STIGQter: STIG Summary: IBM MQ Appliance V9.0 AS Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 05 Jun 2017

| Name | Title |
| --- | --- |
| SV-89401r1_rule | The MQ Appliance messaging server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
| SV-89403r1_rule | The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session. |
| SV-89415r1_rule | The MQ Appliance messaging server must off-load log records onto a different system or media from the system being logged. |
| SV-89417r1_rule | The MQ Appliance messaging server must synchronize internal MQ Appliance messaging server clocks to an authoritative time source when the time difference is greater than the organization-defined time period. |
| SV-89419r1_rule | The MQ Appliance messaging server must compare internal MQ Appliance messaging server clocks at least every 24 hours with an authoritative time source. |
| SV-89421r1_rule | The MQ Appliance messaging server must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
| SV-89423r1_rule | The MQ Appliance WebGUI interface to the messaging server must prohibit the use of cached authenticators after one hour. |
| SV-89475r1_rule | The MQ Appliance messaging server must provide an immediate warning to the SA and ISSO, at a minimum, when allocated log record storage volume reaches 75% of maximum log record storage capacity. |
| SV-89479r1_rule | The MQ Appliance messaging server must automatically terminate a SSH user session after organization-defined conditions or trigger events requiring a session disconnect. |
| SV-89487r1_rule | The MQ Appliance must automatically terminate a WebGUI user session after 600 seconds of idle time. |
| SV-89489r1_rule | The MQ Appliance SSH interface to the messaging server must prohibit the use of cached authenticators after 600 seconds. |
| SV-89505r1_rule | The MQ Appliance messaging server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). |
| SV-89509r1_rule | The MQ Appliance messaging server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. |
| SV-89521r1_rule | The MQ Appliance messaging server, when categorized as a high level system, must be in a high-availability (HA) cluster. |
| SV-89523r1_rule | The MQ Appliance messaging server must use encryption strength in accordance with the categorization of the management data during remote access management sessions. |
| SV-89525r1_rule | The MQ Appliance messaging server must, at a minimum, transfer the logs of interconnected systems in real time, and transfer the logs of standalone systems weekly. |
| SV-89527r1_rule | The MQ Appliance messaging server must provide centralized management and configuration of the content to be captured in log records generated by all application components. |
| SV-89533r1_rule | The MQ Appliance messaging server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. |
| SV-89535r1_rule | The MQ Appliance messaging server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. |
| SV-89537r1_rule | The MQ Appliance messaging server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. |
| SV-89551r1_rule | The MQ Appliance messaging server must produce log records containing information to establish what type of events occurred. |
| SV-89553r1_rule | The MQ Appliance messaging server must identify potentially security-relevant error conditions. |
| SV-89557r1_rule | The MQ Appliance messaging server must alert the SA and ISSO, at a minimum, in the event of a log processing failure. |
| SV-89559r1_rule | The MQ Appliance messaging server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing operationally-defined security safeguards. |
| SV-89561r1_rule | The MQ Appliance messaging server must accept FICAM-approved third-party credentials. |
| SV-89563r1_rule | The MQ Appliance messaging server must provide a log reduction capability that supports on-demand reporting requirements. |
| SV-89565r1_rule | The MQ Appliance messaging server must be configured to fail over to another system in the event of log subsystem failure. |
| SV-89567r1_rule | The MQ Appliance messaging server must provide a clustering capability. |
| SV-89569r1_rule | The MQ Appliance messaging server must ensure authentication of both SSH client and server during the entire session. |
| SV-89571r1_rule | The MQ Appliance messaging server must uniquely identify all network-connected endpoint devices before establishing any connection. |
| SV-89573r1_rule | Access to the MQ Appliance messaging server must utilize encryption when using LDAP for authentication. |
| SV-89575r1_rule | The MQ Appliance messaging server must map the authenticated identity to the individual messaging user or group account for PKI-based authentication. |
| SV-89577r1_rule | The MQ Appliance must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. |
| SV-89579r1_rule | The MQ Appliance messaging server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users). |
| SV-89581r1_rule | The MQ Appliance messaging server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. |
| SV-89583r1_rule | The MQ Appliance messaging server must generate log records for access and authentication events. |
| SV-89585r1_rule | The MQ Appliance messaging server must generate a unique session identifier using a FIPS 140-2 approved random number generator. |
| SV-89587r1_rule | The MQ Appliance messaging server must authenticate all network-connected endpoint devices before establishing any connection. |
| SV-89589r1_rule | The MQ Appliance messaging server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
| SV-89591r1_rule | MQ Appliance messaging servers must use NIST-approved or NSA-approved key management technology and processes. |
| SV-89593r1_rule | The MQ Appliance messaging server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes. |
| SV-89595r1_rule | The MQ Appliance messaging server must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged. |
| SV-89703r1_rule | The MQ Appliance messaging server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected (messaging) sessions. |