Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-213520 | JBOS-AS-000230 | SV-213520r615939_rule | High |
Description |
---|
JBoss EAP application server can be run as the OS admin, which is not advised. Running the application server with admin privileges increases the attack surface by granting the application server more rights than it requires in order to operate. If the server is compromised, the attacker will have the same rights as the application server, which in that case would be admin rights. The JBoss EAP server must not be run as the admin user. |
STIG | Date |
---|---|
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide | 2020-12-11 |
Check Text ( C-14743r296226_chk ) |
---|
The script that is used to start JBoss determines the mode in which JBoss will operate, which will be in either in standalone mode or domain mode. Both scripts are installed by default in the In addition to running the JBoss server as an interactive script launched from the command line, JBoss can also be started as a service. The scripts used to start JBoss are: Red Hat: standalone.sh domain.sh Windows: standalone.bat domain.bat Use the relevant OS commands to determine JBoss ownership. When running as a process: Red Hat: "ps -ef|grep -i jboss". Windows: "services.msc". Search for the JBoss process, which by default is named "JBOSSEAP6". If the user account used to launch the JBoss script or start the JBoss process has admin rights on the system, this is a finding. |
Fix Text (F-14741r296227_fix) |
---|
Run the JBoss server with non-admin rights. |