WebSphere MQ queue resource defined to the appropriate resource class must be protected in accordance with security requirements.

An XCCDF Rule

Description

WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.

ID: SV-225633r1050731_rule
Version: ZWMQ0054
Severity: Medium
References: CCI-000213
Updated: 6 days ago

Remediation Templates

For all queue resources defined to the MQQUEUE or MXQUEUE resource class, ensure the following items are in effect:

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

For message queues (i.e., ssid.queuename), access authorization restricts access to users requiring the ability to get messages from and put messages to message queues. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.
For system queues (i.e., ssid.SYSTEM.queuename), access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, and CICS regions running WebSphere MQ applications.

For the following system queues ensure that UPDATE access is restricted to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, CICS regions running WebSphere MQ applications, auditors, and users that require access to review message queues.

ssid.SYSTEM.COMMAND.INPUT
ssid.SYSTEM.COMMAND.REPLY
ssid.SYSTEM.CSQOREXX.*

For the following system queues (i.e., ssid.SYSTEM.CSQUTIL.*) ensure that UPDATE access is restricted to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, CICS regions running WebSphere MQ applications, and auditors.

For the real dead-letter queue (to determine queue name, refer to ZWMQ0053), access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, CICS regions running WebSphere MQ applications, and any automated application used for dead-letter queue maintenance.

For the alias dead-letter queue (to determine queue name, refer to ZWMQ0053), access authorization restricts access to users requiring the ability to put messages to the dead-letter queue. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.

NOTE: If an alias queue is not used in place of the dead-letter queue, the RACF rules for the dead-letter queue will be coded to restrict unauthorized users and systems from reading the messages on the file.

The following is a sample of the commands required to allow a user (USER1) to get messages from or put messages to queues beginning with (PAY.) on subsystem (QM1):

TSS PER(USER1) MQQUEUE(QM1.PAY.) ACC(UPDATE)

WebSphere MQ queue resource defined to the appropriate resource class must be protected in accordance with security requirements.

Description

Remediation Templates

A Manual Procedure