JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-213529	JBOS-AS-000290	SV-213529r615939_rule		Medium

Description
JBoss EAP provides a security realm called ManagementRealm. By default, this realm uses the mgmt-users.properties file for authentication. Using file-based authentication does not allow the JBoss server to be in compliance with a wide range of user management requirements such as automatic disabling of inactive accounts as per DoD policy. To address this issue, the management interfaces used to manage the JBoss server must be associated with a security realm that provides centralized authentication management. Examples are AD or LDAP. Management of user identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). It is commonly the case that a user account is the name of an information system account associated with an individual.

Description

JBoss EAP provides a security realm called ManagementRealm. By default, this realm uses the mgmt-users.properties file for authentication. Using file-based authentication does not allow the JBoss server to be in compliance with a wide range of user management requirements such as automatic disabling of inactive accounts as per DoD policy. To address this issue, the management interfaces used to manage the JBoss server must be associated with a security realm that provides centralized authentication management. Examples are AD or LDAP. Management of user identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). It is commonly the case that a user account is the name of an information system account associated with an individual.

STIG	Date
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide	2021-11-23

Details

Check Text ( C-14752r296253_chk )
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the /bin/ folder. Run the jboss-cli script. Connect to the server and authenticate. Obtain the list of management interfaces by running the command: "ls /core-service=management/management-interface" Identify the security realm used by each management interface configuration by running the command: "ls /core-service=management/management-interface=" Determine if the security realm assigned to the management interface uses LDAP for authentication by running the command: "ls /core-service=management/security-realm=/authentication" If the security realm assigned to the management interface does not utilize LDAP for authentication, this is a finding.

Check Text ( C-14752r296253_chk )

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the /bin/ folder.
Run the jboss-cli script.
Connect to the server and authenticate.

Obtain the list of management interfaces by running the command:
"ls /core-service=management/management-interface"

Identify the security realm used by each management interface configuration by running the command:
"ls /core-service=management/management-interface="

Determine if the security realm assigned to the management interface uses LDAP for authentication by running the command:
"ls /core-service=management/security-realm=/authentication"

If the security realm assigned to the management interface does not utilize LDAP for authentication, this is a finding.

Fix Text (F-14750r296254_fix)
Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document. 1. Create an outbound connection to the LDAP server. 2. Create an LDAP-enabled security realm. 3. Reference the new security domain in the Management Interface.