Information
Ensure that only one user ID has write access to the WebSphere Liberty configuration files. If there are multiple administrators, they can use sudo and the /etc/sudoers file to elevate their privilege when write access is required.
WebSphere Liberty server administrators sometimes need the ability to write to server configuration files, but, following the principle of least privilege, they should not operate with write access unless absolutely necessary. Administrators can use sudo and the /etc/sudoers file to elevate their privilege when write access is needed, while operating with read access the rest of the time. Administrators should never share user IDs and passwords.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Create a single, non-login user ID that owns the server's configuration directory. Add any WebSphere administrators to the group that owns the server's configuration directory, which will automatically give them read access to the server's configuration, but not write access. Use sudo and the /etc/sudoers file to allow these administrators to elevate their privilege to the user ID that owns the server's configuration directory when write access is required.
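Because this item is a manual check, the following added example (not part of the benchmark or of Nessus) shows one way to verify the result of the solution above: every entry under the configuration directory has the same owner and nothing is group- or world-writable. The function name is hypothetical and the directory path is supplied by the caller; neither comes from the benchmark.

```shell
#!/bin/sh
# Added example: audit a Liberty server configuration directory for the
# single-writer condition. The directory path is an assumption supplied
# by the caller; it is not taken from the benchmark.

# Print every entry under $1 that breaks the rule; return 0 only if none do.
audit_liberty_config() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # The owner of the top-level directory is treated as the one permitted writer.
    owner=$(ls -ld "$dir" | awk '{print $3}')

    # Entries owned by any other account give a second user ID write access.
    foreign=$(find "$dir" ! -user "$owner" -print)

    # Group- or world-writable entries let members of the administrators'
    # group (or anyone) write without going through sudo. Symlinks are
    # skipped because their own mode bits are not enforced.
    writable=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)

    status=0
    if [ -n "$foreign" ]; then
        printf 'not owned by %s:\n%s\n' "$owner" "$foreign"
        status=1
    fi
    if [ -n "$writable" ]; then
        printf 'group- or world-writable:\n%s\n' "$writable"
        status=1
    fi
    return $status
}

# Run the audit when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_liberty_config "$1"
fi
```

The function inspects only ownership and mode bits; POSIX ACLs on the directory are not examined and should be reviewed separately with getfacl.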