Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-62305 | JBOS-AS-000475 | SV-76795r1_rule | Medium |
| Description |
|---|
| Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Restricting non-privileged users also prevents an attacker who has gained access to a non-privileged account, from elevating privileges, creating accounts, and performing system checks and maintenance. |
| STIG | Date |
|---|---|
| JBoss EAP 6.3 Security Technical Implementation Guide | 2017-03-20 |
Details
| Check Text ( C-63109r1_chk ) |
|---|
| Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the Run the jboss-cli script. Connect to the server and authenticate. Run the following command: For standalone servers: "ls /core-service=management/access=authorization/" For managed domain installations: "ls /host=master/core-service=management/access=authorization/" If the "provider" attribute is not set to "rbac", this is a finding. |
| Fix Text (F-68225r1_fix) |
|---|
| Run the following command. Restart JBoss. Map users to roles by running the following command. Upper-case words are variables. role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE) |