STIGQter: STIG Summary: IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 05 Jun 2017

SSH CLI access to the MQ Appliance management interface must be restricted to approved management workstations.

DISA Rule

SV-89699r1_rule

Vulnerability Number

V-75025

Group Title

SRG-APP-000408-NDM-000314

Rule Version

MQMH-ND-001530

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Log on to the MQ Appliance WebGUI as a privileged user.
Go to the Network icon. Select Management >> SSH Service.
Click "edit" next to the Access control list field.
Edit the SSH ACL so that it allows only the approved management workstations or the approved management network segment, and remove any entry that permits addresses outside the approved list.

For a firewall solution, isolate the MQ Appliance SSH network interface behind the firewall and apply firewall rules that limit SSH access to the appliance to only the approved management workstations or networks.

Check Contents

Log on to the MQ Appliance WebGUI as a privileged user.
Go to the Network icon. Select Management >> SSH Service.
Click "edit" next to the Access control list field.
View the SSH ACL and obtain the list of addresses it allows.

Ask the administrator for the list of approved addresses and compare it against the ACL entries. If an authorized management network is in place, the SSH ACL may include a range of addresses within that network rather than individual workstation addresses.

If a firewall is used to isolate SSH traffic, request the IP addresses of the MQ Appliance and the relevant firewall ruleset, and confirm that the rules permit SSH to the appliance only from the approved addresses.

If SSH traffic is not restricted to the list of approved addresses, whether by the SSH ACL, the firewall ruleset, or both, this is a finding.
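The comparison in the check above is easy to get wrong by eye when the ACL mixes single addresses and CIDR ranges. The following is an added example, not part of the STIG or of the MQ Appliance product: it takes the SSH ACL entries (as the reviewer would transcribe them from the WebGUI) and the administrator's approved list, and reports a finding if any allowed address or range falls outside the approved addresses. The one-entry-per-line "allow"/"deny" text format, the sample ACL and the approved list are constructed for illustration, and treating an ACL with no allow entries as unrestricted is an assumption made here.

```python
"""Added example: evaluate an MQ Appliance SSH ACL against the approved
management addresses, following the manual check for MQMH-ND-001530.
The ACL/approved-list data and the line format are constructed for
illustration and are not taken from any real appliance."""
import ipaddress

# Constructed sample: SSH ACL entries as transcribed from the WebGUI.
SAMPLE_ACL = """
# management network plus one jump host
allow 10.20.30.0/24
allow 192.0.2.15
deny 0.0.0.0/0
"""

# Constructed sample: the administrator's list of approved addresses.
APPROVED = ["10.20.30.0/24", "192.0.2.15"]


def parse_acl(text):
    """Parse 'allow <addr>' / 'deny <addr>' lines into (action, network) pairs.

    Single addresses become /32 (or /128) networks so ranges and hosts
    can be compared uniformly."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, addr = line.split(None, 1)
        action = action.lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown ACL action in line: {line!r}")
        entries.append((action, ipaddress.ip_network(addr.strip(), strict=False)))
    return entries


def evaluate(acl_text, approved):
    """Return (is_finding, reasons) for the ACL against the approved list.

    A finding is raised when an allow entry is not fully contained in some
    approved address or range (this also catches 'allow 0.0.0.0/0'), or
    when the ACL has no allow entries at all, which this example assumes
    means SSH is not restricted."""
    approved_nets = [ipaddress.ip_network(a, strict=False) for a in approved]
    allows = [net for action, net in parse_acl(acl_text) if action == "allow"]
    reasons = []
    if not allows:
        reasons.append("ACL has no allow entries: SSH access is not restricted")
    for net in allows:
        # subnet_of only compares networks of the same IP version
        same_version = [a for a in approved_nets if a.version == net.version]
        if not any(net.subnet_of(a) for a in same_version):
            reasons.append(f"allow {net} is not within any approved address or range")
    return (len(reasons) > 0, reasons)


if __name__ == "__main__":
    finding, reasons = evaluate(SAMPLE_ACL, APPROVED)
    print("FINDING" if finding else "compliant", reasons)
```

Run it once with the ACL as found on the appliance; any reason it prints is the exact entry to cite in the finding. The same function can be fed the firewall's permitted source addresses when the firewall, rather than the ACL, is the control being reviewed.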

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3243

Comments