STIGQter: STIG Summary: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 22 Jan 2021

Java permissions must be set for hosted applications.

DISA Rule

SV-213496r615939_rule

Vulnerability Number

V-213496

Group Title

SRG-APP-000033-AS-000024

Rule Version

JBOS-AS-000025

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the Java security manager to enforce access restrictions to the host system resources in accordance with application design and resource requirements.

Check Contents

Obtain documentation from the admin that identifies the applications hosted on the JBoss server as well as the corresponding rights each application requires. For example, if an application requires network socket permissions and file write permissions, those requirements should be documented.

1. Identify the JBoss installation as either domain or standalone and review the relevant configuration file.
For domain installs: JBOSS_HOME/bin/domain.conf
For standalone installs: JBOSS_HOME/bin/standalone.conf

2. Identify the location and name of the security policy by reading the JAVA_OPTS flag -Djava.security.policy=<file name>, where <file name> indicates the name and location of the security policy. If the application uses a policy URL, obtain the URL and the policy file from the system admin.

3. Review the security policy and ensure the hosted applications have the appropriate restrictions placed on them, as per the documented application functionality requirements.

If the security policy does not restrict application access to host resources as per documented requirements, this is a finding.
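As an added example, not part of the STIG text, the following POSIX shell script performs steps 1 and 2 against constructed standalone.conf and domain.conf samples and reports the conditions the check treats as findings. The sample file contents, the temporary JBOSS_HOME, and the test for java.security.AllPermission (a grant that leaves the application unrestricted) are assumptions for illustration; the remaining grants still have to be compared by hand with the documented requirements.

```shell
#!/bin/sh
# Added example, not part of the STIG text: locate the Java security policy a
# JBoss EAP 6.3 install passes via JAVA_OPTS and flag the two cases the check
# above treats as findings: no -Djava.security.policy flag, or a policy that
# grants java.security.AllPermission (no restriction at all). The conf and
# policy files below are constructed samples; real ones live in JBOSS_HOME/bin.

# Print the -Djava.security.policy value from a conf file (empty if absent),
# ignoring comment lines and expanding $JBOSS_HOME to the given install root.
policy_from_conf() {
    conf=$1; home=$2
    grep -v '^[[:space:]]*#' "$conf" \
        | grep -o 'java\.security\.policy=\{1,2\}[^" ]*' \
        | head -n 1 \
        | sed -e 's/^java\.security\.policy=\{1,2\}//' \
              -e "s|\${JBOSS_HOME}|$home|g" -e "s|\$JBOSS_HOME|$home|g"
}

# Return 0 if the policy grants AllPermission, which defeats the restriction the
# rule requires; the remaining grants still need manual review against the docs.
policy_grants_all() {
    grep -v '^[[:space:]]*//' "$1" | grep -q 'java\.security\.AllPermission'
}

# Print a one-line verdict for one install (conf file, JBOSS_HOME).
check_install() {
    policy=$(policy_from_conf "$1" "$2")
    if [ -z "$policy" ]; then echo "FINDING: no -Djava.security.policy in $1"
    elif [ ! -r "$policy" ]; then echo "FINDING: policy $policy not readable"
    elif policy_grants_all "$policy"; then echo "FINDING: $policy grants AllPermission"
    else echo "PASS: $policy found; compare grants with documented requirements"
    fi
}

# Constructed samples: a standalone install with a scoped policy and a domain
# install that never sets a policy.
tmp=$(mktemp -d); mkdir -p "$tmp/bin"
cat > "$tmp/bin/server.policy" <<'EOF'
grant codeBase "file:${jboss.home.dir}/standalone/deployments/app.war/-" {
    permission java.net.SocketPermission "db.example.internal:5432", "connect,resolve";
    permission java.io.FilePermission "${jboss.server.data.dir}/app/-", "read,write";
};
EOF
cat > "$tmp/bin/standalone.conf" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$JBOSS_HOME/bin/server.policy"
EOF
printf 'JAVA_OPTS="$JAVA_OPTS -Xmx512m"\n' > "$tmp/bin/domain.conf"
check_install "$tmp/bin/standalone.conf" "$tmp"
check_install "$tmp/bin/domain.conf" "$tmp"
```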

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3987

Comments