DISA RedHat JBoss EAP 6.3 STIG v1r4

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA RedHat JBoss EAP 6.3 STIG v1r4

Updated: 1/25/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.5

Estimated Item Count: 73

Audit Items

Description	Categories
DISA_STIG_RedHat_JBoss_EAP_6.3_v1r4.audit from DISA JBoss EAP 6.3 v1r4 STIG
JBOS-AS-000010 - HTTP management session traffic must be encrypted.	SYSTEM AND COMMUNICATIONS PROTECTION
JBOS-AS-000015 - HTTPS must be enabled for JBoss web interfaces.	SYSTEM AND COMMUNICATIONS PROTECTION
JBOS-AS-000025 - Java permissions must be set for hosted applications.
JBOS-AS-000030 - The Java Security Manager must be enabled for the JBoss application server - java.security.manager	SYSTEM AND INFORMATION INTEGRITY
JBOS-AS-000030 - The Java Security Manager must be enabled for the JBoss application server - java.security.policy	SYSTEM AND INFORMATION INTEGRITY
JBOS-AS-000035 - The JBoss server must be configured with Role Based Access Controls.	ACCESS CONTROL
JBOS-AS-000040 - Users in JBoss Management Security Realms must be in the appropriate role.
JBOS-AS-000045 - Silent Authentication must be removed from the Default Application Security Realm.	IDENTIFICATION AND AUTHENTICATION
JBOS-AS-000050 - Silent Authentication must be removed from the Default Management Security Realm.	IDENTIFICATION AND AUTHENTICATION
JBOS-AS-000075 - JBoss management interfaces must be secured - http-interface	SYSTEM AND COMMUNICATIONS PROTECTION
JBOS-AS-000075 - JBoss management interfaces must be secured - native-interface	SYSTEM AND COMMUNICATIONS PROTECTION
JBOS-AS-000080 - The JBoss server must generate log records for access and authentication events to the management interface.	AUDIT AND ACCOUNTABILITY
JBOS-AS-000085 - JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.	AUDIT AND ACCOUNTABILITY
JBOS-AS-000095 - JBoss must be configured to initiate session logging upon startup.	AUDIT AND ACCOUNTABILITY
JBOS-AS-000105 - JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.	AUDIT AND ACCOUNTABILITY
JBOS-AS-000110 - JBoss must be configured to produce log records containing information to establish what type of events occurred.	AUDIT AND ACCOUNTABILITY
JBOS-AS-000115 - JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.	AUDIT AND ACCOUNTABILITY
JBOS-AS-000120 - JBoss must be configured to produce log records that establish which hosted application triggered the events.
JBOS-AS-000125 - JBoss must be configured to record the IP address and port information used by management interface network traffic.	AUDIT AND ACCOUNTABILITY
JBOS-AS-000130 - The application server must produce log records that contain sufficient information to establish the outcome of events.	AUDIT AND ACCOUNTABILITY
JBOS-AS-000135 - JBoss ROOT logger must be configured to utilize the appropriate logging level.	AUDIT AND ACCOUNTABILITY
JBOS-AS-000165 - File permissions must be configured to protect log information from any type of unauthorized read access.
JBOS-AS-000170 - File permissions must be configured to protect log information from unauthorized modification.
JBOS-AS-000175 - File permissions must be configured to protect log information from unauthorized deletion.
JBOS-AS-000195 - JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.
JBOS-AS-000210 - mgmt-users.properties file permissions must be set to allow access to authorized users only.	CONFIGURATION MANAGEMENT
JBOS-AS-000220 - JBoss process owner interactive access must be restricted - /etc/passwd shell	ACCESS CONTROL
JBOS-AS-000220 - JBoss process owner interactive access must be restricted - ssh DenyUsers	ACCESS CONTROL
JBOS-AS-000225 - Google Analytics must be disabled in EAP Console.
JBOS-AS-000230 - JBoss process owner execution permissions must be limited.	ACCESS CONTROL
JBOS-AS-000235 - JBoss QuickStarts must be removed - JBoss QuickStarts must be removed.	CONFIGURATION MANAGEMENT
JBOS-AS-000240 - Remote access to JMX subsystem must be disabled.	ACCESS CONTROL, CONFIGURATION MANAGEMENT
JBOS-AS-000245 - Welcome Web Application must be disabled - Welcome Web Application must be disabled.	CONFIGURATION MANAGEMENT
JBOS-AS-000250 - Any unapproved applications must be removed - Any unapproved applications must be removed.	CONFIGURATION MANAGEMENT
JBOS-AS-000255 - JBoss application and management ports must be approved by the PPSM CAL.	CONFIGURATION MANAGEMENT
JBOS-AS-000260 - The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.	IDENTIFICATION AND AUTHENTICATION
JBOS-AS-000265 - The JBoss Server must be configured to use certificates to authenticate admins.	IDENTIFICATION AND AUTHENTICATION
JBOS-AS-000275 - The JBoss server must be configured to use individual accounts and not generic or shared accounts.	ACCESS CONTROL
JBOS-AS-000285 - The JBoss server must be configured to bind the management interfaces to only management networks.
JBOS-AS-000290 - JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.	IDENTIFICATION AND AUTHENTICATION
JBOS-AS-000295 - The JBoss Password Vault must be used for storing passwords or other sensitive configuration information - vault	IDENTIFICATION AND AUTHENTICATION
JBOS-AS-000295 - The JBoss Password Vault must be used for storing passwords or other sensitive configuration information - vault-option	IDENTIFICATION AND AUTHENTICATION
JBOS-AS-000300 - JBoss KeyStore and Truststore passwords must not be stored in clear text.
JBOS-AS-000305 - LDAP enabled security realm value allow-empty-passwords must be set to false.	IDENTIFICATION AND AUTHENTICATION
JBOS-AS-000310 - JBoss must utilize encryption when using LDAP for authentication.	SYSTEM AND COMMUNICATIONS PROTECTION
JBOS-AS-000320 - The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators - directory	CONFIGURATION MANAGEMENT
JBOS-AS-000320 - The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators - keystore file	CONFIGURATION MANAGEMENT
JBOS-AS-000355 - The JBoss server must separate hosted application functionality from application server management functionality.	ACCESS CONTROL
JBOS-AS-000400 - JBoss file permissions must be configured to protect the confidentiality and integrity of application files.	CONFIGURATION MANAGEMENT

Detections

Analytics

DISA RedHat JBoss EAP 6.3 STIG v1r4

Warning! Audit Deprecated

Audit Details

Audit Items