STIGQter: STIG Summary: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

JBoss ROOT logger must be configured to utilize the appropriate logging level.

DISA Rule

SV-213512r615939_rule

Vulnerability Number

V-213512

Group Title

SRG-APP-000100-AS-000063

Rule Version

JBOS-AS-000135

Severity

CAT II

CCI(s)

CCI-001487 - The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.

Weight

Fix Recommendation

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
Run the jboss-cli script to start the Command Line Interface (CLI).
Connect to the server and authenticate.

The PROFILE NAMEs included with a Managed Domain JBoss configuration are:
"default", "full", "full-ha" or "ha"
For a Managed Domain configuration, you must check each profile name:

For each PROFILE NAME, run the command:
"/profile=<PROFILE NAME>/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)"

For a Standalone configuration:
"/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)"

Check Contents

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
Run the jboss-cli script to start the Command Line Interface (CLI).
Connect to the server and authenticate.

The PROFILE NAMEs included with a Managed Domain JBoss configuration are:
"default", "full", "full-ha" or "ha"
For a Managed Domain configuration, you must check each profile name:

For each PROFILE NAME, run the command:
"ls /profile=<PROFILE NAME>/subsystem=logging/root-logger=ROOT"

If ROOT logger "level" is not set to INFO, DEBUG or TRACE
This is a finding for each <PROFILE NAME> (default, full, full-ha and ha)

For a Standalone configuration:
"ls /subsystem=logging/root-logger=ROOT"

If "level" not = INFO, DEBUG or TRACE, this is a finding.

Vulnerability Number

V-213512

Documentable

False

Rule Version

JBOS-AS-000135

Severity Override Guidance

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
Run the jboss-cli script to start the Command Line Interface (CLI).
Connect to the server and authenticate.

The PROFILE NAMEs included with a Managed Domain JBoss configuration are:
"default", "full", "full-ha" or "ha"
For a Managed Domain configuration, you must check each profile name:

For each PROFILE NAME, run the command:
"ls /profile=<PROFILE NAME>/subsystem=logging/root-logger=ROOT"

If ROOT logger "level" is not set to INFO, DEBUG or TRACE
This is a finding for each <PROFILE NAME> (default, full, full-ha and ha)

For a Standalone configuration:
"ls /subsystem=logging/root-logger=ROOT"

If "level" not = INFO, DEBUG or TRACE, this is a finding.

Check Content Reference

Target Key

3987

JBoss ROOT logger must be configured to utilize the appropriate logging level.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments