{"stig":{"title":"zOS WebSphere MQ for ACF2 Security Technical Implementation Guide","version":"7","release":"2"},"checks":[{"vulnId":"V-224354","ruleId":"SV-224354r1144153_rule","severity":"high","ruleTitle":"WebSphere MQ channel security must be implemented in accordance with security requirements.","description":"WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers.\n\nFailure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.\n\nSatisfies: SRG-OS-000505, SRG-OS-000555","checkContent":"Refer to the following report produced by the z/OS Data Collection:\n\n- MQSRPT(ssid).\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nCollect the following Information for WebSphere MQ queue manager.\n\n- If a WebSphere MQ queue manager communicates with another WebSphere MQ queue manager, provide the WebSphere MQ queue manager and channel names used to connect these queue managers.\n\nAutomated Analysis requires Additional Analysis.\nAutomated Analysis\nRefer to the following report produced by the z/OS Data Collection:\n\n- PDI(ZWMQ0011)\n\nIf the following guidelines are true for each channel definition displayed from the DISPLAY CHANNEL command, this is not a finding.\n\nVerify that each WebSphere MQ channel is using SSL by checking for the SSLCIPH parameter, which must specify a FIPS 140-2 compliant value of the following: (Note: Both ends of the channel must specify the same cipher specification.)\n\nECDHE_ECDSA_AES_128_CBC_SHA256\nECDHE_ECDSA_AES_256_CBC_SHA384\nECDHE_RSA_AES_128_CBC_SHA256\nECDHE_RSA_AES_256_CBC_SHA384\nTLS_RSA_WITH_3DES_EDE_CBC_SHA\nTLS_RSA_WITH_AES_128_CBC_SHA\nTLS_RSA_WITH_AES_128_CBC_SHA256\nTLS_RSA_WITH_AES_256_CBC_SHA\nTLS_RSA_WITH_AES_256_CBC_SHA256\n\nRepeat the above step for each queue manager ssid identified.","fixText":"Review the WebSphere MQ Screen interface invoked by the REXX CSQOREXX. Review the channel's SSLCIPH setting.\n\nDisplay the channel properties and look for the \"SSL Cipher Specification\" value.\n\nEnsure that a FIPS 140-2 compliant value is shown.\n\nECDHE_ECDSA_AES_128_CBC_SHA256\nECDHE_ECDSA_AES_256_CBC_SHA384\nECDHE_RSA_AES_128_CBC_SHA256\nECDHE_RSA_AES_256_CBC_SHA384\nTLS_RSA_WITH_3DES_EDE_CBC_SHA\nTLS_RSA_WITH_AES_128_CBC_SHA\nTLS_RSA_WITH_AES_128_CBC_SHA256\nTLS_RSA_WITH_AES_256_CBC_SHA\nTLS_RSA_WITH_AES_256_CBC_SHA256\n\nNote that both ends of the channel must specify the same cipher specification. \n\nRepeat these steps for each queue manager ssid identified.","ccis":["CCI-000068","CCI-002421","CCI-002423","CCI-002450"]},{"vulnId":"V-224355","ruleId":"SV-224355r1144155_rule","severity":"medium","ruleTitle":"WebSphere MQ channel security is not implemented in accordance with security requirements.","description":"WebSphere MQ channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. WebSphere MQ channels use SSL encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers.\n\nFailure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.","checkContent":"Refer to the following report produced by the z/OS Data Collection:\n\n- MQSRPT(ssid).\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nTo determine which Release of WebSphere MQ, review ssid reports for message CSQU000I. Collect the following Information for each WebSphere MQ queue manager. \n\n- If a WebSphere MQ queue manager communicates with another WebSphere MQ queue manager, provide the WebSphere MQ queue manager and channel names used to connect these queue managers.\n- If any WebSphere MQ channels are used to communicate within the enclave, provide a list of channels and provide documentation regarding the sensitivity of the information on the channel.\n\nReview the ssid report(s) and perform the following steps. If the following guidance for each queue manager ssid is true, this is not a finding.\n\nFind the DISPLAY QMGR DEADQ, SSLKEYR, SCYCASE command to locate the start of the Queue Manager definitions.\n\nVerify that each WebSphere MQ 5.3 queue manager is using a digital certificate by reviewing the SSLKEYR parameter to verify that a keyring is identified, i.e., SSLKEYR(sslkeyring-id).\nSSLKEYR(sslkeyring-id).\nIssue the following ACF2 command, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator's userid and sslkeyring-id is obtained from the above action:\n\nLIST ssidCHIN PROFILE(KEYRING)\n\nIn the output of the above LIST command, obtain the keyring-default from the DEFAULT entry for KEYRING entry with RINGNAME of sslkeyring-id. Use this keyring-default in the following command:\n\nSET PROFILE(USER) DIV(CERTDATA)\nLIST keyring-default\n\nReview the ISSUERDN field for the CERTDATA record for the following.\n\nOU=PKI.OU=DoD.O=U.S. Government.C=US\nOU=ECA.O=U.S. Government.C=US\n\nRepeat these steps for each queue manager ssid identified.","fixText":"Refer to the following report produced by the z/OS Data Collection:\n\n- MQSRPT(ssid)\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier). \n\nFind the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions.