JBOS-AS-000240 - Remote access to JMX subsystem must be disabled.

Information

The JMX subsystem allows you to trigger JDK and application management operations remotely. In a managed domain configuration, the JMX subsystem is removed by default. For a standalone configuration, it is enabled by default and must be removed.

Solution

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
Run the jboss-cli script to start the Command Line Interface (CLI).
Connect to the server and authenticate.

For a Managed Domain configuration you must check each profile name:

For each PROFILE NAME, run the command:
'/profile=<PROFILE NAME>/subsystem=jmx/remoting-connector=jmx:remove'

For a Standalone configuration:
'/subsystem=jmx/remoting-connector=jmx:remove'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_JBoss_EAP_6-3_V2R4_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-213522r954822_rule, STIG-ID|JBOS-AS-000240, STIG-Legacy|SV-76759, STIG-Legacy|V-62269, Vuln-ID|V-213522

Plugin: Unix

Control ID: 1a1fe6c528f8d7de14c7a7115ce7be5797e207510d096624cfe4e9c09855c470