Information
To enable role-based authentication on the queue server, HornetQ must be set up with the directives below.
With basic role-based access control you can restrict access to a particular queue (read/write) and also prevent the creation or deletion of queues.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Set the security-setting parameters to match your requirements:
<subsystem xmlns="urn:jboss:domain:messaging:1.1">
    <hornetq-server>
        <security-settings>
            <security-setting match="#">
                <permission type="send" roles="MyRole"/>
                <permission type="consume" roles="MyRole"/>
                <permission type="createNonDurableQueue" roles="MyRole"/>
                <permission type="deleteNonDurableQueue" roles="MyRole"/>
            </security-setting>
        </security-settings>
    </hornetq-server>
</subsystem>
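
One way to verify the block above on a configuration file, as an added example that is not part of the original check or of Nessus. The function name, the allowed-role set, the treatment of the four permission types as the expected set, and the second sample document are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "urn:jboss:domain:messaging:1.1"}
# Permission types taken from the Solution block; treated here as the expected set.
CHECKED_TYPES = ("send", "consume", "createNonDurableQueue", "deleteNonDurableQueue")

def audit_security_settings(xml_text, allowed_roles):
    """Return a list of findings for the messaging subsystem in xml_text."""
    root = ET.fromstring(xml_text)
    settings = root.findall(
        ".//m:hornetq-server/m:security-settings/m:security-setting", NS)
    findings = []
    if not any(s.get("match") == "#" for s in settings):
        findings.append('no catch-all security-setting match="#"')
    for s in settings:
        match = s.get("match")
        granted = {}
        for p in s.findall("m:permission", NS):
            # Assumption: role names may be separated by spaces or commas.
            roles = {r for r in re.split(r"[,\s]+", p.get("roles", "")) if r}
            granted.setdefault(p.get("type"), set()).update(roles)
        for ptype in CHECKED_TYPES:
            if ptype not in granted:
                findings.append(f'match="{match}": {ptype} not declared')
                continue
            extra = granted[ptype] - set(allowed_roles)
            if extra:
                findings.append(f'match="{match}": {ptype} granted to '
                                f'unexpected role(s): {", ".join(sorted(extra))}')
    return findings

def _doc(permissions):
    # Wraps permission elements in the subsystem structure shown above.
    return ('<subsystem xmlns="urn:jboss:domain:messaging:1.1"><hornetq-server>'
            '<security-settings><security-setting match="#">' + permissions +
            '</security-setting></security-settings></hornetq-server></subsystem>')

# The configuration from the Solution block.
COMPLIANT = _doc("".join(
    f'<permission type="{t}" roles="MyRole"/>' for t in CHECKED_TYPES))
# Constructed sample: an extra role on "send", deleteNonDurableQueue left out.
CONSTRUCTED_BAD = _doc('<permission type="send" roles="guest MyRole"/>'
                       '<permission type="consume" roles="MyRole"/>'
                       '<permission type="createNonDurableQueue" roles="MyRole"/>')

if __name__ == "__main__":
    for line in audit_security_settings(CONSTRUCTED_BAD, {"MyRole"}):
        print(line)
```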