Checked | Name | Title |
---|---|---|
☐ | SV-213494r615939_rule | HTTP management session traffic must be encrypted. |
☐ | SV-213495r615939_rule | HTTPS must be enabled for JBoss web interfaces. |
☐ | SV-213496r615939_rule | Java permissions must be set for hosted applications. |
☐ | SV-213497r615939_rule | The Java Security Manager must be enabled for the JBoss application server. |
☐ | SV-213498r615939_rule | The JBoss server must be configured with Role Based Access Controls. |
☐ | SV-213499r615939_rule | Users in JBoss Management Security Realms must be in the appropriate role. |
☐ | SV-213500r615939_rule | Silent Authentication must be removed from the Default Application Security Realm. |
☐ | SV-213501r615939_rule | Silent Authentication must be removed from the Default Management Security Realm. |
☐ | SV-213502r615939_rule | JBoss management interfaces must be secured. |
☐ | SV-213503r615939_rule | The JBoss server must generate log records for access and authentication events to the management interface. |
☐ | SV-213504r615939_rule | JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged. |
☐ | SV-213505r615939_rule | JBoss must be configured to initiate session logging upon startup. |
☐ | SV-213506r615939_rule | JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster. |
☐ | SV-213507r615939_rule | JBoss must be configured to produce log records containing information to establish what type of events occurred. |
☐ | SV-213508r615939_rule | JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred. |
☐ | SV-213509r615939_rule | JBoss must be configured to produce log records that establish which hosted application triggered the events. |
☐ | SV-213510r615939_rule | JBoss must be configured to record the IP address and port information used by management interface network traffic. |
☐ | SV-213511r615939_rule | The application server must produce log records that contain sufficient information to establish the outcome of events. |
☐ | SV-213512r615939_rule | JBoss ROOT logger must be configured to utilize the appropriate logging level. |
☐ | SV-213513r615939_rule | File permissions must be configured to protect log information from any type of unauthorized read access. |
☐ | SV-213514r615939_rule | File permissions must be configured to protect log information from unauthorized modification. |
☐ | SV-213515r615939_rule | File permissions must be configured to protect log information from unauthorized deletion. |
☐ | SV-213516r615939_rule | JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days. |
☐ | SV-213517r615939_rule | mgmt-users.properties file permissions must be set to allow access to authorized users only. |
☐ | SV-213518r615939_rule | JBoss process owner interactive access must be restricted. |
☐ | SV-213519r615939_rule | Google Analytics must be disabled in EAP Console. |
☐ | SV-213520r615939_rule | JBoss process owner execution permissions must be limited. |
☐ | SV-213521r615939_rule | JBoss QuickStarts must be removed. |
☐ | SV-213522r615939_rule | Remote access to JMX subsystem must be disabled. |
☐ | SV-213523r615939_rule | Welcome Web Application must be disabled. |
☐ | SV-213524r615939_rule | Any unapproved applications must be removed. |
☐ | SV-213525r615939_rule | JBoss application and management ports must be approved by the PPSM CAL. |
☐ | SV-213526r615939_rule | The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP. |
☐ | SV-213527r615939_rule | The JBoss Server must be configured to use certificates to authenticate admins. |
☐ | SV-213528r615939_rule | The JBoss server must be configured to use individual accounts and not generic or shared accounts. |
☐ | SV-213529r615939_rule | JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy. |
☐ | SV-213530r615939_rule | The JBoss Password Vault must be used for storing passwords or other sensitive configuration information. |
☐ | SV-213531r615939_rule | JBoss KeyStore and Truststore passwords must not be stored in clear text. |
☐ | SV-213532r615939_rule | LDAP enabled security realm value allow-empty-passwords must be set to false. |
☐ | SV-213533r615939_rule | JBoss must utilize encryption when using LDAP for authentication. |
☐ | SV-213534r615939_rule | The JBoss server must be configured to restrict access to the web server's private key to authenticated system administrators. |
☐ | SV-213535r615939_rule | The JBoss server must separate hosted application functionality from application server management functionality. |
☐ | SV-213536r615939_rule | JBoss file permissions must be configured to protect the confidentiality and integrity of application files. |
☐ | SV-213537r615939_rule | Access to JBoss log files must be restricted to authorized users. |
☐ | SV-213538r615939_rule | Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller. |
☐ | SV-213539r615939_rule | The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
☐ | SV-213540r615939_rule | The JBoss server must be configured to log all admin activity. |
☐ | SV-213541r615939_rule | The JBoss server must be configured to utilize syslog logging. |
☐ | SV-213542r615939_rule | Production JBoss servers must not allow automatic application deployment. |
☐ | SV-213543r615939_rule | Production JBoss servers must log when failed application deployments occur. |
☐ | SV-213544r615939_rule | Production JBoss servers must log when successful application deployments occur. |
☐ | SV-213545r615939_rule | JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions. |
☐ | SV-213546r615939_rule | The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster. |
☐ | SV-213547r615939_rule | JBoss must be configured to use an approved TLS version. |
☐ | SV-213548r615939_rule | JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS. |
☐ | SV-213549r615939_rule | Production JBoss servers must be supported by the vendor. |
☐ | SV-213550r615939_rule | The JRE installed on the JBoss server must be kept up to date. |
☐ | SV-213551r615939_rule | JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur. |
☐ | SV-213552r615939_rule | JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur. |
☐ | SV-213553r615939_rule | JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur. |
☐ | SV-213554r615939_rule | JBoss must be configured to generate log records for privileged activities. |
☐ | SV-213555r615939_rule | JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface. |
☐ | SV-213556r615939_rule | JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface. |
☐ | SV-213557r615939_rule | JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events. |
☐ | SV-213558r615939_rule | The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. |
☐ | SV-213559r615939_rule | JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis. |
☐ | SV-217099r615939_rule | The JBoss server must be configured to bind the management interfaces to only management networks. |