IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2017-06-06

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].
Access to the MQ Appliance network device must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.
AC-10 - Medium - CCI-000054 - V-74923 - SV-89597r1_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
MQMH-ND-000010
Vuln IDs
  • V-74923
Rule IDs
  • SV-89597r1_rule
MQ Appliance device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of allowed administrators and sessions per administrator is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for administrative accounts and does not address concurrent sessions by a single administrator via multiple administrative accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
Checks: C-74781r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Review LDAP server configuration settings and verify the LDAP configuration limits the number of concurrent sessions. If MQ is not set to LDAP authentication or if LDAP is not configured to meet the requirement, this is a finding.

Fix: F-81539r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP and configure LDAP connection as required. Note: Implementation of concurrent session limitation must be enforced by the LDAP server's control of user logons.

Access to the MQ Appliance network element must use two or more authentication servers for the purpose of granting administrative access.
AC-2 - Medium - CCI-000015 - V-74925 - SV-89599r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000015
Version
MQMH-ND-000060
Vuln IDs
  • V-74925
Rule IDs
  • SV-89599r1_rule
All accounts used for access to the MQ Appliance network device are privileged or system-level accounts. Therefore, if account management functions are not automatically enforced, an attacker could gain privileged access to a vital element of the network security architecture. The use of Authentication, Authorization, and Accounting (AAA) affords the best methods for controlling user access, authorization levels, and activity logging. By enabling AAA on the routers in conjunction with an authentication server such as TACACS+ or RADIUS, the administrators can easily add or remove user accounts, add or remove command authorizations, and maintain a log of user activity. The use of an authentication server provides the capability to assign device administrators to tiered groups that contain their privilege level, which is used for authorization of specific commands. This control does not include emergency administration accounts that provide access to the MQ Appliance network device components in case of network failure. There must be only one such locally defined account. All other accounts must be defined. All other accounts must be created and managed on the site's authentication server (e.g., RADIUS, LDAP, or Active Directory). This requirement is applicable to account management functions provided by the MQ Appliance network device.
Checks: C-74783r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Review LDAP configuration. Verify the LDAP configuration includes a Load Balancer Group that includes two or more authentication servers. If the LDAP configuration does not include a Load Balancer Group that includes two or more authentication servers, this is a finding.

Fix: F-81541r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure a Load Balancer Group that includes two or more LDAP authentication servers. Configure LDAP server connection settings as required.

The MQ Appliance network device access must automatically disable accounts after a 35-day period of account inactivity.
AC-2 - Medium - CCI-000017 - V-74927 - SV-89601r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000017
Version
MQMH-ND-000080
Vuln IDs
  • V-74927
Rule IDs
  • SV-89601r1_rule
Since the accounts in the MQ Appliance network device are privileged or system-level accounts, account management is vital to the security of the MQ Appliance network device. Inactive accounts could be reactivated or compromised by unauthorized users, allowing exploitation of vulnerabilities and undetected access to the MQ Appliance network device. This control does not include emergency administration accounts, which are meant for access to the MQ Appliance network device components in case of network failure.
Checks: C-74785r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Review LDAP server settings and verify accounts are configured to be disabled after 35 days of inactivity. If MQ is not set to LDAP authentication or if LDAP is not configured to meet the requirement, this is a finding.

Fix: F-81543r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure LDAP server connection as required.

The MQ Appliance network device must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
AC-7 - Medium - CCI-000044 - V-74929 - SV-89603r1_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
MQMH-ND-000150
Vuln IDs
  • V-74929
Rule IDs
  • SV-89603r1_rule
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced.
Checks: C-74787r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Review LDAP server settings and verify the LDAP configuration limits three consecutive invalid logon attempts by a user during a 15-minute time period. If MQ is not set to LDAP authentication or if LDAP is not configured to meet the requirement, this is a finding.

Fix: F-81545r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure LDAP connection as required. Note: Enforcing the limit of three consecutive invalid logon attempts during a 15-minute time period is the responsibility of the LDAP server.

The MQ Appliance network device must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
AC-8 - Medium - CCI-000048 - V-74931 - SV-89605r1_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
MQMH-ND-000160
Vuln IDs
  • V-74931
Rule IDs
  • SV-89605r1_rule
Display of the DoD-approved use notification before granting access to the MQ Appliance network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users.
Checks: C-74789r1_chk

Using a browser, navigate to the MQ Appliance logon page as a privileged user. Verify the logon page displays the Standard Mandatory DoD Notice and Consent Banner: For the WebGUI, the banner must read: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Logging in signifies acceptance of this agreement." For the SSH CLI, the banner must read: "I've read & consent to terms in IS user agreem't. Logging in signifies acceptance of this agreement." If the standard banner is not displayed in both the WebGUI and CLI interfaces, this is a finding.

Fix: F-81547r1_fix

Log on to the WebGUI as a privileged user. The custom banner must be set up as follows:
  1. Click on the Administration (gear) icon.
  2. Under Main, click on File Management.
  3. Open the "Store" directory.
  4. Scroll down to the file "ui-customization.xml".
  5. Click in the box to the left of the file name.
  6. At the top of the page, click on the Copy button.
  7. Select "local:" as the New Directory Name.
  8. Enter a New File Name, e.g., "ui-customization.xml".
  9. Click Confirm copy.
  10. Click Continue.
  11. Edit the "ui-customization.xml" file.
  12. Refresh the browser page.
  13. Click "local:".
  14. Click the "Edit" link to the right of "ui-customization.xml".
  15. Click the "Edit" button.
  16. Locate the XML Stanza named "MarkupBanner".
  17. 'type="pre-login"'.
  18. Replace the text "WebGUI pre-login message" with the text of the Standard Mandatory DoD Notice and Consent Banner: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. Logging in signifies acceptance of this agreement."
  19. Locate the XML Stanza named "TextBanner".
  20. 'type="pre-login"'.
  21. Replace the text "Command line pre-login message" with the text of the Standard Mandatory DoD Notice and Consent Banner: "I've read & consent to terms in IS user agreem't. Logging in signifies acceptance of this agreement."
  22. Click the "Submit" button.
Configure the MQ Appliance to use the customized User Interface Customization file: In the WebGUI, click on the Gear icon (Administration) and then select Device >> System Settings. Scroll to "Custom user interface file" section at the bottom of the page and select the local:/// directory and then the "ui-customization.xml" from the drop-down list. Scroll to the top of the page. Click "Apply". Click "Save Configuration". Log out of the appliance.

The MQ Appliance network device must notify the administrator of changes to access and/or privilege parameters of the administrator account that occurred since the last logon.
CM-6 - Medium - CCI-000366 - V-74933 - SV-89607r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
MQMH-ND-000200
Vuln IDs
  • V-74933
Rule IDs
  • SV-89607r1_rule
Providing administrators with information regarding security-related changes to their account allows them to determine if any unauthorized activity has occurred. Changes to the account could be an indication of the account being compromised. Hence, without notification to the administrator, the compromise could go undetected if other controls were not in place to mitigate this risk. Using a syslog logging target, the MQ Appliance logs all changes to access or privilege parameters. Logging may be set to the following logging levels in descending order of criticality: debug, info, notice, warn, error, alert, emerg. The default is notice. It is the responsibility of the sysadmin to configure the triggers necessary to send alerts based upon information received at the syslog server. To meet the requirement, the sysadmin must trigger notification upon receiving the following audit event: 0x8240001f. Changes to access and/or privilege parameters will fall into this event category. Ask the admin to provide evidence these alerts are configured.
Checks: C-74791r1_chk

Log on to the MQ Appliance CLI as a privileged user. Enter:
    co
    show logging target
All configured logging targets will be displayed. Verify:
  - This list includes a remote syslog notification target; and
  - It includes all of the following log event source and log-level parameters:
    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error
In the WebGUI, Administration (gear icon) >> Access >> User Account, add a user. Verify the administrator receives notification of this event. If the event notifications are not configured, this is a finding.

Fix: F-81549r1_fix

Log on to the MQ Appliance CLI as a privileged user. Configure a syslog target by using the command line interface (CLI). To enter global configuration mode, enter "config". To create a syslog target, enter:
    logging target <logging target name>
    type syslog
    admin-state enabled
    local-address <MQ Appliance IP>
    remote-address <syslog server IP>
    remote-port <syslog server port>
    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error
    exit
    write mem
    y

The MQ Appliance network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
AU-3 - Medium - CCI-000130 - V-74935 - SV-89609r1_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
MQMH-ND-000210
Vuln IDs
  • V-74935
Rule IDs
  • SV-89609r1_rule
This requirement supports non-repudiation of actions taken by an administrator and is required in order to maintain the integrity of the configuration management process. All configuration changes to the MQ Appliance network device are logged, and administrators authenticate with two-factor authentication before gaining administrative access. Together, these processes will ensure the administrators can be held accountable for the configuration changes they implement. Using a syslog logging target, the MQ Appliance logs configuration changes to the device. Logging may be set to the following logging levels in descending order of criticality: debug, info, notice, warn, error, alert, emerg. The default is notice. Satisfies: SRG-APP-000080-NDM-000220, SRG-APP-000095-NDM-000225, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000100-NDM-000230, SRG-APP-000319-NDM-000283
Checks: C-74793r1_chk

Log on to the MQ Appliance CLI as a privileged user. Enter:
    co
    show logging target
All configured logging targets will be displayed. Verify:
  - This list includes a remote syslog notification target; and
  - It includes all of the following log event source and log level parameters:
    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error
If these events are not configured, this is a finding.

Fix: F-81551r1_fix

Log on to the MQ Appliance CLI as a privileged user. Configure a syslog target. To enter global configuration mode, enter "config". To create a syslog target, enter:
    logging target <logging target name>
    type syslog
    admin-state enabled
    local-address <MQ Appliance IP>
    remote-address <syslog server IP>
    remote-port <syslog server port>
    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error
    exit
    write mem
    y

The MQ Appliance network device must alert the Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) in the event of an audit processing failure.
AU-5 - Medium - CCI-000139 - V-74937 - SV-89611r1_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
MQMH-ND-000340
Vuln IDs
  • V-74937
Rule IDs
  • SV-89611r1_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Using a syslog logging target, the MQ Appliance logs audit events, including audit processing failures. Logging may be set to the following logging levels in descending order of criticality: debug, info, notice, warn, error, alert, emerg. The default is notice. The MQ appliance is configured to create the event in the logs that will be used to send an alert. The alerting process must be performed by a third-party alerting utility, centralized log management, or SIEM.
Checks: C-74795r1_chk

Log on to the MQ Appliance CLI as a privileged user. Enter:
    co
    show logging target
All configured logging targets will be displayed. Verify:
  - This list includes a remote syslog notification target; and
  - It includes all desired log event source and log level parameters:
    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error
Configuring notification of events occurring at the external logging server is the responsibility of the administrator. Ask the system admin to provide evidence the required alert triggers for the following event codes: 0x80c0006a, 0x82400067, 0x00330034, 0x80400080 have been set up and the ISSO and SA at a minimum are alerted. If there is no evidence that alerts are sent in the event of an audit processing failure, this is a finding.

Fix: F-81553r1_fix

Log on to the MQ Appliance CLI as a privileged user. Configure a syslog target. To enter global configuration mode, enter "config". To create a syslog target, enter:
    logging target <logging target name>
    type syslog
    admin-state enabled
    local-address <MQ Appliance IP>
    remote-address <syslog server IP>
    remote-port <syslog server port>
    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error
    exit
    write mem
    y
At the syslog server, set up event notification triggers for the following event codes: 0x80c0006a, 0x82400067, 0x00330034, 0x80400080.
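The syslog-side trigger that V-74933 (event 0x8240001f) and V-74937 (the four audit-failure codes) leave to the administrator can be sketched as follows. This is an added example, not part of the STIG or of IBM's tooling; the log line layout, host names and function names are constructed assumptions, and only the event codes and the roles to notify come from the page.

```python
"""Syslog-side alert trigger for the event codes named in V-74933 and V-74937."""
import re

ACCOUNT_CHANGE = ("access/privilege parameter change", ("administrator",))
AUDIT_FAILURE = ("audit processing failure", ("ISSO", "SA"))

# Event code -> (reason, roles to notify). Codes and roles are from the page.
ALERT_RULES = {
    "0x8240001f": ACCOUNT_CHANGE,
    "0x80c0006a": AUDIT_FAILURE,
    "0x82400067": AUDIT_FAILURE,
    "0x00330034": AUDIT_FAILURE,
    "0x80400080": AUDIT_FAILURE,
}

# An event code is exactly "0x" plus eight hex digits, in either case.
EVENT_CODE = re.compile(r"\b0x[0-9a-f]{8}\b", re.IGNORECASE)
# Assumption: RFC 3164 style header, "<PRI>Mmm dd hh:mm:ss host ...".
HEADER = re.compile(r"^<\d{1,3}>\w{3}\s+\d{1,2}\s[\d:]{8}\s(\S+)\s")

# Constructed sample lines; the bracketed layout is an assumption.
SAMPLE_LINES = [
    "<13>Jun  6 10:15:02 mqappl01 [0x8240001f][audit][info] constructed: account changed",
    "<11>Jun  6 10:16:40 mqappl01 [0x80C0006A][system][error] constructed: log target failed",
    "<14>Jun  6 10:17:05 mqappl01 [0x81000033][mgmt][notice] constructed: unrelated event",
    "<11>Jun  6 10:18:11 mqappl02 [0x00330034][system][error] constructed: audit problem",
]


def alerts_for(line):
    """Return one alert per distinct rule-matching event code in a syslog line."""
    header = HEADER.match(line)
    host = header.group(1) if header else "unknown"
    alerts, seen = [], set()
    for match in EVENT_CODE.finditer(line):
        code = match.group(0).lower()  # rules are keyed in lower case
        if code in ALERT_RULES and code not in seen:
            seen.add(code)
            reason, notify = ALERT_RULES[code]
            alerts.append(
                {"host": host, "code": code, "reason": reason, "notify": notify}
            )
    return alerts


def scan(lines):
    """Collect alerts, in input order, for an iterable of syslog lines."""
    alerts = []
    for line in lines:
        alerts.extend(alerts_for(line))
    return alerts


def recipients(alerts):
    """Sorted list of roles that must be notified for a batch of alerts."""
    return sorted({role for alert in alerts for role in alert["notify"]})


if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert["host"], alert["code"], alert["reason"], "->", ", ".join(alert["notify"]))
```
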

The MQ Appliance network device must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
AU-9 - Medium - CCI-001348 - V-74939 - SV-89613r1_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
MQMH-ND-000430
Vuln IDs
  • V-74939
Rule IDs
  • SV-89613r1_rule
Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to assure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. Using a syslog logging target, the MQ Appliance logs audit events, including the continuous backup of audit records. Logging may be set to the following logging levels in descending order of criticality: debug, info, notice, warn, error, alert, emerg. The default is notice.
Checks: C-74797r1_chk

Log on to the MQ Appliance CLI as a privileged user. Enter:
    co
    show logging target
All configured logging targets will be displayed. Verify:
  - This list of log targets includes an appropriate syslog notification target;
  - The log target is enabled; and
  - It includes all desired log event source and log level parameters, e.g., event audit debug.
If any of these conditions is not true, this is a finding.

Fix: F-81555r1_fix

Log on to the MQ Appliance CLI as a privileged user. Configure a syslog target. To enter global configuration mode, enter "config". To create a syslog target, enter:
    logging target <logging target name>
    type syslog
    admin-state enabled
    local-address <MQ Appliance IP>
    remote-address <syslog server IP>
    remote-port <syslog server port>
    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error
    exit
    write mem
    y
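The logging-target check shared by V-74933, V-74935, V-74937 and V-74939 can be automated against a saved copy of the stanza. This is an added example, not part of the STIG; it reads the stanza in the form the Fix text enters it (the layout of the actual "show logging target" output is not shown on the page and may differ), and the function names, target names and addresses are hypothetical.

```python
"""Check a logging-target stanza against the event subscriptions the STIG lists."""

# Levels in the order the page lists them: most verbose first.
LEVELS = ["debug", "info", "notice", "warn", "error", "alert", "emerg"]

# Event source -> least verbose level the checks accept (from the page).
REQUIRED_EVENTS = {
    "audit": "info", "auth": "notice", "mgmt": "notice",
    "cli": "notice", "user": "notice", "system": "error",
}

# Constructed samples; addresses are from the documentation range.
SAMPLE_COMPLIANT = """\
logging target stig-syslog
  type syslog
  admin-state enabled
  local-address 192.0.2.10
  remote-address 192.0.2.50
  remote-port 514
  event audit debug
  event auth notice
  event mgmt notice
  event cli notice
  event user notice
  event system error
exit
"""

SAMPLE_WEAK = """\
logging target weak-target
  type syslog
  admin-state disabled
  remote-address 192.0.2.50
  event audit notice
  event auth notice
  event system alert
exit
"""


def parse_targets(config_text):
    """Return {target name: {"settings": {...}, "events": {...}}}."""
    targets, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["logging", "target"] and len(words) == 3:
            current = targets.setdefault(words[2], {"settings": {}, "events": {}})
        elif current is None:
            continue  # line outside any logging target stanza
        elif words[0] == "exit":
            current = None
        elif words[0] == "event" and len(words) == 3:
            current["events"][words[1]] = words[2]
        elif len(words) == 2:
            current["settings"][words[0]] = words[1]
    return targets


def covers(configured, required):
    """True when a subscription at `configured` also captures `required` events.

    Assumption: a subscription captures its own level and every more critical
    one, so a more verbose setting (e.g. debug) satisfies a notice requirement.
    """
    if configured not in LEVELS:
        return False
    return LEVELS.index(configured) <= LEVELS.index(required)


def findings_for(target):
    """List the reasons one parsed target fails the check (empty list = passes)."""
    problems = []
    settings, events = target["settings"], target["events"]
    if settings.get("type") != "syslog":
        problems.append("type is not syslog")
    if settings.get("admin-state") != "enabled":
        problems.append("admin-state is not enabled")
    if "remote-address" not in settings:
        problems.append("no remote-address configured")
    for source, required in REQUIRED_EVENTS.items():
        configured = events.get(source)
        if configured is None:
            problems.append(f"event {source} is not subscribed")
        elif not covers(configured, required):
            problems.append(f"event {source} {configured} is less verbose than {required}")
    return problems


def audit(config_text):
    """Return (is_finding, {target: [problems]}); one clean target is enough."""
    report = {name: findings_for(t) for name, t in parse_targets(config_text).items()}
    is_finding = not any(len(problems) == 0 for problems in report.values())
    return is_finding, report


if __name__ == "__main__":
    for sample in (SAMPLE_COMPLIANT, SAMPLE_WEAK):
        print(audit(sample))
```
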

The MQ Appliance network device must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
IA-2 - Medium - CCI-000764 - V-74941 - SV-89615r1_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
MQMH-ND-000480
Vuln IDs
  • V-74941
Rule IDs
  • SV-89615r1_rule
To assure accountability and prevent unauthenticated access to the MQ Appliance, organizational administrators must be uniquely identified and authenticated for all network management accesses to prevent potential misuse and compromise of the system.
Checks: C-74799r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. If MQ is not set to LDAP authentication, this is a finding.

Fix: F-81557r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure the LDAP connection as required.

In the event the authentication server is unavailable, the MQ Appliance must provide one local account created for emergency administration use.
AC-2 - Medium - CCI-001358 - V-74943 - SV-89617r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001358
Version
MQMH-ND-000490
Vuln IDs
  • V-74943
Rule IDs
  • SV-89617r1_rule
Authentication for administrative (privileged level) access to the MQ Appliance is required at all times. An account can be created on the device's local database for use in an emergency, such as when the authentication server is down or connectivity between the device and the authentication server is not operable. This account is also referred to as the account of last resort since the emergency administration account is strictly intended to be used only as a last resort when immediate administrative access is absolutely necessary. The number of emergency administration accounts is restricted to at least one, but no more than operationally required as determined by the Information System Security Officer (ISSO). The emergency administration account logon credentials must be stored in a sealed envelope and kept in a safe. MQ provides the Fallback user account to provide access to the MQ appliance in the event the centralized authentication server is not available.
Checks: C-74801r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Verify at least one Fallback user is configured. If MQ authentication is not set to LDAP and if the Fallback user is not created, this is a finding.

Fix: F-81559r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure one Fallback user. Configure the LDAP connection as required.

The MQ Appliance network device must use multifactor authentication for network access to privileged accounts.
IA-2 - Medium - CCI-000765 - V-74945 - SV-89619r1_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000765
Version
MQMH-ND-000500
Vuln IDs
  • V-74945
Rule IDs
  • SV-89619r1_rule
Multifactor authentication requires using two or more factors to achieve authenticated access to the MQ Appliance. Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the Internet).
Checks: C-74803r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Verify the MQ Appliance PKI-based user authentication is configured to support multifactor authentication for network access to privileged accounts. Click on the Network (gear) icon. Under Management, click on "Web Management Service". Expand the settings under "Advanced". Click the pencil icon to the right of the custom SSL Server Profile. Scroll to "Validation Credentials". Click on the pencil icon to the right. For each certificate name listed, click the pencil to the right and then click "Details" to display the certificate properties. Verify all listed client certificates are authorized to access the MQ Appliance. If certificate-based multifactor authentication is not used, this is a finding.

Fix: F-81561r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Configure MQ Appliance PKI-based user authentication to support multifactor authentication for network access to privileged accounts.
Step 1: Create Crypto Certificate Object:
  - Click on the "Objects" icon.
  - Select Crypto Configuration >> Crypto Certificate >> New.
  - Provide a new crypto certificate name in the "Name" field.
  - Select "cert:///" from "File Name".
  - Click the "Upload" button.
  - Browse to the certificate file, select file, and click "Open".
  - Click "Upload".
  - Repeat process for additional certificate files as needed.
Step 2: Create Crypto Key Object:
  - Select Crypto Configuration >> Crypto Key >> New.
  - Provide a new crypto key name in the "Name" field.
  - Select "cert:///" from "File Name".
  - Click the "Upload" button.
  - Browse to the key file, select file, and click "Open".
  - Click "Upload".
  - Repeat process for all additional certificate files previously uploaded.
Step 3: Create Identification Credentials:
  - Select Crypto Configuration >> Crypto Identification Credentials >> New.
  - Provide a new identification credential name in the "Name" field.
  - Select a previously created crypto key object.
  - Select a previously created crypto certificate object.
  - Click on "Apply".
Step 4: Create Crypto Validation Credentials:
  - Select Crypto Configuration >> Crypto Validation Credentials >> New.
  - Provide a new validation credential name in the "Name" field.
  - Click the "Add" button.
  - Select a crypto certificate object from the drop-down menu.
  - Repeat the Add function as needed.
  - Select Certificate Validation Mode >> Full Certificate Chain Checking.
  - Click on "Apply".
Step 5: Create SSL Server Profile:
  - Select Crypto Configuration >> SSL Server Profile >> New.
  - Provide a new SSL Server Profile name in the "Name" field.
  - Scroll down to "Identification Credentials" and select the identification credential object.
  - Under "Client Authentication", check the following check boxes:
    -- Request Client Authentication check box
    -- Require Client Authentication check box
    -- Validate Client Certificate check box
  - Select "Validation Credentials".
  - Select the validation credential object.
  - Click "Apply".
Step 6: Associate SSL Server Profile with Web Management Interface:
  - Click on the Network icon.
  - Select Management >> Web Management Service.
  - Specify the unique IP address for the web management interface.
  - Expand "Advanced".
  - From the "Custom SSL Server Type" drop-down menu, select "Server Profile".
  - From the "Custom SSL Server Profile" drop-down menu, select the SSL Server profile previously created.
  - Click "Apply".
  - At the top of the page click "Save Changes".

When connecting to the MQ Appliance network device using the WebGUI, it must implement replay-resistant authentication mechanisms for network access to privileged accounts.
IA-2 - Medium - CCI-001941 - V-74947 - SV-89621r1_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001941
Version
MQMH-ND-000530
Vuln IDs
  • V-74947
Rule IDs
  • SV-89621r1_rule
A replay attack may enable an unauthorized user to gain access to the MQ Appliance. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
Checks: C-74805r1_chk

Log on to the MQ Appliance CLI as a privileged user. Verify the MQ Appliance PKI-based user authentication is configured to support multifactor authentication to provide replay-resistant authentication.
Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter:
    co
    show web-mgmt
    [Note the name of the ssl-server]
Display the parameters of the ssl-server (CLI). Enter:
    co
    crypto
    ssl-server <ssl-server name>
    show
    [Note the name of the valcred]
Display the certificates in the ValCred (CLI). Enter:
    co
    crypto
    valcred <name of valcred>
    show
Verify all listed client certificates are authorized to access the MQ Appliance. If any are not authorized, this is a finding.

Fix: F-81563r1_fix

Log on to the MQ Appliance CLI as a privileged user. Configure MQ Appliance PKI-based user multifactor authentication to provide replay-resistant authentication.
Assign the WebGUI to one management port (CLI). Enter:
    co
    web-mgmt <mgmt port IP addr> 9090 <timeout in seconds>
    write mem
    y
Import to cert directory MQ Appliance private key and cert and client cert(s) (WebGUI):
  - Log on to the WebGUI as a privileged user.
  - Click on the Administration (gear) icon.
  - Under Main, click on File Management.
  - Click cert directory.
  - Click Actions.
  - Upload files.
  - Browse to select MQ Appl privkey.
  - Add.
  - Browse to select MQ Appl cert.
  - Add.
  - Browse to select client cert.
  - Add.
  - [Repeat Browse and Add for all desired client certs.]
  - Upload.
  - Continue.
Create cert aliases (CLI). Enter:
    co
    crypto
    certificate <MQAppl CryptoCert alias: appliance name> cert:///<MQAppl cert file name>
    certificate <client CryptoCert alias: subject field fm client cert> cert:///<client cert file name>
    [Repeat certificate command for any additional client certs.]
    exit
    write mem
    y
Create MQAppl private key alias (CLI). Enter:
    co
    crypto
    key <MQAppl CryptoKey alias> cert:///<MQAppl privkey file name>
    exit
    write mem
    y
Create MQAppl ID Credential (CLI). Enter:
    co
    crypto
    idcred <MQAppl IDCred name> <MQAppl CryptoKey alias> <MQAppl CryptoCert alias>
    exit
    write mem
    y
Create a client Validation Credential (CLI). Enter:
    co
    crypto
    valcred <Client ValCred name>
    certificate <Client CryptoCert alias>
    [Add additional client certificates as required]
    exit
    exit
    write mem
    y
Create SSL Server Profile (CLI). Enter:
    co
    crypto
    ssl-server <SSL Svr Profile name>
    admin-state enabled
    idcred <MQAppl IDCred name>
    protocols TLSv1d2
    valcred <Client ValCred name>
    request-client-auth on
    require-client-auth on
    send-client-auth-ca-list on
    exit
    exit
    write mem
    y
Associate SSL Server Profile with WebGUI (CLI). Enter:
    co
    web-mgmt
    ssl-config-type server
    ssl-server <SSL Svr Profile name>
    exit
    write mem
    y

The MQ Appliance network device must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-74949 - SV-89623r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
MQMH-ND-000560
Vuln IDs
  • V-74949
Rule IDs
  • SV-89623r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. For LDAP authentication, the authentication server is responsible for enforcing password policy. When the LDAP server is not available, password policy is enforced by the MQ Appliance's RBM password policy.
Checks: C-74807r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Expand Password Policy. Verify the (local) Password Policy for the Fallback user minimum length is set to 15. If MQ is not set to LDAP authentication or if the local password policy is not configured to meet the requirement, this is a finding.

Fix: F-81565r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure the LDAP server connection as required. Expand Password Policy. In Password Policy, set minimum password length to 15.

The MQ Appliance network device must prohibit password reuse for a minimum of five generations.
IA-5 - Medium - CCI-000200 - V-74951 - SV-89625r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
MQMH-ND-000570
Vuln IDs
  • V-74951
Rule IDs
  • SV-89625r1_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. If the MQ Appliance network device allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. For LDAP authentication, the authentication server is responsible for enforcing password policy. When the LDAP server is not available, password policy is enforced by the MQ Appliance's RBM Password Policy. In the MQ Appliance WebGUI, go to Administration >> Access >> RBM Settings.
Checks: C-74809r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Expand Password Policy. Verify the (local) MQ Password Policy Reuse History is set to a minimum of "5". If MQ is not set to LDAP authentication or if the local password policy is not configured to meet the requirement, this is a finding.

Fix: F-81567r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure LDAP server connection as required. Expand Password Policy. In Password Policy, check the Control Reuse check box and set reuse history to a minimum of "5".

The MQ Appliance network device must enforce password complexity by requiring that at least one upper-case character be used.
IA-5 - Medium - CCI-000192 - V-74953 - SV-89627r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
MQMH-ND-000580
Vuln IDs
  • V-74953
Rule IDs
  • SV-89627r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. For LDAP authentication, the authentication server is responsible for enforcing password policy. When the LDAP server is not available, password policy is enforced by the MQ Appliance's RBM Password Policy.
Checks: C-74811r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Expand Password Policy. Verify the (local) Password Policy Require Mixed Case check box is checked. If MQ is not set to LDAP authentication or if the local password policy is not configured to meet the requirement, this is a finding.

Fix: F-81569r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure LDAP server connection as required. Expand Password Policy. In Password Policy, check the Require Mixed Case check box.

The MQ Appliance network device must enforce password complexity by requiring that at least one lower-case character be used.
IA-5 - Medium - CCI-000193 - V-74955 - SV-89629r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
MQMH-ND-000590
Vuln IDs
  • V-74955
Rule IDs
  • SV-89629r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. For LDAP authentication, the authentication server is responsible for enforcing password policy. When the LDAP server is not available, password policy is enforced by the MQ Appliance's RBM Password Policy. Configure LDAP connection as required.
Checks: C-74813r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Expand Password Policy. Verify the (local) Password Policy Require Mixed Case check box is checked. If MQ is not set to LDAP authentication or if the local password policy is not configured to meet the requirement, this is a finding.

Fix: F-81571r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure LDAP server connection as required. Expand Password Policy. Check the Require Mixed Case check box.

The MQ Appliance network device must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-74957 - SV-89631r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
MQMH-ND-000600
Vuln IDs
  • V-74957
Rule IDs
  • SV-89631r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. For LDAP authentication, the authentication server is responsible for enforcing password policy. When the LDAP server is not available, password policy is enforced by the MQ Appliance's RBM Password Policy.
Checks: C-74815r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Expand Password Policy. Verify the (local) Password Policy Require Number check box is checked. If MQ is not set to LDAP authentication or if the local password policy is not configured to meet the requirement, this is a finding.

Fix: F-81573r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set the Authentication Method to LDAP. Configure LDAP server connection as required. Expand Password Policy. Check the Password Policy Require Mixed Case check box.

The MQ Appliance network device must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-74959 - SV-89633r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
MQMH-ND-000610
Vuln IDs
  • V-74959
Rule IDs
  • SV-89633r1_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. For LDAP authentication, the authentication server is responsible for enforcing password policy. When the LDAP server is not available, password policy is enforced by the MQ Appliance's RBM Password Policy.
Checks: C-74817r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Expand Password Policy. Verify the (local) Password Policy Require Non-alphanumeric check box is checked. If MQ is not set to LDAP authentication or if the local password policy is not configured to meet the requirement, this is a finding.

Fix: F-81575r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure LDAP server connection as required. Expand Password Policy. Check the Require Non-alphanumeric check box.
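The length, character-class and reuse-history rules above combine into one decision at password-change time. The following Python is an added example, not the appliance's or any LDAP server's implementation: the function and class names, the PBKDF2 parameters and the treatment of every non-alphanumeric character as "special" are assumptions. It also shows how a five-generation history can be kept as salted hashes instead of stored passwords.

```python
import hashlib
import hmac
import os
from collections import deque

MIN_LENGTH = 15          # V-74949: minimum 15 characters
REUSE_HISTORY = 5        # V-74951: five generations
PBKDF2_ROUNDS = 100_000  # assumption: work factor chosen for this example


def complexity_failures(password):
    """Return one message per complexity rule the candidate violates."""
    checks = [
        (len(password) >= MIN_LENGTH, "V-74949: shorter than 15 characters"),
        (any(c.isupper() for c in password), "V-74953: no upper-case character"),
        (any(c.islower() for c in password), "V-74955: no lower-case character"),
        (any(c.isdigit() for c in password), "V-74957: no numeric character"),
        # Assumption: anything that is not a letter or digit counts as special.
        (any(not c.isalnum() for c in password), "V-74959: no special character"),
    ]
    return [message for ok, message in checks if not ok]


class PasswordHistory:
    """Remembers the last N passwords as (salt, PBKDF2 digest) pairs."""

    def __init__(self, generations=REUSE_HISTORY, rounds=PBKDF2_ROUNDS):
        self._entries = deque(maxlen=generations)  # oldest entry drops off
        self._rounds = rounds

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self._rounds
        )

    def is_reused(self, password):
        reused = False
        for salt, digest in self._entries:
            # Constant-time compare; every entry is checked on every call.
            if hmac.compare_digest(self._digest(password, salt), digest):
                reused = True
        return reused

    def remember(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))


def change_password(history, new_password):
    """Apply all rules; store the password only when the list is empty."""
    failures = complexity_failures(new_password)
    if history.is_reused(new_password):
        failures.append("V-74951: matches one of the last 5 passwords")
    if not failures:
        history.remember(new_password)
    return failures
```

A rejected candidate is never added to the history, so a failed change does not push an older password out of the five-generation window.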

Authorization for access to the MQ Appliance network device must enforce a 60-day maximum password lifetime restriction.
IA-5 - Medium - CCI-000199 - V-74961 - SV-89635r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
MQMH-ND-000660
Vuln IDs
  • V-74961
Rule IDs
  • SV-89635r1_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and periodically change them. If the MQ Appliance network device does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the passwords could be compromised. This requirement does not include emergency administration accounts meant for access to the MQ Appliance network device in case of failure. These accounts are not required to have maximum password lifetime restrictions. For LDAP authentication, the authentication server is responsible for enforcing password policy.
Checks: C-74819r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Expand Password Policy. Verify the (local) Password Policy Enable Aging check box is selected. If MQ is not set to LDAP authentication or if the local password policy is not configured to meet the requirement, this is a finding.

Fix: F-81577r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure LDAP connection as required. Expand Password Policy. Check the "Enable Aging" check box.

WebGUI access to the MQ Appliance network device, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
IA-5 - Medium - CCI-000185 - V-74969 - SV-89643r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
MQMH-ND-000670
Vuln IDs
  • V-74969
Rule IDs
  • SV-89643r1_rule
Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.
Checks: C-74821r1_chk

Log on to the MQ Appliance CLI as a privileged user. Verify the MQ Appliance is configured to support PKI-based user authentication.

Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter:

    co
    show web-mgmt
    [Note the name of the ssl-server]

Display the parameters of the ssl-server (CLI). Enter:

    co
    crypto
    ssl-server <ssl-server name>
    show
    [Note the name of the valcred]

Display the certificates in the ValCred (CLI). Enter:

    co
    crypto
    valcred <name of valcred>
    show

Verify all listed client certificates are authorized to access the MQ Appliance. If any listed client certificates are not authorized to access the MQ Appliance, this is a finding.

Fix: F-81585r1_fix

Log on to the MQ Appliance CLI as a privileged user. Configure MQ Appliance to support PKI-based user authentication.

Assign the WebGUI to one management port (CLI). Enter:

    co
    web-mgmt <mgmt port IP addr> 9090 <timeout in seconds>
    write mem
    y

Import to cert directory MQ Appliance private key and cert, and client cert(s) (WebGUI):

- Log on to the WebGUI as a privileged user.
- Click on the Administration (gear) icon.
- Under Main, click on File Management.
- Click cert directory.
- Click Actions.
- Upload files.
- Browse to select MQ Appl privkey.
- Add.
- Browse to select MQ Appl cert.
- Add.
- Browse to select client cert.
- Add.
- [Repeat Browse and Add for all desired client certs.]
- Upload.
- Continue.

Create cert aliases (CLI). Enter:

    co
    crypto
    certificate <MQAppl CryptoCert alias: appliance name> cert:///<MQAppl cert file name>
    certificate <client CryptoCert alias: subject field fm client cert> cert:///<client cert file name>
    [Repeat certificate command for any additional client certs.]
    exit
    write mem
    y

Create MQAppl private key alias (CLI). Enter:

    co
    crypto
    key <MQAppl CryptoKey alias> cert:///<MQAppl privkey file name>
    exit
    write mem
    y

Create MQAppl ID Credential (CLI). Enter:

    co
    crypto
    idcred <MQAppl IDCred name> <MQAppl CryptoKey alias> <MQAppl CryptoCert alias>
    exit
    write mem
    y

Create a client Validation Credential (CLI). Enter:

    co
    crypto
    valcred <Client ValCred name>
    certificate <Client CryptoCert alias>
    [Add additional client certificates as required]
    exit
    exit
    write mem
    y

Create SSL Server Profile (CLI). Enter:

    co
    crypto
    ssl-server <SSL Svr Profile name>
    admin-state enabled
    idcred <MQAppl IDCred name>
    protocols TLSv1d2
    valcred <Client ValCred name>
    request-client-auth on
    require-client-auth on
    send-client-auth-ca-list on
    exit
    exit
    write mem
    y

Associate SSL Server Profile with WebGUI (CLI). Enter:

    co
    web-mgmt
    ssl-config-type server
    ssl-server <SSL Svr Profile name>
    exit
    write mem
    y

WebGUI access to the MQ Appliance network device must map the authenticated identity to the user account for PKI-based authentication.
IA-5 - Medium - CCI-000187 - V-74971 - SV-89645r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000187
Version
MQMH-ND-000690
Vuln IDs
  • V-74971
Rule IDs
  • SV-89645r1_rule
Authorization for access to any MQ Appliance network device requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be bound to a user certificate when PKI-based authentication is implemented.
Checks: C-74823r1_chk

Log on to the MQ Appliance CLI as a privileged user. Verify the MQ Appliance is configured to support PKI-based user authentication.

Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter:

    co
    show web-mgmt
    [Note the name of the ssl-server]

Display the parameters of the ssl-server (CLI). Enter:

    co
    crypto
    ssl-server <ssl-server name>
    show
    [Note the name of the valcred]

Display the certificates in the ValCred (CLI). Enter:

    co
    crypto
    valcred <name of valcred>
    show

Verify all listed client certificates are authorized to access the MQ Appliance. If any are not authorized, this is a finding.

Spot-check access to the appliance: Attempt to access the appliance from a browser enabled with an authorized certificate. If authorized access does not succeed, this is a finding. Attempt to access the appliance from a browser not enabled with an authorized client certificate. If unauthorized access succeeds, this is a finding.

Fix: F-81587r1_fix

Log on to the MQ Appliance CLI as a privileged user. Configure MQ Appliance to support PKI-based user authentication.

Assign the WebGUI to one management port (CLI). Enter:

    co
    web-mgmt <mgmt port IP addr> 9090 <timeout in seconds>
    write mem
    y

Import to cert directory MQ Appliance private key and cert and client cert(s) (WebGUI):

- Log on to the WebGUI as a privileged user.
- Click on the Administration (gear) icon.
- Under Main, click on File Management.
- Click cert directory.
- Click Actions.
- Upload files.
- Browse to select MQ Appl privkey.
- Add.
- Browse to select MQ Appl cert.
- Add.
- Browse to select client cert.
- Add.
- [Repeat Browse and Add for all desired client certs.]
- Upload.
- Continue.

Create cert aliases (CLI). Enter:

    co
    crypto
    certificate <MQAppl CryptoCert alias: appliance name> cert:///<MQAppl cert file name>
    certificate <client CryptoCert alias: subject field fm client cert> cert:///<client cert file name>
    [Repeat certificate command for any additional client certs.]
    exit
    write mem
    y

Create MQAppl private key alias (CLI). Enter:

    co
    crypto
    key <MQAppl CryptoKey alias> cert:///<MQAppl privkey file name>
    exit
    write mem
    y

Create MQAppl ID Credential (CLI). Enter:

    co
    crypto
    idcred <MQAppl IDCred name> <MQAppl CryptoKey alias> <MQAppl CryptoCert alias>
    exit
    write mem
    y

Create a client Validation Credential (CLI). Enter:

    co
    crypto
    valcred <Client ValCred name>
    certificate <Client CryptoCert alias>
    [Add additional client certificates as required.]
    exit
    exit
    write mem
    y

Create SSL Server Profile (CLI). Enter:

    co
    crypto
    ssl-server <SSL Svr Profile name>
    admin-state enabled
    idcred <MQAppl IDCred name>
    protocols TLSv1d2
    valcred <Client ValCred name>
    request-client-auth on
    require-client-auth on
    send-client-auth-ca-list on
    exit
    exit
    write mem
    y

Associate SSL Server Profile with WebGUI (CLI). Enter:

    co
    web-mgmt
    ssl-config-type server
    ssl-server <SSL Svr Profile name>
    exit
    write mem
    y

The MQ Appliance network device must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
IA-7 - Medium - CCI-000803 - V-74973 - SV-89647r1_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
MQMH-ND-000720
Vuln IDs
  • V-74973
Rule IDs
  • SV-89647r1_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. MQ Appliance network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.
Checks: C-74825r1_chk

Log on to the MQ Appliance CLI as a privileged user. Enter: config crypto show crypto-mode The result should be: fips-140-2-l1 If it is not, this is a finding.

Fix: F-81589r1_fix

Log on to the MQ Appliance CLI as a privileged user. Enable FIPS 140-2 Level 1 mode at the next reload of the firmware. Enter: config crypto crypto-mode-set fips-140-2-l1 The following message will appear: "Crypto Mode Successfully set to fips-140-2-l1 for next boot."

The WebGUI of the MQ Appliance network device must terminate all sessions and network connections when nonlocal device maintenance is completed.
MA-4 - Medium - CCI-000879 - V-74975 - SV-89649r1_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-000879
Version
MQMH-ND-000730
Vuln IDs
  • V-74975
Rule IDs
  • SV-89649r1_rule
If an MQ Appliance device management session or connection remains open after management is completed, it may be hijacked by an attacker and used to compromise or damage the MQ Appliance network device. Nonlocal MQ Appliance device management and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. In the event the remote node has abnormally terminated or an upstream link from the managed device is down, the management session will be terminated, thereby freeing device resources and eliminating any possibility of an unauthorized user being orphaned to an open idle session of the managed device.
Checks: C-74827r1_chk

Log on to the MQ Appliance CLI as a privileged user. Enter: co web-mgmt show If the idle-timeout value is not 600 seconds or less, this is a finding.

Fix: F-81591r1_fix

Log on to the MQ Appliance CLI as a privileged user. Enter: co web-mgmt idle-timeout <600 seconds or less> exit write mem y

The WebGUI of the MQ Appliance network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SC-10 - Medium - CCI-001133 - V-74977 - SV-89651r1_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
MQMH-ND-000750
Vuln IDs
  • V-74977
Rule IDs
  • SV-89651r1_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-74829r1_chk

Log on to the MQ Appliance CLI as a privileged user. Enter: co web-mgmt show If the idle-timeout value is not 600 seconds or less, this is a finding.

Fix: F-81593r1_fix

Log on to the MQ Appliance CLI as a privileged user. Enter: co web-mgmt idle-timeout <600 seconds or less> exit write mem y

The SSH CLI of the MQ Appliance network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SC-10 - Medium - CCI-001133 - V-74979 - SV-89653r1_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
MQMH-ND-000760
Vuln IDs
  • V-74979
Rule IDs
  • SV-89653r1_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-74831r1_chk

Log on to the MQ Appliance CLI as a privileged user. Enter: co rbm show If the idle-timeout value is not 600 seconds or less, this is a finding.

Fix: F-81595r1_fix

Log on to the MQ Appliance CLI as a privileged user. Enter: co rbm idle-timeout <600 seconds or less> exit write mem y

The MQ Appliance network device must generate unique session identifiers using a FIPS 140-2 approved random number generator.
SC-23 - Medium - CCI-001188 - V-74981 - SV-89655r1_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001188
Version
MQMH-ND-000790
Vuln IDs
  • V-74981
Rule IDs
  • SV-89655r1_rule
Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. This requirement is applicable to devices that use a web interface for MQ Appliance device management.
Checks: C-74833r1_chk

Log on to the MQ Appliance CLI as a privileged user. Enter: config crypto show crypto-mode If the result is not fips-140-2-l1, this is a finding.

Fix: F-81597r1_fix

Log on to the MQ Appliance CLI as a privileged user. Enable FIPS 140-2 Level 1 mode at the next reload of the firmware. Enter: config crypto crypto-mode-set fips-140-2-l1 The following message will appear: "Crypto Mode Successfully set to fips-140-2-l1 for next boot." Reboot MQ appliance.

The MQ Appliance network device must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
CM-6 - Medium - CCI-000366 - V-74983 - SV-89657r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
MQMH-ND-000830
Vuln IDs
  • V-74983
Rule IDs
  • SV-89657r1_rule
Predictable failure prevention requires organizational planning to address device failure issues. If components key to maintaining the device's security fail to function, the device could continue operating in an insecure state. If appropriate actions are not taken when an MQ Appliance network device failure occurs, a denial of service condition may occur, which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of MQ Appliance network device security components, the MQ Appliance network device must activate a system alert message, send an alarm, or shut down. With failure notification enabled, an error report can be sent to a designated recipient or uploaded to a specific location after the appliance returns to service from an unscheduled outage. This error report can contain diagnostic details. Intrusion detection will provide a warning and restart in Fail-Safe mode. (See https://ibm.biz/Bd4NJ5)
Checks: C-74835r1_chk

Log on to the MQ Appliance CLI as a privileged user. Enter: failure-notification show failure-notification Examine the configured parameters to verify the current configuration, including the notification address. If the MQ Appliance is not configured to send an alert when a component failure is detected, this is a finding.

Fix: F-81599r1_fix

Log on to the MQ Appliance CLI as a privileged user. Enter:

    co
    failure-notification
    admin-state enabled
    upload-report <on or off>
    location-id <String to identify the issuing device>
    use-smtp on
    protocol smtp
    email-address <destination notification email address>
    remote-address <remote SMTP server address>
    internal-state on
    ffdc packet-capture on
    ffdc event-log on
    ffdc memory-trace on
    always-on-startup on
    always-on-shutdown on
    report-history <Max. # of local error rpts to maintain>
    exit
    write mem
    y

The MQ Appliance network device must generate account activity alerts that are forwarded to the administrators and Information System Security Officer (ISSO). Activity includes creation, removal, modification and re-enablement after being previously disabled.
AC-2 - Medium - CCI-001683 - V-74985 - SV-89659r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001683
Version
MQMH-ND-000840
Vuln IDs
  • V-74985
Rule IDs
  • SV-89659r1_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail that documents the creation of accounts and notifies administrators and ISSOs. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. Using a syslog logging target, the MQ Appliance logs audit events, including when accounts are created. Logging may be set to the following logging levels in descending order of criticality: debug, info, notice, warn, error, alert, emerg. The default is notice. It is the responsibility of the sysadmin to configure the triggers necessary to send alerts based upon information received at the syslog server. To meet the current requirement, the sysadmin must configure trigger notifications upon receiving the following audit events in the syslog server: 0x8240001f and 0x810001f0. Changes to access and/or privilege parameters will fall into this event category. Satisfies: SRG-APP-000291-NDM-000275, SRG-APP-000292-NDM-000276, SRG-APP-000293-NDM-000277, SRG-APP-000294-NDM-000278, SRG-APP-000319-NDM-000283, SRG-APP-000320-NDM-000284
Checks: C-74837r1_chk

Log on to the MQ Appliance CLI as a privileged user. Enter:

    co
    show logging target

All configured logging targets will be displayed. Verify:

- This list includes a remote syslog notification target; and
- It includes all desired log event source and log level parameters:

    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error

Ask the system admin to provide evidence that alerts are sent based on the following audit events: 0x8240001f and 0x810001f0. Account administration events will fall into this event category and be written to the audit logs. If alerts are not sent when accounts on the MQ appliance are created, modified, deleted, or re-enabled, this is a finding.

Fix: F-81601r1_fix

Log on to the MQ Appliance CLI as a privileged user.

To enter global configuration mode, enter "config".

To create a syslog target, enter:

    logging target <logging target name>
    type syslog
    admin-state enabled
    local-address <MQ Appliance IP>
    remote-address <syslog server IP>
    remote-port <syslog server port>
    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error
    exit
    write mem
    y

Configure alerts that will trigger off of syslog audit events: 0x8240001f and 0x810001f0.

The MQ Appliance network device must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
AC-12 - Medium - CCI-002361 - V-74987 - SV-89661r1_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
MQMH-ND-000880
Vuln IDs
  • V-74987
Rule IDs
  • SV-89661r1_rule
Automatic session termination addresses the termination of administrator-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever an administrator (or process acting on behalf of a user) accesses an MQ Appliance network device. Such administrator sessions can be terminated (and thus terminate network administrator access) without terminating network sessions. Session termination terminates all processes associated with an administrator's logical session, except processes specifically created by the administrator (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. These conditions will vary across environments and MQ Appliance network device types.
Checks: C-74839r1_chk

Log on to the MQ Appliance CLI as a privileged user.

Enter:

    co
    web-mgmt
    show

If the idle-timeout value is not 600 seconds or less, this is a finding.

Fix: F-81603r1_fix

Log on to the MQ Appliance CLI as a privileged user.

Enter:

    co
    web-mgmt
    idle-timeout <600 seconds or less>
    exit
    write mem
    y

The MQ Appliance network device must terminate shared/group account credentials when members leave the group.
AC-2 - Medium - CCI-002142 - V-74989 - SV-89663r1_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002142
Version
MQMH-ND-000910
Vuln IDs
  • V-74989
Rule IDs
  • SV-89663r1_rule
A shared/group account credential is a shared form of authentication that allows multiple individuals to access the MQ Appliance network device using a single account. If shared/group account credentials are not terminated when individuals leave the group, the user that left the group can still gain access even though they are no longer authorized. The only local account on the MQ Appliance should be the emergency admin account of last resort referred to as the "Fallback user". This account is automatically inactive and not accessible as long as LDAP access is enabled. If network access to the LDAP server is lost, the MQ appliance will automatically enable the Fallback user account to allow for emergency administrative access. If a former admin knows the Fallback user password, still has network access, and can force the MQ appliance to not communicate with the LDAP server, they could access the MQ appliance using the Fallback user credentials. The Fallback user account password must be changed whenever MQ administrators leave the group/team or if their roles change and they no longer require access.
Checks: C-74841r1_chk

Log on to the MQ appliance WebGUI as an admin user. Click Administration (gear icon) >> Access. Select User Account and User Group options. Review user names that are displayed. Local user accounts should not be shared. The only exception is the local "Fallback" user account of last resort, which is used for emergency access. Verify that no user accounts other than the designated Fallback user emergency account exist or are shared. Verify the local Fallback user password is changed whenever MQ administrators leave the team and no longer have a need to access the MQ device. If any user accounts other than the Fallback user exist or are shared, or if the local Fallback user password is not changed when MQ admins leave the team/group, this is a finding.

Fix: F-81605r1_fix

Log on to the MQ appliance WebGUI as an admin user. Click Administration (gear icon) >> Access. Select User Account and User Group options. Configure no local accounts other than the Fallback user emergency account. Change the local Fallback user account password whenever MQ admin team members leave the group or no longer require access.

The MQ Appliance network device must notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the result, date and time of the last logon (access).
CM-6 - Medium - CCI-000366 - V-74991 - SV-89665r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
MQMH-ND-001010
Vuln IDs
  • V-74991
Rule IDs
  • SV-89665r1_rule
Administrators need to be aware of activity that occurs regarding their account. Providing them with information deemed important by the organization may aid in the discovery of unauthorized access or thwart a potential attacker. Organizations should consider the risks to the specific information system being accessed and the threats presented by the device to the environment when configuring this option. An excessive or unnecessary amount of information presented to the administrator at logon is not recommended. MQ provides logon information including date, time and source IP information in event logs. A third party log monitoring solution that monitors the logs for unsuccessful logons and corresponding date, time and location information must be utilized to provide the notification.
Checks: C-74843r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Request third-party log monitoring alarming information that provides the notification alerts regarding logons, dates, times, and source IP addresses. If it is not set to LDAP and third-party alarming notifications are not used, this is a finding.

Fix: F-81607r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure LDAP connection as required. Configure notification alerts in third party event notification solution.

The MQ Appliance network device must generate an immediate alert when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
AU-5 - Medium - CCI-001855 - V-74993 - SV-89667r1_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001855
Version
MQMH-ND-001040
Vuln IDs
  • V-74993
Rule IDs
  • SV-89667r1_rule
If security personnel are not notified immediately upon storage volume utilization reaching 75 percent, they are unable to plan for storage capacity expansion. This could lead to the loss of audit information. Note that while the MQ Appliance network device must generate the alert, notification may be done by a management server. At the syslog server, set up event notification triggers for the following event codes: 0x80c0006a, 0x82400067, 0x00330034, 0x80400080. Note: The above notifications will occur if there is an interruption in logging information being sent to its intended external logging target. Configuring notification of storage capacity events occurring at the external logging server (e.g., 75 percent capacity) is the responsibility of that server's server administrator. Satisfies: SRG-APP-000359-NDM-000294, SRG-APP-000360-NDM-000295
Checks: C-74845r1_chk

Log on to the MQ Appliance CLI as a privileged user.

Enter:

    co
    show logging target

All configured logging targets will be displayed.

Verify:
- This list includes a remote syslog notification target; and
- It includes all desired log event source and log level parameters:

    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error

Ask the system admin to provide evidence the following alert triggers have been set up: 0x80c0006a, 0x82400067, 0x00330034, 0x80400080.

Verify alerts are immediately sent when syslog storage capacity reaches 75% of maximum audit record storage capacity.

If any is not true, this is a finding.

Fix: F-81609r2_fix

Log on to the MQ Appliance CLI as a privileged user.

To enter global configuration mode, enter "config".

To create a syslog target, enter:

    logging target <logging target name>
    type syslog
    admin-state enabled
    local-address <MQ Appliance IP>
    remote-address <syslog server IP>
    remote-port <syslog server port>
    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error
    exit
    write mem
    y

At the syslog server, set up event notification triggers for the following event codes: 0x80c0006a, 0x82400067, 0x00330034, 0x80400080.

Set up notifications to immediately alert when audit record storage utilization exceeds 75% of storage capacity.

The MQ Appliance network device must compare internal information system clocks at least every 24 hours with an authoritative time server.
AU-8 - Medium - CCI-001891 - V-74995 - SV-89669r1_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001891
Version
MQMH-ND-001060
Vuln IDs
  • V-74995
Rule IDs
  • SV-89669r1_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate. Additionally, unnecessary synchronization may have an adverse impact on system performance and may indicate malicious activity. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Checks: C-74847r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. On the Manage Appliance tab, select Network >> Interface/NTP Service.

Verify:
- NTP server destinations are configured;
- The NTP servers are located in different geographic regions; and
- Status (at the top of the page) is "up".

If any is not true, this is a finding.

Fix: F-81611r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Click on the Network icon (third from the top). Select "Interface/NTP Service". Click the "Add" button to add multiple NTP servers. Click "Enable administrative state". Click the "Apply" button. Add one or more additional NTP servers, at least one of which is from a different geographic region. The result should be: "Status:up". Click "Save configuration".

The MQ Appliance network device must synchronize internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.
AU-8 - Medium - CCI-002046 - V-74997 - SV-89671r1_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-002046
Version
MQMH-ND-001070
Vuln IDs
  • V-74997
Rule IDs
  • SV-89671r1_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in CCI-001891 because a comparison must be done in order to determine the time difference. The organization-defined time period will depend on multiple factors, most notably the granularity of time stamps in audit logs. For example, if time stamps only show to the nearest second, there is no need to have accuracy of a tenth of a second in clocks.
Checks: C-74849r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. On the Manage Appliance tab, select Network >> Interface/NTP Service.

Verify:
- NTP server destinations are configured;
- The NTP servers are located in different geographic regions; and
- Status (at the top of the page) is "up".

If any is not true, this is a finding.

Fix: F-81613r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Click on the Network icon (third from the top). Select "Interface/NTP Service". Click the "Add" button to add multiple NTP servers. Click "Enable administrative state". Click the "Apply" button. Add one or more additional NTP servers, at least one of which is from a different geographic region. The result should be: "Status:up". Click "Save configuration".

The MQ Appliance network device must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
CM-6 - Medium - CCI-000366 - V-74999 - SV-89673r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
MQMH-ND-001080
Vuln IDs
  • V-74999
Rule IDs
  • SV-89673r1_rule
The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. Multiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The MQ Appliance network device must use an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891. DoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.
Checks: C-74851r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. On the Manage Appliance tab, select Network >> Interface/NTP Service.

Verify:
- NTP server destinations are configured;
- The NTP servers are located in different geographic regions; and
- Status (at the top of the page) is "up".

If any is not true, this is a finding.

Fix: F-81615r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Click on the Network icon (third from the top). Select "Interface/NTP Service". Click the "Add" button to add multiple NTP servers. Click "Enable administrative state". Click the "Apply" button. Add one or more additional NTP servers, at least one of which is from a different geographic region. The result should be: "Status:up". Click "Save configuration".

WebGUI access to the MQ Appliance network device must accept Personal Identity Verification (PIV) credentials.
IA-2 - Medium - CCI-001953 - V-75001 - SV-89675r1_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001953
Version
MQMH-ND-001160
Vuln IDs
  • V-75001
Rule IDs
  • SV-89675r1_rule
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.
Checks: C-74853r1_chk

Log on to the MQ Appliance CLI as a privileged user.

Verify MQ Appliance PKI-based user authentication is configured.

Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter:

    co
    show web-mgmt

[Note the name of the ssl-server]

Display the parameters of the ssl-server (CLI). Enter:

    co
    crypto
    ssl-server <ssl-server name>
    show

[Note the name of the valcred]

Display the certificates in the ValCred (CLI). Enter:

    co
    crypto
    valcred <name of valcred>
    show

Verify all listed client certificates are authorized to access the MQ Appliance. If any are not authorized, this is a finding.

Spot-check access to the appliance:

Attempt to access the appliance from a browser enabled with an authorized certificate. If authorized access does not succeed, this is a finding.

Attempt to access the appliance from a browser not enabled with an authorized client certificate. If unauthorized access succeeds, this is a finding.

Fix: F-81617r1_fix

Log on to the MQ Appliance CLI as a privileged user.

Configure MQ Appliance PKI-based user authentication.

Assign the WebGUI to one management port (CLI). Enter:

    co
    web-mgmt <mgmt port IP addr> 9090 <timeout in seconds>
    write mem
    y

Import to cert directory MQ Appliance private key and cert and client cert(s) (WebGUI):
- Log on to the WebGUI as a privileged user.
- Click on the Administration (gear) icon.
- Under Main, click on File Management.
- Click cert directory.
- Click Actions.
- Upload files.
- Browse to select MQ Appl privkey.
- Add.
- Browse to select MQ Appl cert.
- Add.
- Browse to select client cert.
- Add.
- [Repeat Browse and Add for all desired client certs.]
- Upload.
- Continue.

Create cert aliases (CLI). Enter:

    co
    crypto
    certificate <MQAppl CryptoCert alias: appliance name> cert:///<MQAppl cert file name>
    certificate <client CryptoCert alias: subject field fm client cert> cert:///<client cert file name>
    [Repeat certificate command for any additional client certs.]
    exit
    write mem
    y

Create MQAppl private key alias (CLI). Enter:

    co
    crypto
    key <MQAppl CryptoKey alias> cert:///<MQAppl privkey file name>
    exit
    write mem
    y

Create MQAppl ID Credential (CLI). Enter:

    co
    crypto
    idcred <MQAppl IDCred name> <MQAppl CryptoKey alias> <MQAppl CryptoCert alias>
    exit
    write mem
    y

Create a client Validation Credential (CLI). Enter:

    co
    crypto
    valcred <Client ValCred name>
    certificate <Client CryptoCert alias>
    [Add additional client certificates as required]
    exit
    exit
    write mem
    y

Create SSL Server Profile (CLI). Enter:

    co
    crypto
    ssl-server <SSL Svr Profile name>
    admin-state enabled
    idcred <MQAppl IDCred name>
    protocols TLSv1d2
    valcred <Client ValCred name>
    request-client-auth on
    require-client-auth on
    send-client-auth-ca-list on
    exit
    exit
    write mem
    y

Associate SSL Server Profile with WebGUI (CLI). Enter:

    co
    web-mgmt
    ssl-config-type server
    ssl-server <SSL Svr Profile name>
    exit
    write mem
    y

WebGUI access to the MQ Appliance network device must electronically verify Personal Identity Verification (PIV) credentials.
IA-2 - Medium - CCI-001954 - V-75003 - SV-89677r1_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001954
Version
MQMH-ND-001180
Vuln IDs
  • V-75003
Rule IDs
  • SV-89677r1_rule
The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under HSPD 12, as well as a primary component of layered protection for national security systems.
Checks: C-74855r1_chk

Log on to the MQ Appliance CLI as a privileged user.

Verify MQ Appliance PKI-based user authentication is configured.

Verify an SSL Server Profile is associated with the WebGUI (CLI). Enter:

    co
    show web-mgmt

[Note the name of the ssl-server]

Display the parameters of the ssl-server (CLI). Enter:

    co
    crypto
    ssl-server <ssl-server name>
    show

[Note the name of the valcred]

Display the certificates in the ValCred (CLI). Enter:

    co
    crypto
    valcred <name of valcred>
    show

Verify all listed client certificates are authorized to access the MQ Appliance.

Spot-check access to the appliance:

Attempt to access the appliance from a browser enabled with an authorized certificate.

Attempt to access the appliance from a browser not enabled with an authorized client certificate. If unauthorized access succeeds, this is a finding.

Fix: F-81619r1_fix

Log on to the MQ Appliance CLI as a privileged user.

Configure MQ Appliance PKI-based user authentication.

Assign the WebGUI to one management port (CLI). Enter:

    co
    web-mgmt <mgmt port IP addr> 9090 <timeout in seconds>
    write mem
    y

Import to cert directory MQ Appliance private key and cert and client cert(s) (WebGUI):
- Log on to the WebGUI as a privileged user.
- Click on the Administration (gear) icon.
- Under Main, click on File Management.
- Click cert directory.
- Click Actions.
- Upload files.
- Browse to select MQ Appl privkey.
- Add.
- Browse to select MQ Appl cert.
- Add.
- Browse to select client cert.
- Add.
- [Repeat Browse and Add for all desired client certs.]
- Upload.
- Continue.

Create cert aliases (CLI). Enter:

    co
    crypto
    certificate <MQAppl CryptoCert alias: appliance name> cert:///<MQAppl cert file name>
    certificate <client CryptoCert alias: subject field fm client cert> cert:///<client cert file name>
    [Repeat certificate command for any additional client certs.]
    exit
    write mem
    y

Create MQAppl private key alias (CLI). Enter:

    co
    crypto
    key <MQAppl CryptoKey alias> cert:///<MQAppl privkey file name>
    exit
    write mem
    y

Create MQAppl ID Credential (CLI). Enter:

    co
    crypto
    idcred <MQAppl IDCred name> <MQAppl CryptoKey alias> <MQAppl CryptoCert alias>
    exit
    write mem
    y

Create a client Validation Credential (CLI). Enter:

    co
    crypto
    valcred <Client ValCred name>
    certificate <Client CryptoCert alias>
    [Add additional client certificates as required]
    exit
    exit
    write mem
    y

Create SSL Server Profile (CLI). Enter:

    co
    crypto
    ssl-server <SSL Svr Profile name>
    admin-state enabled
    idcred <MQAppl IDCred name>
    protocols TLSv1d2
    valcred <Client ValCred name>
    request-client-auth on
    require-client-auth on
    send-client-auth-ca-list on
    exit
    exit
    write mem
    y

Associate SSL Server Profile with WebGUI (CLI). Enter:

    co
    web-mgmt
    ssl-config-type server
    ssl-server <SSL Svr Profile name>
    exit
    write mem
    y

The MQ Appliance network device must prohibit the use of cached authenticators after an organization-defined time period.
IA-5 - Medium - CCI-002007 - V-75005 - SV-89679r1_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002007
Version
MQMH-ND-001240
Vuln IDs
  • V-75005
Rule IDs
  • SV-89679r1_rule
Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out of date, the validity of the authentication information may be questionable. The organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.
Checks: C-74857r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP and the cache setting is defined and specifies the organization-defined time period. If the Authentication Method is not set to LDAP and the cache setting does not specify the organization-defined time period, this is a finding.

Fix: F-81621r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Limit cache settings to an organization-defined time period. Configure other LDAP connection settings as required.

Applications used for nonlocal maintenance sessions using the MQ Appliance WebGUI must implement cryptographic mechanisms to protect the confidentiality and integrity of nonlocal maintenance and diagnostic communications.
MA-4 - Medium - CCI-002890 - V-75007 - SV-89681r1_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-002890
Version
MQMH-ND-001260
Vuln IDs
  • V-75007
Rule IDs
  • SV-89681r1_rule
This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of maintenance sessions. Satisfies: SRG-APP-000411-NDM-000330, SRG-APP-000412-NDM-000331
Checks: C-74859r1_chk

Log on to the MQ Appliance CLI as a privileged user.

Display the SSL Server Profile associated with the WebGUI (CLI). Enter:

    co
    show web-mgmt

Verify the following: An ssl-server is associated with the WebGUI. [Note the name of the ssl-server.]

List parameters of the SSL Server (CLI). Enter:

    co
    crypto
    ssl-server <ssl-server name>
    show

Verify the following:

    protocols TLSv1d2

If TLS protocol is not configured for use with the ssl-server, this is a finding.

Fix: F-81623r1_fix

Log on to the MQ Appliance CLI as a privileged user.

Display the SSL Server Profile associated with the WebGUI (CLI). Enter:

    co
    show web-mgmt

[Note the name of the ssl-server.]

Define the cache parameters of the SSL Server (CLI). Enter:

    co
    crypto
    ssl-server <ssl-server name>
    protocols TLSv1d2
    exit
    exit
    write mem
    y

The MQ Appliance network device must generate audit records when concurrent logons from different workstations occur.
AU-12 - Medium - CCI-000172 - V-75009 - SV-89683r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
MQMH-ND-001370
Vuln IDs
  • V-75009
Rule IDs
  • SV-89683r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Using a syslog logging target, the MQ Appliance logs all logons to the device, including the source, time and date, and identity of the user. Logging may be set to the following logging levels in descending order of criticality: debug, info, notice, warn, error, alert, emerg. The default is notice. Audit records can be generated from various components within the MQ Appliance network device (e.g., module or policy filter). It is the responsibility of the sysadmin to configure the triggers necessary to send alerts based upon information received at the syslog server. The sysadmin can trigger notifications upon receiving the following audit event: 0x81000033. This is the logon event.
Checks: C-74861r1_chk

Log on to the MQ Appliance CLI as a privileged user.

Enter:

    co
    show logging target

All configured logging targets will be displayed.

Verify:
- This list includes a remote syslog notification target; and
- It includes all desired log event source and log level parameters:

    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error

Log onto the MQ appliance from two different workstations simultaneously. Request a copy of the audit logs and verify both events were recorded in the logs.

If log events were not created, this is a finding.

Fix: F-81625r1_fix

Log on to the MQ Appliance CLI as a privileged user.

To enter global configuration mode, enter "config".

To create a syslog target, enter:

    logging target <logging target name>
    type syslog
    admin-state enabled
    local-address <MQ Appliance IP>
    remote-address <syslog server IP>
    remote-port <syslog server port>
    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error
    exit
    write mem
    y
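This guide leaves the alert triggers at the syslog server to the sysadmin. The following Python example is added here and is not part of the STIG or of IBM's tooling: it raises alerts on the event codes this guide names for account changes and logging interruptions, and approximates "concurrent logons from different workstations" as two 0x81000033 logon events for one user from different sources within 600 seconds. The record layout, the user(...) and source(...) message fields, and the sample lines are assumptions constructed for the example; adapt the regular expressions to the records the appliance actually sends.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event codes quoted from this guide; the group labels are ours.
TRIGGERS = {
    "0x8240001f": "account-change",
    "0x810001f0": "account-change",
    "0x80c0006a": "logging-interruption",
    "0x82400067": "logging-interruption",
    "0x00330034": "logging-interruption",
    "0x80400080": "logging-interruption",
}
LOGON_EVENT = "0x81000033"

# ASSUMPTION: constructed layout "<ISO time> <host> [code][category][level] message".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \[(?P<code>0x[0-9a-fA-F]{8})\]"
    r"\[(?P<cat>\w+)\]\[(?P<level>\w+)\] (?P<msg>.*)$"
)
# ASSUMPTION: logon messages carry user(...) and source(...) fields.
USER_RE = re.compile(r"user\(([^)]+)\)")
SOURCE_RE = re.compile(r"source\(([^)]+)\)")


def parse(line):
    """Return a dict for one record, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    try:
        event["ts"] = datetime.fromisoformat(event["ts"])
    except ValueError:
        return None
    event["code"] = event["code"].lower()  # codes may arrive in either case
    user, source = USER_RE.search(event["msg"]), SOURCE_RE.search(event["msg"])
    event["user"] = user.group(1) if user else None
    event["source"] = source.group(1) if source else None
    return event


def evaluate(lines, window=timedelta(seconds=600)):
    """Return (alerts, unparsed_count) for an iterable of syslog lines.

    The 600-second window is an assumption borrowed from the idle-timeout
    value in this guide; no logout event is used.
    """
    alerts, unparsed = [], 0
    logons = defaultdict(list)  # user -> [(timestamp, source), ...]
    for line in lines:
        event = parse(line)
        if event is None:
            unparsed += 1  # count these: a silent parse failure is a missed alert
            continue
        code = event["code"]
        if code in TRIGGERS:
            alerts.append((TRIGGERS[code], code, event["host"], event["msg"]))
        elif code == LOGON_EVENT:
            if not (event["user"] and event["source"]):
                unparsed += 1  # logon record that cannot be attributed
                continue
            recent = [(t, s) for t, s in logons[event["user"]]
                      if event["ts"] - t <= window]
            others = sorted({s for _, s in recent if s != event["source"]})
            if others:
                detail = "%s from %s while active from %s" % (
                    event["user"], event["source"], ", ".join(others))
                alerts.append(("concurrent-logon", code, event["host"], detail))
            recent.append((event["ts"], event["source"]))
            logons[event["user"]] = recent
    return alerts, unparsed


# Constructed sample records (not real appliance output).
SAMPLE = """\
2017-06-06T12:00:00 mqa1 [0x81000033][auth][notice] user(alice): source(10.0.0.5): constructed logon
2017-06-06T12:03:10 mqa1 [0x8240001f][audit][info] user(alice): constructed account event
2017-06-06T12:04:00 mqa1 [0x81000033][auth][notice] user(alice): source(10.0.0.99): constructed logon
2017-06-06T12:05:00 mqa1 [0x80C0006A][system][error] constructed logging event
2017-06-06T12:30:00 mqa1 [0x81000033][auth][notice] user(bob): source(10.0.0.7): constructed logon
not a syslog line
""".splitlines()

if __name__ == "__main__":
    found, skipped = evaluate(SAMPLE)
    for alert in found:
        print(alert)
    print("unparsed lines:", skipped)
```

A rising unparsed count is itself worth alerting on, since it means the trigger no longer sees the records it was written for.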

The MQ Appliance network device must generate audit records for all account creations, modifications, disabling, and termination events.
AU-12 - Medium - CCI-000172 - V-75011 - SV-89685r1_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
MQMH-ND-001380
Vuln IDs
  • V-75011
Rule IDs
  • SV-89685r1_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Using a syslog logging target, the MQ Appliance logs all audit events, including account creations, modifications, disabling, and termination events. Logging may be set to the following logging levels in descending order of criticality: debug, info, notice, warn, error, alert, emerg. The default is notice. Audit records can be generated from various components within the MQ Appliance network device (e.g., module or policy filter).
Checks: C-74863r1_chk

Log on to the MQ Appliance CLI as a privileged user.

Enter:

    co
    show logging target

All configured logging targets will be displayed.

Verify:
- This list includes a remote syslog notification target; and
- It includes all desired log event source and log level parameters, e.g., event audit info.

In the WebGUI, Manage Appliance/User access. Create, disable or modify an account. Verify the administrator receives notification of this event.

If any is not true, this is a finding.

Fix: F-81627r1_fix

Configure a syslog target by using the command line interface (CLI).

Log on as an administrative user.

To enter global configuration mode, enter "config".

To create a syslog target, enter:

    logging target <logging target name>
    type syslog
    admin-state enabled
    local-address <MQ Appliance IP>
    remote-address <syslog server IP>
    remote-port <syslog server port>
    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error
    exit
    write mem
    y

It is the responsibility of the sysadmin to configure the triggers necessary to send alerts based upon information received at the syslog server. To meet the current requirement, the sysadmin should trigger notification upon receiving the following audit events: 0x8240001f and 0x810001f0. All account creations, modifications, disabling, and termination events fall into this event category.

The MQ Appliance network device must off-load audit records onto a different system or media than the system being audited.
AU-4 - Medium - CCI-001851 - V-75013 - SV-89687r1_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
MQMH-ND-001390
Vuln IDs
  • V-75013
Rule IDs
  • SV-89687r1_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Using a syslog logging target, the MQ Appliance logs all audit records to the syslog. Logging may be set to the following logging levels in descending order of criticality: debug, info, notice, warn, error, alert, emerg. The default is notice. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-74865r1_chk

Log on to the MQ Appliance CLI as a privileged user.

Enter:

    co
    show logging target

All configured logging targets will be displayed.

Verify:
- This list includes a remote syslog notification target; and
- It includes all desired log event source and log level parameters:

    event audit info
    event auth notice
    event mgmt notice
    event cli notice
    event user notice
    event system error

Ask the system admin to provide logs from syslog server and verify the MQ appliance is logging to the syslog server.

If the logs are not off-loaded, this is a finding.

Fix: F-81641r1_fix

Log on to the MQ Appliance CLI as a privileged user.

To enter global configuration mode, enter "config".

To create a syslog target, enter:

    logging target <logging target name>
    type syslog
    admin-state "enabled"
    local-address <MQ Appliance IP>
    remote-address <syslog server IP>
    remote-port <syslog server port>
    event audit debug
    event auth debug
    event mgmt debug
    event cli debug
    event user debug
    event system error
    exit
    write mem
    y

Configure the MQ appliance to off-load audit records to a remote syslog server.
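The logging-target check recurs in several rules of this guide, once with debug-level subscriptions instead of info/notice. The following Python example is added here and is not from the STIG or IBM: it parses logging target stanzas written with the keywords shown in the Fix text and lists what each target is missing. It assumes debug is the most verbose level and that a subscription at one level also delivers every level listed after it; the target names and addresses are constructed.

```python
# Levels in the order this guide lists them. ASSUMPTION: debug is the most
# verbose, and a subscription at one level also delivers all levels after it.
LEVELS = ["debug", "info", "notice", "warn", "error", "alert", "emerg"]

# Minimum subscriptions named in the Check text (category -> level).
REQUIRED = {"audit": "info", "auth": "notice", "mgmt": "notice",
            "cli": "notice", "user": "notice", "system": "error"}


def parse_targets(text):
    """Return {target name: settings} from CLI-style configuration text."""
    targets, current = {}, None
    for raw in text.splitlines():
        words = raw.replace('"', "").split()  # tolerate admin-state "enabled"
        if not words:
            continue
        if words[:2] == ["logging", "target"] and len(words) == 3:
            current = targets.setdefault(words[2], {"events": {}})
        elif current is None:
            continue  # line outside any logging target stanza
        elif words[0] == "exit":
            current = None
        elif words[0] == "event" and len(words) == 3:
            current["events"][words[1]] = words[2].lower()
        elif len(words) == 2:
            current[words[0]] = words[1]
    return targets


def target_findings(target):
    """List the reasons one target fails the check (empty list = passes)."""
    problems = []
    if target.get("type") != "syslog":
        problems.append("type is not syslog")
    if target.get("admin-state") != "enabled":
        problems.append("admin-state is not enabled")
    if "remote-address" not in target:
        problems.append("no remote-address configured")
    for category, needed in REQUIRED.items():
        have = target["events"].get(category)
        if have is None:
            problems.append(f"no subscription for {category}")
        elif have not in LEVELS:
            problems.append(f"{category} has unknown level {have}")
        elif LEVELS.index(have) > LEVELS.index(needed):
            problems.append(
                f"{category} subscribed at {have}; needs {needed} or more verbose")
    return problems


def audit(text):
    """Return (compliant, per-target findings); one clean target is enough."""
    results = {name: target_findings(t)
               for name, t in parse_targets(text).items()}
    return any(not p for p in results.values()), results


# Constructed sample using the debug-level subscriptions from the Fix text.
GOOD = """
logging target stig-syslog
 type syslog
 admin-state "enabled"
 local-address 192.0.2.20
 remote-address 192.0.2.10
 remote-port 514
 event audit debug
 event auth debug
 event mgmt debug
 event cli debug
 event user debug
 event system error
exit
"""

# Constructed sample: target disabled, auth too quiet, cli missing.
WEAK = """
logging target weak
 type syslog
 admin-state disabled
 remote-address 192.0.2.10
 remote-port 514
 event audit info
 event auth error
 event mgmt notice
 event user notice
 event system error
exit
"""

if __name__ == "__main__":
    for label, config in (("GOOD", GOOD), ("WEAK", WEAK)):
        compliant, results = audit(config)
        print(label, "compliant" if compliant else "FINDING", results)
```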

The MQ Appliance network device must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in association with CJCSM 6510.01B.
CM-6 - Medium - CCI-000366 - V-75015 - SV-89689r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
MQMH-ND-001420
Vuln IDs
  • V-75015
Rule IDs
  • SV-89689r1_rule
By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the MQ Appliance network device. An example of a mechanism to facilitate this would be through the use of SNMP traps. Using a syslog logging target, the MQ Appliance logs all audit and system events. Logging may be set to the following logging levels in descending order of criticality: debug, info, notice, warn, error, alert, emerg. The default is notice. It is the responsibility of the sysadmin to configure the triggers necessary to send alerts based upon information received at the syslog server.
Checks: C-74867r1_chk

Log on to the MQ Appliance CLI as a privileged user. Enter:

co
show logging target

All configured logging targets will be displayed. Verify:
- This list includes a remote syslog notification target; and
- It includes all desired log event source and log level parameters:

event audit info
event auth notice
event mgmt notice
event cli notice
event user notice
event system error

Ask the system admin to provide evidence the required alert triggers have been set up. If any is not true, this is a finding.

Fix: F-81629r1_fix

Log on to the MQ Appliance CLI as a privileged user. To enter global configuration mode, enter "config". To create a syslog target, enter:

logging target <logging target name>
type syslog
admin-state enabled
local-address <MQ Appliance IP>
remote-address <syslog server IP>
remote-port <syslog server port>
event audit info
event auth notice
event mgmt notice
event cli notice
event user notice
event system error
exit
write mem
y

It is the responsibility of the sysadmin to configure the triggers necessary to send alerts based upon information received at the syslog server. To meet the current requirement, the sysadmin must specify threat event patterns that should trigger alerts. Then, the sysadmin must configure alerts that will occur in response to those event patterns. Ideas for trigger event patterns can be gained from an examination of the existing syslog.

Administrative accounts for device management must be configured on the authentication server and not the MQ Appliance network device itself (except for the emergency administration account).
CM-6 - Medium - CCI-000366 - V-75017 - SV-89691r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
MQMH-ND-001450
Vuln IDs
  • V-75017
Rule IDs
  • SV-89691r1_rule
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network MQ Appliance device management. Maintaining local administrator accounts for daily usage on each MQ Appliance network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some MQ Appliance network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. Administrative accounts for network MQ Appliance device management must be configured on the authentication server and not the MQ Appliance network device itself. The only exception is for the emergency administration account (also known as the account of last resort), which is configured locally on each device. Note that more than one emergency administration account may be permitted if approved.
Checks: C-74869r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. Verify only one Fallback user is specified. If administrative accounts other than the Fallback user are on the local MQ appliance, this is a finding.

Fix: F-81631r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure LDAP server connection requirements as required. Specify one privileged Fallback user. Remove unauthorized Fallback users or admin accounts.

Access to the MQ Appliance network device must employ automated mechanisms to centrally apply authentication settings.
CM-6 - Medium - CCI-000366 - V-75019 - SV-89693r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
MQMH-ND-001460
Vuln IDs
  • V-75019
Rule IDs
  • SV-89693r1_rule
The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network MQ Appliance device management. Maintaining local administrator accounts for daily usage on each MQ Appliance network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some MQ Appliance network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion. Satisfies: SRG-APP-000516-NDM-000337, SRG-APP-000516-NDM-000338, SRG-APP-000325-NDM-000285
Checks: C-74871r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Verify the Authentication Method is set to LDAP. If MQ is not set to LDAP authentication, this is a finding.

Fix: F-81633r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to Administration (gear icon) >> Access >> RBM Settings. Set Authentication Method to LDAP. Configure LDAP server connection requirements as required.

The MQ Appliance network device must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.
CM-6 - Medium - CCI-000366 - V-75021 - SV-89695r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
MQMH-ND-001490
Vuln IDs
  • V-75021
Rule IDs
  • SV-89695r1_rule
System-level information includes default and customized settings and security attributes, including ACLs that relate to the MQ Appliance network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component. This control requires the MQ Appliance network device to support the organizational central backup process for system-level information associated with the MQ Appliance network device. This function may be provided by the MQ Appliance network device itself; however, the preferred best practice is a centralized backup rather than each MQ Appliance network device performing discrete backups.
Checks: C-74873r1_chk

Interview the system admin and determine how the MQ system is backed up. The MQ Appliance provides three features for providing system backup:
- High Availability (HA) configuration of paired appliances https://ibm.biz/Bd43aV
- Disaster Recovery (DR) configuration using a paired off-site appliance https://ibm.biz/Bd43au
- Manual backup and restore https://ibm.biz/Bd43ah

If manual backup and restore is used, verify backups are performed when changes to the system occur or at least weekly. If none of the above methods are employed or if no backups exist, this is a finding.

Fix: F-81635r1_fix

Configure the MQ appliance to use one of the following backup solutions:
- High Availability (HA) configuration of paired appliances
- Disaster Recovery (DR) configuration using a paired off-site appliance
- Manual backup and restore

The MQ Appliance network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
CM-6 - Medium - CCI-000366 - V-75023 - SV-89697r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
MQMH-ND-001520
Vuln IDs
  • V-75023
Rule IDs
  • SV-89697r1_rule
For user certificates, each organization obtains certificates from an approved, shared service provider as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.
Checks: C-74875r1_chk

Log on to the MQ Appliance CLI as a privileged user. To verify certs, enter:

co
crypto
show certificate [lists all defined cert aliases]

Verify the following: All certificate aliases point to standard DoD cert files and none are self-generated. If the certificates were not generated by a DoD approved CA, or if they are self-signed certificates, this is a finding.

Fix: F-81637r1_fix

Obtain MQ Appliance and client certs from an approved CA or ECA as required by DoD policy. Log on to the MQ Appliance WebGUI as a privileged user. Import approved certs to the cert directory:
- Click on the Administration (gear) icon.
- Under Main, click on File Management.
- Click cert directory.
- Click Actions.
- Upload files.
- Browse to select MQ Appl cert.
- Add.
- Browse to select client cert.
- Add.
- [Repeat Browse and Add for all desired client certs.]
- Upload.
- Continue.

Create cert aliases for use in MQ Appliance configurations (CLI). Enter:

co
crypto
certificate <MQAppliance CryptoCert alias> cert:///<MQAppl cert file name>
certificate <client CryptoCert alias> cert:///<client cert file name>
[Repeat certificate command for any additional client certs.]
exit
write mem
y

SSH CLI access to the MQ Appliance management interface must be restricted to approved management workstations.
CM-6 - Medium - CCI-000366 - V-75025 - SV-89699r1_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
MQMH-ND-001530
Vuln IDs
  • V-75025
Rule IDs
  • SV-89699r1_rule
The approved method for authenticating to systems is via two-factor authentication. Two-factor authentication is defined as using something you have (e.g., CAC or token) and something you know (e.g., PIN). The SSH CLI in MQ does not have the native ability to use multifactor authentication. This increases the risk of user account compromise. Restricting access to the MQ SSH management interface helps to mitigate this risk. Access must be restricted to only those management workstations or networks that require access.
Checks: C-74877r1_chk

Log on to the MQ Appliance WebGUI as a privileged user. Go to the Network icon. Select Management >> SSH Service. Click "edit" next to the Access control list field. View the SSH ACL and obtain the list of authorized addresses. Ask the administrator for the list of approved addresses. If an authorized management network is in place, the SSH ACL can include a range of addresses within the authorized management network. If a firewall is used to isolate SSH traffic, request the IP addresses of the MQ appliance and the relevant firewall ruleset. If SSH traffic is not restricted to the list of approved addresses, this is a finding.

Fix: F-81639r1_fix

Log on to the MQ Appliance WebGUI as a privileged user. Go to the Network icon. Select Management >> SSH Service. Click "edit" next to the Access control list field. Edit the SSH ACL and add the authorized workstations or management network segment. For a firewall solution, isolate the MQ SSH network interface behind the firewall and apply firewall rules to limit SSH access to only authorized management workstations or networks.
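The comparison the Check asks for, between the SSH ACL and the approved list, can be done mechanically once both are written down; this is an added example, not part of the STIG or the appliance. It assumes the ACL entries have been transcribed from the WebGUI as plain address or CIDR strings, and all addresses and names below are constructed.

```python
import ipaddress

def audit_ssh_acl(acl_entries, approved):
    """Return (entry, reason) for each ACL entry not covered by the approved list."""
    nets = [ipaddress.ip_network(a, strict=False) for a in approved]
    bad = []
    for entry in acl_entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            bad.append((entry, "not a valid address or CIDR range"))
            continue
        if net.prefixlen == 0:
            # A /0 entry permits SSH from anywhere, whatever else is listed.
            bad.append((entry, "matches every source address"))
        elif not any(net.version == n.version and net.subnet_of(n) for n in nets):
            # The whole ACL range must sit inside one approved address or network.
            bad.append((entry, "outside the approved list"))
    return bad

# Constructed inputs: the approved list from the administrator and the ACL
# entries as read from the SSH Service access control list.
APPROVED = ["10.20.30.0/24", "192.0.2.15"]
SAMPLE_ACL = ["10.20.30.17", "10.20.30.0/25", "10.20.0.0/16",
              "192.0.2.15/32", "0.0.0.0/0", "mgmt-ws-3"]

if __name__ == "__main__":
    for entry, reason in audit_ssh_acl(SAMPLE_ACL, APPROVED):
        print(f"FINDING {entry}: {reason}")
```

An ACL range wider than the approved management network, such as the /16 in the sample, is reported even though it contains approved addresses.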