UCF STIG Viewer Logo

The MySQL DatabasePassword key must be removed or set to a blank value in the database configuration file in Jamf Pro EMM.


Overview

Finding ID Version Rule ID IA Controls Severity
V-99607 JAMF-10-100120 SV-108711r1_rule Medium
Description
If the database password is not removed or set to a blank value in the configuration file, the user is not forced to enter the password, which would allow an adversary to access to access the database. SFR ID: FMT_SMF.1(2)b. / CM-5(10) Satisfies: SRG-APP-000380
STIG Date
Jamf Pro v10.x EMM Security Technical Implementation Guide 2020-02-04

Details

Check Text ( C-98457r1_chk )
Verify the MySQL key has been removed or set to a blank value in Jamf Pro EMM.

1. On the Jamf Pro server, navigate to the JSS/Tomcat/webapps/ROOT/WEB-INF/xml.
2. Find the "Database.xml" file and open it in a text editor.
3. Find the .
4. Verify that there is no password.

If the MySQL key has not been removed or not set to a blank value, this is a finding.
Fix Text (F-105291r1_fix)
Remove the MySQL key or set to a blank value in Jamf Pro EMM.

If the database password is removed from the configuration file, the database password must be entered manually for the Jamf Pro EMM server web app during startup. In a clustered environment, the database password must be entered manually for each individual node.

Note: Default values are included below for reference only. Use unique values in production environments.


...
jamfsoftware
jamfsoftware

...