SSH CLI access to the MQ Appliance management interface must be restricted to approved management workstations.
An XCCDF Rule
Description
<VulnDiscussion>The approved method for authenticating to systems is via two-factor authentication. Two-factor authentication is defined as using something you have (e.g., CAC or token) and something you know (e.g., PIN). The SSH CLI in MQ does not have the native ability to use multifactor authentication. This increases the risk of user account compromise. Restricting access to the MQ SSH management interface helps to mitigate this risk. Access must be restricted to only those management workstations or networks that require access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-89699r1_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Log on to the MQ Appliance WebGUI as a privileged user.
Go to Network icon. Select Management >> SSH Service.
Click "edit" next to the Access control list field.
Edit the SSH ACL and add authorized workstations or management network segment.
For a firewall solution, isolate the MQ SSH network interface behind the firewall and apply firewall rules to limit SSH access to only authorized management workstations or networks.