WebSphere MQ RESLEVEL resources in the MQADMIN resource class are not protected in accordance with security requirements.
An XCCDF Rule
Description
<VulnDiscussion>RESLEVEL security profiles control the number of userids checked for API-resource security. RESLEVEL is a powerful option that can cause the bypassing of all security checks. RESLEVEL security will not be implemented. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-224567r855248_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
RESLEVEL security profiles control the number of userids checked for API-resource security. RESLEVEL security will not be implemented due to the following exposures and limitations:
(1) RESLEVEL is a powerful option that can cause the bypassing of all security checks.
(2) Security audit records are not created when the RESLEVEL profile is utilized.
(3) If the WARNING option is specified on a RESLEVEL profile, no warning messages are produced.
To protect against any profile in the MQADMIN class, such as ssid.**, resolving to a RESLEVEL profile, a ssid.RESLEVEL profile will be defined for each queue manager with