{"stig":{"title":"zOS WebsphereMQ for TSS Security Technical Implementation Guide","version":"7","release":"1"},"checks":[{"vulnId":"V-225623","ruleId":"SV-225623r958408_rule","severity":"high","ruleTitle":"WebSphere MQ channel security must be implemented in accordance with security requirements.","description":"WebSphere MQ Channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. Secure Sockets Layer (SSL) uses encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers.\n\nFailure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.\n\nSatisfies: SRG-OS-000505, SRG-OS-000555","checkContent":"Refer to the following report produced by the z/OS Data Collection:\n\n- MQSRPT(ssid)\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nCollect the following Information for WebSphere MQ and MQSeries queue manager.\n\n- If a WebSphere MQ queue manager communicates with a MQSeries queue manager, provide the WebSphere MQ queue manager and channel names used to connect with MQSeries.\n\nAutomated Analysis requires Additional Analysis.\nAutomated Analysis\nRefer to the following report produced by the z/OS Data Collection:\n\n- PDI(ZWMQ0011)\n\nIf the following guidelines are true for each channel definition displayed from the DISPLAY CHANNEL command, this is not a finding.\n\n___ Verify that each WebSphere MQ channel is using SSL by checking for the SSLCIPH parameter, which must specify a FIPS 140-2 compliant value of the following: (Note: Both ends of the channel must specify the same cipher specification.)\n\nECDHE_ECDSA_AES_128_CBC_SHA256\nECDHE_ECDSA_AES_256_CBC_SHA384\nECDHE_RSA_AES_128_CBC_SHA256\nECDHE_RSA_AES_256_CBC_SHA384\nTLS_RSA_WITH_3DES_EDE_CBC_SHA\nTLS_RSA_WITH_AES_128_CBC_SHA\nTLS_RSA_WITH_AES_128_CBC_SHA256\nTLS_RSA_WITH_AES_256_CBC_SHA\nTLS_RSA_WITH_AES_256_CBC_SHA256\n\n___ Repeat the above step for each queue manager ssid identified.","fixText":"The system programmer and the ISSO will review the WebSphere MQ Screen interface invoked by the REXX CSQOREXX. Reviewing the channel's SSLCIPH setting.\n\nDisplay the channel properties and look for the \"SSL Cipher Specification\" value.\n\nEnsure that a FIPS 140-2 compliant value is shown.\n\nECDHE_ECDSA_AES_128_CBC_SHA256\nECDHE_ECDSA_AES_256_CBC_SHA384\nECDHE_RSA_AES_128_CBC_SHA256\nECDHE_RSA_AES_256_CBC_SHA384\nTLS_RSA_WITH_3DES_EDE_CBC_SHA\nTLS_RSA_WITH_AES_128_CBC_SHA\nTLS_RSA_WITH_AES_128_CBC_SHA256\nTLS_RSA_WITH_AES_256_CBC_SHA\nTLS_RSA_WITH_AES_256_CBC_SHA256\n\nNote that both ends of the channel must specify the same cipher specification. \n\nRepeat these steps for each queue manager ssid identified.","ccis":["SV-7259"]},{"vulnId":"V-225624","ruleId":"SV-225624r958868_rule","severity":"medium","ruleTitle":"WebSphere MQ channel security is not implemented in accordance with security requirements.","description":"WebSphere MQ channel security can be configured to provide authentication, message privacy, and message integrity between queue managers. WebSphere MQ channels use SSL encryption techniques, digital signatures and digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers.\n\nFailure to properly secure a WebSphere MQ channel may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of some system services, applications, and customer data.","checkContent":"a) Refer to the following report produced by the z/OS Data Collection:\n\n- MQSRPT(ssid)\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier). To determine which Release of WebSphere MQ, review ssid reports for message CSQU000I.\n\nCollect the following Information for WebSphere MQ queue manager\n\n- If a WebSphere MQ queue manager communicates with a MQSeries queue manager, provide the WebSphere MQ queue manager and channel names used to connect with MQSeries.\n- If any WebSphere MQ channels are used to communicate within the enclave, provide a list of channels and provide documentation regarding the sensitivity of the information on the channel.\n\nb) Review the ssid report(s) and perform the following steps:\n\n1) Find the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions.\n2) Verify that each WebSphere MQ 5.3 queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified. i.e. SSLKEYR(sslkeyring-id)\n3) Issue the following TSS commands, where ssidCHIN is the Acid for the WebSphere MQ Channel Initiator's userid and sslkeyring-id is obtained from the above action:\n\nTSS LIST(ssidCHIN) KEYRING(sslkeyring-id)\n\nNOTE: The sslkeyring-id is case sensitive.\n\nIn the output find the DIGICERT field for ACID(ssidCHIN). Use this DIGICERT in the following command:\n\nTSS LIST(ssidCHIN) DIGICERT(digicert)\n\nNOTE: The digicert is case sensitive.\n\nReview the ISSUER DISTINGUISHED NAME field in the resulting output for information of any of the following:\n\nOU=PKI.OU=DoD.O=U.S. Government.C=US\nOU=ECA.O=U.S. Government.C=US\n\n4) Repeat these steps for each queue manager ssid identified.\n\nc) If the all of the items in (b) above are true, there is no finding.\n\nd) If any of the items in (b) above are untrue, this is a finding.","fixText":"Refer to the following report produced by the z/OS Data Collection:\n\n- MQSRPT(ssid)\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier). \n\n1)\tFind the DISPLAY QMGR SSLKEYR command to locate the start of the Queue Manager definitions.