JBoss EAP 6.3 Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R4

Published: 2019-09-30

Updated At: 2019-11-11 10:45:46


    Vuln Rule Version CCI Severity Title Description
    SV-76563r1_rule JBOS-AS-000010 CCI-000068 MEDIUM HTTP management session traffic must be encrypted. Types of management interfaces utilized by the JBoss EAP application server include web-based HTTP interfaces as well as command line-based management interfaces. In the event remote HTTP management is required, the access must be via HTTPS. This requir
    SV-76705r1_rule JBOS-AS-000015 CCI-001453 MEDIUM HTTPS must be enabled for JBoss web interfaces. Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. The use of cryptography for ensuring integrity of remote a
    SV-76707r1_rule JBOS-AS-000025 CCI-000213 HIGH Java permissions must be set for hosted applications. The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM. The JVM requires a security policy in order
    SV-76709r1_rule JBOS-AS-000040 CCI-000213 MEDIUM Users in JBoss Management Security Realms must be in the appropriate role. Security realms are a series of mappings between users and passwords and users and roles. There are 2 JBoss security realms provided by default; they are "management realm" and "application realm". Management realm stores authentication information for
    SV-76711r1_rule JBOS-AS-000045 CCI-000213 HIGH Silent Authentication must be removed from the Default Application Security Realm. Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis. By default $localuser is a Superuser. This introduces a
    SV-76713r1_rule JBOS-AS-000050 CCI-000213 HIGH Silent Authentication must be removed from the Default Management Security Realm. Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis. By default $localuser is a Superuser. This introduces a
    SV-76715r1_rule JBOS-AS-000030 CCI-000213 HIGH The Java Security Manager must be enabled for the JBoss application server. The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM. The Java Security Manager uses a security p
    SV-76717r1_rule JBOS-AS-000035 CCI-000213 HIGH The JBoss server must be configured with Role Based Access Controls. By default, the JBoss server is not configured to utilize role based access controls (RBAC). RBAC provides the capability to restrict user access to their designated management role, thereby limiting access to only the JBoss functionality that they are s
    SV-76719r1_rule JBOS-AS-000075 CCI-000213 HIGH JBoss management interfaces must be secured. JBoss utilizes the concept of security realms to secure the management interfaces used for JBoss server administration. If the security realm attribute is omitted or removed from the management interface definition, access to that interface is no longer
    SV-76721r1_rule JBOS-AS-000080 CCI-000169 MEDIUM The JBoss server must generate log records for access and authentication events to the management interface. Log records can be generated from various components within the JBoss application server. The minimum list of logged events should be those pertaining to access and authentication events to the management interface as well as system startup and shutdown
    SV-76723r1_rule JBOS-AS-000085 CCI-000171 MEDIUM JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged. The JBoss server must be configured to select which personnel are assigned the role of selecting which loggable events are to be logged. In JBoss, the role designated for selecting auditable events is the "Auditor" role. The personnel or roles that can se
    SV-76725r1_rule JBOS-AS-000095 CCI-001464 MEDIUM JBoss must be configured to initiate session logging upon startup. Session logging activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
    SV-76727r1_rule JBOS-AS-000105 CCI-000130 MEDIUM JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster. Information system logging capability is critical for accurate forensic analysis. Without being able to establish what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify t
    SV-76729r1_rule JBOS-AS-000110 CCI-000130 MEDIUM JBoss must be configured to produce log records containing information to establish what type of events occurred. Information system logging capability is critical for accurate forensic analysis. Without being able to establish what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify t