\nVerify that each WebSphere MQ queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified. i.e. SSLKEYR(sslkeyring-id)\nIssue the following ACF2 command, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator's userid and sslkeyring-id is obtained from the above action:\n\nLIST ssidCHIN PROFILE(CERTDATA, KEYRING)\n\nThe output will contain information on the CERTDATA and KEYRING records for the user. Find the CERTDATA entry that has a Key ring name field with sslkeyring-id. Review the ISSUERDN field for this CERTDATA record for the following:\n\nOU=PKI.OU=DoD.O=U.S. Government.C=US\nOU=ECA.O=U.S. Government.C=US\n\nNote: The Certificate Label Name is case sensitive.\n\nReview the Issuer's Name field in the resulting output for information of any of the following:\n\nOU=PKI.OU=DoD.O=U.S. Government.C=US\nOU=ECA.O=U.S. Government.C=US\n\nRepeat these steps for each queue manager ssid identified.\n\nTo implement the requirements stated above, the following two items are provided which attempt to assist with (1) Technical \"how to\" information and (2) A DISA Point of contact for obtaining SSL certificates for CSD WebSphere MQ channels:\n\nReview the information available on setting up SSL, Keyrings, and Digital Certificates in the CA-ACF2 Security for z/OS Administrators Guide as well as the WebSphere MQ Security manual. Also review the information contained in the documentation provided as part of the install package from the DISA SSO Resource Management Factory (formerly Software Factory).\n\nFor information on obtaining an SSL certificate in the DISA CSD environment, send email inquiry to disaraoperations@disa.mil.","ccis":["CCI-002470"]},{"vulnId":"V-224356","ruleId":"SV-224356r1144158_rule","severity":"medium","ruleTitle":"Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF).","description":"IBM WebSphere MQ can use a user ID associated with an ACP certificate as a channel user ID. When an entity at one end of an SSL channel receives a certificate from a remote connection, the entity asks The ACP if there is a user ID associated with that certificate. The entity uses that user ID as the channel user ID. If there is no user ID associated with the certificate, the entity uses the user ID under which the channel initiator is running. Without a validly defined Certificate Name Filter for the entity IBM WebSphere MQ will set the channel user ID to the default.","checkContent":"Validate that the list of all Production WebSphere MQ Remotes exists and contains approved Certified Name Filters and associated USERIDS.\n\nIf the filter(s) is (are) defined, accurate and has been approved by Vulnerability ICER0030 and the associated USERID(s) is only granted need to know permissions and authority to resources and commands, this is not a finding. \n\nIf there is no Certificate Name Filter for WebSphere MQ Remotes this is a finding.\n\nNote: Improper use of CNF filters for MQ Series will result in the following Message ID.\n\nCSQX632I found in the following example:\n\nCSQX632I csect-name SSL certificate has no\nassociated user ID, remote channel\nchannel-name - channel initiator user ID\nused","fixText":"The responsible MQ systems programmer(s) shall create and maintain a spreadsheet that contains a list of all Production WebSphere MQ Remotes, associated individual USERIDs with corresponding valid Certified Name Filters (CNF). This documentation will be reviewed and validated annually by responsible MQ systems programmer(s) and forwarded for approval by the ISSM.\n\nThe ISSO will define the associated USERIDs, the CNF, and grant the minimal need-to-know access by granting only the required resources and Commands for each USERID in the ACP. Refer to IBM WebSphere MQ Security manual for details on defining CNF for WebSphere MQ.\n\nGeneric access shall not be granted such as resource permission at the SSID. MQ resource level.","ccis":["CCI-001133","CCI-000366"]},{"vulnId":"V-224357","ruleId":"SV-224357r1144159_rule","severity":"medium","ruleTitle":"User timeout parameter values for WebSphere MQ queue managers are not specified in accordance with security requirements.","description":"Users signed on to a WebSphere MQ queue manager could leave their terminals unattended for long periods of time. This may allow unauthorized individuals to gain access to WebSphere MQ resources and application data. This exposure could compromise the availability, integrity, and confidentiality of some system services and application data.","checkContent":"Refer to the following report produced by the z/OS Data Collection:\n\n- MQSRPT(ssid).\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nAutomated Analysis\nRefer to the following report produced by the z/OS Data Collection:\n\n- PDI(ZWMQ0020)\n\nReview the ssid report(s) and perform the following steps:\n\nFind the DISPLAY SECURITY command to locate the start of the security parameter settings.\nReview the CSQH015I and CSQH016I messages to determine the Timeout and Interval parameter settings respectively.\nRepeat these steps for each queue manager ssid.\n\nThe standard values are:\n\nTIMEOUT(15)\nINTERVAL(5)\n\nIf the Timeout and Interval values conform to the standard values, this is not a finding.","fixText":"Review the WebSphere MQ System Setup Guide and the information on the ALTER SECURITY command in the WebSphere MQ Script (MQSC) Command Reference.\n\nEnsure the values for the TIMEOUT and INTERVAL parameters are specified in accordance with security requirements.","ccis":["CCI-000057","CCI-001133"]},{"vulnId":"V-224358","ruleId":"SV-224358r1144160_rule","severity":"medium","ruleTitle":"WebSphere MQ started tasks are not defined in accordance with the proper security requirements.","description":"Started tasks are used to execute WebSphere MQ queue manager services. Improperly defined WebSphere MQ started tasks may result in inappropriate access to application resources and the loss of accountability. This exposure could compromise the availability of some system services and application data.","checkContent":"Refer to the following reports produced by the ACF2 Data Collection:\n\n- ACF2CMDS.RPT(LOGONIDS).\n- ACF2CMDS.RPT(ATTSTC).\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nProvide a list of all WebSphere MQ Subsystem IDs (Queue managers) and Release levels.\n\nssidMSTR is the name of a queue manager STC.\nssidCHIN is the name of a distributed queuing (a.k.a., channel initiator) STC.\n\nReview WebSphere MQ started tasks and verify the following items are in effect. If they are, this is not a finding.\n\nEach ssidMSTR and ssidCHIN started task is associated with a unique logonid.\nEach ssidMSTR and ssidCHIN STC logonid has the following attributes defined.\n\nSTC\nMUSASS\nNOSMC\n\nRepeat these steps for each queue manager ssid.","fixText":"The ISSO will ensure that all WebSphere MQ started tasks are properly defined.\n\nReview WebSphere MQ started tasks and ensure the following items are in effect:\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\nssidMSTR is the name of a queue manager STC.\nssidCHIN is the name of a distributed queuing (a.k.a., channel initiator) STC.\n\nEach WebSphere MQ started task is associated with a unique logonid.\n\nEach WebSphere MQ STC logonid has the attributes of STC, MUSASS, and NOSMC.\n\nExample:\n\nSET LID \nINSERT ssid.MSTR NAME(MQseries, STC) STC MUSASS NO-SMC\n\nINSERT ssid.CHIN NAME(MQseries, STC) STC MUSASS NO-SMC","ccis":["CCI-000764"]},{"vulnId":"V-224359","ruleId":"SV-224359r1144162_rule","severity":"medium","ruleTitle":"WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system datasets are not properly restricted.","description":"MVS datasets provide the configuration, operational, and executable properties of WebSphere MQ. Some datasets are responsible for the security implementation of WebSphere MQ. Failure to properly protect these datasets may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the ACP Data Collection:\n\n- SENSITVE.RPT(MQSRPT).\n\nVerify ACP datasets rules for WebSphere MQ system datasets (e.g., SYS2.MQM.) restrict access as follows. If the following guidance is true, this is not a finding.\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nIf the following guidance is true, this is not a finding.\n\nThe ACP dataset rules for the datasets restrict READ access to datasets referenced by the following DDnames, restricted to WebSphere MQ STCs, WebSphere MQ administrators, and systems programming personnel. All access to these datasets is logged.\n\nDDname\tProcedure\tDescription\nCSQINP1\tssidMSTR\tInput parameters\nCSQINP2\tssidMSTR\tInput parameters\nCSQXLIB\tssidCHIN\tUser exit library\n\nThe ACP dataset rules for the datasets restrict WRITE and/or greater access to the above datasets to WebSphere MQ administrators and systems programming personnel.\n\nThe ACP dataset rules for the datasets restrict WRITE and/or greater access to datasets referenced by the following DDnames, restricted to WebSphere MQ STCs, WebSphere MQ administrators, and systems programming personnel. All WRITE and/or greater access to these datasets is logged.\n\nDDname\tProcedure\tDescription\nCSQPxxxx\tssidMSTR\tPage datasets\nBSDSx\tssidMSTR\tBootstrap datasets\nCSQOUTx\tssidMSTR\tSYSOUT datasets\nCSQSNAP\tssidMSTR\tDUMP dataset\n(See note)\tssidMSTR\tLog datasets\n\nNote: To determine the log dataset names, review the JESMSGLG file of the ssidMSTR active task(s). Find CSQJ001I messages to obtain dataset names.\n \nThe ACP dataset rules for the datasets restrict ALTER access to archive datasets, restricted to WebSphere MQ STCs, WebSphere MQ administrator, and systems programming personnel. All ALTER access to these datasets is logged.\n\nNote: To determine the archive datasets names, review the JESMSGLG file of the ssidMSTR active task(s). Find the CSQY122I message to obtain the ARCPRFX1 and ARCPRFX2 dataset high-level qualifiers.\n\nExcept for the specific dataset requirements just mentioned, WRITE and/or greater access to all other WebSphere MQ system datasets is restricted to the WebSphere MQ administrator and systems programming personnel.","fixText":"The systems programmer will have the ISSO ensure that all WRITE and/or greater access to WebSphere MQ product and system datasets are restricted to WebSphere MQ administrators, systems programmers, and WebSphere MQ started tasks.\n\nThe installation requires that the following datasets be APF authorized. \n\nhlqual.SCSQAUTH\nhlqual.SCSQLINK\nhlqual.SCSQANLx\nhlqual.SCSQSNL\nhlqual.SCSQMVR1\nhlqual.SCSQMVR2\n\nREAD access to datasets referenced by the CSQINP1, CSQINP2, and CSQXLIB DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all access to these datasets.\n\nWRITE and/or greater access to dataset profiles protecting all page sets, logs, bootstrap datasets (BSDS), and datasets referenced by the CSQOUTX and CSQSNAP DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all WRITE and/or greater access to these datasets.\n\nALTER access to all archive datasets in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all ALTER access to these datasets.","ccis":["CCI-001499","CCI-002234"]},{"vulnId":"V-224360","ruleId":"SV-224360r1144163_rule","severity":"medium","ruleTitle":"WebSphere MQ resource classes must be properly activated.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the ACF2 Data Collection:\n\n- ACF2CMDS.RPT(ACFGSO).\n\nVerify the System Authorization Facility Definition (SAFDEF) includes an entry for WebSphere MQ as follows, this is not a finding.\n\nINSERT SAFDEF.MQS ID(MQS) FUNCRET(8) RETCODE(4) MODE(IGNORE) -\nRACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN) REP\n\nIf the Internal CLASMAP Definitions do not include the following entries, this is a finding.\n\nINSERT CLASMAP.MQADMIN RESOURCE(MQADMIN) RSRCTYPE(MQA) ENTITYLN(62)\nINSERT CLASMAP.MQCMDS RESOURCE(MQCMDS) RSRCTYPE(MQC) ENTITYLN(22)\nINSERT CLASMAP.MQCONN RESOURCE(MQCONN) RSRCTYPE(MQK) ENTITYLN(10)\nINSERT CLASMAP.MQNLIST RESOURCE(MQNLIST) RSRCTYPE(MQN) ENTITYLN(53)\nINSERT CLASMAP.MQPROC RESOURCE(MQPROC) RSRCTYPE(MQP) ENTITYLN(53)\nINSERT CLASMAP.MQQUEUE RESOURCE(MQQUEUE) RSRCTYPE(MQQ) ENTITYLN(53)\n\nWhen SCYCASE is set to MIXED, CLASMAP Definitions must include the following entries:\n\nINSERT CLASMAP.MXADMIN RESOURCE(MXADMIN) RSRCTYPE(MXA) ENTITYLN(62)\nINSERT CLASMAP.MXNLIST RESOURCE(MXNLIST) RSRCTYPE(MXN) ENTITYLN(53)\nINSERT CLASMAP.MXPROC RESOURCE(MXPROC) RSRCTYPE(MXP) ENTITYLN(53)\nINSERT CLASMAP.MXQUEUE RESOURCE(MXQUEUE) RSRCTYPE(MXQ) ENTITYLN(53)\nINSERT CLASMAP.MXTOPIC RESOURCE(MXTOPIC) RSRCTYPE(MXT) ENTITYLN(246)","fixText":"The ISSO will ensure that all WebSphere MQ resources are active and properly defined.\n\nEnsure the System Authorization Facility Definition (SAFDEF) includes an entry for WebSphere MQ as follows:\n\nINSERT SAFDEF.MQS ID(MQS) FUNCRET(8) RETCODE(4) MODE(IGNORE)\nRACROUTE(REQUEST=EXTRACT,CLASS=MQADMIN) REP\n\nEnsure the Internal CLASMAP Definitions include the following entries:\n\nINSERT CLASMAP.MQADMIN RESOURCE(MQADMIN) RSRCTYPE(MQA) ENTITYLN(62)\nINSERT CLASMAP.MQQUEUE RESOURCE(MQQUEUE) RSRCTYPE(MQQ) ENTITYLN(53)\nINSERT CLASMAP.MQNLIST RESOURCE(MQNLIST) RSRCTYPE(MQN) ENTITYLN(53)\nINSERT CLASMAP.MQCMDS RESOURCE(MQCMDS) RSRCTYPE(MQC) ENTITYLN(22)\nINSERT CLASMAP.MQCONN RESOURCE(MQCONN) RSRCTYPE(MQK) ENTITYLN(10)\nINSERT CLASMAP.MQPROC RESOURCE(MQPROC) RSRCTYPE(MQP) ENTITYLN(53)\n\nWhen SCYCASE is set to mixed CLASMAP Definitions must include the following entries:\n\nINSERT CLASMAP.MXADMIN RESOURCE(MXADMIN) RSRCTYPE(MXA) ENTITYLN(62)\nINSERT CLASMAP.MXNLIST RESOURCE(MXNLIST) RSRCTYPE(MXN) ENTITYLN(53)\nINSERT CLASMAP.MXPROC RESOURCE(MXPROC) RSRCTYPE(MXP) ENTITYLN(53)\nINSERT CLASMAP.MXQUEUE RESOURCE(MXQUEUE) RSRCTYPE(MXQ) ENTITYLN(53)\nINSERT CLASMAP.MXTOPIC RESOURCE(MXTOPIC) RSRCTYPE(MXT) ENTITYLN(246)","ccis":["CCI-000213","CCI-002358"]},{"vulnId":"V-224361","ruleId":"SV-224361r1144164_rule","severity":"high","ruleTitle":"WebSphere MQ switch profiles must be properly defined to the appropriate class.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the z/OS Data Collection:\n\n- MQSRPT(ssid).\n\nAutomated Analysis requires Additional Analysis.\nRefer to the following report produced by the z/OS Data Collection:\n\n- PDI(ZWMQ0051)\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nReview the Security switches identified in response to the DISPLAY SECURITY command in each ssid report(s). If all of the following switches specify ON, this is not a finding.\n\nSUBSYSTEM\nCONNECTION\nCOMMAND\nCONTEXT\nALTERNATE USER\nPROCESS\nNAMELIST\nQUEUE\nTOPIC\nCOMMAND RESOURCES\n\nIf SUBSYSTEM specifies OFF, this is a finding with a severity of Category I.\n\nIf any of the other above switches specify OFF (other than the exception mentioned below), this is a finding and downgrade the severity to a Category II. \n\nIf COMMAND RESOURCE Security switch specifies OFF, this is not a finding.