STIGQter: STIG Summary: IBM MQ Appliance V9.0 AS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017

The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session.

DISA Rule

SV-89403r1_rule

Vulnerability Number

V-74729

Group Title

SRG-APP-000015-AS-000010

Rule Version

MQMH-AS-000020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Advanced Message Security (AMS) can sign and encrypt messages at the point of production and then decrypt and authenticate them at the point of consumption. At every point in between, the message is protected either for integrity (a digital signature over the message that the consumer verifies against the configured signer DN) or for privacy (the message is signed and then encrypted so that only the named recipients can read it). Steps for setting up AMS, including the certificates and key repositories that the signer and recipient DNs refer to, are not included here. Reference vendor documentation for guidance on setting up AMS.

To enter the MQ command environment from the appliance CLI, enter:
mqcli

Then start the MQSC interface for the queue manager:
runmqsc [QMgrName]

Set a policy on each queue whose messages must be protected. A trailing + continues an MQSC command on the next line; SIGNALG and SIGNER provide the integrity protection this rule requires, and ENCALG and RECIP add privacy:

SET POLICY([queue name]) SIGNALG([SHA256, SHA384, or SHA512]) +
ENCALG([3DES, AES128, or AES256]) +
RECIP(['distinguished name (DN) of the message recipient']) +
SIGNER(['Signature DN validated during message retrieval'])
end

Although 3DES is accepted, it is a 64-bit block cipher; use AES256 (or AES128) unless the documented queue requirements say otherwise. An integrity-only policy uses ENCALG(NONE) and needs no RECIP.

Check Contents

Obtain the documented queue security policy requirements from the system administrator.

To verify the Advanced Message Security (AMS) policies for a queue manager's queues, enter the MQ command environment from the appliance CLI:
mqcli

Start the MQSC interface for the queue manager:
runmqsc [QMgrName]

Display every policy defined on that queue manager:
DIS POLICY(*)

If no security policies are found, or the details of a policy (signature algorithm, encryption algorithm, signer, or recipients) do not match the documented queue security requirements, this is a finding.
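The fix and check procedures above are typed into runmqsc by hand; the following is an added example (not from the STIG, STIGQter or IBM) that renders the SET POLICY command for a queue from a requirements record and then audits captured DIS POLICY(*) output against those requirements, so the "does the policy meet the documented requirements" decision is explicit rather than eyeballed. The queue names, DNs and requirements are constructed, and the runmqsc output is constructed to mimic the attribute(value) layout of MQSC display output; the treatment of 3DES and of TOLERATE as findings is an editor's assumption stated in the comments.

```python
"""Added example for the fix and check procedures above; it is not from the
STIG, STIGQter or IBM.  It renders the MQSC SET POLICY command for a queue and
audits the output of DIS POLICY(*) against documented queue requirements.
The runmqsc output below is constructed for the example and only mimics the
attribute(value) layout of real MQSC output; exact message ids may differ."""
import re

# Algorithms the STIG fix text lists.  3DES is listed too, but it is a 64-bit
# block cipher, so this checker treats it as a finding (editor's assumption).
ALLOWED_SIGNALG = {"SHA256", "SHA384", "SHA512"}
ALLOWED_ENCALG = {"AES128", "AES256"}

# Constructed requirements, standing in for what the system admin documents.
REQUIREMENTS = {
    "ORDERS.IN":   {"signer": "CN=orderproducer,O=Example,C=US", "encrypt": True},
    "LEGACY.IN":   {"signer": "CN=legacy,O=Example,C=US",        "encrypt": True},
    "AUDIT.LOG":   {"signer": "CN=auditor,O=Example,C=US",       "encrypt": False},
    "PAYMENTS.IN": {"signer": "CN=paymentsvc,O=Example,C=US",    "encrypt": True},
}

# Constructed DIS POLICY(*) output: one compliant queue, one weak legacy
# policy, one integrity-only policy, and PAYMENTS.IN missing altogether.
SAMPLE_DIS_POLICY = """\
     1 : DIS POLICY(*)
Display policy details.
   POLICY(ORDERS.IN)                       SIGNALG(SHA256)
   ENCALG(AES256)                          SIGNER(CN=orderproducer,O=Example,C=US)
   RECIP(CN=orderconsumer,O=Example,C=US)  ENFORCE
Display policy details.
   POLICY(LEGACY.IN)                       SIGNALG(SHA1)
   ENCALG(3DES)                            SIGNER(CN=legacy,O=Example,C=US)
   RECIP(CN=legacyapp,O=Example,C=US)      TOLERATE
Display policy details.
   POLICY(AUDIT.LOG)                       SIGNALG(SHA512)
   ENCALG(NONE)                            SIGNER(CN=auditor,O=Example,C=US)
   ENFORCE
"""

_ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")       # NAME(value); DNs hold no ')'
_ECHO = re.compile(r"^\s*\d+\s*:\s")             # runmqsc echoes the command
_MODE = re.compile(r"\b(ENFORCE|TOLERATE)\b")    # assumed shown bare, not NAME(value)


def set_policy_mqsc(queue, signalg, encalg, recip, signer):
    """Render the SET POLICY command from the fix text; '+' continues a line."""
    if signalg not in ALLOWED_SIGNALG or encalg not in ALLOWED_ENCALG | {"NONE"}:
        raise ValueError("algorithm not permitted by documented requirements")
    lines = [f"SET POLICY({queue}) SIGNALG({signalg}) +", f"ENCALG({encalg}) +"]
    if encalg != "NONE":                          # integrity-only needs no RECIP
        lines.append(f"RECIP('{recip}') +")
    lines.append(f"SIGNER('{signer}')")
    return "\n".join(lines)


def parse_dis_policy(text):
    """Parse DIS POLICY output into {queue: {attribute: value}}.
    A POLICY(...) attribute starts a new record; the attributes that follow,
    which may span several lines, belong to it."""
    policies, current = {}, None
    for line in text.splitlines():
        if _ECHO.match(line):
            continue
        for attr, value in _ATTR.findall(line):
            if attr == "POLICY":
                current = policies.setdefault(value, {})
            elif current is not None:
                current[attr] = value
        mode = _MODE.search(line)
        if mode and current is not None:
            current["MODE"] = mode.group(1)
    return policies


def audit(policies, requirements):
    """Return {queue: [reason, ...]} for every required queue that is a finding."""
    findings = {}
    for queue, req in requirements.items():
        reasons, pol = [], policies.get(queue)
        if pol is None:
            reasons.append("no AMS policy defined")
        else:
            enc = pol.get("ENCALG", "NONE")
            if pol.get("SIGNALG") not in ALLOWED_SIGNALG:
                reasons.append(f"SIGNALG({pol.get('SIGNALG')}) not permitted")
            if req["encrypt"] and enc not in ALLOWED_ENCALG:
                reasons.append(f"ENCALG({enc}) not permitted for a privacy policy")
            if not req["encrypt"] and enc not in ALLOWED_ENCALG | {"NONE"}:
                reasons.append(f"ENCALG({enc}) is a weak cipher")
            if req["encrypt"] and "RECIP" not in pol:
                reasons.append("privacy policy names no RECIP")
            if pol.get("SIGNER") != req["signer"]:
                reasons.append(f"SIGNER is {pol.get('SIGNER')}, expected {req['signer']}")
            if pol.get("MODE") == "TOLERATE":
                reasons.append("TOLERATE accepts unprotected messages; ENFORCE expected")
        if reasons:
            findings[queue] = reasons
    return findings


if __name__ == "__main__":
    print(set_policy_mqsc("ORDERS.IN", "SHA256", "AES256",
                          "CN=orderconsumer,O=Example,C=US",
                          "CN=orderproducer,O=Example,C=US"))
    for queue, reasons in audit(parse_dis_policy(SAMPLE_DIS_POLICY),
                                REQUIREMENTS).items():
        print(f"FINDING {queue}: " + "; ".join(reasons))
```

On the constructed sample the audit reports LEGACY.IN (SHA1 signature, 3DES encryption, TOLERATE mode) and PAYMENTS.IN (no policy at all) as findings, while the integrity-only AUDIT.LOG policy passes because its requirements do not call for encryption. Paste real DIS POLICY(*) output in place of the sample and fill REQUIREMENTS from the administrator's documentation to reuse it during a review.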

Vulnerability Number

V-74729

Documentable

False

Rule Version

MQMH-AS-000020

Severity Override Guidance


Check Content Reference

M

Target Key

3239

Comments