STIGQter: STIG Summary: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.

DISA Rule

SV-213504r615939_rule

Vulnerability Number

V-213504

Group Title

SRG-APP-000090-AS-000051

Rule Version

JBOS-AS-000085

Severity

CAT II

CCI(s)

CCI-000171 - The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system.

Weight

Fix Recommendation

Obtain documented approvals from ISSM, and assign the appropriate personnel into the "Auditor" role.

Check Contents

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
Run the jboss-cli script to start the Command Line Interface (CLI).
Connect to the server and authenticate.
Run the command:

For a Managed Domain configuration:
"ls host=master/server/<SERVERNAME>/core-service=management/access=authorization/role-mapping=Auditor/include="

For a Standalone configuration:
"ls /core-service=management/access=authorization/role-mapping=Auditor/include="

If the list of users in the Auditors group is not approved by the ISSM, this is a finding.

JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments