WebSphere MQ security class(es) must not be defined improperly.

An XCCDF Rule

Description

WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.

ID: SV-225629r1055911_rule
Version: ZWMQ0049
Severity: Medium
References: CCI-000213 CCI-002358
Updated: 6 days ago

Remediation Templates

Ensure that all WebSphere MQ resources are defined to TSS.

The following should be defined to the RDT:

MQADMIN
MQCONNMQCMDS
MQNLIST
MQPROC
MQQUEUE

When SCYCASE is set to mixed,  and the following WebSphere MQ resource classes should be defined to the TSS RDT.

MXADMIN
MXNLIST
MXPROC
MXQUEUE
MXTOPIC

Use the following commands to define (establish ownership of) resources for each WebSphere MQ subsystem to TSS:

TSS ADD(deptname) MQADMIN(ssid.)
TSS ADD(deptname) MQCMDS(ssid.)
TSS ADD(deptname) MQCONN(ssid.)
TSS ADD(deptname) MQNLIST(ssid.)
TSS ADD(deptname) MQPROC(ssid.)
TSS ADD(deptname) MQQUEUE(ssid.)

When SCYCASE is set to mixed, CLASMAP Definitions must include the following entries:

TSS ADD(deptname) MXADMIN(ssid.)
TSS ADD(deptname) MXNLIST(ssid.)
TSS ADD(deptname) MXPROC(ssid.)
TSS ADD(deptname) MXQUEUE(ssid.)
TSS ADD(deptname) MXTOPIC(ssid.)

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

Another method to ensure protection is to assign the DEFPROT attribute to the resource class in the RDT record by using the following command:

TSS REP(RDT) RESCLASS(MQADMIN) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQCMDS) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQCONN) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQNLIST) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQPROC) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQQUEUE) ATTR(DEFPROT)

When SCYCASE is set to mixed.

TSS REP(RDT) RESCLASS(MXADMIN) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXNLIST) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXPROC) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXQUEUE) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXTOPIC) ATTR(DEFPROT)

WebSphere MQ security class(es) must not be defined improperly.

Description

Remediation Templates

A Manual Procedure