
IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide


Overview

Date: 2017-06-06
Finding Count (49): CAT I (High): 0, CAT II (Med): 49, CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-74945 Medium The MQ Appliance network device must use multifactor authentication for network access to privileged accounts.
V-74947 Medium When connecting to the MQ Appliance network device using the WebGUI, it must implement replay-resistant authentication mechanisms for network access to privileged accounts.
V-74941 Medium The MQ Appliance network device must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
V-74943 Medium In the event the authentication server is unavailable, the MQ Appliance must provide one local account created for emergency administration use.
V-75007 Medium Applications used for nonlocal maintenance sessions using the MQ Appliance WebGUI must implement cryptographic mechanisms to protect the confidentiality and integrity of nonlocal maintenance and diagnostic communications.
V-75005 Medium The MQ Appliance network device must prohibit the use of cached authenticators after an organization-defined time period.
V-74949 Medium The MQ Appliance network device must enforce a minimum 15-character password length.
V-74961 Medium Authorization for access to the MQ Appliance network device must enforce a 60-day maximum password lifetime restriction.
V-74957 Medium The MQ Appliance network device must enforce password complexity by requiring that at least one numeric character be used.
V-74969 Medium WebGUI access to the MQ Appliance network device, when using PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-74953 Medium The MQ Appliance network device must enforce password complexity by requiring that at least one upper-case character be used.
V-75021 Medium The MQ Appliance network device must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.
V-74993 Medium The MQ Appliance network device must generate an immediate alert when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
V-74991 Medium The MQ Appliance network device must notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the result, date and time of the last logon (access).
V-74997 Medium The MQ Appliance network device must synchronize internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period.
V-74951 Medium The MQ Appliance network device must prohibit password reuse for a minimum of five generations.
V-74995 Medium The MQ Appliance network device must compare internal information system clocks at least every 24 hours with an authoritative time server.
V-74999 Medium The MQ Appliance network device must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
V-75009 Medium The MQ Appliance network device must generate audit records when concurrent logons from different workstations occur.
V-74935 Medium The MQ Appliance network device must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
V-74979 Medium The SSH CLI of the MQ Appliance network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
V-74937 Medium The MQ Appliance network device must alert the Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) in the event of an audit processing failure.
V-74971 Medium WebGUI access to the MQ Appliance network device must map the authenticated identity to the user account for PKI-based authentication.
V-74933 Medium The MQ Appliance network device must notify the administrator of changes to access and/or privilege parameters of the administrator account that occurred since the last logon.
V-75025 Medium SSH CLI access to the MQ Appliance management interface must be restricted to approved management workstations.
V-74931 Medium The MQ Appliance network device must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
V-74939 Medium The MQ Appliance network device must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
V-75011 Medium The MQ Appliance network device must generate audit records for all account creations, modifications, disabling, and termination events.
V-74955 Medium The MQ Appliance network device must enforce password complexity by requiring that at least one lower-case character be used.
V-74975 Medium The WebGUI of the MQ Appliance network device must terminate all sessions and network connections when nonlocal device maintenance is completed.
V-74977 Medium The WebGUI of the MQ Appliance network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
V-75019 Medium Access to the MQ Appliance network device must employ automated mechanisms to centrally apply authentication settings.
V-74959 Medium The MQ Appliance network device must enforce password complexity by requiring that at least one special character be used.
V-75003 Medium WebGUI access to the MQ Appliance network device must electronically verify Personal Identity Verification (PIV) credentials.
V-75001 Medium WebGUI access to the MQ Appliance network device must accept Personal Identity Verification (PIV) credentials.
V-75017 Medium Administrative accounts for device management must be configured on the authentication server and not the MQ Appliance network device itself (except for the emergency administration account).
V-74981 Medium The MQ Appliance network device must generate unique session identifiers using a FIPS 140-2 approved random number generator.
V-74983 Medium The MQ Appliance network device must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
V-74985 Medium The MQ Appliance network device must generate account activity alerts that are forwarded to the administrators and Information System Security Officer (ISSO). Activity includes creation, removal, modification, and re-enablement after being previously disabled.
V-74987 Medium The MQ Appliance network device must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
V-75013 Medium The MQ Appliance network device must off-load audit records onto a different system or media than the system being audited.
V-74989 Medium The MQ Appliance network device must terminate shared/group account credentials when members leave the group.
V-75015 Medium The MQ Appliance network device must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in association with CJCSM 6510.01B.
V-75023 Medium The MQ Appliance network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
V-74973 Medium The MQ Appliance network device must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
V-74923 Medium Access to the MQ Appliance network device must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type.
V-74927 Medium The MQ Appliance network device access must automatically disable accounts after a 35-day period of account inactivity.
V-74925 Medium Access to the MQ Appliance network element must use two or more authentication servers for the purpose of granting administrative access.
V-74929 Medium The MQ Appliance network device must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.