zOS WebsphereMQ for RACF Security Technical Implementation Guide
I - Mission Critical Public
An XCCDF Profile
17 rules organized in 17 groups
SRG-OS-000033
1 Rule
WebSphere MQ channel security must be implemented in accordance with security requirements.
High Severity
WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data. Satisfies: SRG-OS-000505, SRG-OS-000555
SRG-OS-000403
1 Rule
WebSphere MQ channel security is not implemented in accordance with security requirements.
Medium Severity
WebSphere MQ channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. WebSphere MQ channels use SSL encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. Failure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.
SRG-OS-000480
1 Rule
Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF).
Medium Severity
IBM WebSphere MQ can use a user ID associated with an ACP certificate as a channel user ID. When an entity at one end of an SSL channel receives a certificate from a remote connection, the entity asks the ACP if there is a user ID associated with that certificate. The entity uses that user ID as the channel user ID. If there is no user ID associated with the certificate, the entity uses the user ID under which the channel initiator is running. Without a validly defined Certificate Name Filter for the entity, IBM WebSphere MQ will set the channel user ID to the default.
SRG-OS-000163
1 Rule
User timeout parameter values for WebSphere MQ queue managers are not specified in accordance with security requirements.
Medium Severity
Users signed on to a WebSphere MQ queue manager could leave their terminals unattended for long periods of time. This may allow unauthorized individuals to gain access to WebSphere MQ resources and application data. This exposure could compromise the availability, integrity, and confidentiality of some system services and application data.
SRG-OS-000104
1 Rule
WebSphere MQ started tasks are not defined in accordance with the proper security requirements.
Medium Severity
Started tasks are used to execute WebSphere MQ queue manager services. Improperly defined WebSphere MQ started tasks may result in inappropriate access to application resources and the loss of accountability. This exposure could compromise the availability of some system services and application data.
SRG-OS-000080
1 Rule
WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system data sets are not properly restricted.
Medium Severity
MVS data sets provide the configuration, operational, and executable properties of WebSphere MQ. Some data sets are responsible for the security implementation of WebSphere MQ. Failure to properly protect these data sets may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
SRG-OS-000080
1 Rule
WebSphere MQ resource classes must be properly activated for security checking by the ESM.
Medium Severity
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to ensure the classes have been made ACTIVE under RACF will prevent RACF from enforcing security rules. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
SRG-OS-000080
1 Rule
WebSphere MQ switch profiles must be properly defined to the appropriate ADMIN class.
High Severity
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
SRG-OS-000080
1 Rule
WebSphere MQ MQ Connection Class resource definitions must be protected in accordance with security.
Medium Severity
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
SRG-OS-000104
1 Rule
WebSphere MQ dead letter and alias dead letter queues are not properly defined.
Medium Severity
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
SRG-OS-000080
1 Rule
WebSphere MQ MQQUEUE (Queue) resource profiles defined to the appropriate class must be protected in accordance with security requirements.
Medium Severity
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
SRG-OS-000080
1 Rule
WebSphere MQ Process resource profiles defined in the appropriate Class must be protected in accordance with security requirements.
Medium Severity
WebSphere MQ Process resources allow for the control of processes. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
SRG-OS-000080
1 Rule
WebSphere MQ Namelist resource profiles defined in the appropriate class must be protected in accordance with security requirements.
Medium Severity
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
SRG-OS-000080
1 Rule
WebSphere MQ Alternate User resources defined to appropriate ADMIN resource class must be protected in accordance with security requirements.
Medium Severity
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
SRG-OS-000080
1 Rule
WebSphere MQ context resources defined to the appropriate ADMIN resource class must be protected in accordance with security requirements.
Medium Severity
Context security validates whether a userid has authority to pass or set identity and/or origin data for a message. Context security will be active to avoid security exposure. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
SRG-OS-000080
1 Rule
WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements.
Medium Severity
WebSphere MQ resources allow for the control of commands. Failure to properly protect WebSphere MQ Command resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
SRG-OS-000080
1 Rule
WebSphere MQ RESLEVEL resources in the appropriate ADMIN resource class must be protected in accordance with security requirements.
Medium Severity
RESLEVEL security profiles control the number of userids checked for API-resource security. RESLEVEL is a powerful option that can cause the bypassing of all security checks. RESLEVEL security will not be implemented.