STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 23 Aug 2018

The WebSphere Application Server process must not be started from the command line with the -password option.

DISA Rule

SV-95983r1_rule

Vulnerability Number

V-81269

Group Title

SRG-APP-000141-AS-000095

Rule Version

WBSP-AS-000910

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

When starting WebSphere commands such as wsadmin, stopManager, stopNode, stopServer, or syncNode, do not use the "-password <password>" option.

Use the interactive mode instead; you will be prompted for user id and password.

For scripts, you may configure user id and password in the "connector properties" files. These files are under the "Profile_Root/Properties" folder.

- soap.client.props: for default SOAP
- sas.client.props: for RMI and JSR160RMI connectors
- ipc.client.props: for IPC connector

Check Contents

Review System Security Plan documentation.

Interview the system administrator.

Access the operating system to list the commands currently running.

For UNIX: run "ps -ef | grep -i wsadmin.sh"

For Windows: from a DOS prompt as admin user run "WMIC path win32_process where "caption='wsadmin.exe'" get CommandLine"

If the results show "wsadmin.sh(exe) -user <username> -password <password>", this is a finding.
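One way to script the UNIX form of this check, as an added example that is not part of the STIG: it reads "ps -ef" style lines, flags any of the commands named in the Fix Recommendation that were started with -password, and redacts the value so the report does not repeat the exposure. The function names, install path and process lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the STIG): find WebSphere admin commands that were
# started with -password, given "ps -ef" style lines on stdin.

# Command names taken from the Fix Recommendation; .sh/.bat/.exe suffixes also match.
WAS_CMDS='wsadmin|stopManager|stopNode|stopServer|syncNode'

scan_ps() {
    awk -v cmds="$WAS_CMDS" '
    BEGIN { pat = "(^|/)(" tolower(cmds) ")(\\.sh|\\.bat|\\.exe)?$" }
    {
        seen = 0; pw = 0
        for (i = 1; i <= NF; i++) {
            # Only count -password when it follows one of the admin commands,
            # so "grep -i wsadmin.sh" itself is never reported.
            if (tolower($i) ~ pat) seen = 1
            else if (seen && tolower($i) == "-password") { pw = i; break }
        }
        if (!pw) next
        if (pw < NF) $(pw + 1) = "<redacted>"   # never echo the secret back
        print "FINDING: " $0
    }'
}

# Constructed sample of "ps -ef" output (path and values are illustrative).
sample_ps() {
cat <<'EOF'
wasadm 4211 4100 0 09:14 pts/0 00:00:01 /bin/sh /opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -lang jython -user wasadmin -password EXAMPLE-ONLY -f deploy.py
wasadm 4302 4100 0 09:15 pts/0 00:00:00 /bin/sh /opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -lang jython -f deploy.py
root 4410 4400 0 09:16 pts/1 00:00:00 grep -i wsadmin.sh
wasadm 4555 4100 0 09:17 pts/0 00:00:00 /opt/IBM/WebSphere/AppServer/bin/stopServer.sh server1 -username wasadmin -password EXAMPLE-ONLY
EOF
}

# Demonstration on the sample; on a live host use: ps -ef | scan_ps
sample_ps | scan_ps
```

Any line printed with the FINDING prefix corresponds to a finding under this rule.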

Documentable

False

Severity Override Guidance

Review System Security Plan documentation.

Interview the system administrator.

Access the operating system to list the commands currently running.

For UNIX: run "ps -ef | grep -i wsadmin.sh"

For Windows: from a DOS prompt as admin user run "WMIC path win32_process where "caption='wsadmin.exe'" get CommandLine"

If the results show "wsadmin.sh(exe) -user <username> -password <password>", this is a finding.

Check Content Reference

M

Target Key

3399
