UCF STIG Viewer Logo

The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62305 JBOS-AS-000475 SV-76795r1_rule Medium
Description
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Restricting non-privileged users also prevents an attacker who has gained access to a non-privileged account, from elevating privileges, creating accounts, and performing system checks and maintenance.
STIG Date
JBoss EAP 6.3 Security Technical Implementation Guide 2020-06-12

Details

Check Text ( C-63109r1_chk )
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the /bin/ folder.
Run the jboss-cli script.
Connect to the server and authenticate.

Run the following command:

For standalone servers:
"ls /core-service=management/access=authorization/"

For managed domain installations:
"ls /host=master/core-service=management/access=authorization/"

If the "provider" attribute is not set to "rbac", this is a finding.
Fix Text (F-68225r1_fix)
Run the following command.
/bin/jboss-cli.sh -c -> connect -> cd /core-service=management/access-authorization :write-attribute(name=provider, value=rbac)

Restart JBoss.

Map users to roles by running the following command. Upper-case words are variables.

role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)