Users in a reader-role must be authorized.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-250342 | IBMW-LS-000790 | SV-250342r961353_rule | CCI-002235 | medium |

Description: The reader role is a management role that allows read-only access to select administrative REST APIs as well as the Admin Center UI (adminCenter-1.0). Preventing non-privileged users from viewing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Users granted reader role access must be authorized.

| STIG | Date |
|---|---|
| IBM WebSphere Liberty Server Security Technical Implementation Guide | 2025-02-11 |
Related Frameworks
NIST 800-53 mapping: AC-6(10)
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 mapping: 3.1.7
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI mapping: CCI-002235
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-250342r961353_chk)
As a user with access to the ${server.config.dir}/server.xml file, review its contents and identify whether any users or groups have been granted the reader-role:
grep -i reader-role ${server.config.dir}/server.xml
If the reader-role has been created, users in that role must be documented and approved.
If users in the reader-role are not approved, this is a finding.
EXAMPLE:
<featureManager>
    <feature>appSecurity-2.0</feature>
</featureManager>
<reader-role>
    <group>group</group>
    <group-access-id>group:realmName/groupUniqueId</group-access-id>
    <user>user</user>
    <user-access-id>user:realmName/userUniqueId</user-access-id>
</reader-role>
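As an added example that is not part of the STIG text or IBM's own tooling, the following Python script performs the check above programmatically: it parses a server.xml (here a constructed fragment wrapped in the <server> root element a Liberty server.xml has), lists every user and group assigned to <reader-role>, and reports any member that is absent from the documented approval list. The approval list, member names and realm values are assumptions constructed for the example.

```python
# Added example: audit <reader-role> membership in a Liberty server.xml against
# the documented approval list, as the STIG check requires.
import xml.etree.ElementTree as ET

# Constructed server.xml mirroring the STIG example; a real check would read
# ${server.config.dir}/server.xml from disk.
SAMPLE_SERVER_XML = """<server>
  <featureManager><feature>appSecurity-2.0</feature></featureManager>
  <reader-role>
    <group>ops-readers</group>
    <group-access-id>group:SampleLdapRealm/cn=ops-readers,ou=groups</group-access-id>
    <user>auditor1</user>
    <user>contractor7</user>
    <user-access-id>user:SampleLdapRealm/uid=auditor1,ou=people</user-access-id>
  </reader-role>
</server>"""

# Constructed approval record: the members documented and approved for reader-role.
APPROVED = {
    "user": {"auditor1"},
    "user-access-id": {"user:SampleLdapRealm/uid=auditor1,ou=people"},
    "group": {"ops-readers"},
    "group-access-id": {"group:SampleLdapRealm/cn=ops-readers,ou=groups"},
}

# The four element types Liberty accepts inside <reader-role>.
MEMBER_TAGS = ("user", "user-access-id", "group", "group-access-id")


def reader_role_members(server_xml: str) -> dict:
    """Return {tag: [values]} for every member element under any <reader-role>."""
    root = ET.fromstring(server_xml)
    members = {tag: [] for tag in MEMBER_TAGS}
    for role in root.iter("reader-role"):
        for tag in MEMBER_TAGS:
            for el in role.findall(tag):
                # strip(): stray whitespace around an access id would not match
                # the registry entry and would hide the real membership
                members[tag].append((el.text or "").strip())
    return members


def audit_reader_role(server_xml: str, approved: dict) -> list:
    """Return (tag, value) pairs present in server.xml but not approved.
    An empty list means no finding (including when no <reader-role> exists)."""
    members = reader_role_members(server_xml)
    return [(tag, v) for tag in MEMBER_TAGS for v in members[tag]
            if v not in approved.get(tag, set())]


if __name__ == "__main__":
    for tag, value in audit_reader_role(SAMPLE_SERVER_XML, APPROVED):
        print(f"FINDING: unapproved reader-role <{tag}>{value}</{tag}>")
```

Against the constructed input the script reports only contractor7, the one user not on the approval list.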
Fix Text (F-53731r862991_fix)
Edit the ${server.config.dir}/server.xml file. If unauthorized users have been added to the reader-role, remove those users.
Otherwise, document the users who are granted the reader-role access.
To allow read-only access to select administrative REST APIs, the ${server.config.dir}/server.xml must be configured as follows. Additionally, the users and groups they are a part of must be defined within LDAP.
EXAMPLE:
<featureManager>
    <feature>appSecurity-2.0</feature>
</featureManager>
<reader-role>
    <group>group</group>
    <group-access-id>group:realmName/groupUniqueId</group-access-id>
    <user>user</user>
    <user-access-id>user:realmName/userUniqueId</user-access-id>
</reader-role>
<ldapRegistry id="ldap" realm="SampleLdapRealm"
    host="${ldap.server.name}" port="${ldap.server.port}" ignoreCase="true"
    baseDN="${ldap.server.base.dn}"
    ldapType="${ldap.vendor.type}"
    searchTimeout="8m">
</ldapRegistry>