STIGQter: STIG Summary: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

JBoss process owner execution permissions must be limited.

DISA Rule

SV-213520r615939_rule

Vulnerability Number

V-213520

Group Title

SRG-APP-000141-AS-000095

Rule Version

JBOS-AS-000230

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Run the JBoss server with non-admin rights.

Check Contents

The script that is used to start JBoss determines the mode in which JBoss will operate, which will be either standalone mode or domain mode. Both scripts are installed by default in the <JBOSS_HOME>/bin/ folder.

In addition to running the JBoss server as an interactive script launched from the command line, JBoss can also be started as a service.

The scripts used to start JBoss are:
Red Hat:
standalone.sh
domain.sh

Windows:
standalone.bat
domain.bat

Use the relevant OS commands to determine JBoss ownership.

When running as a process:
Red Hat: "ps -ef|grep -i jboss".
Windows: "services.msc".

Search for the JBoss process, which by default is named "JBOSSEAP6".

If the user account used to launch the JBoss script or start the JBoss process has admin rights on the system, this is a finding.
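The check above is manual. The following script is an added example (not part of the STIG or of JBoss EAP) that automates the Linux side of it: it lists the accounts owning JBoss processes and flags any that are privileged. It assumes the JBoss command line contains "jboss" (true for standalone.sh and domain.sh, which pass -Djboss.home.dir to java) and approximates "admin rights" as uid 0 or membership in the root, wheel, sudo or admin groups; the ps sample is constructed so the parsing can be exercised offline, and the group list is an assumption to adjust to the site's definition of an administrative account.

```shell
#!/bin/sh
# Added example, not STIG or JBoss EAP code. Audits which account owns the
# running JBoss EAP process(es) on Linux and flags privileged owners.
# Assumptions (labelled): the JBoss java command line contains "jboss";
# "admin rights" is approximated as uid 0 or membership in one of the
# groups root/wheel/sudo/admin. Adjust that list to local policy.

# Constructed sample of `ps -eo user:20,pid,args` output for offline use:
# one standalone instance owned by jboss, one domain host controller owned
# by root, and the auditor's own grep, which must be ignored.
SAMPLE_PS='USER                   PID COMMAND
root                     1 /sbin/init
jboss                 2140 /usr/lib/jvm/jre/bin/java -D[Standalone] -server -Djboss.home.dir=/opt/jboss-eap-6.3 org.jboss.as.standalone
root                  2301 /usr/lib/jvm/jre/bin/java -D[Host Controller] -Djboss.home.dir=/opt/jboss-eap-6.3 org.jboss.as.host-controller
auditor               2410 grep -i jboss'

# Print the distinct users owning JBoss processes, reading ps output on stdin.
# Skips the header line and any grep process that merely searches for "jboss".
jboss_users_from_ps() {
  awk 'NR > 1 && tolower($0) ~ /jboss/ && $3 !~ /grep$/ { print $1 }' | sort -u
}

# Return 0 (privileged) if UID is 0 or any listed group is an admin group.
# usage: is_privileged UID GROUP...
is_privileged() {
  uid=$1
  shift
  [ "$uid" -eq 0 ] && return 0
  for g in "$@"; do
    case "$g" in
      root|wheel|sudo|admin) return 0 ;;
    esac
  done
  return 1
}

# Live check against this host. Prints one verdict per owning account and
# returns 1 if any JBoss process runs as a privileged account (a finding).
# user:20 widens the USER column so long account names are not truncated.
audit_jboss_owners() {
  finding=0
  for u in $(ps -eo user:20,pid,args | jboss_users_from_ps); do
    # shellcheck disable=SC2046  # word splitting of the group list is intended
    if is_privileged "$(id -u "$u")" $(id -Gn "$u"); then
      echo "FINDING: JBoss process owned by privileged account '$u'"
      finding=1
    else
      echo "ok: JBoss process owned by unprivileged account '$u'"
    fi
  done
  return $finding
}

# Offline demonstration on the constructed sample: prints "jboss" and "root".
printf '%s\n' "$SAMPLE_PS" | jboss_users_from_ps
```

Run `audit_jboss_owners` on the target host after sourcing the script; a non-zero exit means at least one JBoss process is owned by a privileged account and the check is a finding. The root-owned host controller in the sample is exactly the case the STIG is after, since domain.sh launched as root leaves every managed server inheriting that identity.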

Vulnerability Number

V-213520

Documentable

False

Rule Version

JBOS-AS-000230

Severity Override Guidance

Check Content Reference

M

Target Key

3987

Comments