STIGQter: STIG Summary: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 22 Jan 2021

Users in JBoss Management Security Realms must be in the appropriate role.

DISA Rule

SV-213499r615939_rule

Vulnerability Number

V-213499

Group Title

SRG-APP-000033-AS-000024

Rule Version

JBOS-AS-000040

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Document approved management users and their roles. Configure the application server to use RBAC and ensure users are placed into the appropriate roles.

Check Contents

Review the mgmt-users.properties file. Also review the <management /> section in the standalone.xml or domain.xml configuration file. Which XML file is relevant depends on whether the JBoss server is configured in standalone or domain mode.

Ensure all users listed in these files are approved for management access to the JBoss server and are in the appropriate role.

For domain configurations:
<JBOSS_HOME>/domain/configuration/mgmt-users.properties
<JBOSS_HOME>/domain/configuration/domain.xml

For standalone configurations:
<JBOSS_HOME>/standalone/configuration/mgmt-users.properties
<JBOSS_HOME>/standalone/configuration/standalone.xml

If the users listed are not in the appropriate role, this is a finding.
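
One way to automate this review, as an added example that is not part of the STIG or of STIGQter: the script reads the user names from mgmt-users.properties content and the role mappings from the <access-control> element of the <management /> section, then compares both against an approved list. The file contents, user names and the APPROVED mapping are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop the XML namespace, which varies by version

def parse_mgmt_users(text):
    """User names from mgmt-users.properties content (username=hash lines)."""
    lines = (l.strip() for l in text.splitlines())
    return {l.split("=", 1)[0].strip() for l in lines if l and l[0] not in "#!" and "=" in l}

def parse_role_mappings(xml_text):
    """Return (provider, {user: {roles}}) from <management><access-control>."""
    provider, mapping = "simple", {}  # "simple" is the non-RBAC default provider
    for ac in (e for e in ET.fromstring(xml_text).iter() if _local(e) == "access-control"):
        provider = ac.get("provider", "simple")
        for role in (e for e in ac.iter() if _local(e) == "role"):
            for inc in (c for c in role if _local(c) == "include"):  # skip <exclude>
                for u in (c for c in inc if _local(c) == "user"):
                    mapping.setdefault(u.get("name"), set()).add(role.get("name"))
    return provider, mapping

def audit(users_text, xml_text, approved):
    """approved: {user: {roles}} from site documentation. Returns finding strings."""
    provider, mapping = parse_role_mappings(xml_text)
    findings = [] if provider == "rbac" else [f"access-control provider is '{provider}', not 'rbac'"]
    # Cover users defined in the realm file and users named only in a role mapping.
    for user in sorted(parse_mgmt_users(users_text) | set(mapping)):
        actual = mapping.get(user, set())
        if user not in approved:
            findings.append(f"{user}: not an approved management user")
        elif actual != approved[user]:
            findings.append(f"{user}: roles {sorted(actual)} != approved {sorted(approved[user])}")
    return findings

# Constructed sample data (not taken from a real server)
SAMPLE_USERS = """# constructed sample of mgmt-users.properties
admin=0123456789abcdef0123456789abcdef
jsmith=fedcba9876543210fedcba9876543210
tempops=00112233445566778899aabbccddeeff
"""
SAMPLE_XML = """<server xmlns="urn:jboss:domain:1.6"><management>
  <access-control provider="rbac"><role-mapping>
    <role name="SuperUser"><include><user name="admin"/><user name="jsmith"/></include></role>
    <role name="Monitor"><include><user name="tempops"/></include></role>
  </role-mapping></access-control>
</management></server>"""
APPROVED = {"admin": {"SuperUser"}, "jsmith": {"Monitor"}}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_USERS, SAMPLE_XML, APPROVED)) or "no findings")
```

Any string returned by `audit` corresponds to a user who is unapproved or in a role other than the documented one, which is the finding condition of this check.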

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3987

Comments