\n\nNote: At the discretion of the ISSO, COMMAND RESOURCE Security switch may specify OFF by defining ssid.NO.CMD.RESC.CHECKS in the TYPE(MQA) (i.e., MQADMIN or MXADMIN if SCYCASE is set to MIXED).","fixText":"Ensure that all Switch Profiles do not have the resource ssid.NO defined to the MQADMIN (or MXADMIN if SCYCASE is set to MIXED) resource class with the exception of ssid.NO.CMD.RESC.CHECKS.\n\nssid is the queue manager name (a.k.a., subsystem identifier).\n\nEnsure that all of the following switches specify ON.\n\nSUBSYSTEM\nCONNECTION\nCOMMAND\nCONTEXT\nALTERNATE USER\nPROCESS\nNAMELIST\nQUEUE\nCOMMAND RESOURCES\n\nExample:\n\n$KEY(ssid) TYPE(MQA)\nALTERNATE.USER.- UID(*) PREVENT\nCONTEXT.- UID(*) PREVENT\nRESLEVEL UID(*) PREVENT\n- UID(*) PREVENT\n\nNote: At the discretion of the ISSO, COMMAND RESOURCE Security switch may specify OFF by defining ssid.NO.CMD.RESC.CHECKS in the TYPE(MQA).\n\nExample:\n\n$KEY(ssid) TYPE(MQA)\nNO.CMD.RESC.CHECKS UID(*) PREVENT","ccis":["CCI-000213"]},{"vulnId":"V-224362","ruleId":"SV-224362r1144165_rule","severity":"medium","ruleTitle":"WebSphere MQ connection class resources must be protected in accordance with security.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the ACF2 Data Collection:\n\n- SENSITVE.RPT(MQCONN).\n- ACF2CMDS.RPT(RESOURCE) - Alternate report.\n\nReview the following connection resources defined to TYPE(MQK) (i.e., MQCONN resource class):\n\nResource\tAuthorized Users\nssid.BATCH\tTSO and batch job userids\nssid.CICS\tCICS region userids\nssid.IMS\tIMS region userids\nssid.CHIN\tChannel initiator userids\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nFor all connection resources defined to TYPE(MQK) (i.e., MQCONN resource class). If the following guidance is true, this is not a finding.\n\nAccess authorization to these connections restricts access to the appropriate users as indicated above.\nAll access FAILUREs are logged.","fixText":"Ensure all connections to WebSphere MQ resources are restricted using connection security.\n\nEnsure the following connection resources defined to TYPE(MQK) (i.e., MQCONN resource class):\n\nResource\tAuthorized Users\nssid.BATCH\tTSO and batch job userids\nssid.CICS\tCICS region userids\nssid.IMS\tIMS region userids\nssid.CHIN\tChannel initiator userids\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nFor all connection resources defined to TYPE(MQK), ensure the following items are in effect:\n\nAccess authorization to these connections restricts access to the appropriate users as indicated above.\n\nAll access FAILURE is logged.\n\nExample:\n\n$KEY(ssid) TYPE(MQK)\nBATCH UID(STCssid) SERVICE(READ)  \nBATCH UID(syspaudt) SERVICE(READ)  \nBATCH UID(*) PREVENT \nCHIN UID(STCssidCHIN) SERVICE(READ)  \nCHIN UID(*) PREVENT \nCICS UID(*) PREVENT \nIMS UID(*) PREVENT","ccis":["CCI-000213"]},{"vulnId":"V-224363","ruleId":"SV-224363r1144166_rule","severity":"medium","ruleTitle":"WebSphere MQ dead letter and alias dead letter queues are not properly defined.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the z/OS Data Collection:\n\n- MQSRPT(ssid).\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nReview the ssid report(s) and perform the following steps:\n\nFind the DISPLAY QMGR DEADQ command to locate the start of the dead-letter queue information. Review the DEADQ parameter to obtain the name of the real dead-letter queue.\n\nFrom the top of the report, find the QUEUE(dead-letter.queue.name) entry to locate the start of the real dead-letter queue definition. Review the GET and PUT parameters to determine their values, and verify they conform to the specified security requirements. If the following values are set for the dead-letter.queue.name, this is not a finding.\n\nThe  standard values are:\n\nGET(ENABLED)\nPUT(ENABLED)\n\nNote: dead-letter.queue.name is the value of the DEADQ parameter determined above.\n \nFrom the top of the report, find the QUEUE(dead-letter.queue.name.PUT) entry to locate the start of the alias dead-letter queue definition. Review the GET and PUT parameters to determine their values, and verify they conform to those specified in the security requirements. If the following values are set for the dead-letter.queue.name.PUT, this is not a finding.\n\nThe standard values are:\n\nGET(DISABLED)\nPUT(ENABLED)\n\nNote: Dead-letter.queue.name is the value of the DEADQ parameter determined above.\n\nNote: The TARGQ parameter value for the alias queue will be the real dead letter queue name.\n\nNote: If an alias queue is not used in place of the dead-letter queue, then the ACP rules for the dead-letter queue must be coded to restrict unauthorized users and systems from reading the messages on the file.","fixText":"The systems programmer responsible for supporting WebSphere MQ will ensure that the dead-letter queue and its alias are properly defined.\n\nThe following scenario describes how to securely define a dead-letter queue:\n\nDefine the real dead-letter queue with attributes PUT(ENABLED) and GET(ENABLED).\n\nGive update authority for the dead-letter queue to CKTI (the WebSphere MQ-supplied CICS task initiator), channel initiators, and any automated application used for dead-letter queue maintenance.\n\nDefine an alias queue that resolves to the real dead-letter queue, but give the alias queue the attributes PUT(ENABLED) and GET(DISABLED).\n\nTo put a message on the dead-letter queue, an application uses the alias queue. The application does the following:\n\nRetrieve the name of the real dead-letter queue. To do this, it opens the queue manager object using MQOPEN, and then issues an MQINQ to get the dead-letter queue name.\n\nBuild the name of the alias queue by appending the characters \".PUT\" to this name, in this case, ssid.DEAD.QUEUE.PUT.\n\nOpen the alias queue, ssid.DEAD.QUEUE.PUT.\n\nPut the message on the real dead-letter queue by issuing an MQPUT against the alias queue.\n\nGive the userid associated with the application update authority to the alias, but no access to the real dead-letter queue.\n\nNote: If an alias queue is not used in place of the dead-letter queue, then the ACP rules for the dead-letter queue will be coded to restrict unauthorized users and systems from reading the messages on the file.\n\nUndeliverable messages can be routed to a dead-letter queue. Two levels of access should be established for these queues. The first level allows applications, as well as some WebSphere MQ objects, to put messages to this queue. The second level restricts the ability to get messages from this queue and protects sensitive data. This will be accomplished by defining an alias queue that resolves to the real dead-letter queue, but defines the alias queue with the attributes PUT(ENABLED) and GET(DISABLED). The ability to get messages from the dead-letter queue will be restricted to message channel agents (MCAs), CKTI (WebSphere MQ-supplied CICS task initiator), channel initiators utility, and any automated application used for dead-letter queue maintenance.","ccis":["CCI-000764","CCI-001762"]},{"vulnId":"V-224364","ruleId":"SV-224364r1144167_rule","severity":"medium","ruleTitle":"WebSphere MQ queue resource defined to the MQQUEUE or MXQUEUE resource class must be protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the z/OS Data Collection:\n\n- MQSRPT(ssid).\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier). \n\nRefer to the following report produced by the dataset and Resource Data Collection:\n\n- SENSITVE.RPT(MQQUEUE).\n- SENSITVE.RPT(MXQUEUE).\n- ACF2CMDS.RPT(RESOURCE) - Alternate report.\n\nFor all queue identified by the DISPLAY QUEUE(*) ALL command in the MQSRPT(ssid), these queues will be prefixed by ssid to identify the resources to be protected. Verify these queue resources are defined to TYPE(MQQ) or TYPE(MXQ) (i.e., MQQUEUE or MXQUEUE resource class, if SCYCASE is set to MIXED). If the following guidance is true, this is not a finding.\n\nFor message queues (i.e., ssid.queuename), access authorization restricts access to users requiring the ability to get messages from and put messages to message queues. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Decentralized MQ Administrators, non-DECC datacenter users, can have up to ALTER access to the user Message Queues.\n\nFor system queues (i.e., ssid.SYSTEM.queuename), access authorization restricts UPDATE and/or ALTER access to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, and CICS regions running WebSphere MQ applications.\n\nFor the following system queues, verify that UPDATE access is restricted to Auditors and Users that require access to review message queues.\nssid.SYSTEM.COMMAND.INPUT\nssid.SYSTEM.COMMAND.REPLY\nssid.SYSTEM.CSQOREXX.*\nssid.SYSTEM.CSQUTIL.*\n\nFor the real dead-letter queue (to determine queue name refer to ZWMQ0053), ALTER access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, CICS regions running WebSphere MQ applications, and any automated application used for dead-letter queue maintenance.\n\nFor the alias dead-letter queue (to determine queue name refer to ZWMQ0053), UPDATE access authorization restricts access to users requiring the ability to put messages to the dead-letter queue. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.","fixText":"The ISSO will ensure that all WebSphere MQ queues are restricted using queue level security.\n\nEnsure all queue resources defined to TYPE(MQQ) (i.e., MQQUEUE OR m resource class), are in effect:\n\nFor all queues identified by the DISPLAY QUEUE(*) ALL command in the MQSRPT(ssid), these queues will be prefixed by ssid to identify the resources to be protected. Ensure these queue resources are defined to TYPE(MQQ) (i.e., MQQUEUE OR MXQUEUE resource class. If the following guidance is true, this is not a finding.\n\nFor message queues (i.e., ssid.queuename), access authorization restricts access to users requiring the ability to get messages from and put messages to message queues. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Decentralized MQ Administrators, non-DECC datacenter users, can have up to ALTER access to the user Message Queues.\n\nFor system queues (i.e., ssid.SYSTEM.queuename), access authorization restricts UPDATE and/or ALTER access to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, and CICS regions running WebSphere MQ applications.\n\nFor the following system queues, ensure that UPDATE access is restricted to Auditors and Users that require access to review message queues.\nssid.SYSTEM.COMMAND.INPUT\nssid.SYSTEM.COMMAND.REPLY\nssid.SYSTEM.CSQOREXX.*\nssid.SYSTEM.CSQUTIL.*\n\nFor the real dead-letter queue (to determine queue name refer to ZWMQ0053), ALTER access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, CICS regions running WebSphere MQ applications, and any automated application used for dead-letter queue maintenance.\n\nFor the alias dead-letter queue (to determine queue name refer to ZWMQ0053), UPDATE access authorization restricts access to users requiring the ability to put messages to the dead-letter queue. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.\nExample:\n\n$KEY(ssid) TYPE(MQQ)\nDEAD.QUEUE UID(STCssidCHIN) SERVICE(READ,UPDATE) LOG\nDEAD.QUEUE UID(MQAdministrators) SERVICE(READ,UPDATE) LOG\nDEAD.QUEUE UID(*) PREVENT\n- UID(*) PREVENT","ccis":["CCI-000213"]},{"vulnId":"V-224365","ruleId":"SV-224365r1144168_rule","severity":"medium","ruleTitle":"WebSphere MQ Process resources must be protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the ACF2 Data Collection:\n\n- SENSITVE.RPT(MQPROC).\n- SENSITVE.RPT(MXPROC).\n- ACF2CMDS.RPT(RESOURCE) - Alternate report.\n\nFor all process resources (i.e., ssid.processname) defined to TYPE(MQP) or TYPE(MXP) (i.e., MQPROC or MXPROC resource class, if SCYCASE is set to MIXED), verify access authorization restricts access to users requiring the ability to make process inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. If this guidance is true, this is not a finding.\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).","fixText":"The ISSO will ensure that process security is active, all profiles are defined to the MQPROC class, and process inquiries are restricted to READ access.\n\nFor all process resources (i.e., ssid.processname) defined to TYPE(MQP) (i.e., MQPROC resource class or MXPROC resource class if SCYCASE is set to MIXED), ensure access authorization restricts access to users requiring the ability to make process inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nExample:\n\n$KEY(ssid) TYPE(MQP)\nCHL_TRIG_PROCESS UID(MQAdministrators) SERVICE(READ) LOG \nCHL_TRIG_PROCESS UID(*) PREVENT\nSYSTEM.DEFAULT.PROCESS UID(MQAdministrators) SERVICE(READ) LOG\nSYSTEM.DEFAULT.PROCESS UID(*)  PREVENT","ccis":["CCI-000213"]},{"vulnId":"V-224366","ruleId":"SV-224366r1144169_rule","severity":"medium","ruleTitle":"WebSphere MQ Namelist resources must be protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the ACF2 Data Collection:\n\n- SENSITVE.RPT(MQNLIST).\n- SENSITVE.RPT(MXNLIST).\n- ACF2CMDS.RPT(RESOURCE) - Alternate report.\n\nFor all namelist resources (i.e., ssid.namelist) defined to TYPE(MQN) or TYPE(MXN) (i.e., MQNLIST or MXNLIST resource class, if SCYCASE is set to MIXED), verify access authorization restricts access to users requiring the ability to make namelist inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. If this guidance is true, this is not a finding.\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).","fixText":"The ISSO will ensure that all WebSphere MQ namelist resources are restricted to authorized users.\n\nFor all namelist resources (i.e., ssid.namelist) defined to TYPE(MQN) (i.e., MQNLIST resource class or MXNLIST resource class if SCYCASE is set to MIXED), ensure access authorization restricts access to users requiring the ability to make namelist inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nExample:\n\n$KEY(QZN1) TYPE(MQN)\nSYSTEM.DEFAULT.NAMELIST UID(MQAdministrators) SERVICE(READ) LOG\nSYSTEM.DEFAULT.NAMELIST UID(*) PREVENT","ccis":["CCI-000213"]},{"vulnId":"V-224367","ruleId":"SV-224367r1144170_rule","severity":"medium","ruleTitle":"WebSphere MQ alternate user resources defined to the appropriate resource class must be protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the ACF2 Data Collection:\n\n- SENSITVE.RPT(MQADMIN).\n- SENSITVE.RPT(MXADMIN).\n- ACF2CMDS.RPT(RESOURCE) - Alternate report.\n\nFor all alternate user resources (i.e., ssid.ALTERNATE.USER.alternatelogonid) defined to TYPE(MQA) or TYPE(MXA) (i.e., MQADMIN or MXADMIN resource class, if SCYCASE is set to MIXED), verify access authorization restricts access to users requiring the ability to use the alternate userid. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. If this guidance is true, this is not a finding.\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).","fixText":"The ISSO will ensure that use of alternate userids is restricted to authorized personnel.\n\nFor all alternate user resources (i.e., ssid.ALTERNATE.USER.alternatelogonid) defined to TYPE(MQA) (MQADMIN resource class or MXADMIN if SCYCASE is set to MIXED), ensure access authorization restricts access to users requiring the ability to use the alternate userid. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nExample:\n\n$KEY(ssid) TYPE(MQA)\nALTERNATE.USER.- UID(CICS support) SERVICE(READ,UPDATE) LOG \nALTERNATE.USER.- UID(*) PREVENT","ccis":["CCI-000213"]},{"vulnId":"V-224368","ruleId":"SV-224368r1144172_rule","severity":"medium","ruleTitle":"WebSphere MQ context resources defined to the appropriate resource class must be protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the ACF2 Data Collection:\n\n- SENSITVE.RPT(MQADMIN).\n- SENSITVE.RPT(MXADMIN).\n- ACF2CMDS.RPT(RESOURCE) - Alternate report.\n\nFor all context resources (i.e., ssid.CONTEXT) defined to TYPE(MQA) or TYPE(MXA) (i.e., MQADMIN or MXADMIN resource class, if SCYCASE is set to MIXED), verify access authorization restricts access to users requiring the ability to pass or set identity and/or origin data for a message. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. If this guidance is true, this is not a finding.\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).","fixText":"The ISSO will ensure that use of context resources is restricted to authorized personnel.\n\nFor all context resources (i.e., ssid.CONTEXT) defined to TYPE(MQA) (i.e., MQADMIN resource class or MXADMIN if SCYCASE is set to MIXED), ensure access authorization restricts access to users requiring the ability to pass or set identity and/or origin data for a message. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nExample:\n\n$KEY(ssid) TYPE(MQA)\nCONTEXT.- UID (CICS SUPPORT) LOG\nCONTEXT.- UID(*) PREVENT","ccis":["CCI-000213"]},{"vulnId":"V-224369","ruleId":"SV-224369r1144194_rule","severity":"medium","ruleTitle":"WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the dataset and Resource Data Collection:\n\n- SENSITVE.RPT(MQCMDS).\n- ACF2CMDS.RPT(RESOURCE) - Alternate report.\n\nFor all command resources (i.e., ssid.command) defined to TYPE(MQC) (i.e., MQCMDS resource class), if the following guidance is true, this is not a finding.\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nAccess authorization restricts access to the appropriate personnel as designated in the WebSphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum.\n\nAll command access is logged as designated in the WebSphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum.","fixText":"The ISSO will ensure that all WebSphere MQ commands are restricted to authorized personnel.\n\nFor all command resources (i.e., ssid.command) defined to TYPE(MQC) (i.e., MQCMDS resource class, ensure the following items are in effect:\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nAccess authorization restricts access to the appropriate personnel as designated in the table titled WebSphere MQ COMMAND SECURITY CONTROLS in the zOS STIG Addendum.\n\nAll command access is logged as designated in the table titled WebSphere MQ COMMAND SECURITY CONTROLS, in the zOS STIG Addendum.\n\nExample:\n\n$KEY(ssid) TYPE(MQC)\nALTER.- UID(syspaudt) SERVICE(READ,ADD,UPDATE) LOG\nALTER.- UID(*) PREVENT\n\nSET R(MQC)\nCOMPILE 'ACF2.MVA.MQC(ssid)' STORE\n\nF ACF2,REBUILD(MQC)","ccis":["CCI-000213","CCI-002234"]},{"vulnId":"V-224370","ruleId":"SV-224370r1144174_rule","severity":"medium","ruleTitle":"WebSphere MQ RESLEVEL resources in the appropriate ADMIN resource class must be protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the dataset and Resource Data Collection:\n\n- SENSITVE.RPT(MQADMIN).\n- SENSITVE.RPT(MXADMIN).\n- ACF2CMDS.RPT(RESOURCE) - Alternate report.\n\nAutomated Analysis\nRefer to the following report produced by the dataset and Resource Data Collection:\n\n- PDI(ZWMQ0060).\n\nIf the following guidance is true, this is not a finding.\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nA RESLEVEL resource (i.e., ssid.RESLEVEL) is defined for each queue manager to TYPE(MQA) or TYPE(MXA)  (i.e., MQADMIN or MXADMIN resource class, if SCYCASE is set to MIXED) with a default access of PREVENT.\n\nAccess authorization to these RESLEVEL resources restricts all access. No users are permitted access to ssid.RESLEVEL resources.","fixText":"Ensure that a ssid.RESLEVEL profile is only defined for each queue manager.\n\nEnsure the following items are in effect:\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nA RESLEVEL resource (i.e., ssid.RESLEVEL) is defined for each queue manager to TYPE(MQA) (i.e., MQADMIN or MZADMIN resource class) with a default access of PREVENT.\nAccess authorization to these RESLEVEL resources restricts all access. No users are permitted access to ssid.RESLEVEL resources.\n\nExample:\n\n$KEY(ssid) TYPE(MQA)\nRESLEVEL UID(*) PREVENT","ccis":["CCI-001762","CCI-000213"]}]}