JBOS-AS-000275 - The JBoss server must be configured to use individual accounts and not generic or shared accounts.

Information

To assure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application server users) must be individually identified and authenticated.

A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users.

Application servers must ensure that individual users are authenticated prior to authenticating via role or group authentication. This is to ensure that there is non-repudiation for actions taken.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure the application server so required users are individually authenticated by creating individual user accounts. Utilize an LDAP server that is configured according to DOD policy.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_JBoss_EAP_6-3_V2R4_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(5), CAT|II, CCI|CCI-000770, Rule-ID|SV-213528r956002_rule, STIG-ID|JBOS-AS-000275, STIG-Legacy|SV-76771, STIG-Legacy|V-62281, Vuln-ID|V-213528

Plugin: Unix

Control ID: e67e4eea302d70d136c5d1941fca6984ad38c705d43cf1f2618a6b138ab91923