    SV-76731r1_rule JBOS-AS-000115 CCI-000131 MEDIUM JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred. Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important d
    SV-76733r1_rule JBOS-AS-000120 CCI-000132 MEDIUM JBoss must be configured to produce log records that establish which hosted application triggered the events. Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. By default, no web logging is enabled in JBoss. Logging can be configur
    SV-76735r1_rule JBOS-AS-000125 CCI-000133 MEDIUM JBoss must be configured to record the IP address and port information used by management interface network traffic. Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is import
    SV-76737r1_rule JBOS-AS-000130 CCI-000134 MEDIUM The application server must produce log records that contain sufficient information to establish the outcome of events. Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/p
    SV-76739r1_rule JBOS-AS-000135 CCI-001487 MEDIUM JBoss ROOT logger must be configured to utilize the appropriate logging level. Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event
    SV-76741r1_rule JBOS-AS-000165 CCI-000162 MEDIUM File permissions must be configured to protect log information from any type of unauthorized read access. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. When not configured to use a centralized logging solution lik
    SV-76743r1_rule JBOS-AS-000170 CCI-000163 MEDIUM File permissions must be configured to protect log information from unauthorized modification. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. When not configured to use a centralized logging solution lik
    SV-76745r1_rule JBOS-AS-000175 CCI-000164 MEDIUM File permissions must be configured to protect log information from unauthorized deletion. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. When not configured to use a centralized logging solution like
    SV-76747r1_rule JBOS-AS-000195 CCI-001348 MEDIUM JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days. JBoss logs by default are written to the local file system. A centralized logging solution like syslog should be used whenever possible; however, any log data stored to the file system needs to be off-loaded. JBoss EAP does not provide an automated back
    SV-76749r1_rule JBOS-AS-000210 CCI-001499 MEDIUM mgmt-users.properties file permissions must be set to allow access to authorized users only. The mgmt-users.properties file contains the password hashes of all users who are in a management role and must be protected. Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server mus
    SV-76751r1_rule JBOS-AS-000220 CCI-000381 HIGH JBoss process owner interactive access must be restricted. JBoss does not require admin rights to operate and should be run as a regular user. In addition, if the user account was to be compromised and the account was allowed interactive logon rights, this would increase the risk and attack surface against the J
    SV-76753r1_rule JBOS-AS-000225 CCI-000381 MEDIUM Google Analytics must be disabled in EAP Console. The Google Analytics feature aims to help Red Hat EAP team understand how customers are using the console and which parts of the console matter the most to the customers. This information will, in turn, help the team to adapt the console design, features,
    SV-76755r1_rule JBOS-AS-000230 CCI-000381 HIGH JBoss process owner execution permissions must be limited. JBoss EAP application server can be run as the OS admin, which is not advised. Running the application server with admin privileges increases the attack surface by granting the application server more rights than it requires in order to operate. If the
    SV-76757r1_rule JBOS-AS-000235 CCI-000381 MEDIUM JBoss QuickStarts must be removed. JBoss QuickStarts are demo applications that can be deployed quickly. Demo applications are not written with security in mind and often open new attack vectors. QuickStarts must be removed.
    SV-76759r1_rule JBOS-AS-000240 CCI-000381 MEDIUM Remote access to JMX subsystem must be disabled. The JMX subsystem allows you to trigger JDK and application management operations remotely. In a managed domain configuration, the JMX subsystem is removed by default. For a standalone configuration, it is enabled by default and must be removed.
