STIGQter: STIG Summary: IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 05 Jun 2017

| Name | Title |
| --- | --- |
| SV-89597r1_rule | Access to the MQ Appliance network device must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type. |
| SV-89599r1_rule | Access to the MQ Appliance network element must use two or more authentication servers for the purpose of granting administrative access. |
| SV-89601r1_rule | The MQ Appliance network device access must automatically disable accounts after a 35-day period of account inactivity. |
| SV-89603r1_rule | The MQ Appliance network device must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. |
| SV-89605r1_rule | The MQ Appliance network device must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device. |
| SV-89607r1_rule | The MQ Appliance network device must notify the administrator of changes to access and/or privilege parameters of the administrator account that occurred since the last logon. |
| SV-89609r1_rule | The MQ Appliance network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
| SV-89611r1_rule | The MQ Appliance network device must alert the Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) in the event of an audit processing failure. |
| SV-89613r1_rule | The MQ Appliance network device must back up audit records at least every seven days onto a different system or system component than the system or component being audited. |
| SV-89615r1_rule | The MQ Appliance network device must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators). |
| SV-89617r1_rule | In the event the authentication server is unavailable, the MQ Appliance must provide one local account created for emergency administration use. |
| SV-89619r1_rule | The MQ Appliance network device must use multifactor authentication for network access to privileged accounts. |
| SV-89621r1_rule | When connecting to the MQ Appliance network device using the WebGUI, it must implement replay-resistant authentication mechanisms for network access to privileged accounts. |
| SV-89623r1_rule | The MQ Appliance network device must enforce a minimum 15-character password length. |
| SV-89625r1_rule | The MQ Appliance network device must prohibit password reuse for a minimum of five generations. |
| SV-89627r1_rule | The MQ Appliance network device must enforce password complexity by requiring that at least one upper-case character be used. |
| SV-89629r1_rule | The MQ Appliance network device must enforce password complexity by requiring that at least one lower-case character be used. |
| SV-89631r1_rule | The MQ Appliance network device must enforce password complexity by requiring that at least one numeric character be used. |
| SV-89633r1_rule | The MQ Appliance network device must enforce password complexity by requiring that at least one special character be used. |
| SV-89635r1_rule | Authorization for access to the MQ Appliance network device must enforce a 60-day maximum password lifetime restriction. |
| SV-89643r1_rule | WebGUI access to the MQ Appliance network device, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. |
| SV-89645r1_rule | WebGUI access to the MQ Appliance network device must map the authenticated identity to the user account for PKI-based authentication. |
| SV-89647r1_rule | The MQ Appliance network device must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. |
| SV-89649r1_rule | The WebGUI of the MQ Appliance network device must terminate all sessions and network connections when nonlocal device maintenance is completed. |
| SV-89651r1_rule | The WebGUI of the MQ Appliance network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. |
| SV-89653r1_rule | The SSH CLI of the MQ Appliance network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements. |
| SV-89655r1_rule | The MQ Appliance network device must generate unique session identifiers using a FIPS 140-2 approved random number generator. |
| SV-89657r1_rule | The MQ Appliance network device must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected. |
| SV-89659r1_rule | The MQ Appliance network device must generate account activity alerts that are forwarded to the administrators and Information System Security Officer (ISSO). Activity includes creation, removal, modification, and re-enablement after being previously disabled. |
| SV-89661r1_rule | The MQ Appliance network device must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect. |
| SV-89663r1_rule | The MQ Appliance network device must terminate shared/group account credentials when members leave the group. |
| SV-89665r1_rule | The MQ Appliance network device must notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the result, date and time of the last logon (access). |
| SV-89667r1_rule | The MQ Appliance network device must generate an immediate alert when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity. |
| SV-89669r1_rule | The MQ Appliance network device must compare internal information system clocks at least every 24 hours with an authoritative time server. |
| SV-89671r1_rule | The MQ Appliance network device must synchronize internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period. |
| SV-89673r1_rule | The MQ Appliance network device must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources. |
| SV-89675r1_rule | WebGUI access to the MQ Appliance network device must accept Personal Identity Verification (PIV) credentials. |
| SV-89677r1_rule | WebGUI access to the MQ Appliance network device must electronically verify Personal Identity Verification (PIV) credentials. |
| SV-89679r1_rule | The MQ Appliance network device must prohibit the use of cached authenticators after an organization-defined time period. |
| SV-89681r1_rule | Applications used for nonlocal maintenance sessions using the MQ Appliance WebGUI must implement cryptographic mechanisms to protect the confidentiality and integrity of nonlocal maintenance and diagnostic communications. |
| SV-89683r1_rule | The MQ Appliance network device must generate audit records when concurrent logons from different workstations occur. |
| SV-89685r1_rule | The MQ Appliance network device must generate audit records for all account creations, modifications, disabling, and termination events. |
| SV-89687r1_rule | The MQ Appliance network device must off-load audit records onto a different system or media than the system being audited. |
| SV-89689r1_rule | The MQ Appliance network device must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in association with CJCSM 6510.01B. |
| SV-89691r1_rule | Administrative accounts for device management must be configured on the authentication server and not the MQ Appliance network device itself (except for the emergency administration account). |
| SV-89693r1_rule | Access to the MQ Appliance network device must employ automated mechanisms to centrally apply authentication settings. |
| SV-89695r1_rule | The MQ Appliance network device must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner. |
| SV-89697r1_rule | The MQ Appliance network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider. |
| SV-89699r1_rule | SSH CLI access to the MQ Appliance management interface must be restricted to approved management workstations. |