UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

JBoss EAP 6.3 Security Technical Implementation Guide


Overview

Date Finding Count (67)
2019-01-02 CAT I (High): 10 CAT II (Med): 56 CAT III (Low): 1
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-62265 High JBoss process owner execution permissions must be limited.
V-62327 High The JRE installed on the JBoss server must be kept up to date.
V-62217 High Java permissions must be set for hosted applications.
V-62223 High Silent Authentication must be removed from the Default Management Security Realm.
V-62325 High Production JBoss servers must be supported by the vendor.
V-62229 High JBoss management interfaces must be secured.
V-62261 High JBoss process owner interactive access must be restricted.
V-62227 High The JBoss server must be configured with Role Based Access Controls.
V-62225 High The Java Security Manager must be enabled for the JBoss application server.
V-62221 High Silent Authentication must be removed from the Default Application Security Realm.
V-62311 Medium Production JBoss servers must not allow automatic application deployment.
V-62289 Medium JBoss KeyStore and Truststore passwords must not be stored in clear text.
V-62293 Medium JBoss must utilize encryption when using LDAP for authentication.
V-62245 Medium JBoss must be configured to record the IP address and port information used by management interface network traffic.
V-62281 Medium The JBoss server must be configured to use individual accounts and not generic or shared accounts.
V-62291 Medium LDAP enabled security realm value allow-empty-passwords must be set to false.
V-62267 Medium JBoss QuickStarts must be removed.
V-62283 Medium The JBoss server must be configured to bind the management interfaces to only management networks.
V-62275 Medium JBoss application and management ports must be approved by the PPSM CAL.
V-62231 Medium The JBoss server must generate log records for access and authentication events to the management interface.
V-62277 Medium The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.
V-62279 Medium The JBoss Server must be configured to use certificates to authenticate admins.
V-62273 Medium Any unapproved applications must be removed.
V-62249 Medium JBoss ROOT logger must be configured to utilize the appropriate logging level.
V-62297 Medium The JBoss server must separate hosted application functionality from application server management functionality.
V-62295 Medium The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators.
V-62301 Medium Access to JBoss log files must be restricted to authorized users.
V-62233 Medium JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.
V-62303 Medium Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller.
V-62309 Medium The JBoss server must be configured to utilize syslog logging.
V-62215 Medium HTTPS must be enabled for JBoss web interfaces.
V-62259 Medium mgmt-users.properties file permissions must be set to allow access to authorized users only.
V-62235 Medium JBoss must be configured to initiate session logging upon startup.
V-62237 Medium JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.
V-62341 Medium JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events.
V-62251 Medium File permissions must be configured to protect log information from any type of unauthorized read access.
V-62335 Medium JBoss must be configured to generate log records for privileged activities.
V-62345 Medium JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis.
V-62255 Medium File permissions must be configured to protect log information from unauthorized deletion.
V-62323 Medium JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.
V-62239 Medium JBoss must be configured to produce log records containing information to establish what type of events occurred.
V-62321 Medium JBoss must be configured to use an approved TLS version.
V-62253 Medium File permissions must be configured to protect log information from unauthorized modification.
V-62241 Medium JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.
V-62243 Medium JBoss must be configured to produce log records that establish which hosted application triggered the events.
V-62343 Medium The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
V-62257 Medium JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.
V-62073 Medium HTTP management session traffic must be encrypted.
V-62263 Medium Google Analytics must be disabled in EAP Console.
V-62319 Medium The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.
V-62269 Medium Remote access to JMX subsystem must be disabled.
V-62299 Medium JBoss file permissions must be configured to protect the confidentiality and integrity of application files.
V-62307 Medium The JBoss server must be configured to log all admin activity.
V-62333 Medium JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur.
V-62339 Medium JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface.
V-62247 Medium The application server must produce log records that contain sufficient information to establish the outcome of events.
V-62287 Medium The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.
V-62317 Medium JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
V-62315 Medium Production JBoss servers must log when successful application deployments occur.
V-62305 Medium The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-62219 Medium Users in JBoss Management Security Realms must be in the appropriate role.
V-62331 Medium JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur.
V-62285 Medium JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.
V-62337 Medium JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface.
V-62313 Medium Production JBoss servers must log when failed application deployments occur.
V-62329 Medium JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur.
V-62271 Low Welcome Web Application must be disabled.