| V-213494 | | HTTP management session traffic must be encrypted. | Types of management interfaces utilized by the JBoss EAP application server include web-based HTTP interfaces as well as command line-based management... |
| V-213495 | | HTTPS must be enabled for JBoss web interfaces. | Encryption is critical for protection of web-based traffic. If encryption is not being used to protect the application server's web connectors, malici... |
| V-213499 | | Users in JBoss Management Security Realms must be in the appropriate role. | Security realms are a series of mappings between users and passwords and users and roles. There are 2 JBoss security realms provided by default; they... |
| V-213503 | | The JBoss server must generate log records for access and authentication events to the management interface. | Log records can be generated from various components within the JBoss application server. The minimum list of logged events should be those pertainin... |
| V-213504 | | JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged. | The JBoss server must be configured to select which personnel are assigned the role of selecting which loggable events are to be logged.
In JBoss, the... |
| V-213505 | | JBoss must be configured to initiate session logging upon startup. | Session logging activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executiv... |
| V-213506 | | JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster. | Information system logging capability is critical for accurate forensic analysis. Without being able to establish what type of event occurred, it wou... |
| V-213507 | | JBoss must be configured to produce log records containing information to establish what type of events occurred. | Information system logging capability is critical for accurate forensic analysis. Without being able to establish what type of event occurred, it wou... |
| V-213508 | | JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred. | Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of th... |
| V-213509 | | JBoss must be configured to produce log records that establish which hosted application triggered the events. | Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of th... |
| V-213510 | | JBoss must be configured to record the IP address and port information used by management interface network traffic. | Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of th... |
| V-213511 | | The application server must produce log records that contain sufficient information to establish the outcome of events. | Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement ... |
| V-213512 | | JBoss ROOT logger must be configured to utilize the appropriate logging level. | Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement ... |
| V-213513 | | File permissions must be configured to protect log information from any type of unauthorized read access. | If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is ... |
| V-213514 | | File permissions must be configured to protect log information from unauthorized modification. | If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is ... |
| V-213515 | | File permissions must be configured to protect log information from unauthorized deletion. | If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is ... |
| V-213516 | | JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days. | JBoss logs by default are written to the local file system. A centralized logging solution like syslog should be used whenever possible; however, any... |
| V-213517 | | mgmt-users.properties file permissions must be set to allow access to authorized users only. | The mgmt-users.properties file contains the password hashes of all users who are in a management role and must be protected. Application servers have... |
| V-213519 | | Google Analytics must be disabled in EAP Console. | The Google Analytics feature aims to help Red Hat EAP team understand how customers are using the console and which parts of the console matter the mo... |
| V-213521 | | JBoss QuickStarts must be removed. | JBoss QuickStarts are demo applications that can be deployed quickly. Demo applications are not written with security in mind and often open new atta... |
| V-213522 | | Remote access to JMX subsystem must be disabled. | The JMX subsystem allows you to trigger JDK and application management operations remotely. In a managed domain configuration, the JMX subsystem is r... |
| V-213524 | | Any unapproved applications must be removed. | Extraneous services and applications running on an application server expands the attack surface and increases risk to the application server. Securin... |
| V-213525 | | JBoss application and management ports must be approved by the PPSM CAL. | Some networking protocols may not meet organizational security requirements to protect data and components.
Application servers natively host a numbe... |
| V-213526 | | The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP. | To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically a... |
| V-213527 | | The JBoss Server must be configured to use certificates to authenticate admins. | Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one ... |
| V-213528 | | The JBoss server must be configured to use individual accounts and not generic or shared accounts. | To assure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application serve... |
| V-213529 | | JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy. | JBoss EAP provides a security realm called ManagementRealm. By default, this realm uses the mgmt-users.properties file for authentication. Using fil... |
| V-213530 | | The JBoss Password Vault must be used for storing passwords or other sensitive configuration information. | JBoss EAP 6 has a Password Vault to encrypt sensitive strings, store them in an encrypted keystore, and decrypt them for applications and verification... |
| V-213531 | | JBoss KeyStore and Truststore passwords must not be stored in clear text. | Access to the JBoss Password Vault must be secured, and the password used to access must be encrypted. There is a specific process used to generate t... |
| V-213532 | | LDAP enabled security realm value allow-empty-passwords must be set to false. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not... |
| V-213533 | | JBoss must utilize encryption when using LDAP for authentication. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission.
