STIGQter: STIG Summary: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

The JBoss server must separate hosted application functionality from application server management functionality.

DISA Rule

SV-213535r615939_rule

Vulnerability Number

V-213535

Group Title

SRG-APP-000211-AS-000146

Rule Version

JBOS-AS-000355

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Start the application server with both a -bmanagement flag and a -b flag so that administrative management functionality and hosted applications are bound to separate addresses.

Refer to section 4.9 in the JBoss EAP 6.3 Installation Guide for specific instructions on how to start the JBoss server as a service.

Check Contents

If JBoss is not started with separate management and public interfaces, this is a finding.

Review the network design documents to identify the IP address space for the management network.

Use relevant OS commands and administrative techniques to determine how the system administrator starts the JBoss server. This includes interviewing the system administrator, using the "ps -ef|grep" command on UNIX-like systems, or checking command-line flags and properties in batch scripts on Windows systems.

Ensure the startup syntax used to start JBoss specifies a management network address and a public network address.

The "-b" flag specifies the public address space.
The "-bmanagement" flag specifies the management address space.

Example:
<JBOSS_HOME>/bin/standalone.sh -bmanagement 10.10.10.35 -b 192.168.10.25

If JBoss is not started with separate management and public interfaces, this is a finding.
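The check above can be scripted for UNIX-like hosts. The following POSIX shell script is an added example (it is not part of the STIG text or of STIGQter): it parses `ps -ef` style lines for `standalone.sh`, extracts the public (`-b`) and management (`-bmanagement`) bind addresses, and reports a finding when either is missing, when both are the same address, or when one is bound to all interfaces (0.0.0.0 or ::), which would defeat the separation. It goes slightly beyond the page by also accepting the `-b=addr` spelling and the equivalent `-Djboss.bind.address` / `-Djboss.bind.address.management` system properties. The `SAMPLE_PS` process listing is constructed for the example; run `audit_ps_output "$(ps -ef)"` to check a live host.

```shell
#!/bin/sh
# Added example for JBOS-AS-000355: verify JBoss EAP 6.3 is started with separate
# management (-bmanagement) and public (-b) bind addresses. Not DISA/STIGQter code.

# Constructed sample "ps -ef" output (three JBoss instances; not from a real host).
SAMPLE_PS='jboss  4120  1  0 09:14 ?  00:00:41 /bin/sh /opt/jboss-eap-6.3/bin/standalone.sh -bmanagement 10.10.10.35 -b 192.168.10.25
jboss  4121  1  0 09:14 ?  00:00:41 /bin/sh /opt/jboss-eap-6.3/bin/standalone.sh -b 0.0.0.0
jboss  4122  1  0 09:14 ?  00:00:41 /bin/sh /opt/jboss-eap-6.3/bin/standalone.sh -bmanagement 192.168.10.25 -b 192.168.10.25'

# bind_value "<command line>" "<flag>"
# Prints the value following <flag>, accepting both "<flag> value" and
# "<flag>=value"; prints nothing when the flag is absent. Because the match is
# on the whole token, "-b" never matches "-bmanagement" or its "=" form.
bind_value() {
  printf '%s\n' "$1" | awk -v flag="$2" '{
    for (i = 1; i <= NF; i++) {
      if ($i == flag) { print $(i + 1); exit }
      if (index($i, flag "=") == 1) { print substr($i, length(flag) + 2); exit }
    }
  }'
}

# check_cmdline "<command line>"
# Prints PASS or FINDING with a reason; returns 0 for PASS, 1 for a finding.
check_cmdline() {
  pub=$(bind_value "$1" -b)
  [ -n "$pub" ] || pub=$(bind_value "$1" -Djboss.bind.address)
  mgmt=$(bind_value "$1" -bmanagement)
  [ -n "$mgmt" ] || mgmt=$(bind_value "$1" -Djboss.bind.address.management)

  if [ -z "$pub" ] || [ -z "$mgmt" ]; then
    echo "FINDING: public (-b) or management (-bmanagement) address not specified"
    return 1
  fi
  if [ "$pub" = "$mgmt" ]; then
    echo "FINDING: management and public interfaces share address $pub"
    return 1
  fi
  # A wildcard bind puts that listener on every network, including the other one.
  for addr in "$pub" "$mgmt"; do
    case "$addr" in
      0.0.0.0|::|'[::]')
        echo "FINDING: interface bound to all addresses ($addr), not separated"
        return 1 ;;
    esac
  done
  echo "PASS: management=$mgmt public=$pub"
  return 0
}

# audit_ps_output "<ps -ef text>"
# Runs check_cmdline on every standalone.sh process line, prefixed with its PID.
audit_ps_output() {
  printf '%s\n' "$1" | grep 'standalone\.sh' | while IFS= read -r line; do
    pid=$(printf '%s\n' "$line" | awk '{ print $2 }')
    printf 'pid %s: ' "$pid"
    check_cmdline "$line"
  done
}

# count_findings "<ps -ef text>" prints the number of processes that are findings.
count_findings() {
  audit_ps_output "$1" | grep -c '^pid [0-9]*: FINDING' || true
}

# Stand-alone run against the constructed sample (expected: 1 PASS, 2 FINDING lines).
audit_ps_output "$SAMPLE_PS"
```

The script only evaluates the command line. The STIG also asks the reviewer to confirm, from the network design documents, that the management address actually sits in the management network's address space; that part of the check remains a manual comparison of the reported `management=` value against those documents.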

Vulnerability Number

V-213535

Documentable

False

Rule Version

JBOS-AS-000355

Severity Override Guidance


Check Content Reference

M

Target Key

3987

Comments