Any unapproved applications must be removed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62273	JBOS-AS-000250	SV-76763r1_rule		Medium

Description
Extraneous services and applications running on an application server expands the attack surface and increases risk to the application server. Securing any server involves identifying and removing any unnecessary services and, in the case of an application server, unnecessary and/or unapproved applications.

STIG	Date
JBoss EAP 6.3 Security Technical Implementation Guide	2015-11-09

Details

Check Text ( C-63077r1_chk )
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the /bin/ folder. Run the jboss-cli script. Connect to the server and authenticate. Run the command: ls /deployment The list of deployed applications is displayed. Have the system admin identify the applications listed and confirm they are approved applications. If the system admin cannot provide documentation proving their authorization for deployed applications, this is a finding.

Check Text ( C-63077r1_chk )

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the /bin/ folder.
Run the jboss-cli script.
Connect to the server and authenticate.
Run the command:

ls /deployment

The list of deployed applications is displayed. Have the system admin identify the applications listed and confirm they are approved applications.

If the system admin cannot provide documentation proving their authorization for deployed applications, this is a finding.

Fix Text (F-68193r1_fix)
Identify, authorize, and document all applications that are deployed to the application server. Remove unauthorized applications.