WebSphere MQ connection class resources must be protected properly.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-225631	SRG-OS-000080	ZWMQ0052	SV-225631r1070329_rule	2025-02-24	7

Description
WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.

Description

WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.

ℹ️ Check
Refer to the following report produced by the TSS Data Collection: - SENSITVE.RPT(WHOHMCON) Review the following connection resources defined to the connection resource class: Resource Authorized Users ssid.BATCH TSO and batch job ACIDs ssid.CICS CICS region ACIDs ssid.IMS IMS region ACIDs ssid.CHIN Channel initiator ACIDs Note: ssid is the queue manager name (a.k.a., subsystem identifier). For all connection resources defined to the MQCONN or MXCONN resource class, ensure the following items are in effect: 1. Access authorization restricts access to the appropriate users as indicated above. 2. All access FAILUREs are logged. If all the items above are true, this is not a finding. If any item is untrue, this is a finding.

ℹ️ Check

Refer to the following report produced by the TSS Data Collection: - SENSITVE.RPT(WHOHMCON) Review the following connection resources defined to the connection resource class: Resource Authorized Users ssid.BATCH TSO and batch job ACIDs ssid.CICS CICS region ACIDs ssid.IMS IMS region ACIDs ssid.CHIN Channel initiator ACIDs Note: ssid is the queue manager name (a.k.a., subsystem identifier). For all connection resources defined to the MQCONN or MXCONN resource class, ensure the following items are in effect: 1. Access authorization restricts access to the appropriate users as indicated above. 2. All access FAILUREs are logged. If all the items above are true, this is not a finding. If any item is untrue, this is a finding.

✔️ Fix
Review the following connection resources defined to the MQCONN or MXCONN resource class: Resource Authorized Users ssid.BATCH TSO and batch job ACIDs ssid.CICS CICS region ACIDs ssid.IMS IMS region ACIDs ssid.CHIN Channel initiator ACIDs Note: ssid is the queue manager name (a.k.a., subsystem identifier). For all connection resources defined to the MQCONN or MXCONN resource class, ensure the following items are in effect: 1. Access authorization restricts access to the appropriate users as indicated above. 2. All access FAILUREs are logged. The following is a sample of the commands required to allow a batch user (USER1) to connect to a queue manager (QM1): TSS ADD(USER1) FAC(QM1MSTR) TSS PER(USER1) MQCONN(QM1.BATCH) ACC(READ)

✔️ Fix

Review the following connection resources defined to the MQCONN or MXCONN resource class: Resource Authorized Users ssid.BATCH TSO and batch job ACIDs ssid.CICS CICS region ACIDs ssid.IMS IMS region ACIDs ssid.CHIN Channel initiator ACIDs Note: ssid is the queue manager name (a.k.a., subsystem identifier). For all connection resources defined to the MQCONN or MXCONN resource class, ensure the following items are in effect: 1. Access authorization restricts access to the appropriate users as indicated above. 2. All access FAILUREs are logged. The following is a sample of the commands required to allow a batch user (USER1) to connect to a queue manager (QM1): TSS ADD(USER1) FAC(QM1MSTR) TSS PER(USER1) MQCONN(QM1.BATCH) ACC(READ)