UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Access to JBoss log files must be restricted to authorized users.


Overview

Finding ID Version Rule ID IA Controls Severity
V-213537 JBOS-AS-000425 SV-213537r956037_rule Medium
Description
If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.
STIG Date
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide 2024-02-26

Details

Check Text ( C-14760r956037_chk )
If the JBoss log folder is installed in the default location and 213514 (JBOS-AS-000170) is not a finding, the log folders are protected and this requirement is not a finding.

By default, JBoss installs its log files into a sub-folder of the "jboss-eap-6.3" home folder.

Using a UNIX like OS example, the default location for log files is:
JBOSS_HOME/standalone/log
JBOSS_HOME/domain/log

For a standalone configuration:
JBOSS_HOME/standalone/log/server.log" Contains all server log messages, including server startup messages.

For a domain configuration:
JBOSS_HOME/domain/log/hostcontroller.log
Host Controller boot log. Contains log messages related to the startup of the host controller.

JBOSS_HOME/domain/log/processcontroller.log
Process controller boot log. Contains log messages related to the startup of the process controller.

JBOSS_HOME/domain/servers/SERVERNAME/log/server.log
The server log for the named server. Contains all log messages for that server, including server startup messages.

Log on with an OS user account with JBoss access and permissions.

Navigate to the "Jboss-eap-6.3" folder using the relevant OS commands for either a UNIX like OS or a Windows OS.

Examine the permissions of the JBoss logs folders.

Owner can be full access.
Group can be full access.
All others must be restricted.

If the JBoss log folder is world readable or world writeable, this is a finding.
Fix Text (F-14758r296278_fix)
Configure file permissions on the JBoss log folder to protect from unauthorized access.