UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide


Overview

Date Finding Count (67)
2024-02-26 CAT I (High): 10 CAT II (Med): 56 CAT III (Low): 1
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-213496 High Java permissions must be set for hosted applications.
V-213497 High The Java Security Manager must be enabled for the JBoss application server.
V-213498 High The JBoss server must be configured with Role Based Access Controls.
V-213500 High Silent Authentication must be removed from the Default Application Security Realm.
V-213518 High JBoss process owner interactive access must be restricted.
V-213550 High The JRE installed on the JBoss server must be kept up to date.
V-213549 High Production JBoss servers must be supported by the vendor.
V-213502 High JBoss management interfaces must be secured.
V-213520 High JBoss process owner execution permissions must be limited.
V-213501 High Silent Authentication must be removed from the Default Management Security Realm.
V-213494 Medium HTTP management session traffic must be encrypted.
V-213495 Medium HTTPS must be enabled for JBoss web interfaces.
V-213528 Medium The JBoss server must be configured to use individual accounts and not generic or shared accounts.
V-217099 Medium The JBoss server must be configured to bind the management interfaces to only management networks.
V-213536 Medium JBoss file permissions must be configured to protect the confidentiality and integrity of application files.
V-213499 Medium Users in JBoss Management Security Realms must be in the appropriate role.
V-213531 Medium JBoss KeyStore and Truststore passwords must not be stored in clear text.
V-213519 Medium Google Analytics must be disabled in EAP Console.
V-213535 Medium The JBoss server must separate hosted application functionality from application server management functionality.
V-213534 Medium The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators.
V-213537 Medium Access to JBoss log files must be restricted to authorized users.
V-213513 Medium File permissions must be configured to protect log information from any type of unauthorized read access.
V-213512 Medium JBoss ROOT logger must be configured to utilize the appropriate logging level.
V-213511 Medium The application server must produce log records that contain sufficient information to establish the outcome of events.
V-213510 Medium JBoss must be configured to record the IP address and port information used by management interface network traffic.
V-213517 Medium mgmt-users.properties file permissions must be set to allow access to authorized users only.
V-213516 Medium JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.
V-213515 Medium File permissions must be configured to protect log information from unauthorized deletion.
V-213558 Medium The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
V-213503 Medium The JBoss server must generate log records for access and authentication events to the management interface.
V-213522 Medium Remote access to JMX subsystem must be disabled.
V-213507 Medium JBoss must be configured to produce log records containing information to establish what type of events occurred.
V-213538 Medium Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller.
V-213506 Medium JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.
V-213544 Medium Production JBoss servers must log when successful application deployments occur.
V-213514 Medium File permissions must be configured to protect log information from unauthorized modification.
V-213530 Medium The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.
V-213551 Medium JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur.
V-213508 Medium JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.
V-213545 Medium JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
V-213546 Medium The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.
V-213547 Medium JBoss must be configured to use an approved TLS version.
V-213540 Medium The JBoss server must be configured to log all admin activity.
V-213541 Medium The JBoss server must be configured to utilize syslog logging.
V-213542 Medium Production JBoss servers must not allow automatic application deployment.
V-213543 Medium Production JBoss servers must log when failed application deployments occur.
V-213526 Medium The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.
V-213527 Medium The JBoss Server must be configured to use certificates to authenticate admins.
V-213524 Medium Any unapproved applications must be removed.
V-213525 Medium JBoss application and management ports must be approved by the PPSM CAL.
V-213548 Medium JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.
V-213521 Medium JBoss QuickStarts must be removed.
V-213557 Medium JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events.
V-213533 Medium JBoss must utilize encryption when using LDAP for authentication.
V-213529 Medium JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.
V-213509 Medium JBoss must be configured to produce log records that establish which hosted application triggered the events.
V-213556 Medium JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface.
V-213532 Medium LDAP enabled security realm value allow-empty-passwords must be set to false.
V-213555 Medium JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface.
V-213559 Medium JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis.
V-213554 Medium JBoss must be configured to generate log records for privileged activities.
V-213504 Medium JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.
V-213505 Medium JBoss must be configured to initiate session logging upon startup.
V-213539 Medium The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-213553 Medium JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur.
V-213552 Medium JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur.
V-213523 Low Welcome Web Application must be disabled.