Guide to the Secure Configuration of JBoss EAP 6
with profile STIG for JBoss Enterprise Application Platform 6
This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.
The SCAP content is available in the scap-security-guide package, which is developed at
https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for JBoss EAP 6, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
| Profile Title | STIG for JBoss Enterprise Application Platform 6 |
|---|---|
| Profile ID | xccdf_org.ssgproject.content_profile_stig-eap6-disa |
Revision History
Current version: 0.1.36
- draft (as of 2017-11-01)
Platforms
- cpe:/a:redhat:jboss_enterprise_application_platform:6.0.0
- cpe:/a:redhat:jboss_enterprise_application_platform:6.0.1
- cpe:/a:redhat:jboss_enterprise_application_platform:6.1.0
- cpe:/a:redhat:jboss_enterprise_application_platform:6.2.0
- cpe:/a:redhat:jboss_enterprise_application_platform:6.2.1
- cpe:/a:redhat:jboss_enterprise_application_platform:6.2.2
- cpe:/a:redhat:jboss_enterprise_application_platform:6.2.3
- cpe:/a:redhat:jboss_enterprise_application_platform:6.2.4
- cpe:/a:redhat:jboss_enterprise_application_platform:6.3.0
- cpe:/a:redhat:jboss_enterprise_application_platform:6.3.1
- cpe:/a:redhat:jboss_enterprise_application_platform:6.3.2
- cpe:/a:redhat:jboss_enterprise_application_platform:6.3.3
- cpe:/a:redhat:jboss_enterprise_application_platform:6.4.4
Checklist
contains 49 rules
JBoss Enterprise Application Platform 6 (group)
JBoss Enterprise Application Platform is a popular Java Enterprise Edition application server platform by Red Hat. It is based on the open-source JBoss Application Server, Community Edition. Leveraging a robust container architecture, JBoss EAP is capable of hosting a wide variety of applications, from simple static HTML pages to distributed, transaction-based Java Enterprise Edition applications. JBoss EAP is known for being dependable, fast, flexible, and cost-effective. This section provides settings for configuring the JBoss Enterprise Application Platform running on Red Hat Enterprise Linux systems.
contains 49 rules
Enable HTTPS for Management Sessions
Follow the specific instructions in the Red Hat Security Guide for EAP version 6.3 to configure the management console for HTTPS. The end state is a ManagementRealm that carries a server identity (an SSL keystore) and an http-interface whose secure-socket-binding attribute references the management-https socket binding while its plain socket-binding attribute is undefined; verify with /core-service=management/management-interface=http-interface:read-resource.
Rationale:
Types of management interfaces utilized by the JBoss EAP application server include web-based HTTP interfaces as well as command line-based management interfaces. In the event remote HTTP management is required, the access must be via HTTPS.
Severity: medium Identifiers: CCE-80450-0 References: SRG-APP-000014-AS-000009, CCI-000068, JBOS-AS-000010
Enable HTTPS for JBoss Web Interface
Follow procedure "4.4. Configure the JBoss Web Server to use HTTPS." The detailed procedure is found in the JBoss EAP 6.3 Security Guide available at the vendor's site, RedHat.com. An overview of steps is provided here.
Rationale:
Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk.
Severity: medium Identifiers: CCE-80451-8 References: SRG-APP-000015-AS-000010, CCI-001453, JBOS-AS-000015
Configure Host Access Restrictions for Applications
Configure the Java security manager to enforce access restrictions to the host system resources in accordance with application design and resource requirements.
Rationale:
The Java Security Manager is a Java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM.
Severity: high Identifiers: CCE-80452-6 References: SRG-APP-000033-AS-000024, CCI-000213, JBOS-AS-000025
Enable the Java Security Manager
For a domain installation: enable the respective JAVA_OPTS flag in both the domain.conf and the domain.conf.bat files.
Rationale:
The Java Security Manager is a Java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM.
Severity: high Identifiers: CCE-80453-4 References: SRG-APP-000033-AS-000024, CCI-000213, JBOS-AS-000030
Enable Role Based Access Control (RBAC)
Start the management CLI with <JBOSS_HOME>/bin/jboss-cli.sh -c (the -c option connects to the server), authenticate, and run:
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
Restart JBoss; the provider change does not take effect until then. Map users to roles by running the following command. Upper-case words are variables; TYPE is USER for an individual account or GROUP for a directory group:
/core-service=management/access=authorization/role-mapping=ROLENAME/include=ALIAS:add(name=USERNAME,type=TYPE)
The shipped configuration only contains a role-mapping for SuperUser, so create the mapping for any other standard role first with /core-service=management/access=authorization/role-mapping=ROLENAME:add before adding includes to it.
Rationale: By default, the JBoss server is not configured to utilize role based access controls (RBAC). RBAC provides the capability to restrict user access to their designated management role, thereby limiting access to only the JBoss functionality that they are supposed to have. Without RBAC, the JBoss server is not able to enforce authorized access according to role.
Severity: high Identifiers: CCE-80454-2 References: SRG-APP-000033-AS-000024, SRG-APP-000340-AS-000185, CCI-000213, CCI-002235, JBOS-AS-000035
Configure JBoss User Roles
Document approved management users and their roles. Configure the application server to use RBAC and ensure users are placed into the appropriate roles.
Rationale:
Security realms are a series of mappings between users and passwords and users and roles. There are 2 JBoss security realms provided by default; they are
Severity: medium Identifiers: CCE-80455-9 References: SRG-APP-000033-AS-000024, CCI-000213, JBOS-AS-000040
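The role-mapping step in the two rules above is easy to get wrong by hand (mis-typed role names, a forgotten role-mapping :add, an approved list that leaves nobody in the Auditor role). The following Python generates the CLI batch from the documented approval list instead. It is an added example, not code from the SCAP guide or from JBoss EAP: the APPROVED list is a constructed stand-in for the documented users, the user-/group- alias naming is the example's own convention, and requiring an Administrator and an Auditor is an assumption of the example, not a checklist rule.

```python
"""Build a jboss-cli batch that enables RBAC and maps approved principals to roles.

Added example, not part of the SCAP guide or of JBoss EAP; it only emits CLI text.
"""

# The seven standard roles that EAP 6 provides once provider=rbac is active.
STANDARD_ROLES = ("Monitor", "Operator", "Maintainer", "Deployer",
                  "Auditor", "Administrator", "SuperUser")

# Constructed stand-in for the documented, ISSM-approved list of management users:
# (principal, kind, role); kind is USER for an individual account, GROUP for an LDAP group.
APPROVED = [
    ("alice", "USER", "Administrator"),
    ("bob", "USER", "Auditor"),
    ("ops-team", "GROUP", "Operator"),
]

AUTHZ = "/core-service=management/access=authorization"


def rbac_batch(approved, existing_roles=("SuperUser",), required=("Administrator", "Auditor")):
    """Return the CLI lines (as a list) that switch the provider to rbac and add one
    include entry per approved principal, wrapped in batch/run-batch so a failure
    rolls the whole change back. Rejects unknown roles or kinds, and an approval
    list that leaves a required role (by default Administrator and Auditor) unfilled."""
    lines = ["batch", AUTHZ + ":write-attribute(name=provider,value=rbac)"]
    created = set(existing_roles)   # role-mapping resources that already exist
    for principal, kind, role in approved:
        if role not in STANDARD_ROLES:
            raise ValueError("unknown role %r for %s" % (role, principal))
        if kind not in ("USER", "GROUP"):
            raise ValueError("kind must be USER or GROUP, got %r for %s" % (kind, principal))
        if role not in created:
            # the shipped config only has a SuperUser mapping; others must be added first
            lines.append("%s/role-mapping=%s:add" % (AUTHZ, role))
            created.add(role)
        alias = "%s-%s" % (kind.lower(), principal)   # example's own alias convention
        lines.append("%s/role-mapping=%s/include=%s:add(name=%s,type=%s)"
                     % (AUTHZ, role, alias, principal, kind))
    missing = [r for r in required if r not in {role for _, _, role in approved}]
    if missing:
        raise ValueError("no approved principal for role(s): %s" % ", ".join(missing))
    lines.append("run-batch")
    return lines


if __name__ == "__main__":
    # Save the output as rbac.cli and run <JBOSS_HOME>/bin/jboss-cli.sh -c --file=rbac.cli,
    # then restart the server so the provider change takes effect.
    print("\n".join(rbac_batch(APPROVED)))
```

The batch/run-batch wrapper matters: if one include fails (for example because the alias already exists), the provider switch and the other mappings are rolled back together instead of leaving the server half-converted to RBAC.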
Remove Silent Authentication - Application Security Realm
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder and run the jboss-cli script. Connect to the server and authenticate. Remove the local element from the Application Realm.
For standalone servers, run the following command:
/core-service=management/security-realm=ApplicationRealm/authentication=local:remove
For managed domain installations, run the following command:
/host=HOST_NAME/core-service=management/security-realm=ApplicationRealm/authentication=local:remove
Rationale: Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis. By default the $local user is a SuperUser. This introduces an integrity and availability vulnerability and violates best practice requirements regarding accountability.
Severity: high Identifiers: CCE-80456-7 References: SRG-APP-000033-AS-000024, CCI-000213, JBOS-AS-000045
Remove Silent Authentication - Management Security Realm
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder and run the jboss-cli script. Connect to the server and authenticate. Remove the local element from the Management Realm. Before doing so, make sure a real management user exists in the realm (created with the add-user script in the same folder) and that the CLI session is authenticated as that user; once the local element is gone, an unauthenticated local CLI can no longer reach the server.
For standalone servers run the following command:
/core-service=management/security-realm=ManagementRealm/authentication=local:remove
For managed domain installations run the following command:
/host=HOST_NAME/core-service=management/security-realm=ManagementRealm/authentication=local:remove
Rationale: Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis. By default the $local user is a SuperUser. This introduces an integrity and availability vulnerability and violates best practice requirements regarding accountability.
Severity: high Identifiers: CCE-80457-5 References: SRG-APP-000033-AS-000024, CCI-000213, JBOS-AS-000050
Secure the JBoss Management Interfaces
Identify the security realm used for management of the system. By default, this is called ManagementRealm. Verify that every management interface references it: /core-service=management/management-interface=http-interface:read-attribute(name=security-realm) and the same read-attribute on management-interface=native-interface must each return a realm name rather than undefined.
Rationale: JBoss utilizes the concept of security realms to secure the management interfaces used for JBoss server administration. If the security realm attribute is omitted or removed from the management interface definition, access to that interface is no longer secure. The JBoss management interfaces must be secured.
Severity: high Identifiers: CCE-80458-3 References: SRG-APP-000033-AS-000024, CCI-000213, JBOS-AS-000075
Configure JBoss Auditing and Logging
Launch the jboss-cli management interface. Connect to the server by typing connect, authenticate, and run the following command.
For a Managed Domain configuration:
/host=master/server=SERVERNAME/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
For a Standalone configuration:
/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
Rationale:
Log records can be generated from various components within the JBoss application server. The minimum list of logged events should be those pertaining to access and authentication events to the management interface as well as system startup and shutdown events.
Severity: medium Identifiers: CCE-80459-1 References: SRG-APP-000089-AS-000050, SRG-APP-000092-AS-000053, SRG-APP-000095-AS-000056, SRG-APP-000096-AS-000059, SRG-APP-000096-AS-000060, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062, SRG-APP-000495-AS-000220, SRG-APP-000499-AS-000224, SRG-APP-000503-AS-000228, SRG-APP-000504-AS-000229, SRG-APP-000505-AS-000230, SRG-APP-000506-AS-000231, SRG-APP-000509-AS-000234, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000169, CCI-000172, CCI-001464, JBOS-AS-000080
Configure JBoss Auditor Role
Obtain documented approvals from the ISSM, and assign the appropriate personnel to the Auditor role.
Rationale:
The JBoss server must be configured to select which personnel are assigned the role of selecting which loggable events are to be logged. In JBoss, the role designated for selecting auditable events is the Auditor role.
Severity: medium Identifiers: CCE-80460-9 References: SRG-APP-000090-AS-000051, CCI-000171, JBOS-AS-000085
Configure JBoss Logging Level
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder and run the jboss-cli script to start the Command Line Interface (CLI). Connect to the server and authenticate. The PROFILE NAMEs included with a Managed Domain JBoss configuration are: default, full, full-ha, or ha.
For a Managed Domain configuration, you must check each profile name. For each PROFILE NAME, run the command:
/profile=PROFILE NAME/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)
For a Standalone configuration:
/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)
Rationale: Setting the ROOT logger to a level above INFO (such as WARN, ERROR, or FATAL) records less data and may result in an insufficient amount of information being logged by the ROOT logger. This can result in failed forensic investigations. The ROOT logger level must be INFO level or lower to provide adequate log information.
Severity: medium Identifiers: CCE-80461-7 References: SRG-APP-000100-AS-000063, CCI-001487, JBOS-AS-000135
Configure JBoss Log Permissions
Configure the OS file permissions on the application server to protect log information from unauthorized access.
Rationale:
If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve.
Severity: medium Identifiers: CCE-80462-5 References: SRG-APP-000118-AS-000078, SRG-APP-000119-AS-000079, SRG-APP-000120-AS-000080, CCI-000162, CCI-000163, CCI-000164, JBOS-AS-000165
Configure JBoss Log Off-Loading Frequency
Configure the application server to off-load log records every seven days onto a different system or media from the system being logged.
Rationale:
JBoss logs by default are written to the local file system. A centralized logging solution like syslog should be used whenever possible; however, any log data stored to the file system needs to be off-loaded. JBoss EAP does not provide an automated backup capability. Instead, reliance is placed on OS or third-party tools to back up or off-load the log files.
Severity: medium Identifiers: CCE-80463-3 References: SRG-APP-000125-AS-000084, CCI-001348, JBOS-AS-000195
Configure mgmt-users.properties File Permissions
Configure the file permissions to allow access to authorized users only. Owner can be full access. Group can be full access. All others must have execute permissions only; in practice other accounts need no access to this file at all, so a mode of 0660 or tighter on a file owned by the JBoss service account satisfies the rule. Check with ls -l on the file in the standalone/configuration (or domain/configuration) directory under <JBOSS_HOME>.
Rationale: The mgmt-users.properties file contains the password hashes of all users who are in a management role and must be protected. Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.
Severity: medium Identifiers: CCE-80464-1 References: SRG-APP-000133-AS-000092, CCI-001499, JBOS-AS-000210
Restrict the JBoss Account
Use the relevant OS commands to restrict the JBoss user account from interactively logging on to the console of the JBoss system.
Rationale:
JBoss does not require admin rights to operate and should be run as a regular user. In addition, if the user account were to be compromised and the account was allowed interactive logon rights, this would increase the risk and attack surface against the JBoss system. The right to interactively log on to the system using the JBoss account should be limited according to the OS capabilities.
Severity: high Identifiers: CCE-80465-8 References: SRG-APP-000141-AS-000095, CCI-000381, JBOS-AS-000220
Disable Google Analytics
Using the EAP web console, log on using admin credentials. On the bottom right-hand side of the screen, select
Rationale: The Google Analytics feature aims to help the Red Hat EAP team understand how customers are using the console and which parts of the console matter the most to the customers. This information will, in turn, help the team to adapt the console design, features, and content to the immediate needs of the customers. Sending analytical data to the vendor introduces risk of unauthorized data exfiltration. This capability must be disabled.
Severity: medium Identifiers: CCE-80466-6 References: SRG-APP-000141-AS-000095, CCI-000381, JBOS-AS-000225
Restrict JBoss Account
Run the JBoss server with non-admin rights.
Rationale: The JBoss EAP application server can be run as the OS admin, which is not advised. Running the application server with admin privileges increases the attack surface by granting the application server more rights than it requires in order to operate. If the server is compromised, the attacker will have the same rights as the application server, which in that case would be admin rights. The JBoss EAP server must not be run as the admin user.
Severity: high Identifiers: CCE-80467-4 References: SRG-APP-000141-AS-000095, CCI-000381, JBOS-AS-000230
Remove JBoss Quickstarts
Delete the QuickStarts folder.
Rationale: JBoss QuickStarts are demo applications that can be deployed quickly. Demo applications are not written with security in mind and often open new attack vectors. QuickStarts must be removed.
Severity: medium Identifiers: CCE-80468-2 References: SRG-APP-000141-AS-000095, CCI-000381, JBOS-AS-000235
Remove the JMX Subsystem
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder and run the jboss-cli script to start the Command Line Interface (CLI). Connect to the server and authenticate.
For a Managed Domain configuration you must check each profile name. For each PROFILE NAME, run the command:
/profile=PROFILE NAME/subsystem=jmx/remoting-connector=jmx:remove
For a Standalone configuration:
/subsystem=jmx/remoting-connector=jmx:remove
Rationale: The JMX subsystem allows you to trigger JDK and application management operations remotely. In a managed domain configuration, the JMX subsystem is removed by default. For a standalone configuration, it is enabled by default and must be removed.
Severity: medium Identifiers: CCE-80469-0 References: SRG-APP-000141-AS-000095, CCI-000381, JBOS-AS-000240
Disable or Replace the JBoss Welcome Page
Use the Management CLI script $JBOSS_HOME/bin/jboss-cli.sh to run the following command. You may need to change the profile to modify a different managed domain profile, or remove the /profile=default portion of the command for a standalone server.
/profile=default/subsystem=web/virtual-server=default-host:write-attribute(name=enable-welcome-root,value=false)
To configure your web application to use the root context (/) as its URL address, modify the application's jboss-web.xml, which is located in the application's META-INF/ or WEB-INF/ directory. Replace its <context-root> directive with one that looks like the following:
<context-root>/</context-root>
Rationale: The Welcome to JBoss web page provides a redirect to the JBoss admin console, which, by default, runs on TCP 9990, as well as redirects to the Online User Guide and Online User Groups hosted at locations on the Internet. The welcome page is unnecessary and should be disabled or replaced with a valid web page.
Severity: low Identifiers: CCE-80470-8 References: SRG-APP-000141-AS-000095, CCI-000381, JBOS-AS-000245
Remove Unnecessary Applications
Identify, authorize, and document all applications that are deployed to the application server. Remove unauthorized applications.
Rationale: Extraneous services and applications running on an application server expand the attack surface and increase risk to the application server. Securing any server involves identifying and removing any unnecessary services and, in the case of an application server, unnecessary and/or unapproved applications.
Severity: medium Identifiers: CCE-80471-6 References: SRG-APP-000141-AS-000095, CCI-000381, JBOS-AS-000250
Configure JBoss Management and Application Ports
Open the EAP web console by pointing a web browser to https://SERVERNAME:9990 and log on to the admin console using admin credentials. Then:
- Select the Configuration tab
- Expand the General Configuration subsystem by clicking on the +
- Select Socket Binding
- Select the View option next to standard-sockets
- Select Inbound
- Select the port that needs to be reconfigured and select Edit
Rationale:
Some networking protocols may not meet organizational security requirements to protect data and components.
Severity: medium Identifiers: CCE-80472-4 References: SRG-APP-000142-AS-000014, CCI-000382, JBOS-AS-000255
Configure LDAP
Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.
Rationale:
To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store that is either local (OS-based) or centralized (Active Directory/LDAP) in nature. It should be noted that JBoss does not specifically mention Active Directory since AD is LDAP aware.
Severity: medium Identifiers: CCE-80473-2 References: SRG-APP-000148-AS-000101, CCI-000764, JBOS-AS-000260
Configure Multi-Factor Authentication
Configure the application server to authenticate privileged users via multifactor/certificate-based authentication mechanisms when using network access to the management interface.
Rationale:
Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Unlike a simple username/password scenario where the attacker could gain access by knowing both the username and password without the user knowing his account was compromised, multifactor authentication adds the requirement that the attacker must have something from the user, such as a token, or to biometrically be the user. Multifactor authentication is defined as: using two or more factors to achieve authentication.
Severity: medium Identifiers: CCE-80474-0 References: SRG-APP-000149-AS-000102, CCI-000765, JBOS-AS-000265
Remove JBoss Group Account Access
Configure the application server so required users are individually authenticated by creating individual user accounts. Utilize an LDAP server that is configured according to DoD policy.
Rationale:
To assure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application server users) must be individually identified and authenticated.
Severity: medium Identifiers: CCE-80475-7 References: SRG-APP-000153-AS-000104, CCI-000770, JBOS-AS-000275
Separate JBoss Management Network
Refer to Section 4.9 of the JBoss EAP 6.3 Installation guide for detailed instructions on how to start JBoss as a service. Bind the management and public interfaces to different addresses at start-up; the addresses below are placeholders:
JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1
JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1
If a management network is not available, you may substitute localhost/127.0.0.1 for the management address. This will force you to manage the JBoss server from the local host.
Rationale: JBoss provides multiple interfaces for accessing the system. By default, these are called public and management. Allowing non-management traffic to access the JBoss management interface increases the chances of a security compromise. The JBoss server must be configured to bind the management interface to a network that controls access. This is usually a network that has been designated as a management network and has restricted access. Similarly, the public interface must be bound to a network that is not on the same segment as the management interface.
Severity: medium Identifiers: CCE-80476-5 References: SRG-APP-000158-AS-000108, CCI-000778, JBOS-AS-000285
Configure LDAP for Management Interfaces
Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.
Rationale: JBoss EAP provides a security realm called ManagementRealm. By default, this realm uses the mgmt-users.properties file for authentication. Using file-based authentication does not allow the JBoss server to be in compliance with a wide range of user management requirements such as automatic disabling of inactive accounts as per DoD policy. To address this issue, the management interfaces used to manage the JBoss server must be associated with a security realm that provides centralized authentication management. Examples are AD or LDAP. Management of user identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). It is commonly the case that a user account is the name of an information system account associated with an individual.
Severity: medium Identifiers: CCE-80477-3 References: SRG-APP-000163-AS-000111, CCI-000795, JBOS-AS-000290
Enable the JBoss Keystore
Configure the application server to use the Java keystore and JBoss vault as per section 11.13.1 - Password Vault System in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.
Rationale: JBoss EAP 6 has a Password Vault to encrypt sensitive strings, store them in an encrypted keystore, and decrypt them for applications and verification systems. Plain-text configuration files, such as XML deployment descriptors, need to specify passwords and other sensitive information. Use the JBoss EAP Password Vault so that those plain-text files carry only a reference to the vault entry rather than the sensitive string itself.
Severity: medium Identifiers: CCE-80478-1 References: SRG-APP-000171-AS-000119, CCI-000196, JBOS-AS-000295
Encrypt JBoss Keystore Passwords
Configure the application server to mask the Java keystore password as per the procedure described in section 11.13.3 - Password Vault System in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.
Rationale:
Access to the JBoss Password Vault must be secured, and the password used to access it must not be stored in the clear. There is a specific process used to generate the masked form of the keystore password. This process must be followed in order to store the password in an encrypted format.
Severity: medium Identifiers: CCE-80479-9 References: SRG-APP-000171-AS-000119, CCI-000196, JBOS-AS-000300
Require Password Authentication
Configure the LDAP Security Realm using default settings that sets
Rationale: Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Application servers have the capability to utilize either certificates (tokens) or user IDs and passwords in order to authenticate. When the application server transmits or receives passwords, the passwords must be encrypted.
Severity: medium Identifiers: CCE-80480-7 References: SRG-APP-000172-AS-000120, CCI-000197, JBOS-AS-000305
Use Secure Standard LDAP Port
Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document. The outbound LDAP connection used by the management realm must point at the directory's LDAPS port (TCP 636) rather than the plain LDAP port (TCP 389).
Rationale:
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission.
Severity: medium Identifiers: CCE-80481-5 References: SRG-APP-000172-AS-000121, CCI-000197, JBOS-AS-000310
Restrict Access to the JBoss Keystore
Configure the application server OS file permissions on the corresponding private key to restrict access to authorized accounts or roles.
Rationale:
The cornerstone of the PKI is the private key used to encrypt or digitally sign information.
Severity: medium Identifiers: CCE-80482-3 References: SRG-APP-000176-AS-000125, CCI-000186, JBOS-AS-000320
Use Separate Management and Application Networks
Start the application server with a management bind address that differs from the public one, as shown under Separate JBoss Management Network (the -bmanagement option).
Rationale:
The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged user to the management interface before being presented with management functionality. This prevents non-privileged users from having visibility to functions not available to the user. By limiting visibility, a compromised non-privileged account does not offer information to the attacker or functionality and information needed to further the attack on the application server.
Severity: medium Identifiers: CCE-80483-1 References: SRG-APP-000211-AS-000146, CCI-001082, JBOS-AS-000355
Configure JBoss Application File Permissions
Configure file permissions on the JBoss folder to protect from unauthorized access.
Rationale:
The JBoss EAP Application Server is a Java-based AS. It is installed on the OS file system and depends upon file system access controls to protect application data at rest. The file permissions set on the JBoss EAP home folder must be configured so as to limit access to only authorized people and processes. The account used for operating the JBoss server and any designated administrative or operational accounts are the only accounts that should have access.
Severity: medium Identifiers: CCE-80484-9 References: SRG-APP-000231-AS-000133, CCI-001199, JBOS-AS-000400
Configure JBoss Log Directory Permissions
Configure file permissions on the JBoss log folder to protect from unauthorized access.
Rationale:
If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Severity: medium Identifiers: CCE-80485-6 References: SRG-APP-000267-AS-000170, CCI-001314, JBOS-AS-000425
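Four rules on this page (Configure mgmt-users.properties File Permissions, Restrict Access to the JBoss Keystore, Configure JBoss Application File Permissions and Configure JBoss Log Directory Permissions) come down to the same file-system check, so one walk over JBOSS_HOME can cover them all. The following Python is an added example, not code from the SCAP guide or from JBoss EAP. It applies the strict reading of those rules (no access for "others" anywhere under JBOSS_HOME, and no group read on credential files), which is the editor's interpretation rather than the exact wording of the mgmt-users.properties rule; the directory tree it scans is constructed in a temporary directory with deliberately mixed modes, and the CREDENTIAL_FILES set is the example's own list.

```python
"""Find entries under a JBoss EAP home directory whose mode bits let accounts other
than the owner read or modify them. Added example, not part of the SCAP guide; the
tree it scans is constructed in a temporary directory so the script runs offline."""
import os
import stat
import tempfile

# Files holding credential material: besides the general rule they must not be
# readable by the group either (mgmt-users.properties holds password hashes,
# the keystores hold private keys). Example's own list.
CREDENTIAL_FILES = {"mgmt-users.properties", "application-users.properties",
                    "vault.keystore", "server.keystore"}


def risky_permissions(jboss_home):
    """Return sorted (relative path, octal mode, reason) tuples for entries whose
    mode bits exceed the strict reading of the checklist: no access at all for
    'others' anywhere under JBOSS_HOME, and no group read on credential files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(jboss_home):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)   # lstat: do not follow symlinks
            rel = os.path.relpath(full, jboss_home)
            if mode & stat.S_IRWXO:
                findings.append((rel, "%04o" % mode, "accessible to others"))
            elif name in CREDENTIAL_FILES and mode & stat.S_IRGRP:
                findings.append((rel, "%04o" % mode, "credential file readable by group"))
    return sorted(findings)


def build_sample_tree():
    """Constructed JBOSS_HOME layout mixing acceptable and sloppy modes."""
    home = tempfile.mkdtemp(prefix="jboss-eap-6-")
    layout = {
        "bin/jboss-cli.sh": 0o750,
        "standalone/configuration/standalone.xml": 0o644,         # world-readable
        "standalone/configuration/mgmt-users.properties": 0o640,  # hashes readable by group
        "standalone/configuration/vault.keystore": 0o600,
        "standalone/log/server.log": 0o660,
    }
    for rel, mode in layout.items():
        full = os.path.join(home, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(full, mode)
    for dirpath, dirnames, _ in os.walk(home):      # directories: owner and group only
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o750)
    return home


if __name__ == "__main__":
    home = build_sample_tree()
    for rel, mode, reason in risky_permissions(home):
        print("%s %s %s" % (mode, rel, reason))
```

Point the function at the real JBOSS_HOME to get the same report for a live installation; ownership (the files should belong to the JBoss service account) is a separate check that this example does not make.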
Disable Network Access to the Admin Console
Run the <JBOSS_HOME>/bin/jboss-cli command line interface utility. Connect to the JBoss server and run the following command.
/core-service=management/management-interface=http-interface:write-attribute(name=console-enabled,value=false)
Successful command execution returns {"outcome" => "success"}, and future attempts to access the management console via web browser at SERVERNAME:9990 will result in no access to the admin console. Only the browser console is removed; the HTTP management endpoint on that port remains available to the CLI and to the domain controller.
Rationale: When configuring JBoss application servers into a domain configuration, HTTP management capabilities are not required on domain member servers as management is done via the server that has been designated as the domain controller. Leaving HTTP management capabilities enabled on domain member servers increases the attack surface; therefore, management services on domain member servers must be disabled and management services performed via the domain controller.
Severity: medium Identifiers: CCE-80486-4 References: SRG-APP-000316-AS-000199, CCI-002322, JBOS-AS-000470
Audit JBoss Privileged Actions
Launch the jboss-cli management interface (<JBOSS_HOME>/bin/jboss-cli.sh), connect to the server, authenticate, and run the following command. For a managed domain, prefix the path with /host=HOST_NAME.
/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
Rationale:
In order to be able to provide a forensic history of activity, the application server must ensure users who are granted a privileged role or those who utilize a separate distinct account when accessing privileged functions or data have their actions logged.
Severity: medium Identifiers: CCE-80487-2 References: SRG-APP-000343-AS-000030, CCI-002234, JBOS-AS-000480
Enable Logging to syslog [ref]rule
Log on to the OS of the JBoss server with OS permissions that allow access to
JBoss.
Using the relevant OS commands and syntax, cd to the jboss-cliscript. Connect to the server and authenticate. Run the command: Standalone configuration: ls /subsystem=logging/syslog-handler= Domain configuration: ls /profile=default/subsystem=logging/syslog-handler= If no values are returned, this is a finding. Rationale:
Information system logging capability is critical for accurate forensic
analysis. Log record content that may be necessary to satisfy the requirement of
this control includes, but is not limited to, time stamps, source and
destination IP addresses, user/process identifiers, event descriptions,
application-specific events, success/fail indications, filenames involved,
access control or flow control rules invoked.
Severity: medium Identifiers: CCE-80488-0 References: SRG-APP-000358-AS-000064, CCI-001851, JBOS-AS-000505
Disable Automatic Deployment [ref]rule
Determine the JBoss server configuration as being either standalone or domain.
Launch the relevant jboss-cli management interface substituting standalone or
domain for CONFIG
<JBOSS_HOME>/CONFIG/bin/jboss-cli connect to the server and run the command:
/subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-enabled,value=false)
Rationale:
When dealing with access restrictions pertaining to change control, it should
be noted that any changes to the software and/or application server
configuration can potentially have significant effects on the overall security
of the system.
Severity: medium Identifiers: CCE-80489-8 References: SRG-APP-000380-AS-000088, CCI-001813, JBOS-AS-000545
Log Application Deployments [ref]rule
Launch the jboss-cli management interface substituting standalone or domain for
CONFIG based upon the server installation.
<JBOSS_HOME>/CONFIG/bin/jboss-cli connect to the server and run the following command:
/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
Rationale:
Without logging the enforcement of access restrictions against changes to the
application server configuration, it will be difficult to identify attempted
attacks, and a log trail will not be available for forensic investigation for
after-the-fact actions. Configuration changes may occur to any of the modules
within the application server through the management interface, but actions
taken on a module's configuration outside the application server are not
logged.
Severity: medium Identifiers: CCE-80490-6 References: SRG-APP-000381-AS-000089, CCI-001814, JBOS-AS-000550
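As an added example (not code from the SCAP Security Guide or from Red Hat), the following Python evaluates the jboss-cli based checks for the admin console, audit logging, syslog handler and deployment scanner rules above from captured jboss-cli output. The CHECKS mapping, the run_query helper and the sample outputs are constructed here; the rule ids and resource paths are the ones this guide uses.

```python
"""Added example (not SCAP Security Guide code): evaluate the jboss-cli based
checks from this guide against captured jboss-cli output. jboss-cli prints
DMR, e.g. {"outcome" => "success", "result" => false}; for the flat results
these checks return, replacing "=>" with ":" gives valid JSON."""
import json
import subprocess

# Read-only query and expected value per rule (mapping constructed here;
# the rule ids and resource paths are the ones the guide uses). Domain
# installations prefix the subsystem path with /profile=<name>.
CHECKS = {
    "JBOS-AS-000470": ("/core-service=management/management-interface="
                       "http-interface:read-attribute(name=console-enabled)", False),
    "JBOS-AS-000480": ("/core-service=management/access=audit/logger=audit-log"
                       ":read-attribute(name=enabled)", True),
    "JBOS-AS-000545": ("/subsystem=deployment-scanner/scanner=default"
                       ":read-attribute(name=scan-enabled)", False),
}

def parse_dmr(text):
    """Turn a DMR result into a dict. Handles the scalar/nested shapes above;
    DMR-only tokens (undefined, 10L, bytes{..}) are not handled."""
    return json.loads(text.replace("=>", ":"))

def evaluate(rule_id, cli_output):
    """Return (compliant, detail) for one rule from its raw jboss-cli output.
    A failed query is reported as non-compliant rather than silently passed."""
    _, expected = CHECKS[rule_id]
    result = parse_dmr(cli_output)
    if result.get("outcome") != "success":
        return False, "query failed: %s" % result.get("failure-description")
    actual = result.get("result")
    return actual == expected, "expected %r, got %r" % (expected, actual)

def syslog_handler_finding(ls_output):
    """JBOS-AS-000505: 'ls /subsystem=logging/syslog-handler=' lists one
    handler per line; an empty listing means no syslog handler (a finding)."""
    return not any(line.strip() for line in ls_output.splitlines())

def run_query(jboss_home, query):
    """Run one query non-interactively (needs a live server; not exercised
    offline). Assumes the CLI lives at <JBOSS_HOME>/bin/jboss-cli.sh."""
    cmd = [jboss_home + "/bin/jboss-cli.sh", "--connect", "--command=" + query]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":  # constructed output standing in for a live server
    print(evaluate("JBOS-AS-000470", '{"outcome" => "success", "result" => true}'))
```

Point run_query at a running server and feed its output to evaluate; everything else runs offline on the constructed strings.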
Use Approved DoD Certificate Authorities [ref]rule
Locate the cacerts file for the JVM. This can be done using the appropriate
find command for the OS and change to the directory where the cacerts file is
located.
Rationale:
Untrusted Certificate Authorities (CA) can issue certificates, but they may be
issued by organizations or individuals that seek to compromise DoD systems or by
organizations with insufficient security controls. If the CA used for verifying
the certificate is not a DoD-approved CA, trust of this CA has not been
established.
Severity: medium Identifiers: CCE-80491-4 References: SRG-APP-000427-AS-000264, CCI-002470, JBOS-AS-000625
Configure Load Balancing (LB) or High Availability (HA) [ref]rule
Configure the application server to provide LB or HA services for the hosted application.
Rationale:
A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the application server, the hosted application and data are given a platform that is load-balanced and provides high availability.
Severity: medium Identifiers: CCE-80492-2 References: SRG-APP-000435-AS-000069, CCI-002385, JBOS-AS-000640
Use Approved TLS Version [ref]rule
Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red
Hat vendor's web site for step-by-step instructions on establishing SSL
encryption on JBoss.
Rationale:
Preventing the disclosure of transmitted information requires that the
application server take measures to employ some form of cryptographic mechanism
in order to protect the information during transmission. This is usually
achieved through the use of Transport Layer Security (TLS).
Severity: medium Identifiers: CCE-80493-0 References: SRG-APP-000439-AS-000155, CCI-002418, JBOS-AS-000650
Use Approved Ciphers [ref]rule
Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red
Hat vendor's website for step-by-step instructions on establishing SSL
encryption on JBoss.
Rationale:
Preventing the disclosure or modification of transmitted information requires
that application servers take measures to employ approved cryptography in order
to protect the information during transmission over the network. This is usually
achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec
tunnel.
Severity: medium Identifiers: CCE-80494-8 References: SRG-APP-000440-AS-000167, CCI-002421, JBOS-AS-000655
JBoss Version Is Vendor Supported [ref]rule
Obtain vendor support from Red Hat.
Rationale:
The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product. It is imperative that patches and updates be applied to JBoss in a timely manner as many attacks against JBoss focus on unpatched systems. It is critical that support be obtained and made available.
Severity: high Identifiers: CCE-80495-5 References: SRG-APP-000456-AS-000266, CCI-002605, JBOS-AS-000680
JBoss System Is Patched [ref]rule
Configure the operating system and the application server to use a patch management system or process that ensures security-relevant updates are installed within the time period directed by the ISSM.
Rationale:
The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product. It is imperative that patches and updates be applied to JBoss in a timely manner as many attacks against JBoss focus on unpatched systems. It is critical that support be obtained and made available.
Severity: high Identifiers: CCE-80496-3 References: SRG-APP-000456-AS-000266, CCI-002605, JBOS-AS-000685
Use DoD Approved Certificates [ref]rule
Configure the application server to use DoD- or CNSS-approved Class 3 or Class 4 PKI certificates.
Rationale:
Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNSS creates an integrity risk. The application server must utilize approved DoD or CNSS Class 3 or Class 4 certificates for software signing and business-to-business transactions.
Severity: medium Identifiers: CCE-80497-1 References: SRG-APP-000514-AS-000137, CCI-002450, JBOS-AS-000730
Roll Over and Transfer JBoss Logs [ref]rule
Open the web-based management interface by opening a browser and pointing it to
Rationale:
Information stored in one location is vulnerable to accidental or incidental
deletion or alteration. Protecting log data is important during a forensic
investigation to ensure investigators can track and understand what may have
occurred. Off-loading should be set up as a scheduled task but can be
configured to be run manually, if other processes during the off-loading are
manual.
Severity: medium Identifiers: CCE-80498-9 References: SRG-APP-000515-AS-000203, CCI-001851, JBOS-AS-000735