The issue reported in the latest post is that some event messages report the wrong user ID, the wrong command, the wrong permission, and omit the queue name altogether. The reason this is important is because it becomes impossible to move up the security maturity model.
The first thing in the security maturity model is authentication. Until CONNAUTH in v8.0, MQ had only certificates or exits for authentication. It had wonderfully granular authorization, but if you didn't want to use certs or buy/write an exit, the user could simply choose the identity they wanted to run as.
CONNAUTH was supposed to provide that authentication and it does - except that IBM forgot to bind the authentication to the authorization. If you use ADOPTCTX(NO) the user still gets to pick the ID they want to authorize as. If you pick ADOPTCTX(YES) the authorization is bound to the authentication, but only at the setmqaut level. ADOPTCTX(YES) disables all CHLAUTH mapping function and overrides MCAUSER settings, removing half the functionality of USERMAP rules and rendering ADDRMAP and PEERMAP rules almost useless.
But if you get past all that and decide you want to move up in the security maturity model, the next step is usually enforcing accountability and intrusion detection. These go together because they both rely on logging of security-relevant events. As this post shows, MQ doesn't yet provide the means for reliable accountability enforcement and intrusion detection because event messages don't report accurately.

_________________
-- T.Rob
Voice/SMS 704-443-TROB (8762)
https://t-rob.net https://linkedin.com/in/tdotrob
@tdotrob on Twitter
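As an added illustration (not T.Rob's own configuration, and assuming a queue manager, AUTHINFO object, channel, OS user and queue named QM1, USE.OS, APP.SVRCONN, appuser and APP.REQUEST), the MQSC below shows the two ADOPTCTX settings discussed in the post side by side, together with the setmqaut-level authorization that ADOPTCTX(YES) binds the authenticated ID to:

```mqsc
* Added example, not from the original post. Assumed names: QM1, USE.OS,
* APP.SVRCONN, appuser, APP.REQUEST. Run inside: runmqsc QM1
*
* --- Weak: the password is checked, but the client still picks its ID ---
* ADOPTCTX(NO) authenticates the presented user/password and then does not
* use that identity for authorization, so the client can still choose the
* ID it wants to authorize as; authentication and authorization are not
* bound together.
DEFINE AUTHINFO(USE.OS) AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) ADOPTCTX(NO) REPLACE
ALTER QMGR CONNAUTH(USE.OS)
REFRESH SECURITY TYPE(CONNAUTH)

* --- Bound: the authenticated ID becomes the authorization context ---
* ADOPTCTX(YES) makes the ID that passed the password check the one that
* setmqaut/OAM authorization is evaluated against. Trade-off described in
* the post: the adopted ID overrides channel MCAUSER and CHLAUTH mapping,
* so CHLAUTH rules here are used only to block or allow, not to map.
DEFINE AUTHINFO(USE.OS) AUTHTYPE(IDPWOS) CHCKCLNT(REQUIRED) ADOPTCTX(YES) REPLACE
ALTER QMGR CONNAUTH(USE.OS)
REFRESH SECURITY TYPE(CONNAUTH)

* Still useful with ADOPTCTX(YES): a default block plus an address-based
* allow, so only listed sources reach the channel at all.
SET CHLAUTH(APP.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) ACTION(REPLACE)
SET CHLAUTH(APP.SVRCONN) TYPE(ADDRESSMAP) ADDRESS('10.20.30.*') USERSRC(CHANNEL) ACTION(REPLACE)

* Authority and channel events, so that each failure is recorded against
* the adopted ID rather than a client-chosen one (subject to the reporting
* defects the post describes).
ALTER QMGR AUTHOREV(ENABLED) CHLEV(ENABLED)

* Authorization at the setmqaut level for the adopted ID (OS shell, not MQSC):
*   setmqaut -m QM1 -t qmgr -p appuser +connect +inq
*   setmqaut -m QM1 -t queue -n APP.REQUEST -p appuser +put +get +inq
```

The two DEFINE AUTHINFO statements are alternatives; apply only the ADOPTCTX(YES) form when the goal is to bind authorization to the authenticated identity.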