Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-213539 | JBOS-AS-000475 | SV-213539r955082_rule | Medium |
Description |
---|
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Restricting non-privileged users also prevents an attacker who has gained access to a non-privileged account, from elevating privileges, creating accounts, and performing system checks and maintenance. |
STIG | Date |
---|---|
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide | 2024-02-26 |
Check Text ( C-14762r296283_chk ) |
---|
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the Run the jboss-cli script. Connect to the server and authenticate. Run the following command: For standalone servers: "ls /core-service=management/access=authorization/" For managed domain installations: "ls /host=master/core-service=management/access=authorization/" If the "provider" attribute is not set to "rbac", this is a finding. |
Fix Text (F-14760r296284_fix) |
---|
Run the following command. Restart JBoss. Map users to roles by running the following command. Upper-case words are variables. role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE) |