JBoss process owner execution permissions must be limited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-213520	JBOS-AS-000230	SV-213520r615939_rule		High

Description
JBoss EAP application server can be run as the OS admin, which is not advised. Running the application server with admin privileges increases the attack surface by granting the application server more rights than it requires in order to operate. If the server is compromised, the attacker will have the same rights as the application server, which in that case would be admin rights. The JBoss EAP server must not be run as the admin user.

Description

JBoss EAP application server can be run as the OS admin, which is not advised. Running the application server with admin privileges increases the attack surface by granting the application server more rights than it requires in order to operate. If the server is compromised, the attacker will have the same rights as the application server, which in that case would be admin rights. The JBoss EAP server must not be run as the admin user.

STIG	Date
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide	2021-11-23

Details

Check Text ( C-14743r296226_chk )
The script that is used to start JBoss determines the mode in which JBoss will operate, which will be in either in standalone mode or domain mode. Both scripts are installed by default in the /bin/ folder. In addition to running the JBoss server as an interactive script launched from the command line, JBoss can also be started as a service. The scripts used to start JBoss are: Red Hat: standalone.sh domain.sh Windows: standalone.bat domain.bat Use the relevant OS commands to determine JBoss ownership. When running as a process: Red Hat: "ps -ef\|grep -i jboss". Windows: "services.msc". Search for the JBoss process, which by default is named "JBOSSEAP6". If the user account used to launch the JBoss script or start the JBoss process has admin rights on the system, this is a finding.

Check Text ( C-14743r296226_chk )

The script that is used to start JBoss determines the mode in which JBoss will operate, which will be in either in standalone mode or domain mode. Both scripts are installed by default in the /bin/ folder.

In addition to running the JBoss server as an interactive script launched from the command line, JBoss can also be started as a service.

The scripts used to start JBoss are:
Red Hat:
standalone.sh
domain.sh

Windows:
standalone.bat
domain.bat

Use the relevant OS commands to determine JBoss ownership.

When running as a process:
Red Hat: "ps -ef|grep -i jboss".
Windows: "services.msc".

Search for the JBoss process, which by default is named "JBOSSEAP6".

If the user account used to launch the JBoss script or start the JBoss process has admin rights on the system, this is a finding.

Fix Text (F-14741r296227_fix)
Run the JBoss server with non-admin rights.