STIGQter: STIG Summary: JBoss EAP 6.3 Security Technical Implementation Guide

Version: 1

Release: 4

Benchmark Date: 25 Oct 2019

Name             Title
SV-76563r1_rule  HTTP management session traffic must be encrypted.
SV-76705r1_rule  HTTPS must be enabled for JBoss web interfaces.
SV-76707r1_rule  Java permissions must be set for hosted applications.
SV-76709r1_rule  Users in JBoss Management Security Realms must be in the appropriate role.
SV-76711r1_rule  Silent Authentication must be removed from the Default Application Security Realm.
SV-76713r1_rule  Silent Authentication must be removed from the Default Management Security Realm.
SV-76715r1_rule  The Java Security Manager must be enabled for the JBoss application server.
SV-76717r1_rule  The JBoss server must be configured with Role Based Access Controls.
SV-76719r1_rule  JBoss management interfaces must be secured.
SV-76721r1_rule  The JBoss server must generate log records for access and authentication events to the management interface.
SV-76723r1_rule  JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.
SV-76725r1_rule  JBoss must be configured to initiate session logging upon startup.
SV-76727r1_rule  JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.
SV-76729r1_rule  JBoss must be configured to produce log records containing information to establish what type of events occurred.
SV-76731r1_rule  JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.
SV-76733r1_rule  JBoss must be configured to produce log records that establish which hosted application triggered the events.
SV-76735r1_rule  JBoss must be configured to record the IP address and port information used by management interface network traffic.
SV-76737r1_rule  The application server must produce log records that contain sufficient information to establish the outcome of events.
SV-76739r1_rule  JBoss ROOT logger must be configured to utilize the appropriate logging level.
SV-76741r1_rule  File permissions must be configured to protect log information from any type of unauthorized read access.
SV-76743r1_rule  File permissions must be configured to protect log information from unauthorized modification.
SV-76745r1_rule  File permissions must be configured to protect log information from unauthorized deletion.
SV-76747r1_rule  JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.
SV-76749r1_rule  mgmt-users.properties file permissions must be set to allow access to authorized users only.
SV-76751r1_rule  JBoss process owner interactive access must be restricted.
SV-76753r1_rule  Google Analytics must be disabled in EAP Console.
SV-76755r1_rule  JBoss process owner execution permissions must be limited.
SV-76757r1_rule  JBoss QuickStarts must be removed.
SV-76759r1_rule  Remote access to JMX subsystem must be disabled.
SV-76761r1_rule  Welcome Web Application must be disabled.
SV-76763r1_rule  Any unapproved applications must be removed.
SV-76765r1_rule  JBoss application and management ports must be approved by the PPSM CAL.
SV-76767r1_rule  The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.
SV-76769r1_rule  The JBoss Server must be configured to use certificates to authenticate admins.
SV-76771r1_rule  The JBoss server must be configured to use individual accounts and not generic or shared accounts.
SV-76773r1_rule  The JBoss server must be configured to bind the management interfaces to only management networks.
SV-76775r1_rule  JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.
SV-76777r2_rule  The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.
SV-76779r1_rule  JBoss KeyStore and Truststore passwords must not be stored in clear text.
SV-76781r1_rule  LDAP enabled security realm value allow-empty-passwords must be set to false.
SV-76783r1_rule  JBoss must utilize encryption when using LDAP for authentication.
SV-76785r1_rule  The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators.
SV-76787r1_rule  The JBoss server must separate hosted application functionality from application server management functionality.
SV-76789r1_rule  JBoss file permissions must be configured to protect the confidentiality and integrity of application files.
SV-76791r1_rule  Access to JBoss log files must be restricted to authorized users.
SV-76793r1_rule  Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller.
SV-76795r1_rule  The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
SV-76797r1_rule  The JBoss server must be configured to log all admin activity.
SV-76799r2_rule  The JBoss server must be configured to utilize syslog logging.
SV-76801r1_rule  Production JBoss servers must not allow automatic application deployment.
SV-76803r1_rule  Production JBoss servers must log when failed application deployments occur.
SV-76805r1_rule  Production JBoss servers must log when successful application deployments occur.
SV-76807r1_rule  JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
SV-76809r1_rule  The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.
SV-76811r2_rule  JBoss must be configured to use an approved TLS version.
SV-76813r2_rule  JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.
SV-76815r1_rule  Production JBoss servers must be supported by the vendor.
SV-76817r1_rule  The JRE installed on the JBoss server must be kept up to date.
SV-76819r1_rule  JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur.
SV-76821r1_rule  JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur.
SV-76823r1_rule  JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur.
SV-76825r1_rule  JBoss must be configured to generate log records for privileged activities.
SV-76827r1_rule  JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface.
SV-76829r1_rule  JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface.
SV-76831r1_rule  JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events.
SV-76833r1_rule  The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
SV-76835r1_rule  JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis.
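The table above lists rule titles only. As an added example that is not STIGQter's code and not part of the STIG, the following Python audits an EAP 6 standalone.xml offline against nine of the configuration rules listed (encrypted HTTP management, silent authentication in both default realms, RBAC, clear-text keystore passwords, LDAP empty passwords, JMX remoting, the welcome application, and automatic deployment). The element and attribute names follow the EAP 6 configuration schema as I know it; the mapping of each check onto a rule ID, and reading SV-76801 as "the deployment scanner is not disabled", are my assumptions; the sample XML is constructed to trip every check and is not any real system's configuration.

```python
import xml.etree.ElementTree as ET

# Constructed standalone.xml excerpt (not a real site's config) that carries the
# weak setting each check below looks for.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:1.6">
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <server-identities><ssl><keystore path="server.keystore" keystore-password="changeit"/></ssl></server-identities>
        <authentication>
          <local default-user="$local" skip-group-loading="true"/>
          <ldap connection="ldap_conn" base-dn="ou=People,dc=example,dc=com" allow-empty-passwords="true"/>
        </authentication>
      </security-realm>
      <security-realm name="ApplicationRealm"><authentication>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
      </authentication></security-realm>
    </security-realms>
    <management-interfaces>
      <http-interface security-realm="ManagementRealm"><socket-binding http="management-http"/></http-interface>
    </management-interfaces>
    <access-control provider="simple"/>
  </management>
  <profile>
    <subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1"><deployment-scanner path="deployments" scan-interval="5000"/></subsystem>
    <subsystem xmlns="urn:jboss:domain:jmx:1.3"><remoting-connector/></subsystem>
    <subsystem xmlns="urn:jboss:domain:web:1.5"><virtual-server name="default-host" enable-welcome-root="true"/></subsystem>
  </profile>
</server>"""

VAULT_PREFIX = "${VAULT::"  # how a Password Vault reference appears in EAP 6 config


def parse(xml_text):
    """Parse and drop the per-subsystem namespaces so tags match by plain name."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root


def audit(xml_text):
    """Return a list of (rule_id, message) for every weak setting found."""
    root = parse(xml_text)
    findings = []
    # SV-76563: the management http-interface must carry an https socket-binding
    for iface in root.iter("http-interface"):
        sb = iface.find("socket-binding")
        if sb is None or sb.get("https") is None:
            findings.append(("SV-76563r1_rule", "http-interface has no https socket-binding"))
    for realm in root.iter("security-realm"):
        name, auth = realm.get("name"), realm.find("authentication")
        if auth is None:
            continue
        # SV-76711 / SV-76713: <local> is silent (local OS user) authentication
        if auth.find("local") is not None:
            rule = "SV-76713r1_rule" if name == "ManagementRealm" else "SV-76711r1_rule"
            findings.append((rule, f"realm {name} allows silent authentication"))
        # SV-76781: an LDAP-backed realm must not accept empty passwords
        ldap = auth.find("ldap")
        if ldap is not None and ldap.get("allow-empty-passwords", "false") == "true":
            findings.append(("SV-76781r1_rule", f"realm {name} LDAP allow-empty-passwords=true"))
    # SV-76717: management access control must use the rbac provider
    ac = root.find("./management/access-control")
    if ac is None or ac.get("provider") != "rbac":
        findings.append(("SV-76717r1_rule", "access-control provider is not rbac"))
    # SV-76779: keystore/truststore secrets must be vault references, not literals
    for el in root.iter():
        if el.tag in ("keystore", "truststore", "ssl"):
            for attr in ("keystore-password", "key-password", "password"):
                val = el.get(attr)
                if val is not None and not val.startswith(VAULT_PREFIX):
                    findings.append(("SV-76779r1_rule", f"<{el.tag}> {attr} is in clear text"))
    # SV-76759: <remoting-connector> (only the jmx subsystem has one) exposes JMX remotely
    for sub in root.iter("subsystem"):
        if sub.find("remoting-connector") is not None:
            findings.append(("SV-76759r1_rule", "jmx subsystem has a remoting-connector"))
    # SV-76761: the welcome root context must be off on every virtual server
    for vs in root.iter("virtual-server"):
        if vs.get("enable-welcome-root", "true") == "true":
            findings.append(("SV-76761r1_rule", f"virtual-server {vs.get('name')} serves the welcome app"))
    # SV-76801 (assumed reading): a scanner that is not explicitly disabled auto-deploys
    for ds in root.iter("deployment-scanner"):
        if ds.get("scan-enabled", "true") != "false":
            findings.append(("SV-76801r1_rule", "deployment-scanner is still enabled"))
    return findings


def failed_rules(xml_text):
    """Rule IDs with at least one finding."""
    return {rule for rule, _ in audit(xml_text)}


if __name__ == "__main__":
    for rule, msg in audit(SAMPLE_XML):
        print(f"{rule}: {msg}")
```

Run it against a copy of the server's standalone.xml (or host.xml / domain.xml in domain mode) to get a quick list of rule IDs to look at; it deliberately covers only settings visible in the XML, so file permissions, logging, TLS versions, JRE currency and the vault usage itself still need the per-rule check text.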