The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-213530 | JBOS-AS-000295 | SV-213530r981682_rule | CCI-000196 | medium |
| Description | ||||
| JBoss EAP 6 has a Password Vault to encrypt sensitive strings, store them in an encrypted keystore, and decrypt them for applications and verification systems. Plain-text configuration files, such as XML deployment descriptors, need to specify passwords and other sensitive information. Use the JBoss EAP Password Vault to securely store sensitive strings in plain-text files. | ||||
| STIG | Date | |||
| JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide | 2025-02-20 | |||
Related Frameworks
6 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
IA-5(1)
1.00
- DISA · V2R6 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1714 mappings
3.5.10
1.00
- DISA · V2R6 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.5.7
1.00
- DISA · V2R6 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.5.8
1.00
- DISA · V2R6 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.5.9
1.00
- DISA · V2R6 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000196
1.00
- DISA · V2R6 · disa_xccdf · related
Details
Check Text (C-213530r981682_chk)
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Based on your installation, use the relevant OS commands and syntax to access the standalone or domain configuration folder.
<JBOSS_HOME>/standalone/configuration folder. Review the standalone.xml file. <JBOSS_HOME>/domain/configuration folder.
Review the domain.xml file
If the <vault> section does not exist or if the <vault-option> settings are not configured, this is a finding.
If the <vault> section does not exist or if the <vault-option> settings are not configured, this is a finding.
Fix Text (F-14751r296257_fix)
Configure the application server to use the java keystore and JBoss vault as per section 11.13.1 -Password Vault System in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.
1. Create a java keystore.
2. Mask the keystore password and initialize the password vault.
3. Configure JBoss to use the password vault.