STIGQter: STIG Summary: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 22 Jan 2021

The Java Security Manager must be enabled for the JBoss application server.

DISA Rule

SV-213497r615939_rule

Vulnerability Number

V-213497

Group Title

SRG-APP-000033-AS-000024

Rule Version

JBOS-AS-000030

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

For a domain installation:
Enable the respective JAVA_OPTS flag in both the domain.conf and the domain.conf.bat files.

For a standalone installation:
Enable the respective JAVA_OPTS flag in both the standalone.conf and the standalone.conf.bat files.

Check Contents

To determine if the Java Security Manager is enabled for JBoss, you must examine the startup commands. JBoss can be configured to run in either "domain" or "standalone" mode. JBOSS_HOME is the variable home directory for the JBoss installation. Use relevant OS commands to navigate the file system.

A. For a managed domain installation, review the domain.conf and domain.conf.bat files:

JBOSS_HOME/bin/domain.conf
JBOSS_HOME/bin/domain.conf.bat

In the domain.conf file, ensure there is a JAVA_OPTS flag that loads the Java Security Manager as well as a relevant Java Security policy. The following is an example:

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true"

In the domain.conf.bat file, ensure the JAVA_OPTS flag is set. The following is an example:

set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true"

B. For a standalone installation, review the standalone.conf and standalone.conf.bat files:

JBOSS_HOME/bin/standalone.conf
JBOSS_HOME/bin/standalone.conf.bat

In the standalone.conf file, ensure the JAVA_OPTS flag is set. The following is an example:

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true"

In the standalone.conf.bat file, ensure the JAVA_OPTS flag is set. The following is an example:

set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME% -Djboss.modules.policy-permissions=true"

If the security manager is not enabled and a security policy is not defined, this is a finding.
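
One way to script the check above, as an added example that is not part of the STIG or of any JBoss tooling. The function names (active_lines, check_jsm, audit_jboss) are hypothetical, and the script assumes the flags sit on a single JAVA_OPTS line; lines starting with #, rem or :: are treated as comments, so a commented-out example does not count as enabled.

```shell
#!/bin/sh
# Added example: audit JBoss startup config for the Java Security Manager flags.
# Return codes: 0 = both flags on active lines, 1 = finding, 2 = file unreadable.

# active_lines FILE: print the lines of FILE that are not comments.
# "#" starts a comment in *.conf; "rem" and "::" start one in *.conf.bat.
active_lines() {
    case "$1" in
        *.bat) grep -Eiv '^[[:space:]]*(rem([[:space:]]|$)|::)' "$1" ;;
        *)     grep -Ev  '^[[:space:]]*#' "$1" ;;
    esac
}

# check_jsm FILE: require both flags on uncommented JAVA_OPTS lines.
check_jsm() {
    [ -r "$1" ] || { echo "UNREADABLE: $1"; return 2; }
    lines=$(active_lines "$1" | grep 'JAVA_OPTS' || true)
    missing=""
    # The manager flag may be bare or carry "=<class>".
    printf '%s\n' "$lines" \
        | grep -Eq -e '-Djava\.security\.manager([=[:space:]"]|$)' \
        || missing="$missing -Djava.security.manager"
    # The policy flag must name a file after "=" or "==".
    printf '%s\n' "$lines" \
        | grep -Eq -e '-Djava\.security\.policy==?[^[:space:]"]+' \
        || missing="$missing -Djava.security.policy"
    if [ -n "$missing" ]; then
        echo "FINDING: $1 missing:$missing"
        return 1
    fi
    echo "OK: $1"
}

# audit_jboss JBOSS_HOME MODE   (MODE is "domain" or "standalone")
audit_jboss() {
    rc=0
    for f in "$1/bin/$2.conf" "$1/bin/$2.conf.bat"; do
        check_jsm "$f" || rc=1
    done
    return $rc
}

# Run directly as: sh script.sh /path/to/JBOSS_HOME standalone
if [ "$#" -eq 2 ]; then audit_jboss "$1" "$2"; fi
```

A pass here only shows that the flags are present in the startup files; the policy file named by -Djava.security.policy still has to exist and be reviewed separately.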

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3987

Comments