STIGQter: STIG Summary: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

The JBoss server must be configured to use individual accounts and not generic or shared accounts.

DISA Rule

SV-213528r615939_rule

Vulnerability Number

V-213528

Group Title

SRG-APP-000153-AS-000104

Rule Version

JBOS-AS-000275

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application server so required users are individually authenticated by creating individual user accounts. Utilize an LDAP server that is configured according to DOD policy.

Check Contents

If the application server management interface is configured to use LDAP authentication, this requirement is NA.

Determine the mode in which the JBoss server is operating by authenticating to the OS, changing to the <JBOSS_HOME>/bin/ folder, and executing the jboss-cli script.
Connect to the server and authenticate.
Run the command "ls" and examine the "launch-type" setting.

User account information is stored in the following files for a JBoss server configured in standalone mode. The command line flags passed to the "standalone" startup script determine which of these standalone configurations is in use:
<JBOSS_HOME>/standalone/configuration/standalone.xml
<JBOSS_HOME>/standalone/configuration/standalone-full.xml
<JBOSS_HOME>/standalone/configuration/standalone-full-ha.xml
<JBOSS_HOME>/standalone/configuration/standalone-ha.xml

For a Managed Domain:
<JBOSS_HOME>/domain/configuration/domain.xml

Review the applicable files for generic or shared user accounts.

Open each XML file with a text editor and locate the <management-interfaces> section.
Review each <user name="xxxxx"> sub-section, where "xxxxx" is a user name.

Have the system administrator identify the user of each user account.

If user accounts are not assigned to individual users, this is a finding.
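The manual review above can be front-loaded with a script that pulls every declared user name out of the <management-interfaces> section and flags names that look generic or shared, leaving the SA only the attribution step. This is an added example, not part of the STIG or of JBoss; the XML sample is constructed in the shape the check describes (namespace included, so the parser must ignore it), and GENERIC_PATTERNS is a hypothetical naming heuristic to be replaced by the organisation's own policy.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout the check describes: a <management-interfaces>
# section holding <user name="..."> entries. Namespace mirrors JBoss domain files.
SAMPLE_XML = """<?xml version="1.0"?>
<server xmlns="urn:jboss:domain:1.7">
  <management>
    <management-interfaces>
      <user name="jsmith"/>
      <user name="admin"/>
      <user name="ops-shared"/>
      <user name="a.jones"/>
    </management-interfaces>
  </management>
</server>
"""

# Hypothetical patterns for names that denote a role or team rather than a person.
GENERIC_PATTERNS = [r"^admin$", r"^root$", r"^(svc|service)[-_.]", r"shared", r"^(ops|team|generic)"]


def local_name(tag: str) -> str:
    """Strip a namespace prefix such as '{urn:jboss:domain:1.7}user' from a tag."""
    return tag.rsplit("}", 1)[-1]


def management_users(xml_text: str) -> list[str]:
    """Return every user name declared under a <management-interfaces> element."""
    root = ET.fromstring(xml_text)
    names = []
    for section in root.iter():
        if local_name(section.tag) != "management-interfaces":
            continue
        for user in section.iter():
            if local_name(user.tag) == "user" and user.get("name"):
                names.append(user.get("name"))
    return names


def looks_generic(name: str) -> bool:
    """True when the name matches any of the generic/shared patterns."""
    return any(re.search(p, name, re.IGNORECASE) for p in GENERIC_PATTERNS)


def review(xml_text: str) -> dict[str, list[str]]:
    """All declared accounts plus the subset whose names suggest a shared account."""
    users = management_users(xml_text)
    return {"all": users, "flagged": [u for u in users if looks_generic(u)]}


if __name__ == "__main__":
    result = review(SAMPLE_XML)
    for u in result["all"]:
        status = "REVIEW: generic/shared name" if u in result["flagged"] else "confirm owner with SA"
        print(f"{u:12} {status}")
```

In practice, read each configuration file listed above and pass its contents to review(); an empty "all" list means the file declares no users in that section and the realm should be checked for another authentication source.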

Documentable

False

Check Content Reference

M

Target Key

3987

Comments