidentiality and integrity of transmitted information.
During the initial setup of a Transport Layer Security (TLS) connection to the messaging server, the client sends a list of supported cipher suites in order of preference. The messaging server wil...Rule Medium Severity -
SRG-APP-000439-AS-000155
Group -
The MQ Appliance messaging server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version.
Preventing the disclosure of transmitted information requires that the messaging server take measures to employ some form of cryptographic mechanism in order to protect the information during trans...Rule Medium Severity -
SRG-APP-000095-AS-000056
Group -
SRG-APP-000266-AS-000168
Group -
The MQ Appliance messaging server must identify potentially security-relevant error conditions.
The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrat...Rule Medium Severity -
SRG-APP-000108-AS-000067
Group -
The MQ Appliance messaging server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.
Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a security incident. When log processing fails, the events during the failure...Rule Medium Severity -
SRG-APP-000435-AS-000163
Group -
SRG-APP-000404-AS-000249
Group -
SRG-APP-000181-AS-000255
Group -
The MQ Appliance messaging server must provide a log reduction capability that supports on-demand reporting requirements.
The ability to generate on-demand reports, including after the log data has been subjected to log reduction, greatly facilitates the organization's ability to generate incident reports as needed to...Rule Medium Severity -
SRG-APP-000109-AS-000070
Group -
The MQ Appliance messaging server must be configured to fail over to another system in the event of log subsystem failure.
This requirement is dependent upon system MAC and availability. If the system MAC and availability do not specify redundancy requirements, this requirement is NA. It is critical that, when a syste...Rule Medium Severity -
SRG-APP-000225-AS-000154
Group -
The MQ Appliance messaging server must provide a clustering capability.
This requirement is dependent upon system criticality and confidentiality requirements. If the system categorization and confidentiality levels do not specify redundancy requirements, this requirem...Rule Medium Severity -
SRG-APP-000219-AS-000147
Group -
SRG-APP-000158-AS-000108
Group -
The MQ Appliance messaging server must uniquely identify all network-connected endpoint devices before establishing any connection.
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed messaging servers and components, the decisions regarding t...Rule Medium Severity -
SRG-APP-000172-AS-000121
Group -
Access to the MQ Appliance messaging server must utilize encryption when using LDAP for authentication.
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Messaging servers have the capability to utilize LDAP directories ...Rule Medium Severity