SSH CLI access to the MQ Appliance management interface must be restricted to approved management workstations.

From IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide

Part of SRG-APP-000408-NDM-000314

Associated with: CCI-000366

SV-89699r1_rule SSH CLI access to the MQ Appliance management interface must be restricted to approved management workstations.

Vulnerability discussion

The approved method for authenticating to systems is via two-factor authentication. Two-factor authentication is defined as using something you have (e.g., CAC or token) and something you know (e.g., PIN). The SSH CLI in MQ does not have the native ability to use multifactor authentication. This increases the risk of user account compromise. Restricting access to the MQ SSH management interface helps to mitigate this risk. Access must be restricted to only those management workstations or networks that require access.

Check content

Log on to the MQ Appliance WebGUI as a privileged user. Go to the Network icon. Select Management >> SSH Service. Click "edit" next to the Access control list field. View the SSH ACL and obtain the list of authorized addresses. Ask the administrator for the list of approved addresses. If an authorized management network is in place, the SSH ACL can include a range of addresses within the authorized management network. If a firewall is used to isolate SSH traffic, request the IP addresses of the MQ appliance and the relevant firewall ruleset. If SSH traffic is not restricted to the list of approved addresses, this is a finding.

Fix text

Log on to the MQ Appliance WebGUI as a privileged user. Go to Network icon. Select Management >> SSH Service. Click "edit" next to the Access control list field. Edit the SSH ACL and add authorized workstations or management network segment. For a firewall solution, isolate the MQ SSH network interface behind the firewall and apply firewall rules to limit SSH access to only authorized management workstations or networks.

Pro Tips

Powered by sagemincer