JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide


Overview

Date: 2021-11-23
Finding Count: 67 (CAT I (High): 10, CAT II (Med): 56, CAT III (Low): 1)
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-213496 High Java permissions must be set for hosted applications.
V-213497 High The Java Security Manager must be enabled for the JBoss application server.
V-213498 High The JBoss server must be configured with Role Based Access Controls.
V-213500 High Silent Authentication must be removed from the Default Application Security Realm.
V-213518 High JBoss process owner interactive access must be restricted.
V-213550 High The JRE installed on the JBoss server must be kept up to date.
V-213549 High Production JBoss servers must be supported by the vendor.
V-213502 High JBoss management interfaces must be secured.
V-213520 High JBoss process owner execution permissions must be limited.
V-213501 High Silent Authentication must be removed from the Default Management Security Realm.
V-213494 Medium HTTP management session traffic must be encrypted.
V-213495 Medium HTTPS must be enabled for JBoss web interfaces.
V-213528 Medium The JBoss server must be configured to use individual accounts and not generic or shared accounts.
V-217099 Medium The JBoss server must be configured to bind the management interfaces to only management networks.
V-213536 Medium JBoss file permissions must be configured to protect the confidentiality and integrity of application files.
V-213499 Medium Users in JBoss Management Security Realms must be in the appropriate role.
V-213531 Medium JBoss KeyStore and Truststore passwords must not be stored in clear text.
V-213519 Medium Google Analytics must be disabled in EAP Console.
V-213535 Medium The JBoss server must separate hosted application functionality from application server management functionality.
V-213534 Medium The JBoss server must be configured to restrict access to the web server's private key to authenticated system administrators.
V-213537 Medium Access to JBoss log files must be restricted to authorized users.
V-213513 Medium File permissions must be configured to protect log information from any type of unauthorized read access.
V-213512 Medium JBoss ROOT logger must be configured to utilize the appropriate logging level.
V-213511 Medium The application server must produce log records that contain sufficient information to establish the outcome of events.
V-213510 Medium JBoss must be configured to record the IP address and port information used by management interface network traffic.
V-213517 Medium mgmt-users.properties file permissions must be set to allow access to authorized users only.
V-213516 Medium JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.
V-213515 Medium File permissions must be configured to protect log information from unauthorized deletion.
V-213558 Medium The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
V-213503 Medium The JBoss server must generate log records for access and authentication events to the management interface.
V-213522 Medium Remote access to JMX subsystem must be disabled.
V-213507 Medium JBoss must be configured to produce log records containing information to establish what type of events occurred.
V-213538 Medium Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller.
V-213506 Medium JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.
V-213544 Medium Production JBoss servers must log when successful application deployments occur.
V-213514 Medium File permissions must be configured to protect log information from unauthorized modification.
V-213530 Medium The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.
V-213551 Medium JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur.
V-213508 Medium JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.
V-213545 Medium JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
V-213546 Medium The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.
V-213547 Medium JBoss must be configured to use an approved TLS version.
V-213540 Medium The JBoss server must be configured to log all admin activity.
V-213541 Medium The JBoss server must be configured to utilize syslog logging.
V-213542 Medium Production JBoss servers must not allow automatic application deployment.
V-213543 Medium Production JBoss servers must log when failed application deployments occur.
V-213526 Medium The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.
V-213527 Medium The JBoss Server must be configured to use certificates to authenticate admins.
V-213524 Medium Any unapproved applications must be removed.
V-213525 Medium JBoss application and management ports must be approved by the PPSM CAL.
V-213548 Medium JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.
V-213521 Medium JBoss QuickStarts must be removed.
V-213557 Medium JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events.
V-213533 Medium JBoss must utilize encryption when using LDAP for authentication.
V-213529 Medium JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.
V-213509 Medium JBoss must be configured to produce log records that establish which hosted application triggered the events.
V-213556 Medium JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface.
V-213532 Medium LDAP enabled security realm value allow-empty-passwords must be set to false.
V-213555 Medium JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface.
V-213559 Medium JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis.
V-213554 Medium JBoss must be configured to generate log records for privileged activities.
V-213504 Medium JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.
V-213505 Medium JBoss must be configured to initiate session logging upon startup.
V-213539 Medium The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-213553 Medium JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur.
V-213552 Medium JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur.
V-213523 Low Welcome Web Application must be disabled.