Rule ID
SV-224556r1145053_rule
Version
V7R3
MVS data sets provide the configuration, operational, and executable properties of WebSphere MQ. Some data sets are responsible for the security implementation of WebSphere MQ. Failure to properly protect these data sets may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.
Refer to the following report produced by the ACP Data Collection: - SENSITVE.RPT(MQSRPT) Verify ACP data sets rules for WebSphere MQ system data sets (e.g., SYS2.MQM.) restrict access as follows. If the following guidance is true, this is not a finding. Note: ssid is the queue manager name (a.k.a., subsystem identifier). If the following guidance is true, this is not a finding. The ACP data set rules for the data sets restricts READ access to data sets referenced by the following DDnames is restricted to WebSphere MQ STCs, WebSphere MQ administrators, and systems programming personnel. All access to these data sets is logged. DDname Procedure Description CSQINP1 ssidMSTR Input parameters CSQINP2 ssidMSTR Input parameters CSQXLIB ssidCHIN User exit library The ACP data set rules for the data sets restricts WRITE and/or greater access to the above data sets is restricted to WebSphere MQ administrators and systems programming personnel. The ACP data set rules for the data sets restricts WRITE and/or greater access to data sets referenced by the following DDnames, restricted to WebSphere MQ STCs, WebSphere MQ administrators, and systems programming personnel. All WRITE and/or greater access to these data sets is logged. DDname Procedure Description CSQPxxxx ssidMSTR Page data sets BSDSx ssidMSTR Bootstrap data sets CSQOUTx ssidMSTR SYSOUT data sets CSQSNAP ssidMSTR DUMP data set (See note) ssidMSTR Log data sets Note: To determine the log data set names, review the JESMSGLG file of the ssidMSTR active task(s). Find CSQJ001I messages to obtain data set names. The ACP data set rules for the data sets restricts ALTER access to archive data sets is restricted to WebSphere MQ STCs, WebSphere MQ administrator, and systems programming personnel. All ALTER access to these data sets is logged. Note: To determine the archive data sets names, review the JESMSGLG file of the ssidMSTR active task(s). Find the CSQY122I message to obtain the ARCPRFX1 and ARCPRFX2 data set high level qualifiers. Except for the specific data set requirements just mentioned, WRITE and/or greater access to all other WebSphere MQ system data sets is restricted to the WebSphere MQ administrator and systems programming personnel.
The systems programmer will have the ISSO ensure that all WRITE and/or greater access to WebSphere MQ product and system data sets is restricted to WebSphere MQ administrators, systems programmers, and WebSphere MQ started tasks. The installation requires that the following data sets be APF authorized. hlqual.SCSQAUTH hlqual.SCSQLINK hlqual.SCSQANLx hlqual.SCSQSNL hlqual.SCSQMVR1 hlqual.SCSQMVR2 READ access to data sets referenced by the CSQINP1, CSQINP2, and CSQXLIB DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all access to these data sets. WRITE and/or greater access to data set profiles protecting all page sets, logs, bootstrap data sets (BSDS), and data sets referenced by the CSQOUTX and CSQSNAP DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all WRITE and/or greater access to these data sets. ALTER access to all archive data sets in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all ALTER access to these data sets.