Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-213499 | JBOS-AS-000040 | SV-213499r954708_rule | Medium |
Description |
---|
Security realms are a series of mappings between users and passwords and users and roles. There are 2 JBoss security realms provided by default; they are "management realm" and "application realm". Management realm stores authentication information for the management API, which provides functionality for the web-based management console and the management command line interface (CLI). mgmt-groups.properties stores user to group mapping for the ManagementRealm but only when role-based access controls (RBAC) is enabled. If management users are not in the appropriate role, unauthorized access to JBoss resources can occur. |
STIG | Date |
---|---|
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide | 2024-02-26 |
Check Text ( C-14722r296163_chk ) |
---|
Review the mgmt-users.properties file. Also review the Ensure all users listed in these files are approved for management access to the JBoss server and are in the appropriate role. For domain configurations: For standalone configurations: If the users listed are not in the appropriate role, this is a finding. |
Fix Text (F-14720r296164_fix) |
---|
Document approved management users and their roles. Configure the application server to use RBAC and ensure users are placed into the appropriate roles. |