JBoss EAP 6.3 Security Technical Implementation Guide


Overview

Date: 2017-03-20
Finding Count: 67 (CAT I (High): 10, CAT II (Med): 56, CAT III (Low): 1)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-62265 High JBoss process owner execution permissions must be limited.
V-62327 High The JRE installed on the JBoss server must be kept up to date.
V-62217 High Java permissions must be set for hosted applications.
V-62223 High Silent Authentication must be removed from the Default Management Security Realm.
V-62325 High Production JBoss servers must be supported by the vendor.
V-62229 High JBoss management interfaces must be secured.
V-62261 High JBoss process owner interactive access must be restricted.
V-62227 High The JBoss server must be configured with Role Based Access Controls.
V-62225 High The Java Security Manager must be enabled for the JBoss application server.
V-62221 High Silent Authentication must be removed from the Default Application Security Realm.
V-62311 Medium Production JBoss servers must not allow automatic application deployment.
V-62289 Medium JBoss KeyStore and Truststore passwords must not be stored in clear text.
V-62293 Medium JBoss must utilize encryption when using LDAP for authentication.
V-62245 Medium JBoss must be configured to record the IP address and port information used by management interface network traffic.
V-62281 Medium The JBoss server must be configured to use individual accounts and not generic or shared accounts.
V-62291 Medium LDAP enabled security realm value allow-empty-passwords must be set to false.
V-62267 Medium JBoss QuickStarts must be removed.
V-62283 Medium The JBoss server must be configured to bind the management interfaces to only management networks.
V-62275 Medium JBoss application and management ports must be approved by the PPSM CAL.
V-62231 Medium The JBoss server must generate log records for access and authentication events to the management interface.
V-62277 Medium The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.
V-62279 Medium The JBoss Server must be configured to use certificates to authenticate admins.
V-62273 Medium Any unapproved applications must be removed.
V-62249 Medium JBoss ROOT logger must be configured to utilize the appropriate logging level.
V-62297 Medium The JBoss server must separate hosted application functionality from application server management functionality.
V-62295 Medium The JBoss server must be configured to restrict access to the web server's private key to authenticated system administrators.
V-62301 Medium Access to JBoss log files must be restricted to authorized users.
V-62233 Medium JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.
V-62303 Medium Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller.
V-62309 Medium The JBoss server must be configured to utilize syslog logging.
V-62215 Medium HTTPS must be enabled for JBoss web interfaces.
V-62259 Medium mgmt-users.properties file permissions must be set to allow access to authorized users only.
V-62235 Medium JBoss must be configured to initiate session logging upon startup.
V-62237 Medium JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.
V-62341 Medium JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events.
V-62251 Medium File permissions must be configured to protect log information from any type of unauthorized read access.
V-62335 Medium JBoss must be configured to generate log records for privileged activities.
V-62345 Medium JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis.
V-62255 Medium File permissions must be configured to protect log information from unauthorized deletion.
V-62323 Medium JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.
V-62239 Medium JBoss must be configured to produce log records containing information to establish what type of events occurred.
V-62321 Medium JBoss must be configured to use an approved TLS version.
V-62253 Medium File permissions must be configured to protect log information from unauthorized modification.
V-62241 Medium JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.
V-62243 Medium JBoss must be configured to produce log records that establish which hosted application triggered the events.
V-62343 Medium The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
V-62257 Medium JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.
V-62073 Medium HTTP management session traffic must be encrypted.
V-62263 Medium Google Analytics must be disabled in EAP Console.
V-62319 Medium The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.
V-62269 Medium Remote access to JMX subsystem must be disabled.
V-62299 Medium JBoss file permissions must be configured to protect the confidentiality and integrity of application files.
V-62307 Medium The JBoss server must be configured to log all admin activity.
V-62333 Medium JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur.
V-62339 Medium JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface.
V-62247 Medium The application server must produce log records that contain sufficient information to establish the outcome of events.
V-62287 Medium The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.
V-62317 Medium JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
V-62315 Medium Production JBoss servers must log when successful application deployments occur.
V-62305 Medium The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-62219 Medium Users in JBoss Management Security Realms must be in the appropriate role.
V-62331 Medium JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur.
V-62285 Medium JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.
V-62337 Medium JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface.
V-62313 Medium Production JBoss servers must log when failed application deployments occur.
V-62329 Medium JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur.
V-62271 Low Welcome Web Application must be disabled.