\n2)\tVerify that each WebSphere MQ queue manager is using a digital certificate by reviewing the SSLKEYR parameter to ensure that a keyring is identified. i.e. SSLKEYR(sslkeyring-id)\n3)\tIssue the following TSS commands, where ssidCHIN is the lid for the WebSphere MQ Channel Initiator's userid and sslkeyring-id is obtain from the above action:\n\nTSS LIST(ssidCHIN) KEYRING(sslkeyring-id)\n\nNOTE: The sslkeyring-id is case sensitive.\n\nIn the output find the DIGICERT field for ACID(ssidCHIN). Use this DIGICERT in the following command:\n\nTSS LIST(ssidCHIN) DIGICERT(digicert)\n\nNOTE: The Certificate Label Name is case sensitive.\n\nReview the Issuer's Name field in the resulting output for information of any of the following:\n\nOU=PKI.OU=DoD.O=U.S. Government.C=US\nOU=ECA.O=U.S. Government.C=US\n\n4)\tRepeat these steps for each queue manager ssid identified.\n\nTo implement the requirements stated above, the following two items are provided which attempt to assist with (1) Technical \"how to\" information and (2) A DISA Point of contact for obtaining SSL certificates for CSD WebSphere MQ channels:\n\n1. Review the information available on setting up SSL, Keyrings, and Digital Certificates in the CA TSS Cookbook regarding usage of the TSS commands to administer PKI Certificates as well as the WebSphere MQ Security manual. Also review the information contained in the documentation provided as part of the install package from the DISA SSO Resource Management Factory (formerly Software Factory).\n\n2. For information on obtaining an SSL certificate in the DISA CSD environment, send email inquiry to disaraoperations@disa.mil for more info. \n\n","ccis":["SV-111901"]},{"vulnId":"V-225625","ruleId":"SV-225625r959010_rule","severity":"medium","ruleTitle":"Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF).","description":"IBM WebSphere MQ can use a user ID associated with an ACP certificate as a channel user ID. When an entity at one end of an SSL channel receives a certificate from a remote connection, the entity asks The ACP if there is a user ID associated with that certificate. The entity uses that user ID as the channel user ID. If there is no user ID associated with the certificate, the entity uses the user ID under which the channel initiator is running. Without a validly defined Certificate Name Filter for the entity IBM WebSphere MQ will set the channel user ID to the default.","checkContent":"Validate that the list of all Production WebSphere MQ Remotes exist, and contains approved Certified Name Filters and associated USERIDS.\n\nIf the filter(s) is (are) defined, accurate and has been approved by Vulnerability ICER0030 and the associated USERID(s) is only granted need to know permissions and authority to resources and commands, this is not a finding. \n\nIf there is no Certificate Name Filter for WebSphere MQ Remotes this is a finding.\n\nNote: Improper use of CNF filters for MQ Series will result in the following Message ID.\n\nCSQX632I found in the following example:\n\nCSQX632I csect-name SSL certificate has no\nassociated user ID, remote channel\nchannel-name - channel initiator user ID\nused","fixText":"The responsible MQ System programmer(s) shall create and maintain a spread sheet that contains a list of all Production WebSphere MQ Remotes, associated individual USERIDs with corresponding valid Certified Name Filters (CNF). This documentation will be reviewed and validated annually by responsible MQ System programmer(s) and forwarded for approval by the ISSM.\n\nThe ISSO will define the associated USERIDs, the CNF, and grant the minimal need to know access, by granting only the required resources and Commands for each USERID in the ACP. See IBM WebSphere MQ Security manual for details on defining CNF for WebSphere MQ.\n\nGeneric access shall not be granted such as resource permission at the SSID. MQ resource level.\n","ccis":["SV-41848"]},{"vulnId":"V-225626","ruleId":"SV-225626r1070323_rule","severity":"medium","ruleTitle":"User timeout parameter values for WebSphere MQ queue managers are not specified in accordance with security requirements.\n","description":"Users signed on to a WebSphere MQ queue manager could leave their terminals unattended for long periods of time.  This may allow unauthorized individuals to gain access to WebSphere MQ resources and application data.  This exposure could compromise the availability, integrity, and confidentiality of some system services and application data.","checkContent":"Refer to the following report produced by the z/OS Data Collection:\n\n-\tMQSRPT(ssid)\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nAutomated Analysis\nRefer to the following report produced by the z/OS Data Collection:\n\n-\tPDI(ZWMQ0020)\n\nReview the ssid report(s) and perform the following steps:\n\n1. Find the DISPLAY SECURITY command to locate the start of the security parameter settings.\n2. Review the CSQH015I and CSQH016I messages to determine the Timeout and Interval parameter settings respectively.\n3. Repeat these steps for each queue manager ssid.\n\nThe standard values are:\n\nTIMEOUT(15)\nINTERVAL(5)\n\nIf the Timeout and Interval values conform to the standard values, this is not a finding.\n\nIf the Timeout and/or Interval values do not conform to the standard values, this is a finding.","fixText":"Review the WebSphere MQ System Setup Guide and the information on the ALTER SECURITY command in the WebSphere MQ Script (MQSC) Command Reference.