IBM MQ Appliance V9.0 AS Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2017-06-06

Updated At: 2018-09-23 19:13:33

Findings

Vuln Rule | Version | CCI | Severity | Title | Description
SV-89401r1_rule | MQMH-AS-000010 | CCI-000166 | MEDIUM | The MQ Appliance messaging server must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | Non-repudiation of actions taken is required for messaging service application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or s
SV-89403r1_rule | MQMH-AS-000020 | CCI-001199 | MEDIUM | The MQ Appliance messaging server must implement cryptography mechanisms to protect the integrity of the remote access session. | Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the messaging server configuration. The use of cryptography for ensuring integrity of remote acc
SV-89415r1_rule | MQMH-AS-000150 | CCI-001851 | MEDIUM | The MQ Appliance messaging server must off-load log records onto a different system or media from the system being logged. | Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/p
SV-89417r1_rule | MQMH-AS-000160 | CCI-002046 | LOW | The MQ Appliance messaging server must synchronize internal MQ Appliance messaging server clocks to an authoritative time source when the time difference is greater than the organization-defined time period. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of internal messaging server clocks is needed in order to correctly correlate
SV-89419r1_rule | MQMH-AS-000170 | CCI-001891 | LOW | The MQ Appliance messaging server must compare internal MQ Appliance messaging server clocks at least every 24 hours with an authoritative time source. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronization of system clocks is needed in order to correctly correlate the timing of event
SV-89421r1_rule | MQMH-AS-000180 | CCI-002450 | MEDIUM | The MQ Appliance messaging server must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. NSA has developed Type 1 algorithms for prote
SV-89423r1_rule | MQMH-AS-000190 | CCI-002007 | MEDIUM | The MQ Appliance WebGUI interface to the messaging server must prohibit the use of cached authenticators after one hour. | When the messaging server is using PKI authentication, a local revocation cache must be stored for instances when the revocation cannot be authenticated through the network, but if cached authentication information is out of date, the validity of the auth
SV-89475r1_rule | MQMH-AS-000640 | CCI-001855 | MEDIUM | The MQ Appliance messaging server must provide an immediate warning to the SA and ISSO, at a minimum, when allocated log record storage volume reaches 75% of maximum log record storage capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being rea
SV-89479r1_rule | MQMH-AS-000680 | CCI-002361 | MEDIUM | The MQ Appliance messaging server must automatically terminate an SSH user session after organization-defined conditions or trigger events requiring a session disconnect. | An attacker can take advantage of CLI user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the messaging server must be configured to close the sessions when a con
SV-89487r1_rule | MQMH-AS-000720 | CCI-002361 | MEDIUM | The MQ Appliance must automatically terminate a WebGUI user session after 600 seconds of idle time. | An attacker can take advantage of WebGUI user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the messaging server must be configured to close the sessions when a
SV-89489r1_rule | MQMH-AS-000730 | CCI-002007 | MEDIUM | The MQ Appliance SSH interface to the messaging server must prohibit the use of cached authenticators after 600 seconds. | When the messaging server is using PKI authentication, a local revocation cache must be stored for instances when the revocation cannot be authenticated through the network, but if cached authentication information is out of date, the validity of the auth
SV-89501r1_rule | MQMH-AS-000790 | CCI-002470 | MEDIUM | The MQ Appliance messaging server must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected (messaging) sessions. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate
SV-89505r1_rule | MQMH-AS-000810 | CCI-002605 | MEDIUM | The MQ Appliance messaging server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to
SV-89509r1_rule | MQMH-AS-000830 | CCI-002450 | MEDIUM | The MQ Appliance messaging server must use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. | Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNSS creates
SV-89521r1_rule | MQMH-AS-001330 | CCI-002385 | MEDIUM | The MQ Appliance messaging server, when categorized as a high level system, must be in a high-availability (HA) cluster. | A high level system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A high level system must maintain the highest level of integrity and availability. By HA clustering t
SV-89523r1_rule | MQMH-AS-001320 | CCI-000068 | MEDIUM | The MQ Appliance messaging server must use encryption strength in accordance with the categorization of the management data during remote access management sessions. | Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the messaging server via a network for the purposes of managing the messaging server. If cryptography is not used, then the sessi
SV-89525r1_rule | MQMH-AS-001310 | CCI-001851 | MEDIUM | The MQ Appliance messaging server must, at a minimum, transfer the logs of interconnected systems in real time, and transfer the logs of standalone systems weekly. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can track and understand what may have occurred. Off-loading sh
SV-89527r1_rule | MQMH-AS-001300 | CCI-001844 | MEDIUM | The MQ Appliance messaging server must provide centralized management and configuration of the content to be captured in log records generated by all application components. | A clustered messaging server is made up of several servers working together to provide the user a failover and increased computing capability. To facilitate uniform logging in the event of an incident and later forensic investigation, the record format a
SV-89533r1_rule | MQMH-AS-001250 | CCI-002421 | MEDIUM | The MQ Appliance messaging server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission. | Preventing the disclosure or modification of transmitted information requires that messaging servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through t
SV-89535r1_rule | MQMH-AS-001240 | CCI-002418 | MEDIUM | The MQ Appliance messaging server must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | During the initial setup of a Transport Layer Security (TLS) connection to the messaging server, the client sends a list of supported cipher suites in order of preference. The messaging server will reply with the cipher suite it will use for communicatio
SV-89537r1_rule | MQMH-AS-001230 | CCI-002418 | MEDIUM | The MQ Appliance messaging server must protect the confidentiality and integrity of transmitted information through the use of an approved TLS version. | Preventing the disclosure of transmitted information requires that the messaging server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Tran
SV-89551r1_rule | MQMH-AS-000210 | CCI-000130 | MEDIUM | The MQ Appliance messaging server must produce log records containing information to establish what type of events occurred. | Information system logging capability is critical for accurate forensic analysis. Without being able to establish what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify th
SV-89553r1_rule | MQMH-AS-000450 | CCI-000172 | MEDIUM | The MQ Appliance messaging server must identify potentially security-relevant error conditions. | The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and
SV-89557r1_rule | MQMH-AS-000610 | CCI-000139 | MEDIUM | The MQ Appliance messaging server must alert the SA and ISSO, at a minimum, in the event of a log processing failure. | Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a security incident. When log processing fails, the events during the failure can be lost. To minimize the timeframe of the log failure
SV-89559r1_rule | MQMH-AS-000650 | CCI-000054 | MEDIUM | The MQ Appliance messaging server must protect against or limit the effects of all types of Denial of Service (DoS) attacks by employing operationally-defined security safeguards. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. To reduce the possibility or effect of a DoS, the messaging server must
SV-89561r1_rule | MQMH-AS-000840 | CCI-002011 | LOW | The MQ Appliance messaging server must accept FICAM-approved third-party credentials. | Access may be denied to legitimate users if FICAM-approved third-party credentials are not accepted. This requirement typically applies to organizational information systems that are accessible to non-federal government agencies and other partners. This
SV-89563r1_rule | MQMH-AS-000870 | CCI-001876 | MEDIUM | The MQ Appliance messaging server must provide a log reduction capability that supports on-demand reporting requirements. | The ability to generate on-demand reports, including after the log data has been subjected to log reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incid
SV-89565r1_rule | MQMH-AS-000900 | CCI-000140 | MEDIUM | The MQ Appliance messaging server must be configured to fail over to another system in the event of log subsystem failure. | This requirement is dependent upon system MAC and availability. If the system MAC and availability do not specify redundancy requirements, this requirement is NA. It is critical that, when a system is at risk of failing to process logs as required, it de
SV-89567r1_rule | MQMH-AS-001260 | CCI-001190 | MEDIUM | The MQ Appliance messaging server must provide a clustering capability. | This requirement is dependent upon system criticality and confidentiality requirements. If the system categorization and confidentiality levels do not specify redundancy requirements, this requirement is NA. Failure to a known secure state helps prevent
SV-89569r1_rule | MQMH-AS-001120 | CCI-001184 | MEDIUM | The MQ Appliance messaging server must ensure authentication of both SSH client and server during the entire session. | This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session tok
SV-89571r1_rule | MQMH-AS-001000 | CCI-000778 | MEDIUM | The MQ Appliance messaging server must uniquely identify all network-connected endpoint devices before establishing any connection. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed messaging servers and components, the decisions regarding the validation of identification claims may be made by serv
SV-89573r1_rule | MQMH-AS-001010 | CCI-000197 | MEDIUM | Access to the MQ Appliance messaging server must utilize encryption when using LDAP for authentication. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Messaging servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected
SV-89575r1_rule | MQMH-AS-001020 | CCI-000187 | MEDIUM | The MQ Appliance messaging server must map the authenticated identity to the individual messaging user or group account for PKI-based authentication. | The cornerstone of PKI is the private key used to encrypt or digitally sign information. The key by itself is a cryptographic value that does not contain specific user information, but the key can be mapped to a user. Without mapping the certificate used
SV-89577r1_rule | MQMH-AS-001080 | CCI-000795 | MEDIUM | The MQ Appliance must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications. Attackers that are able to exploit an inactive identifier can potentially obtain and maintain undetected access to the application. Owners of inactive accounts will not notice if unauthorized a
SV-89579r1_rule | MQMH-AS-001090 | CCI-000764 | MEDIUM | The MQ Appliance messaging server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store which is either local (OS-based) or centralized (LDAP) in nature.
SV-89581r1_rule | MQMH-AS-001100 | CCI-000048 | MEDIUM | The MQ Appliance messaging server management interface must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. | Messaging servers are required to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system management interface, providing privacy and security notices consistent with applicable federal laws, Executive Orders, dir
SV-89583r1_rule | MQMH-AS-001110 | CCI-000169 | MEDIUM | The MQ Appliance messaging server must generate log records for access and authentication events. | Log records can be generated from various components within the messaging server. From a messaging server perspective, certain specific messaging server functionalities may be logged as well. The messaging server must allow the definition of what events a
SV-89585r1_rule | MQMH-AS-001150 | CCI-001188 | MEDIUM | The MQ Appliance messaging server must generate a unique session identifier using a FIPS 140-2 approved random number generator. | The messaging server will use session IDs to communicate between modules or applications within the messaging server and between the messaging server and users. The session ID allows the application to track the communications along with credentials that
SV-89587r1_rule | MQMH-AS-001160 | CCI-001958 | MEDIUM | The MQ Appliance messaging server must authenticate all network-connected endpoint devices before establishing any connection. | Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device. Device authentication is accomplished via the use of certificates and protocols such as SSL m
SV-89589r1_rule | MQMH-AS-001170 | CCI-001967 | HIGH | The MQ Appliance messaging server must authenticate all endpoint devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. | Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device. Bidirectional authentication provides stronger safeguards to validate the identity of other d
SV-89591r1_rule | MQMH-AS-001180 | CCI-002450 | MEDIUM | MQ Appliance messaging servers must use NIST-approved or NSA-approved key management technology and processes. | An asymmetric encryption key must be protected during transmission. The public portion of an asymmetric key pair can be freely distributed without fear of compromise, and the private portion of the key must be protected. The messaging server will provide
SV-89593r1_rule | MQMH-AS-001200 | CCI-000803 | MEDIUM | The MQ Appliance messaging server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. The use
SV-89595r1_rule | MQMH-AS-000480 | CCI-000067 | MEDIUM | The MQ Appliance messaging server must provide access logging that ensures users who are granted a privileged role (or roles) have their privileged activity logged. | In order to be able to provide a forensic history of activity, the messaging server must ensure users who are granted a privileged role or those who utilize a separate distinct account when accessing privileged functions or data have their actions logged.