    SV-76761r1_rule JBOS-AS-000245 CCI-000381 LOW Welcome Web Application must be disabled. The Welcome to JBoss web page provides a redirect to the JBoss admin console, which, by default, runs on TCP 9990 as well as redirects to the Online User Guide and Online User Groups hosted at locations on the Internet. The welcome page is unnecessary an
    SV-76763r1_rule JBOS-AS-000250 CCI-000381 MEDIUM Any unapproved applications must be removed. Extraneous services and applications running on an application server expands the attack surface and increases risk to the application server. Securing any server involves identifying and removing any unnecessary services and, in the case of an applicatio
    SV-76765r1_rule JBOS-AS-000255 CCI-000382 MEDIUM JBoss application and management ports must be approved by the PPSM CAL. Some networking protocols may not meet organizational security requirements to protect data and components. Application servers natively host a number of various features, such as management interfaces, httpd servers and message queues. These features al
    SV-76767r1_rule JBOS-AS-000260 CCI-000764 MEDIUM The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP. To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store that is either local (OS-based) or centralized (Active Directory/
    SV-76769r1_rule JBOS-AS-000265 CCI-000765 MEDIUM The JBoss Server must be configured to use certificates to authenticate admins. Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before succes
    SV-76771r1_rule JBOS-AS-000275 CCI-000770 MEDIUM The JBoss server must be configured to use individual accounts and not generic or shared accounts. To assure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application server users) must be individually identified and authenticated. A group authenticator is a generic account u
    SV-76773r1_rule JBOS-AS-000285 CCI-000778 MEDIUM The JBoss server must be configured to bind the management interfaces to only management networks. JBoss provides multiple interfaces for accessing the system. By default, these are called "public" and "management". Allowing non-management traffic to access the JBoss management interface increases the chances of a security compromise. The JBoss ser
    SV-76775r1_rule JBOS-AS-000290 CCI-000795 MEDIUM JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy. JBoss EAP provides a security realm called ManagementRealm. By default, this realm uses the mgmt-users.properties file for authentication. Using file-based authentication does not allow the JBoss server to be in compliance with a wide range of user mana
    SV-76777r2_rule JBOS-AS-000295 CCI-000196 MEDIUM The JBoss Password Vault must be used for storing passwords or other sensitive configuration information. JBoss EAP 6 has a Password Vault to encrypt sensitive strings, store them in an encrypted keystore, and decrypt them for applications and verification systems. Plain-text configuration files, such as XML deployment descriptors, need to specify passwords a
    SV-76779r1_rule JBOS-AS-000300 CCI-000196 MEDIUM JBoss KeyStore and Truststore passwords must not be stored in clear text. Access to the JBoss Password Vault must be secured, and the password used to access must be encrypted. There is a specific process used to generate the encrypted password hash. This process must be followed in order to store the password in an encrypted
    SV-76781r1_rule JBOS-AS-000305 CCI-000197 MEDIUM LDAP enabled security realm value allow-empty-passwords must be set to false. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Application servers have
    SV-76783r1_rule JBOS-AS-000310 CCI-000197 MEDIUM JBoss must utilize encryption when using LDAP for authentication. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. Application servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected
    SV-76785r1_rule JBOS-AS-000320 CCI-000186 MEDIUM The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the priv
    SV-76787r1_rule JBOS-AS-000355 CCI-001082 MEDIUM The JBoss server must separate hosted application functionality from application server management functionality. The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged user to the management interface before being presented with
    SV-76789r1_rule JBOS-AS-000400 CCI-001199 MEDIUM JBoss file permissions must be configured to protect the confidentiality and integrity of application files. The JBoss EAP Application Server is a Java-based AS. It is installed on the OS file system and depends upon file system access controls to protect application data at rest. The file permissions set on the JBoss EAP home folder must be configured so as t
    SV-76791r1_rule JBOS-AS-000425 CCI-001314 MEDIUM Access to JBoss log files must be restricted to authorized users. If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team.
