STIGQter: STIG Summary: zOS WebsphereMQ for TSS STIG Version: 6 Release: 2 Benchmark Date: 24 Jul 2020:

WebSphere MQ security class(es) is(are) defined improperly.

DISA Rule

SV-7535r3_rule

Vulnerability Number

V-6959

Group Title

ZWMQ0049

Rule Version

ZWMQ0049

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-002358 - The information system implements a reference monitor for organization-defined access control policies that is always invoked.

Weight

10

Fix Recommendation

The IAO will ensure that all WebSphere MQ resources are defined to TSS.

The following should be defined to the RDT:

MQADMIN
MQCONN
MQCMDS
MQNLIST
MQPROC
MQQUEUE

For V7.0.0 and above:

MXADMIN
MXNLIST
MXPROC
MXQUEUE
MXTOPIC

Use the following commands to define (establish ownership of) resources for each WebSphere MQ subsystem to TSS:

TSS ADD(deptname) MQADMIN(ssid.)
TSS ADD(deptname) MQCMDS(ssid.)
TSS ADD(deptname) MQCONN(ssid.)
TSS ADD(deptname) MQNLIST(ssid.)
TSS ADD(deptname) MQPROC(ssid.)
TSS ADD(deptname) MQQUEUE(ssid.)

For V7.0.0 and above:

TSS ADD(deptname) MXADMIN(ssid.)
TSS ADD(deptname) MXNLIST(ssid.)
TSS ADD(deptname) MXPROC(ssid.)
TSS ADD(deptname) MXQUEUE(ssid.)
TSS ADD(deptname) MXTOPIC(ssid.)

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

Another method to ensure protection is to assign the DEFPROT attribute to the resource class in the RDT record by using the following command:

TSS REP(RDT) RESCLASS(MQADMIN) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQCMDS) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQCONN) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQNLIST) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQPROC) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQQUEUE) ATTR(DEFPROT)

For V7.0.0 and above:

TSS REP(RDT) RESCLASS(MXADMIN) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXNLIST) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXPROC) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXQUEUE) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXTOPIC) ATTR(DEFPROT)

Check Contents

Refer to the following report produced by the TSS Data Collection:

- TSSCMDS.RPT(#RDT)
- TSSCMDS.RPT(WHOOMADM)
- TSSCMDS.RPT(WHOOMCMD)
- TSSCMDS.RPT(WHOOMCON)
- TSSCMDS.RPT(WHOOMNLI)
- TSSCMDS.RPT(WHOOMPRO)
- TSSCMDS.RPT(WHOOMQUE)
- TSSCMDS.RPT(WHOOXADM)
- TSSCMDS.RPT(WHOOXNLI)
- TSSCMDS.RPT(WHOOXPRO)
- TSSCMDS.RPT(WHOOXQUE)
- TSSCMDS.RPT(WHOOXTOP)

Ensure the following WebSphere MQ resource classes are defined to the TSS RDT:

MQADMIN
MQCONN
MQCMDS
MQNLIST
MQPROC
MQQUEUE

For V7.0.0 and above:

MXADMIN
MXNLIST
MXPROC
MXQUEUE
MXTOPIC

Ensure that each ssid. resource is defined in each of the above resource classes.

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

NOTE: If both MQADMIN and MXADMIN resource classes are not defined to the RDT record, no security checking is performed.

Vulnerability Number

V-6959

Documentable

False

Rule Version

ZWMQ0049

Severity Override Guidance

Refer to the following report produced by the TSS Data Collection:

- TSSCMDS.RPT(#RDT)
- TSSCMDS.RPT(WHOOMADM)
- TSSCMDS.RPT(WHOOMCMD)
- TSSCMDS.RPT(WHOOMCON)
- TSSCMDS.RPT(WHOOMNLI)
- TSSCMDS.RPT(WHOOMPRO)
- TSSCMDS.RPT(WHOOMQUE)
- TSSCMDS.RPT(WHOOXADM)
- TSSCMDS.RPT(WHOOXNLI)
- TSSCMDS.RPT(WHOOXPRO)
- TSSCMDS.RPT(WHOOXQUE)
- TSSCMDS.RPT(WHOOXTOP)

Ensure the following WebSphere MQ resource classes are defined to the TSS RDT:

MQADMIN
MQCONN
MQCMDS
MQNLIST
MQPROC
MQQUEUE

For V7.0.0 and above:

MXADMIN
MXNLIST
MXPROC
MXQUEUE
MXTOPIC

Ensure that each ssid. resource is defined in each of the above resource classes.

NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).

NOTE: If both MQADMIN and MXADMIN resource classes are not defined to the RDT record, no security checking is performed.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

3599

Comments