DISA RedHat JBoss EAP 6.3 STIG v1r4

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA RedHat JBoss EAP 6.3 STIG v1r4

Updated: 1/25/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.5

Estimated Item Count: 73

Audit Items

DescriptionCategories
DISA_STIG_RedHat_JBoss_EAP_6.3_v1r4.audit from DISA JBoss EAP 6.3 v1r4 STIG
JBOS-AS-000010 - HTTP management session traffic must be encrypted.

SYSTEM AND COMMUNICATIONS PROTECTION

JBOS-AS-000015 - HTTPS must be enabled for JBoss web interfaces.

SYSTEM AND COMMUNICATIONS PROTECTION

JBOS-AS-000025 - Java permissions must be set for hosted applications.
JBOS-AS-000030 - The Java Security Manager must be enabled for the JBoss application server - java.security.manager

SYSTEM AND INFORMATION INTEGRITY

JBOS-AS-000030 - The Java Security Manager must be enabled for the JBoss application server - java.security.policy

SYSTEM AND INFORMATION INTEGRITY

JBOS-AS-000035 - The JBoss server must be configured with Role Based Access Controls.

ACCESS CONTROL

JBOS-AS-000040 - Users in JBoss Management Security Realms must be in the appropriate role.
JBOS-AS-000045 - Silent Authentication must be removed from the Default Application Security Realm.

IDENTIFICATION AND AUTHENTICATION

JBOS-AS-000050 - Silent Authentication must be removed from the Default Management Security Realm.

IDENTIFICATION AND AUTHENTICATION

JBOS-AS-000075 - JBoss management interfaces must be secured - http-interface

SYSTEM AND COMMUNICATIONS PROTECTION

JBOS-AS-000075 - JBoss management interfaces must be secured - native-interface

SYSTEM AND COMMUNICATIONS PROTECTION

JBOS-AS-000080 - The JBoss server must generate log records for access and authentication events to the management interface.

AUDIT AND ACCOUNTABILITY

JBOS-AS-000085 - JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.

AUDIT AND ACCOUNTABILITY

JBOS-AS-000095 - JBoss must be configured to initiate session logging upon startup.

AUDIT AND ACCOUNTABILITY

JBOS-AS-000105 - JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.

AUDIT AND ACCOUNTABILITY

JBOS-AS-000110 - JBoss must be configured to produce log records containing information to establish what type of events occurred.

AUDIT AND ACCOUNTABILITY

JBOS-AS-000115 - JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.

AUDIT AND ACCOUNTABILITY

JBOS-AS-000120 - JBoss must be configured to produce log records that establish which hosted application triggered the events.
JBOS-AS-000125 - JBoss must be configured to record the IP address and port information used by management interface network traffic.

AUDIT AND ACCOUNTABILITY

JBOS-AS-000130 - The application server must produce log records that contain sufficient information to establish the outcome of events.

AUDIT AND ACCOUNTABILITY

JBOS-AS-000135 - JBoss ROOT logger must be configured to utilize the appropriate logging level.

AUDIT AND ACCOUNTABILITY

JBOS-AS-000165 - File permissions must be configured to protect log information from any type of unauthorized read access.
JBOS-AS-000170 - File permissions must be configured to protect log information from unauthorized modification.
JBOS-AS-000175 - File permissions must be configured to protect log information from unauthorized deletion.
JBOS-AS-000195 - JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.
JBOS-AS-000210 - mgmt-users.properties file permissions must be set to allow access to authorized users only.

CONFIGURATION MANAGEMENT

JBOS-AS-000220 - JBoss process owner interactive access must be restricted - /etc/passwd shell

ACCESS CONTROL

JBOS-AS-000220 - JBoss process owner interactive access must be restricted - ssh DenyUsers

ACCESS CONTROL

JBOS-AS-000225 - Google Analytics must be disabled in EAP Console.
JBOS-AS-000230 - JBoss process owner execution permissions must be limited.

ACCESS CONTROL

JBOS-AS-000235 - JBoss QuickStarts must be removed - JBoss QuickStarts must be removed.

CONFIGURATION MANAGEMENT

JBOS-AS-000240 - Remote access to JMX subsystem must be disabled.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

JBOS-AS-000245 - Welcome Web Application must be disabled - Welcome Web Application must be disabled.

CONFIGURATION MANAGEMENT

JBOS-AS-000250 - Any unapproved applications must be removed - Any unapproved applications must be removed.

CONFIGURATION MANAGEMENT

JBOS-AS-000255 - JBoss application and management ports must be approved by the PPSM CAL.

CONFIGURATION MANAGEMENT

JBOS-AS-000260 - The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.

IDENTIFICATION AND AUTHENTICATION

JBOS-AS-000265 - The JBoss Server must be configured to use certificates to authenticate admins.

IDENTIFICATION AND AUTHENTICATION

JBOS-AS-000275 - The JBoss server must be configured to use individual accounts and not generic or shared accounts.

ACCESS CONTROL

JBOS-AS-000285 - The JBoss server must be configured to bind the management interfaces to only management networks.
JBOS-AS-000290 - JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.

IDENTIFICATION AND AUTHENTICATION

JBOS-AS-000295 - The JBoss Password Vault must be used for storing passwords or other sensitive configuration information - vault

IDENTIFICATION AND AUTHENTICATION

JBOS-AS-000295 - The JBoss Password Vault must be used for storing passwords or other sensitive configuration information - vault-option

IDENTIFICATION AND AUTHENTICATION

JBOS-AS-000300 - JBoss KeyStore and Truststore passwords must not be stored in clear text.
JBOS-AS-000305 - LDAP enabled security realm value allow-empty-passwords must be set to false.

IDENTIFICATION AND AUTHENTICATION

JBOS-AS-000310 - JBoss must utilize encryption when using LDAP for authentication.

SYSTEM AND COMMUNICATIONS PROTECTION

JBOS-AS-000320 - The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators - directory

CONFIGURATION MANAGEMENT

JBOS-AS-000320 - The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators - keystore file

CONFIGURATION MANAGEMENT

JBOS-AS-000355 - The JBoss server must separate hosted application functionality from application server management functionality.

ACCESS CONTROL

JBOS-AS-000400 - JBoss file permissions must be configured to protect the confidentiality and integrity of application files.

CONFIGURATION MANAGEMENT