UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

JBoss process owner execution permissions must be limited.


Overview

Finding ID Version Rule ID IA Controls Severity
V-213520 JBOS-AS-000230 SV-213520r615939_rule High
Description
JBoss EAP application server can be run as the OS admin, which is not advised. Running the application server with admin privileges increases the attack surface by granting the application server more rights than it requires in order to operate. If the server is compromised, the attacker will have the same rights as the application server, which in that case would be admin rights. The JBoss EAP server must not be run as the admin user.
STIG Date
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide 2021-11-23

Details

Check Text ( C-14743r296226_chk )
The script that is used to start JBoss determines the mode in which JBoss will operate, which will be in either in standalone mode or domain mode. Both scripts are installed by default in the /bin/ folder.

In addition to running the JBoss server as an interactive script launched from the command line, JBoss can also be started as a service.

The scripts used to start JBoss are:
Red Hat:
standalone.sh
domain.sh

Windows:
standalone.bat
domain.bat

Use the relevant OS commands to determine JBoss ownership.

When running as a process:
Red Hat: "ps -ef|grep -i jboss".
Windows: "services.msc".

Search for the JBoss process, which by default is named "JBOSSEAP6".

If the user account used to launch the JBoss script or start the JBoss process has admin rights on the system, this is a finding.
Fix Text (F-14741r296227_fix)
Run the JBoss server with non-admin rights.