Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide
SRG-APP-000317-NDM-000282
The MQ Appliance network device must terminate shared/group account credentials when members leave the group.
The MQ Appliance network device must terminate shared/group account credentials when members leave the group.
An XCCDF Rule
Details
Profiles
Prose
The MQ Appliance network device must terminate shared/group account credentials when members leave the group.
Medium Severity
<VulnDiscussion>A shared/group account credential is a shared form of authentication that allows multiple individuals to access the MQ Appliance network device using a single account. If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. The only local account on the MQ Appliance should be the emergency admin account of last resort referred to as the "Fallback user". This account is automatically inactive and not accessible as long as LDAP access is enabled. If network access to the LDAP server is lost, the MQ appliance will automatically enable the Fallback user account to allow for emergency administrative access. If a former admin knows the Fallback user password, still has network access, and can force the MQ appliance to not communicate with the LDAP server, they could access the MQ appliance using the Fallback user credentials. The Fallback user account password must be changed whenever MQ administrators leave the group/team or if their roles change and they no longer require access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>