STIGQter: STIG Summary: IBM MQ Appliance V9.0 AS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017

The MQ Appliance messaging server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing operationally-defined security safeguards.

DISA Rule

SV-89559r1_rule

Vulnerability Number

V-74885

Group Title

SRG-APP-000435-AS-000163

Rule Version

MQMH-AS-000650

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

For each queue manager's server connection (SVRCONN) channel(s):

To access the MQ Appliance CLI, enter:
mqcli

To start MQSC for the queue manager, enter:
runmqsc <queue manager name>

To display available SVRCONN channels, enter:
DIS CHANNEL(*) CHLTYPE(SVRCONN)

To set the instance limits on each channel, enter:
ALTER CHANNEL(<svrconn channel name>) CHLTYPE(SVRCONN) MAXINST(<max allowed channel instances>) MAXINSTC(<max allowed channels for same client: less than MAXINST>)

To exit MQSC, enter:
end

Check Contents

Obtain documentation that specifies operational limits from the system admin. Check the "SVRCONN" channels of each queue manager to confirm that the "MAXINST" and "MAXINSTC" values are set to values that reflect operational requirements.

To access the MQ Appliance CLI, enter:
mqcli

To identify the queue managers, enter:
dspmq

To run the "runmqsc [queue mgr name]" command for each running queue manager identified, enter:
runmqsc [queue mgr name]

To display available SVRCONN channel details, enter:
DIS CHANNEL(*) CHLTYPE(SVRCONN)

Display values for each channel:
DIS CHANNEL(Channel Name)

If the value of either "MAXINST" or "MAXINSTC" is greater than the organization-defined limit, this is a finding.
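
The comparison in this check can be scripted against captured runmqsc output. The following Python example is added here and is not part of the STIG or of IBM's tooling; the sample output and the limits used with it are constructed, and the function names are hypothetical. It also reports channels where MAXINSTC is not less than MAXINST, which the fix text asks for.

```python
import re

# Constructed sample: echoed command plus per-channel records, trimmed to the relevant attributes.
SAMPLE = """\
     1 : DIS CHANNEL(*) CHLTYPE(SVRCONN)
AMQ8414I: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MAXINST(200)                            MAXINSTC(20)
AMQ8414I: Display Channel details.
   CHANNEL(APP2.SVRCONN)                   CHLTYPE(SVRCONN)
   MAXINST(100)                            MAXINSTC(150)
AMQ8414I: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MAXINST(999999999)                      MAXINSTC(999999999)
"""

ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")   # KEYWORD(value) pairs
ECHO = re.compile(r"^\s*\d*\s*:\s")         # runmqsc echoes each command it reads

def parse_channels(text):
    """Return {channel name: {attribute: value}} from display output."""
    channels, current = {}, None
    for line in text.splitlines():
        if ECHO.match(line) or line.startswith("AMQ"):
            current = None                  # echoed command or message line
            continue
        for key, value in ATTR.findall(line):
            if key == "CHANNEL":
                current = channels.setdefault(value.strip(), {})
            elif current is not None:
                current[key] = value.strip()
    return channels

def audit(text, limit_maxinst, limit_maxinstc):
    """List (channel, attribute, reason) for SVRCONN channels that need review."""
    findings = []
    for name, attrs in sorted(parse_channels(text).items()):
        if attrs.get("CHLTYPE") != "SVRCONN":
            continue
        for key, limit in (("MAXINST", limit_maxinst), ("MAXINSTC", limit_maxinstc)):
            raw = attrs.get(key, "")
            if not raw.isdigit():
                findings.append((name, key, "value not displayed, cannot verify"))
            elif int(raw) > limit:
                findings.append((name, key, f"{raw} exceeds limit {limit}"))
        inst, instc = attrs.get("MAXINST", ""), attrs.get("MAXINSTC", "")
        if inst.isdigit() and instc.isdigit() and int(instc) >= int(inst):
            findings.append((name, "MAXINSTC", f"{instc} is not less than MAXINST {inst}"))
    return findings
```

Calling audit(SAMPLE, 500, 50) with those constructed limits reports APP2.SVRCONN and SYSTEM.DEF.SVRCONN and leaves APP1.SVRCONN clean.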

Documentable

False

Check Content Reference

M

Target Key

3239
