STIGQter: STIG Summary: zOS WebsphereMQ for RACF STIG, Version: 6, Release: 2, Benchmark Date: 24 Jul 2020

WebSphere MQ resource classes are not properly activated for security checking by the ACP.

DISA Rule

SV-7534r3_rule

Vulnerability Number

V-6959

Group Title

ZWMQ0049

Rule Version

ZWMQ0049

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The IAO will ensure that all WebSphere MQ resources are active and properly defined.

Ensure the following WebSphere MQ resource classes are active:

GMQADMIN
GMQNLIST
GMQPROC
GMQQUEUE
MQADMIN
MQCMDS
MQCONN
MQNLIST
MQPROC
MQQUEUE

For V7.0.0 and above:

GMXADMIN
GMXNLIST
GMXPROC
GMXQUEUE
GMXTOPIC
MXADMIN
MXNLIST
MXPROC
MXQUEUE
MXTOPIC

NOTE: If both MQADMIN and MXADMIN resource classes are not active, no security checking is performed.

The following sample contains commands to activate the required classes:

SETR CLASSACT(MQADMIN MQCMDS MQCONN)
SETR CLASSACT(MQNLIST MQPROC MQQUEUE)
SETR CLASSACT(MXADMIN MXNLIST MXPROC MXQUEUE)

Check Contents

Refer to the following reports produced by the RACF Data Collection:

- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes

Automated Analysis
Refer to the following report produced by the RACF Data Collection:

- PDI(ZWMQ0049)

Ensure the following WebSphere MQ resource classes are active:

GMQADMIN
GMQNLIST
GMQPROC
GMQQUEUE
MQADMIN
MQCMDS
MQCONN
MQNLIST
MQPROC
MQQUEUE

For V7.0.0 and above:

GMXADMIN
GMXNLIST
GMXPROC
GMXQUEUE
GMXTOPIC
MXADMIN
MXNLIST
MXPROC
MXQUEUE
MXTOPIC

NOTE: If both MQADMIN and MXADMIN resource classes are not active, no security checking is performed.
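
As an added example (not part of the STIG or of any DISA tooling), the check above can be scripted against a saved SETROPTS LIST report. It assumes the active classes appear under an "ACTIVE CLASSES =" label with wrapped continuation lines ended by the next "LABEL = value" entry, and it reads the NOTE as meaning neither admin class is active. The sample report and the function names are constructed for illustration.

```python
import re

# Classes the rule requires: the base list, plus the "V7.0.0 and above" list.
BASE = {"GMQADMIN", "GMQNLIST", "GMQPROC", "GMQQUEUE", "MQADMIN",
        "MQCMDS", "MQCONN", "MQNLIST", "MQPROC", "MQQUEUE"}
V7_PLUS = {"GMXADMIN", "GMXNLIST", "GMXPROC", "GMXQUEUE", "GMXTOPIC",
           "MXADMIN", "MXNLIST", "MXPROC", "MXQUEUE", "MXTOPIC"}

# Constructed report excerpt (assumed layout): MQ* classes active, MX* absent.
SAMPLE = """\
ATTRIBUTES = INITSTATS
ACTIVE CLASSES = DATASET USER GROUP FACILITY GMQADMIN GMQNLIST GMQPROC
                 GMQQUEUE MQADMIN MQCMDS MQCONN MQNLIST MQPROC
                 MQQUEUE
GENERIC PROFILE CLASSES = DATASET MQQUEUE
"""

def active_classes(report):
    """Return the class names listed under ACTIVE CLASSES, wrapped lines included."""
    found, collecting = set(), False
    for line in report.splitlines():
        m = re.match(r"\s*ACTIVE CLASSES\s*=\s*(.*)$", line)
        if m:
            collecting, line = True, m.group(1)
        elif collecting and "=" in line:
            break  # the next "LABEL = value" entry ends the class list
        if collecting:
            found.update(line.split())
    return found

def check_zwmq0049(report, v7_or_later=True):
    """Report required classes that are inactive, and the NOTE's worst case."""
    active = active_classes(report)
    required = BASE | (V7_PLUS if v7_or_later else set())
    return {
        "missing": sorted(required - active),
        # NOTE in the rule: with neither admin class active, nothing is checked.
        "no_security_checking": not ({"MQADMIN", "MXADMIN"} & active),
    }

if __name__ == "__main__":
    print(check_zwmq0049(SAMPLE))
```

A non-empty "missing" list is a finding for this rule; "no_security_checking" flags the more serious condition described in the NOTE.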

Documentable

False

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

3597
