The WebSphere Application Server users in a local user registry group must be authorized for that group.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-81213	WBSP-AS-000150	SV-95927r1_rule		Medium

Description
Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by logging connection activities of remote users. Examples of policy requirements include, but are not limited to, authorizing remote access to the information system, limiting access based on authentication credentials, and monitoring for unauthorized access. Satisfies: SRG-APP-000315-AS-000094, SRG-APP-000380-AS-000088, SRG-APP-000133-AS-000092, SRG-APP-000033-AS-000024, SRG-APP-000153-AS-000104

Description

Application servers provide remote access capability and must be able to enforce remote access policy requirements or work in conjunction with enterprise tools designed to enforce policy requirements. Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by logging connection activities of remote users. Examples of policy requirements include, but are not limited to, authorizing remote access to the information system, limiting access based on authentication credentials, and monitoring for unauthorized access. Satisfies: SRG-APP-000315-AS-000094, SRG-APP-000380-AS-000088, SRG-APP-000133-AS-000092, SRG-APP-000033-AS-000024, SRG-APP-000153-AS-000104

STIG	Date
IBM WebSphere Traditional V9.x Security Technical Implementation Guide	2018-08-24

Details

Check Text ( C-80883r3_chk )
If the systems user registry is managed by LDAP, this requirement is NA. Review the System Security Plan documentation. Interview the system administrator. Obtain a list of authorized users. In the administrative console, navigate to Users and Groups >> Manage Groups. Select each group. Select the "Members" tab. Validate the members of the group are authorized. If users in the group are not authorized by the ISSO/ISSM, this is a finding.

Check Text ( C-80883r3_chk )

If the systems user registry is managed by LDAP, this requirement is NA.

Review the System Security Plan documentation.

Interview the system administrator.

Obtain a list of authorized users.

In the administrative console, navigate to Users and Groups >> Manage Groups.

Select each group.

Select the "Members" tab.

Validate the members of the group are authorized.

If users in the group are not authorized by the ISSO/ISSM, this is a finding.

Fix Text (F-87991r2_fix)
From administrative console, navigate to Users and Groups >> Administrative group roles. Note: names of the groups and the roles assigned to each group. Navigate back to User and Groups >> Manage Groups. Click on every group. For each group, click on users. If there is any user who does not belong to the group based on the roles assigned to the group, click on the checkbox next to the user. Click "Remove". Restart the DMGR and all the JVMs.

Fix Text (F-87991r2_fix)

From administrative console, navigate to Users and Groups >> Administrative group roles.

Note: names of the groups and the roles assigned to each group.

Navigate back to User and Groups >> Manage Groups.

Click on every group.

For each group, click on users.

If there is any user who does not belong to the group based on the roles assigned to the group, click on the checkbox next to the user.

Click "Remove".

Restart the DMGR and all the JVMs.