\n\nEnsure the values for the TIMEOUT and INTERVAL parameters are specified in accordance with security requirements.","ccis":["V-3903"]},{"vulnId":"V-225627","ruleId":"SV-225627r958482_rule","severity":"medium","ruleTitle":"WebSphere MQ started tasks are not defined in accordance with the proper security requirements.","description":"Started tasks are used to execute WebSphere MQ queue manager services.  Improperly defined WebSphere MQ started tasks may result in inappropriate access to application resources and the loss of accountability.  This exposure could compromise the availability of some system services and application data.","checkContent":"Refer to the following reports produced by the TSS Data Collection:\n\n-\tTSSCMDS.RPT(#STC)\n-\tTSSCMDS.RPT(@ACIDS)\n-\tTSSCMDS.RPT(FACLIST) - Preferred report containing all control option values in effect including default values.\n-\tTSSCMDS.RPT(TSSPRMFL) - Alternate report containing only control option values explicitly coded at TSS startup.\n\nNOTE:\tThe FACLIST report must be created by security personnel.  The TSSPRMFL report can be used if security personnel have not executed the required steps documented in the TSS Data Collection.\n\nProvide a list of all WebSphere MQ Subsystem Ids (Queue managers) and Release levels.\n\nReview WebSphere MQ started tasks and ensure the following items are in effect:\n\nNOTE:\tssid is the queue manager name (a.k.a., subsystem identifier).\nssidMSTR is the name of a queue manager STC.\nssidCHIN is the name of a distributed queuing (a.k.a., channel initiator) STC.\n\n1)\tEach ssidMSTR and ssidCHIN started task is associated with a unique ACID.\n2)\tEach ssidMSTR and ssidCHIN started task is defined to the STC record with a unique ACID.\n3)\tEach ssidMSTR started task ACID has a corresponding WebSphere MQ MASTFAC defined.\n4)\tWebSphere MQ queue manager facilities is defined to the Facility Matrix Table using the following sample commands:\n\nFAC(USERxx=NAME=ssidMSTR,MODE=FAIL,PGM=CSQ,ID=xx,ACTIVE)\nFAC(ssidMSTR=SHRPRF,ASUBM,NOABEND,MULTUSER,XDEF,LUMSG)\nFAC(ssidMSTR=STMSG,SIGN(S),INSTDATA,NORNDPW,AUTHINIT)\nFAC(ssidMSTR=NOPROMPT,NOAUDIT,RES,WARNPW,NOTSOC)\nFAC(ssidMSTR=LCFTRANS,IJU,MSGLC,NOTRACE,NOEODINIT)\nFAC(ssidMSTR=NODORMPW,NONPWR)\nFAC(ssidMSTR=LOG(INIT,SMF,MSG,SEC9))\nFAC(ssidMSTR=DOWN=GLOBAL,LOCKTIME=00,DEFACID=(*NONE*))","fixText":"Review WebSphere MQ started tasks and ensure the following items are in effect:\n\nNOTE: \n           ssid is the queue manager name (a.k.a., subsystem \n             identifier).\n           ssidMSTR is the name of a queue manager STC.\n           ssidCHIN is the name of a distributed queuing (a.k.a.,  \n             channel initiator) STC.\n\n1) Each WebSphere MQ started task is associated with a unique ACID.\n\n2) Each WebSphere MQ started task is defined to the STC record with a unique ACID.\n\n3) Each ssidMSTR STC ACID has a corresponding WebSphere MQ MASTFAC as defined in the z/OS.\n\ni.e. A Started Task Table entry exists for each queue manager started task procedure xxxxMSTR and distributed queuing started task procedure xxxxCHIN.  A corresponding userid for each started task exists.  Queue manager and channel initiator started tasks will not be defined with the BYPASS attribute.\n\n4) WebSphere MQ queue manager facilities are defined using the control options as specified below:\n\nDefine each queue manager xxxxMSTR to the TOP SECRET Facility Matrix Table using the following sample commands:\n\nFACILITY(USERxx=NAME=xxxxMSTR)\nFACILITY(xxxxMSTR=MODE=FAIL,PGM=CSQ,ID=xx)\nFACILITY(xxxxMSTR=ACTIVE,SHRPRF,ASUBM,NOABEND)\nFACILITY(xxxxMSTR=MULTUSER,XDEF,LUMSG,STMSG,SIGN(S))\nFACILITY(xxxxMSTR=INSTDATA,NORNDPW,AUTHINIT)\nFACILITY(xxxxMSTR=NOPROMPT,NOAUDIT,RES,WARNPW)\nFACILITY(xxxxMSTR=NOTSOC,LCFTRANS,IJU,MSGLC,NOTRACE)\nFACILITY(xxxxMSTR=NOEODINIT,NODORMPW,NONPWR)\n(INIT,SMF,MSG,SEC9))\nFACILITY(xxxxMSTR=DOWN=GLOBAL,LOCKTIME=00,DEFACID=(*NONE*))\n","ccis":["SV-7527"]},{"vulnId":"V-225628","ruleId":"SV-225628r1070326_rule","severity":"medium","ruleTitle":"WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system data sets are not properly restricted.","description":"MVS data sets provide the configuration, operational, and executable properties of WebSphere MQ. Some data sets are responsible for the security implementation of WebSphere MQ. Failure to properly protect these data sets may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the ACP Data Collection:\n\n-\tSENSITVE.RPT(MQSRPT)\n\nEnsure ACP data sets rules for MQSeries/WebSphere MQ system data sets (e.g., SYS2.MQM.) restrict access as follows:\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nREAD access to data sets referenced by the following DDnames is restricted to MQSeries/WebSphere MQ STCs, MQSeries/WebSphere MQ administrators, and system programming personnel. All access to these data sets is logged.\n\nDDname          Procedure             Description\nCSQINP1          ssidMSTR               Input parameters\nCSQINP2          ssidMSTR               Input parameters\nCSQXLIB          ssidCHIN                 User exit library\n\nNote: WRITE/UPDATE and/or ALLOCATE/ALTER access to these data sets is restricted to MQSeries/WebSphere MQ administrators and systems programming personnel.\n\nWRITE/UPDATE and/or ALLOCATE/ALTER access to data sets referenced by the following DDnames is restricted to MQSeries/WebSphere MQ STCs, MQSeries/WebSphere MQ administrators, and systems programming personnel. All WRITE and ALLOCATE access to these data sets is logged.\n\nDDname             Procedure          Description\nCSQPxxxx            ssidMSTR           Page data sets\nBSDSx                  ssidMSTR           Bootstrap data sets\nCSQOUTx            ssidMSTR           SYSOUT data sets\nCSQSNAP            ssidMSTR            DUMP data set\n(See note)          ssidMSTR            Log data sets\n\nNote: To determine the log data set names, review the JESMSGLG file of the ssidMSTR active task(s). Find CSQJ001I messages to obtain DSNs.\n\nALLOCATE/ALTER access to archive data sets is restricted to MQSeries/WebSphere MQ STCs, MQSeries/WebSphere MQ administrator, and system programming personnel. All ALLOCATE/ALTER access to these data sets is logged.\n\nNote: To determine the archive data sets names, review the JESMSGLG file of the ssidMSTR active task(s). Find the CSQY122I message to obtain the ARCPRFX1 and ARCPRFX2 DSN HLQs.\n\nExcept for the specific data set requirements just mentioned, WRITE/UPDATE and/or ALLOCATE/ALTER access to all other MQSeries/WebSphere MQ system data sets is restricted to the MQSeries/WebSphere MQ administrator and system programming personnel.\n\nIf all the above are true, this is not a finding.\n\nIf any item above is untrue, this is a finding.","fixText":"The systems programmer will have the ISSO  ensure that all update and alter access to MQSeries/WebSphere MQ product and system data sets are restricted to WebSphere MQ administrators, systems programmers, and MQSeries/WebSphere MQ started tasks.\n\nThe installation requires that the following data sets be APF authorized. \n\nhlqual.SCSQAUTH\nhlqual.SCSQLINK\nhlqual.SCSQANLx\nhlqual.SCSQSNL\nhlqual.SCSQMVR1\nhlqual.SCSQMVR2\n\nRead access to data sets referenced by the CSQINP1, CSQINP2, and CSQXLIB DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all access to these data sets.\n\nWrite and allocate access to data set profiles protecting all page sets, logs, bootstrap data sets (BSDS), and data sets referenced by the CSQOUTX and CSQSNAP DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all write and allocate access to these data sets.\n\nAllocate access to all archive data sets in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all allocate access to these data sets.\n","ccis":["SV-3905"]},{"vulnId":"V-225629","ruleId":"SV-225629r1055911_rule","severity":"medium","ruleTitle":"WebSphere MQ security class(es) must not be defined improperly.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the TSS Data Collection:<br /><br />- TSSCMDS.RPT(#RDT)<br />- TSSCMDS.RPT(WHOOMADM)<br />- TSSCMDS.RPT(WHOOMCMD)<br />- TSSCMDS.RPT(WHOOMCON)<br />- TSSCMDS.RPT(WHOOMNLI)<br />- TSSCMDS.RPT(WHOOMPRO)<br />- TSSCMDS.RPT(WHOOMQUE)<br />- TSSCMDS.RPT(WHOOXADM)<br />- TSSCMDS.RPT(WHOOXNLI)<br />- TSSCMDS.RPT(WHOOXPRO)<br />- TSSCMDS.RPT(WHOOXQUE)<br />- TSSCMDS.RPT(WHOOXTOP)<br /><br />If the following WebSphere MQ resource classes are not defined to the TSS RDT, this is a finding.<br /><br />MQADMIN<br />MQCONN<br />MQCMDS<br />MQNLIST<br />MQPROC<br />MQQUEUE<br /><br />When SCYCASE is set to mixed, and the following WebSphere MQ resource classes are not defined to the TSS RDT, this is a finding.<br /><br />MXADMIN<br />MXNLIST<br />MXPROC<br />MXQUEUE<br />MXTOPIC<br /><br />NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).<br /><br />NOTE: If both MQADMIN and MXADMIN resource classes are not defined to the RDT record, no security checking is performed.","fixText":"Ensure that all WebSphere MQ resources are defined to TSS.\n\nThe following should be defined to the RDT:\n\nMQADMIN\nMQCONN\nMQCMDS\nMQNLIST\nMQPROC\nMQQUEUE\n\nWhen SCYCASE is set to mixed,  and the following WebSphere MQ resource classes should be defined to the TSS RDT.\n\nMXADMIN\nMXNLIST\nMXPROC\nMXQUEUE\nMXTOPIC\n\nUse the following commands to define (establish ownership of) resources for each WebSphere MQ subsystem to TSS:\n\nTSS ADD(deptname) MQADMIN(ssid.)\nTSS ADD(deptname) MQCMDS(ssid.)\nTSS ADD(deptname) MQCONN(ssid.)\nTSS ADD(deptname) MQNLIST(ssid.)\nTSS ADD(deptname) MQPROC(ssid.)\nTSS ADD(deptname) MQQUEUE(ssid.)\n\nWhen SCYCASE is set to mixed, CLASMAP Definitions must include the following entries:\n\nTSS ADD(deptname) MXADMIN(ssid.)\nTSS ADD(deptname) MXNLIST(ssid.)\nTSS ADD(deptname) MXPROC(ssid.)\nTSS ADD(deptname) MXQUEUE(ssid.)\nTSS ADD(deptname) MXTOPIC(ssid.)\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nAnother method to ensure protection is to assign the DEFPROT attribute to the resource class in the RDT record by using the following command:\n\nTSS REP(RDT) RESCLASS(MQADMIN) ATTR(DEFPROT)\nTSS REP(RDT) RESCLASS(MQCMDS) ATTR(DEFPROT)\nTSS REP(RDT) RESCLASS(MQCONN) ATTR(DEFPROT)\nTSS REP(RDT) RESCLASS(MQNLIST) ATTR(DEFPROT)\nTSS REP(RDT) RESCLASS(MQPROC) ATTR(DEFPROT)\nTSS REP(RDT) RESCLASS(MQQUEUE) ATTR(DEFPROT)\n\nWhen SCYCASE is set to mixed.\n\nTSS REP(RDT) RESCLASS(MXADMIN) ATTR(DEFPROT)\nTSS REP(RDT) RESCLASS(MXNLIST) ATTR(DEFPROT)\nTSS REP(RDT) RESCLASS(MXPROC) ATTR(DEFPROT)\nTSS REP(RDT) RESCLASS(MXQUEUE) ATTR(DEFPROT)\nTSS REP(RDT) RESCLASS(MXTOPIC) ATTR(DEFPROT)","ccis":["SV-7535"]},{"vulnId":"V-225630","ruleId":"SV-225630r1050725_rule","severity":"high","ruleTitle":"WebSphere MQ switch profiles must be properly defined to the appropriate ADMIN class.