Users in JBoss Management Security Realms must be in the appropriate role.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62219	JBOS-AS-000040	SV-76709r1_rule		Medium

Description
Security realms are a series of mappings between users and passwords and users and roles. There are 2 JBoss security realms provided by default; they are "management realm" and "application realm". Management realm stores authentication information for the management API, which provides functionality for the web-based management console and the management command line interface (CLI). mgmt-groups.properties stores user to group mapping for the ManagementRealm but only when role-based access controls (RBAC) is enabled. If management users are not in the appropriate role, unauthorized access to JBoss resources can occur.

Description

Security realms are a series of mappings between users and passwords and users and roles. There are 2 JBoss security realms provided by default; they are "management realm" and "application realm". Management realm stores authentication information for the management API, which provides functionality for the web-based management console and the management command line interface (CLI). mgmt-groups.properties stores user to group mapping for the ManagementRealm but only when role-based access controls (RBAC) is enabled. If management users are not in the appropriate role, unauthorized access to JBoss resources can occur.

STIG	Date
JBoss EAP 6.3 Security Technical Implementation Guide	2017-03-20

Details

Check Text ( C-63023r1_chk )
Review the mgmt-users.properties file. Also review the section in the standalone.xml or domain.xml configuration files. The relevant xml file will depend on if the JBoss server is configured in standalone or domain mode. Ensure all users listed in these files are approved for management access to the JBoss server and are in the appropriate role. For domain configurations: /domain/configuration/mgmt-users.properties. /domain/configuration/domain.xml For standalone configurations: /standalone/configuration/mgmt-users.properties. /standalone/configuration/standalone.xml If the users listed are not in the appropriate role, this is a finding.

Check Text ( C-63023r1_chk )

Review the mgmt-users.properties file. Also review the section in the standalone.xml or domain.xml configuration files. The relevant xml file will depend on if the JBoss server is configured in standalone or domain mode.

Ensure all users listed in these files are approved for management access to the JBoss server and are in the appropriate role.

For domain configurations:
/domain/configuration/mgmt-users.properties.
/domain/configuration/domain.xml

For standalone configurations:
/standalone/configuration/mgmt-users.properties.
/standalone/configuration/standalone.xml

If the users listed are not in the appropriate role, this is a finding.

Fix Text (F-68139r1_fix)
Document approved management users and their roles. Configure the application server to use RBAC and ensure users are placed into the appropriate roles.