Remote access to JMX subsystem must be disabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-213522	JBOS-AS-000240	SV-213522r615939_rule		Medium

Description
The JMX subsystem allows you to trigger JDK and application management operations remotely. In a managed domain configuration, the JMX subsystem is removed by default. For a standalone configuration, it is enabled by default and must be removed.

STIG	Date
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide	2021-11-23

Details

Check Text ( C-14745r296232_chk )
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the /bin/ folder. Run the jboss-cli script to start the Command Line Interface (CLI). Connect to the server and authenticate. For a Managed Domain configuration, you must check each profile name: For each PROFILE NAME, run the command: "ls /profile=/subsystem=jmx/remoting-connector" For a Standalone configuration: "ls /subsystem=jmx/remoting-connector" If "jmx" is returned, this is a finding.

Check Text ( C-14745r296232_chk )

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the /bin/ folder.
Run the jboss-cli script to start the Command Line Interface (CLI).
Connect to the server and authenticate.

For a Managed Domain configuration, you must check each profile name:

For each PROFILE NAME, run the command:
"ls /profile=/subsystem=jmx/remoting-connector"

For a Standalone configuration:
"ls /subsystem=jmx/remoting-connector"

If "jmx" is returned, this is a finding.

Fix Text (F-14743r296233_fix)
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the /bin/ folder. Run the jboss-cli script to start the Command Line Interface (CLI). Connect to the server and authenticate. For a Managed Domain configuration you must check each profile name: For each PROFILE NAME, run the command: "/profile=/subsystem=jmx/remoting-connector=jmx:remove" For a Standalone configuration: "/subsystem=jmx/remoting-connector=jmx:remove"

Fix Text (F-14743r296233_fix)

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the /bin/ folder.
Run the jboss-cli script to start the Command Line Interface (CLI).
Connect to the server and authenticate.

For a Managed Domain configuration you must check each profile name:

For each PROFILE NAME, run the command:
"/profile=/subsystem=jmx/remoting-connector=jmx:remove"

For a Standalone configuration:
"/subsystem=jmx/remoting-connector=jmx:remove"