WebSphere MQ MQCONN Class resources must be protected properly.

An XCCDF Rule

Description

<VulnDiscussion>WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-225631r855253_rule
Severity: Medium
References: CCI-000213 CCI-002234
Updated: 8 months ago

Review the following connection resources defined to the MQCONN resource class:

Resource       Authorized Users
ssid.BATCH       TSO and batch job ACIDs
ssid.CICS       CICS region ACIDs
ssid.IMS       IMS region ACIDsssid.CHIN       Channel initiator ACIDs

NOTE:       ssid is the queue manager name (a.k.a., subsystem identifier).

c) For all connection resources defined to the MQCONN resource class, ensure the following items are in effect:

1) Access authorization restricts access to the appropriate users as indicated in (b) above.
2) All access FAILUREs are logged.

The following is a sample of the commands required to allow a batch user (USER1) to connect to a queue manager (QM1):

TSS ADD(USER1) FAC(QM1MSTR)
TSS PER(USER1) MQCONN(QM1.BATCH) ACC(READ)

WebSphere MQ MQCONN Class resources must be protected properly.

Description

Remediation - Manual Procedure