Users in a reader-role must be authorized.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-250342 | IBMW-LS-000790 | SV-250342r862992_rule | Medium |
| Description |
|---|
| The reader role is a management role that allows read-only access to select administrative REST APIs as well as the Admin Center UI (adminCenter-1.0). Preventing non-privileged users from viewing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Users granted reader role access must be authorized. |
| STIG | Date |
|---|---|
| IBM WebSphere Liberty Server Security Technical Implementation Guide | 2022-09-09 |
Details
| Check Text ( C-53777r862990_chk ) |
|---|
| As a user with access to the ${server.config.dir}/server.xml file. Review the contents and identify if users have been granted the reader-role. grep -i reader-role ${server.config.dir}/server.xml If the reader-role has been created, users in that role must be documented and approved. If users in the reader-role are not approved, this is a finding. EXAMPLE: |
| Fix Text (F-53731r862991_fix) |
|---|
| Edit the ${server.config.dir}/server.xml file. If unauthorized users have been added to the reader-role, remove those users. Otherwise, document the users who are granted the reader-role access. To allow read-only access to select administrative REST APIs, the ${server.config.dir}/server.xml must be configured as follows. Additionally, the users and groups they are a part of must be defined within LDAP. EXAMPLE: ldapType="${ldap.vendor.type}" searchTimeout="8m"> |