
The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.


Overview

Finding ID: V-62287
Version: JBOS-AS-000295
Rule ID: SV-76777r1_rule
IA Controls: (not listed)
Severity: Medium
Description
JBoss EAP 6 has a Password Vault to encrypt sensitive strings, store them in an encrypted keystore, and decrypt them for applications and verification systems. Plain-text configuration files, such as XML deployment descriptors, need to specify passwords and other sensitive information. Use the JBoss EAP Password Vault so that such sensitive strings are held encrypted in the vault and only referenced from the plain-text files, rather than written into them in the clear.
STIG: JBoss EAP 6.3 Security Technical Implementation Guide
Date: 2017-03-20

Details

Check Text (C-63091r1_chk)
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the /bin/ folder.
Run the jboss-cli script.
Connect to the server and authenticate.
Run the command:

"ls /core-service=vault"

If "code=undefined" and "module=undefined", this is a finding.
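The check above can be scripted. The following is an added example, not part of the STIG, that runs the query through jboss-cli and applies the finding rule to the captured output. The JBOSS_HOME default, the JBOSS_USER and JBOSS_PASS variables and the sample output are assumptions of the example; the jboss-cli options used (--connect, --user, --password, --command) are the real ones.

```shell
#!/bin/sh
# Added example (not from the STIG): automate check C-63091r1_chk.
# Assumed: JBOSS_HOME points at the EAP 6.3 install and the management
# user's credentials are supplied in JBOSS_USER / JBOSS_PASS.
JBOSS_HOME="${JBOSS_HOME:-/opt/jboss-eap-6.3}"

# Run "ls /core-service=vault" through jboss-cli against a live server
# and print the CLI's output on stdout.
query_vault() {
  "$JBOSS_HOME/bin/jboss-cli.sh" --connect \
    --user="$JBOSS_USER" --password="$JBOSS_PASS" \
    --command="ls /core-service=vault"
}

# Apply the STIG rule to captured output: it is a finding (return 1)
# when both the line "code=undefined" and the line "module=undefined"
# appear; otherwise the rule passes (return 0).
vault_check() {
  out="$1"
  if printf '%s\n' "$out" | grep -qx 'code=undefined' &&
     printf '%s\n' "$out" | grep -qx 'module=undefined'; then
    echo "FINDING V-62287: /core-service=vault reports code=undefined and module=undefined"
    return 1
  fi
  echo "PASS V-62287: /core-service=vault reports a vault implementation"
  return 0
}

# Constructed sample output (not captured from a real server) so the
# evaluation logic can be exercised without a running JBoss instance.
SAMPLE_FINDING='code=undefined
module=undefined'

# Run against the live server with "live"; otherwise evaluate the sample.
if [ "${1:-}" = "live" ]; then
  vault_check "$(query_vault)"
else
  vault_check "$SAMPLE_FINDING" || echo "exit status $? marks the finding"
fi
```

Run the script as `sh vault_check.sh live` on the JBoss host to evaluate the real server; without an argument it only evaluates the constructed sample and shows how a finding is reported.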
Fix Text (F-68207r1_fix)
Configure the application server to use the Java keystore and JBoss vault as per section 11.13.1 (Password Vault System) of the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.

1. Create a Java keystore.
2. Mask the keystore password and initialize the password vault.
3. Configure JBoss to use the password vault.
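The three fix steps, as an added example that is not the STIG's or Red Hat's own script. keytool, vault.sh and the `/core-service=vault:add` CLI syntax are the real EAP 6 tools and options; the JBOSS_HOME default, the vault directory, the alias "vault", the salt "1234abcd", the iteration count 120, the KEYSTORE_PASS and DB_PASSWORD variables and the placeholder mask are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the STIG or the Red Hat guide): the fix as
# shell functions. Assumed: JBOSS_HOME, the vault directory under it,
# alias "vault", salt "1234abcd", 120 iterations; the keystore password
# is read from KEYSTORE_PASS and the secret to store from DB_PASSWORD.
JBOSS_HOME="${JBOSS_HOME:-/opt/jboss-eap-6.3}"
VAULT_DIR="$JBOSS_HOME/vault"
KEYSTORE="$VAULT_DIR/vault.keystore"
ALIAS=vault; SALT=1234abcd; ITER=120

# Step 1: create a JCEKS keystore holding an AES secret key for the vault.
create_keystore() {
  mkdir -p "$VAULT_DIR"
  keytool -genseckey -alias "$ALIAS" -storetype jceks -keyalg AES -keysize 128 \
    -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS" -validity 730 \
    -keystore "$KEYSTORE"
}

# Step 2: initialise the vault and store one secret ($1 = vault block,
# $2 = attribute name, $3 = clear value). vault.sh prints the masked
# keystore password (MASK-...) and the ${VAULT::...} reference to use.
store_secret() {
  "$JBOSS_HOME/bin/vault.sh" --keystore "$KEYSTORE" --keystore-password "$KEYSTORE_PASS" \
    --alias "$ALIAS" --vault-block "$1" --attribute "$2" --sec-attr "$3" \
    --enc-dir "$VAULT_DIR/" --iteration "$ITER" --salt "$SALT"
}

# Step 3 helper: build the CLI command that registers the vault
# ($1 = masked keystore password). Refuses an unmasked password so the
# clear keystore password never lands in standalone.xml or host.xml.
vault_add_command() {
  masked="$1"
  case "$masked" in
    MASK-*) ;;
    *) echo "refusing unmasked keystore password" >&2; return 1 ;;
  esac
  printf '/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "%s"), ("KEYSTORE_PASSWORD" => "%s"), ("KEYSTORE_ALIAS" => "%s"), ("SALT" => "%s"), ("ITERATION_COUNT" => "%s"), ("ENC_FILE_DIR" => "%s/")])\n' \
    "$KEYSTORE" "$masked" "$ALIAS" "$SALT" "$ITER" "$VAULT_DIR"
}

# The expression a datasource or deployment descriptor uses in place of
# the clear-text value ($1 = vault block, $2 = attribute name).
vault_ref() { printf '${VAULT::%s::%s::1}' "$1" "$2"; }

# Step 3: register the vault on a running server ($1 = masked password
# as printed by vault.sh in step 2).
configure_vault() {
  "$JBOSS_HOME/bin/jboss-cli.sh" --connect --command="$(vault_add_command "$1")"
}

# Only touch the real tools when invoked with "run"; afterwards call
# configure_vault with the MASK-... value vault.sh printed. The default
# path just shows the command and reference that would be produced.
if [ "${1:-}" = "run" ]; then
  create_keystore
  store_secret vb password "$DB_PASSWORD"
else
  vault_add_command "MASK-placeholder"   # placeholder, not a real mask
  vault_ref vb password; echo
fi
```

After step 3 the datasource or descriptor replaces the clear password with the printed `${VAULT::vb::password::1}` expression, and the check `ls /core-service=vault` then shows the registered vault options instead of an undefined resource.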