JBOS-AS-000040 - Users in JBoss Management Security Realms must be in the appropriate role.

Information

Security realms are a series of mappings between users and passwords and users and roles. There are 2 JBoss security realms provided by default; they are 'management realm' and 'application realm'.

Management realm stores authentication information for the management API, which provides functionality for the web-based management console and the management command line interface (CLI).

mgmt-groups.properties stores user to group mapping for the ManagementRealm but only when role-based access controls (RBAC) is enabled.

If management users are not in the appropriate role, unauthorized access to JBoss resources can occur.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Document approved management users and their roles. Configure the application server to use RBAC and ensure users are placed into the appropriate roles.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_JBoss_EAP_6-3_V2R5_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CAT|II, CCI|CCI-000213, Rule-ID|SV-213499r960792_rule, STIG-ID|JBOS-AS-000040, STIG-Legacy|SV-76709, STIG-Legacy|V-62219, Vuln-ID|V-213499

Plugin: Unix

Control ID: d69789b277bafc0a99355a05a7b3eea1313c10fde102cbae034ca39f7135abdf