Inaccurate MQ auths event messages
T.Rob
Posted: Tue Nov 01, 2016 1:51 pm    Post subject: Inaccurate MQ auths event messages

Acolyte

Joined: 16 Oct 2001
Posts: 56
Location: Charlotte, NC

There's more MQ security research posted:
https://t-rob.net/2016/11/01/inaccurate-mq-auths-event-messages/

The issue reported in the latest post is that some event messages report the wrong user ID, the wrong command, the wrong permission, and omit the queue name altogether. The reason this is important is that it becomes impossible to move up the security maturity model.

The first thing in the security maturity model is authentication. Until CONNAUTH in v8.0, MQ had only certificates or exits for authentication. It had wonderfully granular authorization, but if you didn't want to use certs or buy/write an exit, the user could simply choose the identity they wanted to run as.

CONNAUTH was supposed to provide that authentication and it does - except that IBM forgot to bind the authentication to the authorization. If you use ADOPTCTX(NO), the user still gets to pick the ID they want to authorize as. If you pick ADOPTCTX(YES), the authorization is bound to the authentication, but only at the setmqaut level. ADOPTCTX(YES) disables all CHLAUTH mapping functions and overrides MCAUSER settings, removing half the functionality of USERMAP rules and rendering ADDRMAP and PEERMAP rules almost useless.

But if you get past all that and decide you want to move up in the security maturity model, the next step is usually enforcing accountability and intrusion detection. These go together because they both rely on logging of security relevant events. As this post shows, MQ doesn't yet provide the means for reliable accountability enforcement and intrusion detection because event messages don't report accurately.
_________________
-- T.Rob
Voice/SMS 704-443-TROB (8762)
https://t-rob.net
https://linkedin.com/in/tdotrob
@tdotrob on Twitter
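The ADOPTCTX trade-off the post describes, written out as MQSC for a hypothetical queue manager; this is an added example, not code from T.Rob's post or from IBM, and the comments restate the behaviour as the post states it. The AUTHINFO name, channel name, user IDs and address (USE.PW, APP.SVRCONN, alice, appmq, 10.0.0.*) are assumed.

```mqsc
* Added example, not from the post or from IBM. Object and user names
* (USE.PW, APP.SVRCONN, alice, appmq, 10.0.0.*) are made up.

* --- Setting 1: authenticate the connection, but do not adopt the ID ---
* Per the post: the password is checked, yet the client still chooses the
* user ID it is authorized as, so authentication is not bound to
* authorization.
DEFINE AUTHINFO('USE.PW') AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) ADOPTCTX(NO) REPLACE
ALTER QMGR CONNAUTH('USE.PW')

* CHLAUTH mapping rules; per the post these still select the MCAUSER
* under ADOPTCTX(NO):
SET CHLAUTH('APP.SVRCONN') TYPE(USERMAP) CLNTUSER('alice') USERSRC(MAP) MCAUSER('appmq') ACTION(REPLACE)
SET CHLAUTH('APP.SVRCONN') TYPE(ADDRESSMAP) ADDRESS('10.0.0.*') USERSRC(MAP) MCAUSER('appmq') ACTION(REPLACE)

* --- Setting 2: adopt the authenticated ID ---
* Per the post: authorization is now bound to the authenticated ID at the
* setmqaut level, but the MCAUSER chosen by the USERMAP/ADDRESSMAP rules
* above is overridden, so those rules no longer decide the identity.
ALTER AUTHINFO('USE.PW') AUTHTYPE(IDPWOS) ADOPTCTX(YES)

* Either CONNAUTH change takes effect only after:
REFRESH SECURITY TYPE(CONNAUTH)

* Check which rule and MCAUSER a given connection would hit (the address
* and client user are constructed values):
DISPLAY CHLAUTH('APP.SVRCONN') MATCH(RUNCHECK) CLNTUSER('alice') ADDRESS('10.0.0.5')
```

Run the DISPLAY CHLAUTH check under each setting and compare the identity the queue manager actually authorizes against; per the post, only the ADOPTCTX(YES) case ties it to the authenticated user, at the cost of the mapping rules.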