STIGQter: STIG Summary: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

Remote access to JMX subsystem must be disabled.

DISA Rule

SV-213522r615939_rule

Vulnerability Number

V-213522

Group Title

SRG-APP-000141-AS-000095

Rule Version

JBOS-AS-000240

Severity

CAT II

CCI(s)

CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

Fix Recommendation

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
Run the jboss-cli script to start the Command Line Interface (CLI).
Connect to the server and authenticate.

For a Managed Domain configuration you must check each profile name:

For each PROFILE NAME, run the command:
"/profile=<PROFILE NAME>/subsystem=jmx/remoting-connector=jmx:remove"

For a Standalone configuration:
"/subsystem=jmx/remoting-connector=jmx:remove"

Check Contents

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
Run the jboss-cli script to start the Command Line Interface (CLI).
Connect to the server and authenticate.

For a Managed Domain configuration, you must check each profile name:

For each PROFILE NAME, run the command:
"ls /profile=<PROFILE NAME>/subsystem=jmx/remoting-connector"

For a Standalone configuration:
"ls /subsystem=jmx/remoting-connector"

If "jmx" is returned, this is a finding.

Vulnerability Number

V-213522

Documentable

False

Rule Version

JBOS-AS-000240

Severity Override Guidance

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
Run the jboss-cli script to start the Command Line Interface (CLI).
Connect to the server and authenticate.

For a Managed Domain configuration, you must check each profile name:

For each PROFILE NAME, run the command:
"ls /profile=<PROFILE NAME>/subsystem=jmx/remoting-connector"

For a Standalone configuration:
"ls /subsystem=jmx/remoting-connector"

If "jmx" is returned, this is a finding.

Check Content Reference

Target Key

3987

Remote access to JMX subsystem must be disabled.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments