The MQ Appliance messaging server must identify potentially security-relevant error conditions.

From IBM MQ Appliance V9.0 AS Security Technical Implementation Guide

Part of SRG-APP-000266-AS-000168

Associated with: CCI-000172 CCI-001312

SV-89553r1_rule The MQ Appliance messaging server must identify potentially security-relevant error conditions.

Vulnerability discussion

The structure and content of error messages need to be carefully considered by the organization and development team. Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The extent to which the messaging server is able to identify and handle error conditions is guided by organizational policy and operational requirements. Adequate logging levels and system performance capabilities need to be balanced with data protection requirements.The structure and content of error messages needs to be carefully considered by the organization and development team.Messaging servers must have the capability to log at various levels which can provide log entries for potential security-related error events.An example is the capability for the messaging server to assign a criticality level to a failed logon attempt error message, a security-related error message being of a higher criticality.Instructions for using the amqsevt sample program to display instrumentation events may be found at the following URL: https://ibm.biz/BdsCzY.Satisfies: SRG-APP-000266-AS-000168, SRG-APP-000091-AS-000052

Check content

Establish an SSH command line session as an admin user. To access the MQ Appliance CLI, enter: mqcli To identify the queue managers, enter: dspmq Run the "runmqsc [queue mgr name]" command for each running queue manager. Once at the runmqsc prompt, enter: DIS QMGR AUTHOREV AUTHOREV(ENABLED) - should be the result. If "AUTHOREV" logging is not "ENABLED", this is a finding.

Fix text

For each queue manager on the MQ Appliance, enable authority (AUTHOREV) event logging. From the MQ Appliance CLI, enter the following: runmqsc [queue mgr name] ALTER QMGR AUTHOREV(ENABLED) end

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer