WebSphere MQ security class(es) is(are) defined improperly.

An XCCDF Rule

Description

<VulnDiscussion>WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-225629r855252_rule
Severity: Medium
References: CCI-000213 CCI-002358
Updated: 8 months ago

The IAO will ensure that all WebSphere MQ resources are defined to TSS.

The following should be defined to the RDT:

MQADMIN
MQCONNMQCMDS
MQNLIST
MQPROC
MQQUEUE

For V7.0.0 and above:

MXADMIN
MXNLIST
MXPROC
MXQUEUE
MXTOPIC

Use the following commands to define (establish ownership of) resources for each WebSphere MQ subsystem to TSS:

TSS ADD(deptname) MQADMIN(ssid.)
TSS ADD(deptname) MQCMDS(ssid.)
TSS ADD(deptname) MQCONN(ssid.)
TSS ADD(deptname) MQNLIST(ssid.)
TSS ADD(deptname) MQPROC(ssid.)
TSS ADD(deptname) MQQUEUE(ssid.)

For V7.0.0 and above:

TSS ADD(deptname) MXADMIN(ssid.)
TSS ADD(deptname) MXNLIST(ssid.)
TSS ADD(deptname) MXPROC(ssid.)
TSS ADD(deptname) MXQUEUE(ssid.)
TSS ADD(deptname) MXTOPIC(ssid.)

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

Another method to ensure protection is to assign the DEFPROT attribute to the resource class in the RDT record by using the following command:

TSS REP(RDT) RESCLASS(MQADMIN) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQCMDS) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQCONN) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQNLIST) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQPROC) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQQUEUE) ATTR(DEFPROT)

For V7.0.0 and above:

TSS REP(RDT) RESCLASS(MXADMIN) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXNLIST) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXPROC) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXQUEUE) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXTOPIC) ATTR(DEFPROT)

WebSphere MQ security class(es) is(are) defined improperly.

Description

Remediation - Manual Procedure