JBOS-AS-000425 - Access to JBoss log files must be restricted to authorized users.

Information

If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.

Solution

Configure file permissions on the JBoss log folder to protect from unauthorized access.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_JBoss_EAP_6-3_V2R4_STIG.zip

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-11b., CAT|II, CCI|CCI-001314, Rule-ID|SV-213537r956037_rule, STIG-ID|JBOS-AS-000425, STIG-Legacy|SV-76791, STIG-Legacy|V-62301, Vuln-ID|V-213537

Plugin: Unix

Control ID: 3cd0ac10427d780d15fbdf02200957a6419741866e442db34c7f10e4fd8023bb