STIGQter STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 23 Aug 2018:

The WebSphere Application Server users in a local user registry group must be authorized for that group.

DISA Rule

SV-95927r1_rule

Vulnerability Number

V-81213

Group Title

SRG-APP-000315-AS-000094

Rule Version

WBSP-AS-000150

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From administrative console, navigate to Users and Groups >> Administrative group roles.

Note: names of the groups and the roles assigned to each group.

Navigate back to User and Groups >> Manage Groups.

Click on every group.

For each group, click on users.

If there is any user who does not belong to the group based on the roles assigned to the group, click on the checkbox next to the user.

Click "Remove".

Restart the DMGR and all the JVMs.

Check Contents

If the systems user registry is managed by LDAP, this requirement is NA.

Review the System Security Plan documentation.

Interview the system administrator.

Obtain a list of authorized users.

In the administrative console, navigate to Users and Groups >> Manage Groups.

Select each group.

Select the "Members" tab.

Validate the members of the group are authorized.

If users in the group are not authorized by the ISSO/ISSM, this is a finding.

Vulnerability Number

V-81213

Documentable

False

Rule Version

WBSP-AS-000150

Severity Override Guidance

If the systems user registry is managed by LDAP, this requirement is NA.

Review the System Security Plan documentation.

Interview the system administrator.

Obtain a list of authorized users.

In the administrative console, navigate to Users and Groups >> Manage Groups.

Select each group.

Select the "Members" tab.

Validate the members of the group are authorized.

If users in the group are not authorized by the ISSO/ISSM, this is a finding.

Check Content Reference

M

Target Key

3399

Comments