UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Java Security Manager must be enabled for the JBoss application server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-213497 JBOS-AS-000030 SV-213497r954708_rule High
Description
The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM. The Java Security Manager uses a security policy to determine whether a given action will be permitted or denied. To protect the host system, the JBoss application server must be run within the Java Security Manager.
STIG Date
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide 2024-02-26

Details

Check Text ( C-14720r296157_chk )
To determine if the Java Security Manager is enabled for JBoss, you must examine the startup commands. JBoss can be configured to run in either "domain" or a "standalone" mode. JBOSS_HOME is the variable home directory for the JBoss installation. Use relevant OS commands to navigate the file system.

A. For a managed domain installation, review the domain.conf and domain.conf.bat files:

JBOSS_HOME/bin/domain.conf
JBOSS_HOME/bin/domain.conf.bat

In domain.conf file, ensure there is a JAVA_OPTS flag that loads the Java Security Manager as well as a relevant Java Security policy. The following is an example:

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true"

In domain.conf.bat file, ensure JAVA_OPTS flag is set. The following is an example:

set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true"

B. For a standalone installation, review the standalone.conf and standalone.conf.bat files:

JBOSS_HOME/bin/standalone.conf
JBOSS_HOME/bin/standalone.conf.bat

In the standalone.conf file, ensure the JAVA_OPTS flag is set. The following is an example:

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true"

In the standalone.conf.bat file, ensure the JAVA_OPTS flag is set. The following is an example:

set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME% -Djboss.modules.policy-permissions=true"

If the security manager is not enabled and a security policy not defined, this is a finding.
Fix Text (F-14718r296158_fix)
For a domain installation:
Enable the respective JAVA_OPTS flag in both the domain.conf and the domain.conf.bat files.

For a standalone installation:
Enable the respective JAVA_OPTS flag in both the standalone.conf and the standalone.conf.bat files.