WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system datasets are not properly restricted.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-224359	SRG-OS-000080	ZWMQ0040	SV-224359r1144162_rule	2025-09-27	7

Description
MVS datasets provide the configuration, operational, and executable properties of WebSphere MQ. Some datasets are responsible for the security implementation of WebSphere MQ. Failure to properly protect these datasets may lead to unauthorized access. This exposure could compromise the availability, integrity, and confidentiality of system services, applications, and customer data.

ℹ️ Check
Refer to the following report produced by the ACP Data Collection: - SENSITVE.RPT(MQSRPT). Verify ACP datasets rules for WebSphere MQ system datasets (e.g., SYS2.MQM.) restrict access as follows. If the following guidance is true, this is not a finding. Note: ssid is the queue manager name (a.k.a., subsystem identifier). If the following guidance is true, this is not a finding. The ACP dataset rules for the datasets restrict READ access to datasets referenced by the following DDnames, restricted to WebSphere MQ STCs, WebSphere MQ administrators, and systems programming personnel. All access to these datasets is logged. DDname Procedure Description CSQINP1 ssidMSTR Input parameters CSQINP2 ssidMSTR Input parameters CSQXLIB ssidCHIN User exit library The ACP dataset rules for the datasets restrict WRITE and/or greater access to the above datasets to WebSphere MQ administrators and systems programming personnel. The ACP dataset rules for the datasets restrict WRITE and/or greater access to datasets referenced by the following DDnames, restricted to WebSphere MQ STCs, WebSphere MQ administrators, and systems programming personnel. All WRITE and/or greater access to these datasets is logged. DDname Procedure Description CSQPxxxx ssidMSTR Page datasets BSDSx ssidMSTR Bootstrap datasets CSQOUTx ssidMSTR SYSOUT datasets CSQSNAP ssidMSTR DUMP dataset (See note) ssidMSTR Log datasets Note: To determine the log dataset names, review the JESMSGLG file of the ssidMSTR active task(s). Find CSQJ001I messages to obtain dataset names. The ACP dataset rules for the datasets restrict ALTER access to archive datasets, restricted to WebSphere MQ STCs, WebSphere MQ administrator, and systems programming personnel. All ALTER access to these datasets is logged. Note: To determine the archive datasets names, review the JESMSGLG file of the ssidMSTR active task(s). Find the CSQY122I message to obtain the ARCPRFX1 and ARCPRFX2 dataset high-level qualifiers. Except for the specific dataset requirements just mentioned, WRITE and/or greater access to all other WebSphere MQ system datasets is restricted to the WebSphere MQ administrator and systems programming personnel.

ℹ️ Check

Refer to the following report produced by the ACP Data Collection: - SENSITVE.RPT(MQSRPT). Verify ACP datasets rules for WebSphere MQ system datasets (e.g., SYS2.MQM.) restrict access as follows. If the following guidance is true, this is not a finding. Note: ssid is the queue manager name (a.k.a., subsystem identifier). If the following guidance is true, this is not a finding. The ACP dataset rules for the datasets restrict READ access to datasets referenced by the following DDnames, restricted to WebSphere MQ STCs, WebSphere MQ administrators, and systems programming personnel. All access to these datasets is logged. DDname Procedure Description CSQINP1 ssidMSTR Input parameters CSQINP2 ssidMSTR Input parameters CSQXLIB ssidCHIN User exit library The ACP dataset rules for the datasets restrict WRITE and/or greater access to the above datasets to WebSphere MQ administrators and systems programming personnel. The ACP dataset rules for the datasets restrict WRITE and/or greater access to datasets referenced by the following DDnames, restricted to WebSphere MQ STCs, WebSphere MQ administrators, and systems programming personnel. All WRITE and/or greater access to these datasets is logged. DDname Procedure Description CSQPxxxx ssidMSTR Page datasets BSDSx ssidMSTR Bootstrap datasets CSQOUTx ssidMSTR SYSOUT datasets CSQSNAP ssidMSTR DUMP dataset (See note) ssidMSTR Log datasets Note: To determine the log dataset names, review the JESMSGLG file of the ssidMSTR active task(s). Find CSQJ001I messages to obtain dataset names. The ACP dataset rules for the datasets restrict ALTER access to archive datasets, restricted to WebSphere MQ STCs, WebSphere MQ administrator, and systems programming personnel. All ALTER access to these datasets is logged. Note: To determine the archive datasets names, review the JESMSGLG file of the ssidMSTR active task(s). Find the CSQY122I message to obtain the ARCPRFX1 and ARCPRFX2 dataset high-level qualifiers. Except for the specific dataset requirements just mentioned, WRITE and/or greater access to all other WebSphere MQ system datasets is restricted to the WebSphere MQ administrator and systems programming personnel.

✔️ Fix
The systems programmer will have the ISSO ensure that all WRITE and/or greater access to WebSphere MQ product and system datasets are restricted to WebSphere MQ administrators, systems programmers, and WebSphere MQ started tasks. The installation requires that the following datasets be APF authorized. hlqual.SCSQAUTH hlqual.SCSQLINK hlqual.SCSQANLx hlqual.SCSQSNL hlqual.SCSQMVR1 hlqual.SCSQMVR2 READ access to datasets referenced by the CSQINP1, CSQINP2, and CSQXLIB DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all access to these datasets. WRITE and/or greater access to dataset profiles protecting all page sets, logs, bootstrap datasets (BSDS), and datasets referenced by the CSQOUTX and CSQSNAP DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all WRITE and/or greater access to these datasets. ALTER access to all archive datasets in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all ALTER access to these datasets.

✔️ Fix

The systems programmer will have the ISSO ensure that all WRITE and/or greater access to WebSphere MQ product and system datasets are restricted to WebSphere MQ administrators, systems programmers, and WebSphere MQ started tasks. The installation requires that the following datasets be APF authorized. hlqual.SCSQAUTH hlqual.SCSQLINK hlqual.SCSQANLx hlqual.SCSQSNL hlqual.SCSQMVR1 hlqual.SCSQMVR2 READ access to datasets referenced by the CSQINP1, CSQINP2, and CSQXLIB DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all access to these datasets. WRITE and/or greater access to dataset profiles protecting all page sets, logs, bootstrap datasets (BSDS), and datasets referenced by the CSQOUTX and CSQSNAP DDs in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all WRITE and/or greater access to these datasets. ALTER access to all archive datasets in the queue manager's procedure will be restricted to the queue manager userid, WebSphere MQ administrator, and systems programming personnel. Log all ALTER access to these datasets.