Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-62303	JBOS-AS-000470	SV-76793r1_rule		Medium

Description
When configuring JBoss application servers into a domain configuration, HTTP management capabilities are not required on domain member servers as management is done via the server that has been designated as the domain controller. Leaving HTTP management capabilities enabled on domain member servers increases the attack surfaces; therefore, management services on domain member servers must be disabled and management services performed via the domain controller.

Description

When configuring JBoss application servers into a domain configuration, HTTP management capabilities are not required on domain member servers as management is done via the server that has been designated as the domain controller. Leaving HTTP management capabilities enabled on domain member servers increases the attack surfaces; therefore, management services on domain member servers must be disabled and management services performed via the domain controller.

STIG	Date
JBoss EAP 6.3 Security Technical Implementation Guide	2020-06-12

Details

Check Text ( C-63107r1_chk )
Log on to each of the JBoss domain member servers. Note: Sites that manage systems using the JBoss Operations Network client require HTTP interface access. It is acceptable that the management console alone be disabled rather than disabling the entire interface itself. Run the /bin/jboss-cli command line interface utility and connect to the JBoss server. Run the following command: ls /core-service=management/management-interface=httpinterface/ If "console-enabled=true", this is a finding.

Check Text ( C-63107r1_chk )

Log on to each of the JBoss domain member servers.

Note: Sites that manage systems using the JBoss Operations Network client require HTTP interface access. It is acceptable that the management console alone be disabled rather than disabling the entire interface itself.

Run the /bin/jboss-cli command line interface utility and connect to the JBoss server.
Run the following command:
ls /core-service=management/management-interface=httpinterface/

If "console-enabled=true", this is a finding.

Fix Text (F-68223r1_fix)
Run the /bin/jboss-cli command line interface utility. Connect to the JBoss server and run the following command. /core-service=management/management-interface=httpinterface/:write-attribute(name=console-enabled,value=false) Successful command execution returns {"outcome" => "success"}, and future attempts to access the management console via web browser at :9990 will result in no access to the admin console.

Fix Text (F-68223r1_fix)

Run the /bin/jboss-cli command line interface utility.
Connect to the JBoss server and run the following command.
/core-service=management/management-interface=httpinterface/:write-attribute(name=console-enabled,value=false)

Successful command execution returns
{"outcome" => "success"}, and future attempts to access the management console via web browser at :9990 will result in no access to the admin console.