WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system data sets are not properly restricted.

An XCCDF Rule

Description

<VulnDiscussion>MVS data sets provide the configuration, operational, and executable properties of WebSphere MQ. Some data sets are responsible for the security implementation of WebSphere MQ. Failure to properly protect these data sets may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-225628r868776_rule
Severity: Medium
References: CCI-000213 CCI-001499 CCI-002234
Updated: 8 months ago

The systems programmer will have the ISSO  ensure that all update and alter access to MQSeries/WebSphere MQ product and system data sets are restricted to WebSphere MQ administrators, systems programmers, and MQSeries/WebSphere MQ started tasks.

The installation requires that the following data sets be APF authorized. 

hlqual.SCSQAUTH
hlqual.SCSQLINKhlqual.SCSQANLx
hlqual.SCSQSNL
hlqual.SCSQMVR1
hlqual.SCSQMVR2

(2)	Read access to data sets referenced by the CSQINP1, CSQINP2, and CSQXLIB DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all access to these data sets.

(3)	Write and allocate access to data set profiles protecting all page sets, logs, bootstrap data sets (BSDS), and data sets referenced by the CSQOUTX and CSQSNAP DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all write and allocate access to these data sets.

(5)	Allocate access to all archive data sets in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all allocate access to these data sets.

WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system data sets are not properly restricted.

Description

Remediation - Manual Procedure