    SV-76793r1_rule JBOS-AS-000470 CCI-002322 MEDIUM Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller. When configuring JBoss application servers into a domain configuration, HTTP management capabilities are not required on domain member servers as management is done via the server that has been designated as the domain controller. Leaving HTTP managemen
    SV-76795r1_rule JBOS-AS-000475 CCI-002235 MEDIUM The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Restricting non-privileged users also prevents an attacker who has
    SV-76797r1_rule JBOS-AS-000480 CCI-002234 MEDIUM The JBoss server must be configured to log all admin activity. In order to be able to provide a forensic history of activity, the application server must ensure users who are granted a privileged role or those who utilize a separate distinct account when accessing privileged functions or data have their actions logge
    SV-76799r2_rule JBOS-AS-000505 CCI-001851 MEDIUM The JBoss server must be configured to utilize syslog logging. Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/p
    SV-76801r1_rule JBOS-AS-000545 CCI-001813 MEDIUM Production JBoss servers must not allow automatic application deployment. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant effects on the overall security of the system. Access restric
    SV-76803r1_rule JBOS-AS-000550 CCI-001814 MEDIUM Production JBoss servers must log when failed application deployments occur. Without logging the enforcement of access restrictions against changes to the application server configuration, it will be difficult to identify attempted attacks, and a log trail will not be available for forensic investigation for after-the-fact actions
    SV-76805r1_rule JBOS-AS-000555 CCI-001814 MEDIUM Production JBoss servers must log when successful application deployments occur. Without logging the enforcement of access restrictions against changes to the application server configuration, it will be difficult to identify attempted attacks, and a log trail will not be available for forensic investigation for after-the-fact actions
    SV-76807r1_rule JBOS-AS-000625 CCI-002470 MEDIUM JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions. Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate
    SV-76809r1_rule JBOS-AS-000640 CCI-002385 MEDIUM The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster. A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the applica
    SV-76811r2_rule JBOS-AS-000650 CCI-002418 MEDIUM JBoss must be configured to use an approved TLS version. Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Tr
    SV-76813r2_rule JBOS-AS-000655 CCI-002421 MEDIUM JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS. Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through
    SV-76815r1_rule JBOS-AS-000680 CCI-002605 HIGH Production JBoss servers must be supported by the vendor. The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product. It is imperative that patches and updates be applied to JBoss in a timely manner as many attacks against JBoss focus o
    SV-76817r1_rule JBOS-AS-000685 CCI-002605 HIGH The JRE installed on the JBoss server must be kept up to date. The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product. It is imperative that patches and updates be applied to JBoss in a timely manner as many attacks against JBoss focus o
    SV-76819r1_rule JBOS-AS-000690 CCI-000172 MEDIUM JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur. Changing privileges of a subject/object may cause a subject/object to gain or lose capabilities. When successful/unsuccessful changes are made, the event needs to be logged. By logging the event, the modification or attempted modification can be investi
    SV-76821r1_rule JBOS-AS-000695 CCI-000172 MEDIUM JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur. Deleting privileges of a subject/object may cause a subject/object to gain or lose capabilities. When successful and unsuccessful privilege deletions are made, the events need to be logged. By logging the event, the modification or attempted modificatio
    SV-76823r1_rule JBOS-AS-000700 CCI-000172 MEDIUM JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur. Logging the access to the application server allows the system administrators to monitor user accounts. By logging successful/unsuccessful logons, the system administrator can determine if an account is compromised (e.g., frequent logons) or is in the pr
    SV-76825r1_rule JBOS-AS-000705 CCI-000172 MEDIUM JBoss must be configured to generate log records for privileged activities. Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Privileged ac
    SV-76827r1_rule JBOS-AS-000710 CCI-000172 MEDIUM JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface. Determining when a user has accessed the management interface is important to determine the timeline of events when a security incident occurs. Generating these events, especially if the management interface is accessed via a stateless protocol like HTTP
    SV-76829r1_rule JBOS-AS-000715 CCI-000172 MEDIUM JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface. Concurrent logons from different systems could possibly indicate a compromised account. When concurrent logons are made from different workstations to the management interface, a log record needs to be generated. This configuration setting provides fore
    SV-76831r1_rule JBOS-AS-000720 CCI-000172 MEDIUM JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events. The maintenance of user accounts is a key activity within the system to determine access and privileges. Through changes to accounts, an attacker can create an account for persistent access, modify an account to elevate privileges, or terminate/disable a
    SV-76833r1_rule JBOS-AS-000730 CCI-002450 MEDIUM The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates
    SV-76835r1_rule JBOS-AS-000735 CCI-001851 MEDIUM JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can track and understand what may have occurred. Off-loading sh