STIGQter: STIG Summary: JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 22 Jan 2021:

Any unapproved applications must be removed.

DISA Rule

SV-213524r615939_rule

Vulnerability Number

V-213524

Group Title

SRG-APP-000141-AS-000095

Rule Version

JBOS-AS-000250

Severity

CAT II

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

Identify, authorize, and document all applications that are deployed to the application server. Remove unauthorized applications.

Check Contents

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
Run the jboss-cli script.
Connect to the server and authenticate.
Run the command:

ls /deployment

The list of deployed applications is displayed. Have the system admin identify the applications listed and confirm they are approved applications.

If the system admin cannot provide documentation proving their authorization for deployed applications, this is a finding.

Vulnerability Number

V-213524

Documentable

False

Rule Version

JBOS-AS-000250

Severity Override Guidance

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
Run the jboss-cli script.
Connect to the server and authenticate.
Run the command:

ls /deployment

The list of deployed applications is displayed. Have the system admin identify the applications listed and confirm they are approved applications.

If the system admin cannot provide documentation proving their authorization for deployed applications, this is a finding.

Check Content Reference

M

Target Key

3987

Comments