
V-225629

CAT II (Medium)

WebSphere MQ security class(es) must not be defined improperly.

Rule ID

SV-225629r1146215_rule

STIG

zOS WebSphere MQ for TSS Security Technical Implementation Guide

Version

V7R2

CCIs

CCI-000213, CCI-002358

Discussion

WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.

Check Content

Refer to the following reports produced by the TSS Data Collection:

- TSSCMDS.RPT(#RDT).
- SENSITVE.RPT(WHOOMADM).
- SENSITVE.RPT(WHOOMCMD).
- SENSITVE.RPT(WHOOMCON).
- SENSITVE.RPT(WHOOMNLI).
- SENSITVE.RPT(WHOOMPRO).
- SENSITVE.RPT(WHOOMQUE).
- SENSITVE.RPT(WHOOXADM).
- SENSITVE.RPT(WHOOXNLI).
- SENSITVE.RPT(WHOOXPRO).
- SENSITVE.RPT(WHOOXQUE).
- SENSITVE.RPT(WHOOXTOP).

If the following WebSphere MQ Resource Class(es) is (are) defined in the Resource Definition Table (RDT), this is not a finding.

MQADMIN
MQCMDS
MQCONN
MQNLIST
MQPROC
MQQUEUE

When SCYCASE is set to MIXED, and the following WebSphere MQ Resource Class(es) is (are) defined in the Resource Definition Table (RDT), this is not a finding.

MXADMIN
MXNLIST
MXPROC
MXQUEUE
MXTOPIC

Note: ssid is the queue manager name (a.k.a., subsystem identifier).

Note: If both MQADMIN and MXADMIN resource classes are not defined to the RDT record, no security checking is performed.

Fix Text

Ensure that all WebSphere MQ resources are defined to TSS.

The following should be defined to the RDT:

MQADMIN
MQCONN
MQCMDS
MQNLIST
MQPROC
MQQUEUE

When SCYCASE is set to mixed, the following WebSphere MQ resource classes should be defined to the TSS RDT:

MXADMIN
MXNLIST
MXPROC
MXQUEUE
MXTOPIC

Use the following commands to define (establish ownership of) resources for each WebSphere MQ subsystem to TSS:

TSS ADD(deptname) MQADMIN(ssid.)
TSS ADD(deptname) MQCMDS(ssid.)
TSS ADD(deptname) MQCONN(ssid.)
TSS ADD(deptname) MQNLIST(ssid.)
TSS ADD(deptname) MQPROC(ssid.)
TSS ADD(deptname) MQQUEUE(ssid.)

When SCYCASE is set to mixed, CLASMAP Definitions must include the following entries:

TSS ADD(deptname) MXADMIN(ssid.)
TSS ADD(deptname) MXNLIST(ssid.)
TSS ADD(deptname) MXPROC(ssid.)
TSS ADD(deptname) MXQUEUE(ssid.)
TSS ADD(deptname) MXTOPIC(ssid.)

Note: ssid is the queue manager name (a.k.a., subsystem identifier).

Another method to ensure protection is to assign the DEFPROT attribute to the resource class in the RDT record by using the following commands:

TSS REP(RDT) RESCLASS(MQADMIN) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQCMDS) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQCONN) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQNLIST) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQPROC) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MQQUEUE) ATTR(DEFPROT)

When SCYCASE is set to mixed:

TSS REP(RDT) RESCLASS(MXADMIN) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXNLIST) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXPROC) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXQUEUE) ATTR(DEFPROT)
TSS REP(RDT) RESCLASS(MXTOPIC) ATTR(DEFPROT)
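
The Check Content and the DEFPROT alternative above can be evaluated against a saved RDT listing. The following is an added example, not part of the STIG or of any DISA tooling. It assumes the listing carries `RESOURCE CLASS = name` and `ATTRIBUTE = a,b` lines (a layout not shown on this page), and it follows the Fix Text in treating the MQ classes as always required and the MX classes as additionally required when SCYCASE is mixed. `parse_rdt`, `evaluate` and `SAMPLE_RDT` are hypothetical names.

```python
import re

# Class names as listed in the Check Content and Fix Text.
MQ_CLASSES = ("MQADMIN", "MQCMDS", "MQCONN", "MQNLIST", "MQPROC", "MQQUEUE")
MX_CLASSES = ("MXADMIN", "MXNLIST", "MXPROC", "MXQUEUE", "MXTOPIC")
# Assumed listing layout (not taken from the page); adjust to the real report.
CLASS_RE = re.compile(r"^\s*RESOURCE CLASS\s*=\s*(\S+)", re.I)
ATTR_RE = re.compile(r"^\s*ATTRIBUTE\s*=\s*(.+)$", re.I)

def parse_rdt(text):
    """Map each resource class in the listing to its set of attributes."""
    classes, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = m.group(1).upper()
            classes.setdefault(current, set())
        elif (m := ATTR_RE.match(line)) and current:
            classes[current].update(a.strip().upper() for a in m.group(1).split(","))
    return classes

def evaluate(text, scycase_mixed=False):
    """Apply the check: every required class must be present in the RDT."""
    rdt = parse_rdt(text)
    required = MQ_CLASSES + (MX_CLASSES if scycase_mixed else ())
    missing = [c for c in required if c not in rdt]
    return {
        "finding": bool(missing),
        "missing": missing,
        # Page note: neither MQADMIN nor MXADMIN defined means no checking.
        "no_security_checking": not ({"MQADMIN", "MXADMIN"} & rdt.keys()),
        "defprot": sorted(c for c in required if "DEFPROT" in rdt.get(c, ())),
    }

# Constructed sample listing, not real report output.
SAMPLE_RDT = """\
RESOURCE CLASS = MQADMIN
ATTRIBUTE      = MASK,DEFPROT
RESOURCE CLASS = MQCMDS
RESOURCE CLASS = MQCONN
RESOURCE CLASS = MQNLIST
RESOURCE CLASS = MQPROC
RESOURCE CLASS = MQQUEUE
ATTRIBUTE      = MASK,DEFPROT
RESOURCE CLASS = MXADMIN
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_RDT))
    print(evaluate(SAMPLE_RDT, scycase_mixed=True))
```

The `defprot` list shows which required classes already carry DEFPROT, so classes that are present but rely only on ownership definitions stand out for review.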