STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 23 Aug 2018

The WebSphere Application Server files must be owned by the non-root WebSphere user ID.

DISA Rule

SV-95985r1_rule

Vulnerability Number

V-81271

Group Title

SRG-APP-000141-AS-000095

Rule Version

WBSP-AS-000920

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Note: executing this fix without proper planning regarding file ownership can render your installation inoperable. See vulnerability discussion before executing this fix.

Ensure all WebSphere related files and folders are owned by the WebSphere OS user.

Ensure OS group membership is restricted.

File ownership changes for UNIX systems:
chown -R <user> <WAS_HOME>
chown -R <user> <PROFILE_HOME>
chown -R <user> <OTHER_HOME>, where <OTHER_HOME> may be zero or more directories for other files

Group ownership changes for UNIX systems:
chgrp -R <group> <WAS_HOME>
chgrp -R <group> <PROFILE_HOME>
chgrp -R <group> <OTHER_HOME>, where <OTHER_HOME> may be zero or more root directories for other files

File ownership changes for Windows systems:
"takeown /r /u <user> /f <directory> /p <password of user>", where <directory> is <WAS_HOME>, <PROFILE_HOME>, or <OTHER_HOME>

Check Contents

Review System Security Plan documentation.

Interview the system administrator.

Determine the OS user and group information associated with the WebSphere processes.

Identify the paths, files, and folders associated with the WebSphere installation.

These include:
- <WAS_HOME>: where you installed WebSphere.

<WAS_HOME> default location:

For UNIX: /opt/IBM/WebSphere/AppServer
For Windows: C:\Program Files\IBM\WebSphere\AppServer

- <PROFILE_HOME>: where the appserver instance resides. The default location is under "<WAS_HOME>/profiles".

- <OTHER_HOME>: any additional files that may reside outside of <WAS_HOME>. Examples include:
  - shared library .jar files
  - Resource Adapter .rar files
  - key and trust store files (.jks and .p12)
  - other files such as JDBC drivers

For Linux, use the command "find <directory> -user root" to find files owned by the root user.

On Windows, use the "dir /Q /S" command from the root directories to show the owners of all files.

Examine the output for files owned by the administrator or root account.

If any WebSphere file or additional files as described above are owned by root or the administrator, this is a finding.
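The check above can be run as a script instead of inspecting "find <directory> -user root" output by hand. The following POSIX shell helper is an added example, not text from the STIG or code from IBM: it lists every path under the given WebSphere directories whose owner or group is not the expected non-root WebSphere account (the group is checked as well because the fix requires both chown and chgrp) and gives a pass/finding verdict for the rule. The account name wasadmin:wasgrp and the directory paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added audit helper (not part of the STIG text): list everything under the
# WebSphere directories whose owner or group is not the expected non-root
# WebSphere OS account, the automated form of "find <directory> -user root".
# Directory paths and the account name wasadmin:wasgrp are placeholders.

# Print one "ls -ld" line for every path under DIR... whose owner is not USER
# or whose group is not GROUP. Prints nothing when everything is compliant.
#   usage: was_ownership_findings USER GROUP DIR...
was_ownership_findings() {
    expect_user="$1"; expect_group="$2"; shift 2

    # A user name must resolve or find aborts; a purely numeric ID is passed
    # straight through and find treats it as a uid when no such name exists.
    case $expect_user in
        *[!0-9]*) id "$expect_user" >/dev/null 2>&1 ||
                  { echo "unknown user: $expect_user" >&2; return 2; } ;;
    esac

    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "not a directory, skipped: $dir" >&2
            continue
        fi
        # Owner and group are checked together because the fix text requires
        # both chown and chgrp; -exec ls -ld shows who actually owns each hit.
        find "$dir" \( ! -user "$expect_user" -o ! -group "$expect_group" \) \
            -exec ls -ld {} +
    done
    return 0
}

# Rule verdict: returns 0 (no finding) or 1 (finding); 2 on an unknown user.
#   usage: was_ownership_check USER GROUP WAS_HOME [PROFILE_HOME OTHER_HOME...]
was_ownership_check() {
    findings=$(was_ownership_findings "$@") || return 2
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        echo "FINDING V-81271 (WBSP-AS-000920): paths above are not owned by $1:$2"
        return 1
    fi
    echo "no finding: every examined path is owned by $1:$2"
    return 0
}

# Run directly with the account and directories to examine, for example:
#   sh was_owner_audit.sh wasadmin wasgrp /opt/IBM/WebSphere/AppServer \
#       /opt/IBM/WebSphere/AppServer/profiles /opt/IBM/shared_libs
if [ "$#" -ge 3 ]; then
    was_ownership_check "$@"
fi
```

Run it as the reviewing account, not as the WebSphere user, and pass every <OTHER_HOME> location recorded in the System Security Plan; a path that is not passed is not examined, and the script only reports, it does not change ownership.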

Vulnerability Number

V-81271

Documentable

False

Rule Version

WBSP-AS-000920

Severity Override Guidance

Check Content Reference

M

Target Key

3399

Comments