mgmt-users.properties file permissions must be set to allow access to authorized users only.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62259	JBOS-AS-000210	SV-76749r1_rule		Medium

Description
The mgmt-users.properties file contains the password hashes of all users who are in a management role and must be protected. Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.

Description

The mgmt-users.properties file contains the password hashes of all users who are in a management role and must be protected. Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.

STIG	Date
JBoss EAP 6.3 Security Technical Implementation Guide	2020-06-12

Details

Check Text ( C-63063r1_chk )
The mgmt-users.properties files are located in the standalone or domain configuration folder. /domain/configuration/mgmt-users.properties. /standalone/configuration/mgmt-users.properties. Identify users who have access to the files using relevant OS commands. Obtain documentation from system admin identifying authorized users. Owner can be full access. Group can be full access. All others must have execute permissions only. If the file permissions are not configured so as to restrict access to only authorized users, or if documentation that identifies authorized users is missing, this is a finding.

Check Text ( C-63063r1_chk )

The mgmt-users.properties files are located in the standalone or domain configuration folder.

/domain/configuration/mgmt-users.properties.
/standalone/configuration/mgmt-users.properties.

Identify users who have access to the files using relevant OS commands.

Obtain documentation from system admin identifying authorized users.

Owner can be full access.
Group can be full access.
All others must have execute permissions only.

If the file permissions are not configured so as to restrict access to only authorized users, or if documentation that identifies authorized users is missing, this is a finding.

Fix Text (F-68179r1_fix)
Configure the file permissions to allow access to authorized users only. Owner can be full access. Group can be full access. All others must have execute permissions only.