WebSphere MQ RESLEVEL resources in the appropriate ADMIN resource class must be protected in accordance with security requirements.
An XCCDF Rule
Description
RESLEVEL security profiles control the number of userids checked for API-resource security. RESLEVEL is a powerful option that can cause the bypassing of all security checks. RESLEVEL security will not be implemented.
- ID
- SV-224567r1050719_rule
- Version
- ZWMQ0060
- Severity
- Medium
- References
- Updated
Remediation Templates
A Manual Procedure
RESLEVEL security profiles control the number of userids checked for API-resource security. RESLEVEL security will not be implemented due to the following exposures and limitations:
1) RESLEVEL is a powerful option that can cause the bypassing of all security checks.
2) Security audit records are not created when the RESLEVEL profile is utilized.
3) If the WARNING option is specified on a RESLEVEL profile, no warning messages are produced.
To protect against any profile in the MQADMIN or MXADMIN class, such as ssid.**, resolving to a RESLEVEL profile, a ssid.RESLEVEL profile will be defined for each queue manager with UACC(NONE) specified and no users or groups specified in the access list.