Remote access to JMX subsystem must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-213522 | JBOS-AS-000240 | SV-213522r960963_rule | CCI-000381 | medium |
| Description | ||||
| The JMX subsystem allows you to trigger JDK and application management operations remotely. In a managed domain configuration, the JMX subsystem is removed by default. For a standalone configuration, it is enabled by default and must be removed. | ||||
| STIG | Date | |||
| JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide | 2025-02-20 | |||
Details
Check Text (C-213522r960963_chk)
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
Run the jboss-cli script to start the Command Line Interface (CLI).
Connect to the server and authenticate.
For a Managed Domain configuration, you must check each profile name:
For each PROFILE NAME, run the command:
"ls /profile=<PROFILE NAME>/subsystem=jmx/remoting-connector"
For a Standalone configuration:
"ls /subsystem=jmx/remoting-connector"
If "jmx" is returned, this is a finding.
Fix Text (F-14743r296233_fix)
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
Run the jboss-cli script to start the Command Line Interface (CLI).
Connect to the server and authenticate.
For a Managed Domain configuration you must check each profile name:
For each PROFILE NAME, run the command:
"/profile=<PROFILE NAME>/subsystem=jmx/remoting-connector=jmx:remove"
For a Standalone configuration:
"/subsystem=jmx/remoting-connector=jmx:remove"