Application servers ... |
| V-213534 | | The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators. | The cornerstone of the PKI is the private key used to encrypt or digitally sign information.
If the private key is stolen, this will lead to the comp... |
| V-213535 | | The JBoss server must separate hosted application functionality from application server management functionality. | The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications,... |
| V-213536 | | JBoss file permissions must be configured to protect the confidentiality and integrity of application files. | The JBoss EAP Application Server is a Java-based AS. It is installed on the OS file system and depends upon file system access controls to protect ap... |
| V-213537 | | Access to JBoss log files must be restricted to authorized users. | If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure... |
| V-213538 | | Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller. | When configuring JBoss application servers into a domain configuration, HTTP management capabilities are not required on domain member servers as mana... |
| V-213539 | | The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-213540 | | The JBoss server must be configured to log all admin activity. | In order to be able to provide a forensic history of activity, the application server must ensure users who are granted a privileged role or those who... |
| V-213541 | | The JBoss server must be configured to utilize syslog logging. | Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement ... |
| V-213542 | | Production JBoss servers must not allow automatic application deployment. | When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server conf... |
| V-213543 | | Production JBoss servers must log when failed application deployments occur. | Without logging the enforcement of access restrictions against changes to the application server configuration, it will be difficult to identify attem... |
| V-213544 | | Production JBoss servers must log when successful application deployments occur. | Without logging the enforcement of access restrictions against changes to the application server configuration, it will be difficult to identify attem... |
| V-213545 | | JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD syst... |
| V-213546 | | The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster. | A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A ... |
| V-213547 | | JBoss must be configured to use an approved TLS version. | Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism... |
| V-213548 | | JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS. | Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography i... |
| V-213551 | | JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur. | Changing privileges of a subject/object may cause a subject/object to gain or lose capabilities. When successful/unsuccessful changes are made, the e... |
| V-213552 | | JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur. | Deleting privileges of a subject/object may cause a subject/object to gain or lose capabilities. When successful and unsuccessful privilege deletions... |
| V-213553 | | JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur. | Logging the access to the application server allows the system administrators to monitor user accounts. By logging successful/unsuccessful logons, th... |
| V-213554 | | JBoss must be configured to generate log records for privileged activities. | Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate,... |
| V-213555 | | JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface. | Determining when a user has accessed the management interface is important to determine the timeline of events when a security incident occurs. Gener... |
| V-213556 | | JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface. | Concurrent logons from different systems could possibly indicate a compromised account. When concurrent logons are made from different workstations t... |
| V-213557 | | JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events. | The maintenance of user accounts is a key activity within the system to determine access and privileges. Through changes to accounts, an attacker can... |
| V-213558 | | The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates. | Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business... |
| V-213559 | | JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forens... |
| V-217099 | | The JBoss server must be configured to bind the management interfaces to only management networks. | JBoss provides multiple interfaces for accessing the system. By default, these are called "public" and "management". Allowing non-management traffic... |
| V-213523 | | Welcome Web Application must be disabled. | The Welcome to JBoss web page provides a redirect to the JBoss admin console, which, by default, runs on TCP 9990 as well as redirects to the Online U... |
| V-213496 | | Java permissions must be set for hosted applications. | The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing... |
| V-213497 | | The Java Security Manager must be enabled for the JBoss application server. | The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing... |
| V-213498 | | The JBoss server must be configured with Role Based Access Controls. | By default, the JBoss server is not configured to utilize role based access controls (RBAC). RBAC provides the capability to restrict user access to ... |
| V-213500 | | Silent Authentication must be removed from the Default Application Security Realm. | Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specific... |
| V-213501 | | Silent Authentication must be removed from the Default Management Security Realm. | Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specific... |
| V-213502 | | JBoss management interfaces must be secured. | JBoss utilizes the concept of security realms to secure the management interfaces used for JBoss server administration. If the security realm attribu... |
| V-213518 | | JBoss process owner interactive access must be restricted. | JBoss does not require admin rights to operate and should be run as a regular user. In addition, if the user account was to be compromised and the ac... |
| V-213520 | | JBoss process owner execution permissions must be limited. | JBoss EAP application server can be run as the OS admin, which is not advised. Running the application server with admin privileges increases the att... |
| V-213549 | | Production JBoss servers must be supported by the vendor. | The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product. It is imperat... |
| V-213550 | | The JRE installed on the JBoss server must be kept up to date. | The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product. It is imperat... |