\n\n","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"a) Refer to the following report produced by the z/OS Data Collection:\n\n- MQSRPT(ssid)\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nAutomated Analysis requires Additional Analysis.\nAutomated Analysis\nRefer to the following report produced by the z/OS Data Collection:\n\n- PDI(ZWMQ0051)\n\nb) Review the Security switches identified in response to the DISPLAY SECURITY command in each ssid report(s). If all of the following switches specify ON, there is no finding.\n\nSUBSYSTEM\nCONNECTION\nCOMMAND\nCONTEXT\nALTERNATE USER\nPROCESS\nNAMELIST\nQUEUE\nCOMMAND RESOURCES\n\nc) If SUBSYSTEM specifies OFF, this is a finding with a severity of Category I.\n\nd) If any of the other above switches specify OFF (other than the exception mentioned below), this is a finding. Downgrade the severity to a Category II.\n\ne) If COMMAND RESOURCE Security switch specifies OFF, there is no finding.\n\nNOTE: At the discretion of the ISSO, COMMAND RESOURCE Security switch may specify OFF by defining ssid.NO.CMD.RESC.CHECKS in the MQADMIN resource class.","fixText":"Switch profiles are special WebSphere MQ profiles that are used to turn on/off security checking for a type of resource. Due to the security exposure this creates, no profiles with the first two qualifiers of ssid.NO will be defined to the MQADMIN or MXADMIN class, with one exception. Due to the fact that (1) all sensitive WebSphere MQ commands are restricted to queue managers, channel initiators, and designated systems personnel, and (2) no command resource checking is performed on DISPLAY commands, at the discretion of the ISSO a ssid.NO.CMD.RESC.CHECKS switch profile may be defined to the MQADMIN or MXADMIN class. \n\n1. Identify if any switch profile permissions exist using the sample TSS command: \n \nSR CLASS(MQADMIN) NOMASK FILTER(*.NO.**)\n\n2. Use the \"RDEL MQADMIN <SwitchProfileName>\" to remove the profile and follow up with a \"SETR RACL(MQADMIN) REF\".\n\n3. An additional refresh to an active WebSphere MQ queue manager may be required. A sample is shown below using the value QMD1 as the queue manager name.\n\nFrom the Console:\n\n>QMD1 REFRESH SECURITY(*)","ccis":["V-6960"]},{"vulnId":"V-225631","ruleId":"SV-225631r1070329_rule","severity":"medium","ruleTitle":"WebSphere MQ connection class resources must be protected properly.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the TSS Data Collection:\n\n-\t SENSITVE.RPT(WHOHMCON)\n\nReview the following connection resources defined to the connection resource class:\n\nResource       Authorized Users\nssid.BATCH       TSO and batch job ACIDs\nssid.CICS       CICS region ACIDs\nssid.IMS       IMS region ACIDs\nssid.CHIN       Channel initiator ACIDs\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nFor all connection resources defined to the MQCONN or MXCONN resource class, ensure the following items are in effect:\n\n1. Access authorization restricts access to the appropriate users as indicated above.\n2. All access FAILUREs are logged.\n\nIf all the items above are true, this is not a finding.\n\nIf any item is untrue, this is a finding.","fixText":"Review the following connection resources defined to the MQCONN or MXCONN resource class:\n\nResource       Authorized Users\nssid.BATCH       TSO and batch job ACIDs\nssid.CICS       CICS region ACIDs\nssid.IMS       IMS region ACIDs\nssid.CHIN       Channel initiator ACIDs\n\nNote: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nFor all connection resources defined to the MQCONN or MXCONN resource class, ensure the following items are in effect:\n\n1. Access authorization restricts access to the appropriate users as indicated above.\n2. All access FAILUREs are logged.\n\nThe following is a sample of the commands required to allow a batch user (USER1) to connect to a queue manager (QM1):\n\nTSS ADD(USER1) FAC(QM1MSTR)\nTSS PER(USER1) MQCONN(QM1.BATCH) ACC(READ)","ccis":["SV-7542"]},{"vulnId":"V-225632","ruleId":"SV-225632r958482_rule","severity":"medium","ruleTitle":"WebSphere MQ dead letter and alias dead letter queues are not properly defined.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"a) Refer to the following report produced by the  z/OS Data Collection:\n\n- MQSRPT(ssid)\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nb) Review the ssid report(s) and perform the following steps:\n\n1) Find the DISPLAY QMGR DEADQ command to locate the start of the dead-letter queue information. Review the DEADQ parameter to obtain the name of the real dead-letter queue.\n\n2) From the top of the report, find the QUEUE(dead-letter.queue.name) entry to locate the start of the real dead-letter queue definition. Review the GET and PUT parameters to determine their values, and ensure they conform to the specified security requirements.\n\nThe  standard values are:\n\nGET(ENABLED)\nPUT(ENABLED)\n\nNOTE: Dead-letter.queue.name is the value of the DEADQ parameter determined in Step 1.\n \n3) From the top of the report, find the QUEUE(dead-letter.queue.name.PUT) entry to locate the start of the alias dead-letter queue definition. Review the GET and PUT parameters to determine their values, and ensure they conform to those specified in the security requirements.\n\nThe standard values are:\n\nGET(DISABLED)\nPUT(ENABLED)\n\nNOTE 1: Dead-letter.queue.name is the value of the DEADQ parameter determined in Step 1.\n\nNOTE 2: The TARGQ parameter value for the alias queue will be the real dead letter queue name.\n\nNOTE 3:  If an alias queue is not used in place of the dead-letter queue, then the ACP rules for the dead-letter queue must be coded to restrict unauthorized users and systems from reading the messages on the file.\n\nc) If all of the items in (b) are true, there is no finding.\n\nd) If any item in (b) is untrue, this is a finding.","fixText":"The systems programmer responsible for supporting MQSeries/WebSphere MQ will ensure that the dead-letter queue and its alias are properly defined.\n\nThe following scenario describes how to securely define a dead-letter queue:\n\n(1)\tDefine the real dead-letter queue with attributes PUT(ENABLED) and GET(ENABLED).\n\n(2)\tGive update authority for the dead-letter queue to CKTI (the MQSeries/WebSphere MQ-supplied CICS task initiator), channel initiators, and any automated application used for dead-letter queue maintenance.\n\n(3)\tDefine an alias queue that resolves to the real dead-letter queue, but give the alias queue the attributes PUT(ENABLED) and GET(DISABLED).\n\n(4)\tTo put a message on the dead-letter queue, an application uses the alias queue. The application does the following:\n\n(a)\tRetrieve the name of the real dead-letter queue. To do this, it opens the queue manager object using MQOPEN, and then issues an MQINQ to get the dead-letter queue name.\n\n(b)\tBuild the name of the alias queue by appending the characters \".PUT\" to this name, in this case, ssid.DEAD.QUEUE.PUT.\n\n(c)\tOpen the alias queue, ssid.DEAD.QUEUE.PUT.\n\n(d)\tPut the message on the real dead-letter queue by issuing an MQPUT against the alias queue.\n\n(5)\tGive the userid associated with the application update authority to the alias, but no access to the real dead-letter queue.\n\nNOTE:\tIf an alias queue is not used in place of the dead-letter queue, then the ACP rules for the dead-letter queue will be coded to restrict unauthorized users and systems from reading the messages on the file.\n\nUndeliverable messages can be routed to a dead-letter queue. Two levels of access should be established for these queues. The first level allows applications, as well as some MQSeries / WebSphere MQ objects, to put messages to this queue. The second level restricts the ability to get messages from this queue and protects sensitive data. This will be accomplished by defining an alias queue that resolves to the real dead-letter queue, but defines the alias queue with the attributes PUT(ENABLED) and GET(DISABLED). The ability to get messages from the dead-letter queue will be restricted to message channel agents (MCAs), CKTI (MQSeries/WebSphere MQ-supplied CICS task initiator), channel initiators utility, and any automated application used for dead-letter queue maintenance.\n\n\n","ccis":["V-6964"]},{"vulnId":"V-225633","ruleId":"SV-225633r1050731_rule","severity":"medium","ruleTitle":"WebSphere MQ queue resource defined to the appropriate resource class must be protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"Refer to the following report produced by the z/OS Data Collection:\n\n- MQSRPT(ssid)\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier). \n\nRefer to the following report produced by the Data Set and Resource Data Collection:\n\n- SENSITVE.RPT(WHOHMQUE)\n\nFor all queue identified by the DISPLAY QUEUE(*) ALL command in the MQSRPT(ssid), these queues will be prefixed by ssid to identify the resources to be protected. Ensure these queue resources are defined to the MQQUEUE or MXQUEUE resource class. If the following guidance is true, this is not a finding.\n\n1) For message queues (i.e., ssid.queuename), access authorization restricts access to users requiring the ability to get messages from and put messages to message queues. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list. Decentralized MQ Administrators, non-DECC datacenter users, can have up to ALTER access to the user message queues.\n\n2) For system queues (i.e., ssid.SYSTEM.queuename), access authorization restricts UPDATE and/or ALTER access to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, and CICS regions running WebSphere MQ applications.\n\n3) For the following system queues, ensure that UPDATE access is restricted to auditors and users that require access to review message queues.\nssid.SYSTEM.COMMAND.INPUT\nssid.SYSTEM.COMMAND.REPLY\nssid.SYSTEM.CSQOREXX.*\nssid.SYSTEM.CSQUTIL.*\n\n4) For the real dead-letter queue (to determine queue name refer to ZWMQ0053), ALTER access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, CICS regions running WebSphere MQ applications, and any automated application used for dead-letter queue maintenance.\n\n5) For the alias dead-letter queue (to determine queue name refer to ZWMQ0053), UPDATE access authorization restricts access to users requiring the ability to put messages to the dead-letter queue.  This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.","fixText":"For all queue resources defined to the MQQUEUE or MXQUEUE resource class, ensure the following items are in effect:\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nFor message queues (i.e., ssid.queuename), access authorization restricts access to users requiring the ability to get messages from and put messages to message queues. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.\n\nFor system queues (i.e., ssid.SYSTEM.queuename), access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, and CICS regions running WebSphere MQ applications.\n\nFor the following system queues ensure that UPDATE access is restricted to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, CICS regions running WebSphere MQ applications, auditors, and users that require access to review message queues.\n\nssid.SYSTEM.COMMAND.INPUT\nssid.SYSTEM.COMMAND.REPLY\nssid.SYSTEM.CSQOREXX.*\n\nFor the following system queues (i.e., ssid.SYSTEM.CSQUTIL.*) ensure that UPDATE access is restricted to WebSphere MQ STCs, WebSphere MQ administrators, systems programming personnel, CICS regions running WebSphere MQ applications, and auditors.\n\nFor the real dead-letter queue (to determine queue name, refer to ZWMQ0053), access authorization restricts access to WebSphere MQ STCs, WebSphere MQ administrators, CICS regions running WebSphere MQ applications, and any automated application used for dead-letter queue maintenance.\n\nFor the alias dead-letter queue (to determine queue name, refer to ZWMQ0053), access authorization restricts access to users requiring the ability to put messages to the dead-letter queue. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.\n\nNOTE: If an alias queue is not used in place of the dead-letter queue, the RACF rules for the dead-letter queue will be coded to restrict unauthorized users and systems from reading the messages on the file.\n\nThe following is a sample of the commands required to allow a user (USER1) to get messages from or put messages to queues beginning with (PAY.) on subsystem (QM1):\n\nTSS PER(USER1) MQQUEUE(QM1.PAY.) ACC(UPDATE)","ccis":["SV-7545"]},{"vulnId":"V-225634","ruleId":"SV-225634r1055912_rule","severity":"medium","ruleTitle":"WebSphere MQ Process resources must be protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"a) Refer to the following report produced by the TSS Data Collection:\n\n- SENSITVE.RPT(WHOHMPRO)\n\nb) For all process resources (i.e., ssid.processname) defined to MQPROC or MXPROC resource class, ensure access authorization restricts access to users requiring the ability to make process inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nc) If (b) is true, there is no finding.\n\nd) If (b) is untrue, this is a finding.","fixText":"For all process resources (i.e., ssid.processname) defined to MQPROC or MXPROC resource class, ensure access authorization restricts access to users requiring the ability to make process inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.<br /><br />NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).<br /><br />The following is a sample of the commands required to allow a user (USER1) to inquire on processes beginning with the letter V on queue manager (QM1):<br /><br />TSS ADD(USER1) FAC(QM1MSTR)<br />TSS PER(USER1) MQPROC(QM1.V) ACC(READ) <br />      ACTION(AUDIT)","ccis":["SV-7547"]},{"vulnId":"V-225635","ruleId":"SV-225635r1055913_rule","severity":"medium","ruleTitle":"WebSphere MQ Namelist resources must be protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"a) Refer to the following report produced by the TSS Data Collection:\n\n- SENSITVE.RPT(WHOHMNLI)\n\nb) For all namelist resources (i.e., ssid.namelist) defined to MQNLIST or MXNLIST resource class, ensure access authorization restricts access to users requiring the ability to make namelist inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nc) If (b) is true, there is no finding.\n\nd) If (b) is untrue, this is a finding.\n","fixText":"For all namelist resources (i.e., ssid.namelist) defined to MQNLIST or MXNLIST resource class, ensure access authorization restricts access to users requiring the ability to make namelist inquiries. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.<br /><br />NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).<br /><br />The following is a sample of the commands required to allow a user (USER1) to inquire on namelist TST1 on queue manager (QM1):<br /><br />TSS ADD(USER1) FAC(QM1MSTR)<br />TSS PER(USER1) MQNLIST(QM1.TST1.) ACC(READ) <br />      ACTION(AUDIT)","ccis":["V-6967"]},{"vulnId":"V-225636","ruleId":"SV-225636r1055914_rule","severity":"medium","ruleTitle":"WebSphere MQ alternate user resources defined to appropriate ADMIN resource class must be protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"a) Refer to the following report produced by the TSS Data Collection:\n\n- SENSITVE.RPT(WHOHMADM)\n\nb) For all alternate user resources (i.e., ssid.ALTERNATE.USER.alternatelogonid) defined to MQADMIN or MXADMIN resource class, ensure access authorization restricts access to users requiring the ability to use the alternate userid. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nc) If (b) is true, there is no finding.\n\nd) If (b) is untrue, this is a finding.\n","fixText":"For all alternate user resources (i.e., ssid.ALTERNATE.USER.alternateuserid) defined to MQADMIN or MXADMIN resource class, ensure access authorization restricts access to users requiring the ability to use the alternate userid. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.<br /><br />NOTE: ssid is the queue manager name (a.k.a., subsystem identifier).