The MQ Appliance must automatically terminate a WebGUI user session after 600 seconds of idle time.

From IBM MQ Appliance V9.0 AS Security Technical Implementation Guide

Associated with: CCI-002361

SV-89487r1_rule The MQ Appliance must automatically terminate a WebGUI user session after 600 seconds of idle time.

Vulnerability discussion

An attacker can take advantage of WebGUI user sessions that are left open, thus bypassing the user authentication process.To thwart the vulnerability of open and unused user sessions, the messaging server must be configured to close the sessions when a configured condition or trigger event is met.Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated.Conditions or trigger events requiring automatic session termination can include, for example, periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.

Check content

Log on to the MQ Appliance CLI as a privileged user. To access the MQ Appliance CLI, enter: mqcli To enter configuration mode, enter: co web-mgmt show If the idle-timeout value is not "600" seconds or less, this is a finding.

Fix text

Log on to the MQ Appliance CLI as a privileged user. To access the MQ Appliance CLI, enter: mqcli To enter configuration mode, enter: co web-mgmt idle-timeout <600 seconds or less> exit write mem y

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.