STIGQter: STIG Summary: IBM WebSphere Traditional V9.x Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 23 Aug 2018

The WebSphere Application Server users in the admin role must be authorized.

DISA Rule

SV-95941r1_rule

Vulnerability Number

V-81227

Group Title

SRG-APP-000033-AS-000024

Rule Version

WBSP-AS-000220

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Navigate to Users and Groups >> Administrative user roles.

If an unauthorized user is assigned to the admin role, click on the user, remove admin rights, and assign proper roles as defined in the System Security Plan.

Do not delete any user with the "Primary administrative user name" designation.

Click "OK".

Click "Save".

Restart the DMGR and all the JVMs.

Check Contents

Review System Security Plan documentation.

In the administrative console, navigate to Users and Groups >> Administrative user roles.

If users assigned to the admin role are not authorized by the ISSO/ISSM, this is a finding.

Documentable

False

Severity Override Guidance

Review System Security Plan documentation.

In the administrative console, navigate to Users and Groups >> Administrative user roles.

If users assigned to the admin role are not authorized by the ISSO/ISSM, this is a finding.

Check Content Reference

M

Target Key

3399