<br /><br />The following is a sample of the commands required to allow payroll server (PAYSRV1) to specify alternate userids starting with the characters PS on queue manager (QM1):<br /><br />TSS ADD(USER1) FAC(QM1MSTR)<br />TSS PER(USER1) MQADMIN(QM1.ALTERNATE.USER.PS) <br />      ACC(UPDATE) ACTION(AUDIT)","ccis":["V-6969"]},{"vulnId":"V-225637","ruleId":"SV-225637r1050743_rule","severity":"medium","ruleTitle":"WebSphere MQ context resources defined to the appropriate ADMIN resource class must be protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"a) Refer to the following report produced by the TSS Data Collection:\n\n- SENSITVE.RPT(WHOHMADM)\n\nb) For all context resources (i.e., ssid.CONTEXT) defined to the MQADMIN MXADMIN resource class, ensure access authorization restricts access to users requiring the ability to pass or set identity and/or origin data for a message. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nc) If (b) is true, there is no finding.\n\nd) If (b) is untrue, this is a finding.\n","fixText":"For all context resources (i.e., ssid.CONTEXT) defined to the MQADMIN or MXADMIN resource class, ensure access authorization restricts access to users requiring the ability to pass or set identity and/or origin data for a message. This is difficult to determine. However, an item for concern may be a profile with * READ specified in the access list.\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nThe following is a sample of the commands required to allow a systems programming group (SYS1) to offload and reload messages for queue manager (QM1):\n\nTSS ADD(SYS1) FAC(QM1MSTR)\nTSS PER(SYS1) MQADMIN(QM1.CONTEXT) ACC(UPDATE) ACTION(AUDIT)","ccis":["SV-7553"]},{"vulnId":"V-225638","ruleId":"SV-225638r958472_rule","severity":"medium","ruleTitle":"WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists.  Some resources provide the ability to disable or bypass security checking.  Failure to properly protect WebSphere MQ resources may result in unauthorized access.  This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"a)\tRefer to the following report produced by the Data Set and Resource Data Collection:\n\n-\tSENSITVE.RPT(WHOHMCMD)\n\nb)\tFor all command resources (i.e., ssid.command) defined to MQCMDS resource class, ensure the following items are in effect:\n\nNOTE:\tssid is the queue manager name (a.k.a., subsystem identifier).\n\n1)\tAccess authorization restricts access to the appropriate personnel as designated in the Websphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum.\n2)\tAll command access is logged as designated in the Websphere MQ COMMAND SECURITY CONTROLS Table in the z/OS STIG Addendum.\n\nc)\tIf both of the items in (b) are true, there is NO FINDING.\n\nd)\tIf either item in (b) is untrue, this is a FINDING.","fixText":"Command security validates userids authorized to issue MQSeries/WebSphere MQ commands.  Command security will be active, and all profiles will be defined to the MQCMDS class.\n\nFor all command resources (i.e., ssid.command) defined to MQCMDS resource class, ensure the following items are in effect:\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\n    1) Access authorization restricts access to the appropriate personnel as designated in the table entitled \"Websphere MQ Command Security Controls \" in the zOS STIG Addendum. \n\n2) All command access is logged as designated in the table entitled \"Websphere MQ Command Security Controls \" in the zOS STIG Addendum.\n\nThe following is a sample of the commands required to allow a systems programming group (SYS1) to issue the command CLEAR QLOCAL in subsystem QM1:\n\nTSS ADD(SYS1) FAC(QM1MSTR)\nTSS PER(SYS1) MQCMDS(QM1.CLEAR.LOCAL) ACC(ALTER)\n\t\tACTION(AUDIT)\n\n\n","ccis":["SV-7555"]},{"vulnId":"V-225639","ruleId":"SV-225639r1050746_rule","severity":"medium","ruleTitle":"WebSphere MQ RESLEVEL resources in the appropriate ADMIN resource class must be protected in accordance with security requirements.","description":"WebSphere MQ resources allow for the control of administrator functions, connections, commands, queues, processes, and namelists. Some resources provide the ability to disable or bypass security checking. Failure to properly protect WebSphere MQ resources may result in unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.","checkContent":"a) Refer to the following report produced by the Data Set and Resource Data Collection:\n\n- SENSITVE.RPT(WHOHMADM)\n\nAutomated Analysis\nRefer to the following report produced by the Data Set and Resource Data Collection:\n\n- PDI(ZWMQ0060)\n\nb) Access authorization to these RESLEVEL resources restricts all access. No users are permitted access to ssid.RESLEVEL resources in the MQADMIN or MXADMIN resource class.\n\nNOTE: ssid is the queue manager name (a.k.a., subsystem identifier).\n\nc) If (b) is true, there is no finding.\n\nd) If (b) is untrue, this is a finding.\n","fixText":"RESLEVEL security profiles control the number of userids checked for API resource security. RESLEVEL security will not be implemented due to the following exposures and limitations:\n\n1) RESLEVEL is a powerful option that can cause the bypassing of all security checks.\n\n2) Security audit records are not created when the RESLEVEL profile is utilized.\n\n3) If the WARNING option is specified on a RESLEVEL profile, no warning messages are produced.\n\nTo protect against any profile in the MQADMIN or MXADMIN class, such as ssid.**, resolving to a RESLEVEL profile, an ssid.RESLEVEL permission will be created for each queue manager with an access of none.\n\nThe following sample command prevents access to ssid.RESLEVEL:\n\n TSS PER(ALL) MQADMIN(ssid.RESLEVEL) ACCESS(NONE)","ccis":["V-6975"]}]}