STIG for JBoss Enterprise Application Platform 6
This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.


ID Severity Title Discussion (Rationale) Fix Text (Description) Check Text (OCIL Check) SRG Refs CCI Refs 800-53 Refs
jboss_eap_audit_privileged_actions medium Audit JBoss Privileged Actions In order to be able to provide a forensic history of activity, the application server must ensure users who are granted a privileged role or those who utilize a separate distinct account when accessing privileged functions or data have their actions logged.

If privileged activity is not logged, no forensic logs can be used to establish accountability for privileged actions that occur on the system.
Launch the jboss-cli management interface substituting standalone or domain for CONFIG based upon the server installation.

<JBOSS_HOME>/CONFIG//bin/jboss-cli


connect to the server and run the following command:

/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
CCI-NaN
jboss_eap_configure_application_authentication high Remove Silent Authentication - Application Security Realm Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis. By default $localuser is a Superuser. This introduces an integrity and availability vulnerability and violates best practice requirements regarding accountability. Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
jboss-cli
script. Connect to the server and authenticate. Remove the local element from the Application Realm. For standalone servers, run the following command:
/core-service=management/securityrealm=ApplicationRealm/authentication=local:remove


For managed domain installations, run the following command:
/host=HOST_NAME/core-service=management/securityrealm=ApplicationRealm/authentication=local:remove
CCI-NaN
jboss_eap_configure_auditing medium Configure JBoss Auditing and Logging Log records can be generated from various components within the JBoss application server. The minimum list of logged events should be those pertaining to access and authentication events to the management interface as well as system startup and shutdown events.

By default, JBoss does not log management interface access but does provide a default file handler. This handler needs to be enabled. Configuring this setting meets several STIG auditing requirements.
Launch the jboss-cli management interface. Connect to the server by typing connect, authenticate as a user in the Superuser role, and run the following command:

For a Managed Domain configuration:
host=master/server/SERVERNAME/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)


For a Standalone configuration:
/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
CCI-NaN
CCI-NaN
CCI-NaN
CCI-NaN
CCI-NaN
CCI-NaN
CCI-NaN
CCI-NaN
jboss_eap_configure_auditor_roles medium Configure JBoss Auditor Role The JBoss server must be configured to select which personnel are assigned the role of selecting which loggable events are to be logged. In JBoss, the role designated for selecting auditable events is the Auditor role. The personnel or roles that can select loggable events are only the ISSM (or individuals or roles appointed by the ISSM). Obtain documented approvals from ISSM, and assign the appropriate personnel into the
Auditor
role.
CCI-NaN
jboss_eap_configure_ha_lb medium Configure Load Balancing (LB) or High Availability (HA) A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the application server, the hosted application and data are given a platform that is load-balanced and provides high availability. Configure the application server to provide LB or HA services for the hosted application. CCI-NaN
jboss_eap_configure_host_access_restrictions high Configure Host Access Restrictions for Applications The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM.

The JVM requires a security policy in order to restrict application access. A properly configured security policy will define what rights the application has to the underlying system. For example, rights to make changes to files on the host system or to initiate network sockets in order to connect to another system.
Configure the Java security manager to enforce access restrictions to the host system resources in accordance with application design and resource requirements. CCI-NaN
jboss_eap_configure_https medium Enable HTTPS for JBoss Web Interface Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk.

Application servers utilize a web management interface and scripted commands when allowing remote access. Web access requires the use of TLS, and scripted access requires using ssh or some other form of approved cryptography. Application servers must have a capability to enable a secure remote admin capability.

FIPS 140-2 approved TLS versions include TLS V1.0 or greater.

FIPS 140-2 approved TLS versions must be enabled, and non-FIPS-approved SSL versions must be disabled.

NIST SP 800-52 specifies the preferred configurations for government systems.
Follow procedure "4.4. Configure the JBoss Web Server to use HTTPS." The detailed procedure is found in the JBoss EAP 6.3 Security Guide available at the vendor's site, RedHat.com. An overview of steps is provided here.

1. Obtain or generate DoD-approved SSL certificates. 2. Configure the SSL certificate using your certificate values. 3. Set the SSL protocol to TLS V1.1 or V1.2.
CCI-NaN
jboss_eap_configure_keystore medium Enable the JBoss Keystore JBoss EAP 6 has a Password Vault to encrypt sensitive strings, store them in an encrypted keystore, and decrypt them for applications and verification systems. Plain-text configuration files, such as XML deployment descriptors, need to specify passwords and other sensitive information. Use the JBoss EAP Password Vault to securely store sensitive strings in plain-text files. Configure the application server to use the java keystore and JBoss vault as per section 11.13.1 -Password Vault System in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document.

1. Create a java keystore. 2. Mask the keystore password and initialize the password vault. 3. Configure JBoss to use the password vault.
CCI-NaN
jboss_eap_configure_ldap medium Configure LDAP To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store that is either local (OS-based) or centralized (Active Directory/LDAP) in nature. It should be noted that JBoss does not specifically mention Active Directory since AD is LDAP aware.

To ensure accountability and prevent unauthorized access, the JBoss Server must be configured to utilize a centralized authentication mechanism.
Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document.

1. Create an outbound connection to the LDAP server. 2. Create an LDAP-enabled security realm. 3. Reference the new security domain in the Management Interface.
CCI-NaN
jboss_eap_configure_log_permissions medium Configure JBoss Log Permissions If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve.

When not configured to use a centralized logging solution like a syslog server, the JBoss EAP application server writes log data to log files that are stored on the OS; appropriate file permissions must be used to restrict access.

Log information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized access.
Configure the OS file permissions on the application server to protect log information from unauthorized access. CCI-NaN
CCI-NaN
CCI-NaN
jboss_eap_configure_logging_level medium Configure JBoss Logging Level 800 records less data and may result in an insufficient amount of information being logged by the ROOT logger. This can result in failed forensic investigations. The ROOT logger level must be INFO level or lower to provide adequate log information. Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
jboss-cli
script to start the Command Line Interface (CLI). Connect to the server and authenticate.

The PROFILE NAMEs included with a Managed Domain JBoss configuration are: default, full, full-ha, or ha For a Managed Domain configuration, you must check each profile name:

For each PROFILE NAME, run the command:
/profile=PROFILE NAME/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)


For a Standalone configuration:
/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)
CCI-NaN
jboss_eap_configure_management_authentication high Remove Silent Authentication - Management Security Realm Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis. By default $localuser is a Superuser. This introduces an integrity and availability vulnerability and violates best practice requirements regarding accountability. Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the
<JBOSS_HOME>/bin/
folder. Run the
jboss-cli
script. Connect to the server and authenticate. Remove the local element from the Management Realm. For standalone servers run the following command:
/core-service=management/securityrealm=ManagementRealm/authentication=local:remove


For managed domain installations run the following command:
/host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication=local:remove
CCI-NaN
jboss_eap_configure_management_ldap medium Configure LDAP for Management Interfaces JBoss EAP provides a security realm called ManagementRealm. By default, this realm uses the mgmt-users.properties file for authentication. Using file-based authentication does not allow the JBoss server to be in compliance with a wide range of user management requirements such as automatic disabling of inactive accounts as per DoD policy. To address this issue, the management interfaces used to manage the JBoss server must be associated with a security realm that provides centralized authentication management. Examples are AD or LDAP. Management of user identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). It is commonly the case that a user account is the name of an information system account associated with an individual. Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document.

1. Create an outbound connection to the LDAP server. 2. Create an LDAP-enabled security realm. 3. Reference the new security domain in the Management Interface.
CCI-NaN
jboss_eap_configure_management_network medium Separate JBoss Management Network JBoss provides multiple interfaces for accessing the system. By default, these are called public and management. Allowing non- management traffic to access the JBoss management interface increases the chances of a security compromise. The JBoss server must be configured to bind the management interface to a network that controls access. This is usually a network that has been designated as a management network and has restricted access. Similarly, the public interface must be bound to a network that is not on the same segment as the management interface. Refer to Section 4.9 of the JBoss EAP 6.3 Installation guide for detailed instructions on how to start JBoss as a service.

Use the following command line parameters to assign the management interface to a specific management network. These command line flags must be added both when starting JBoss as a service and when starting from the command line.

Substitute your actual network address for the 10.x.x.x addresses provided as an example below.

For a standalone configuration:
JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1
JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1


If a management network is not available, you may substitute localhost/127.0.0.1 for management address. This will force you to manage the JBoss server from the local host.
CCI-NaN
jboss_eap_configure_multifactor_authentication medium Configure Multi-Factor Authentication Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Unlike a simple username/password scenario where the attacker could gain access by knowing both the username and password without the user knowing his account was compromised, multifactor authentication adds the requirement that the attacker must have something from the user, such as a token, or to biometrically be the user. Multifactor authentication is defined as: using two or more factors to achieve authentication.

Factors include: (i) something a user knows (e.g., password/PIN); (ii) something a user has (e.g., cryptographic identification device, token); or (iii) something a user is (e.g., biometric). A CAC or PKI Hardware Token meets this definition.

A privileged account is defined as an information system account with authorizations of a privileged user. These accounts would be capable of accessing the web management interface.

When accessing the application server via a network connection, administrative access to the application server must be PKI Hardware Token enabled or a DoD-approved soft certificate.
Configure the application server to authenticate privileged users via multifactor/certificate-based authentication mechanisms when using network access to the management interface. CCI-NaN
jboss_eap_configure_offloading_max medium Configure JBoss Log Off-Loading Frequency JBoss logs by default are written to the local file system. A centralized logging solution like syslog should be used whenever possible; however, any log data stored to the file system needs to be off-loaded. JBoss EAP does not provide an automated backup capability. Instead, reliance is placed on OS or third-party tools to back up or off-load the log files.

Protection of log data includes assuring log data is not accidentally lost or deleted. Off-loading log records to a different system or onto separate media from the system the application server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.
Configure the application server to off-load log records every seven days onto a different system or media from the system being logged. CCI-NaN
jboss_eap_configure_ports medium Configure JBoss Management and Application Ports Some networking protocols may not meet organizational security requirements to protect data and components.

Application servers natively host a number of various features, such as management interfaces, httpd servers and message queues. These features all run on TCPIP ports. This creates the potential that the vendor may choose to utilize port numbers or network services that have been deemed unusable by the organization. The application server must have the capability to both reconfigure and disable the assigned ports without adversely impacting application server operation capabilities.
Open the EAP web console by pointing a web browser to
HTTPS://Servername:9990
Log on to the admin console using admin credentials Select the Configuration tab Expand the General Configuration sub system by clicking on the + Select Socket Binding Select the View option next to standard-sockets Select Inbound

Select the port that needs to be reconfigured and select Edit.
CCI-NaN
jboss_eap_configure_secure_management_access medium Enable HTTPS for Management Sessions Types of management interfaces utilized by the JBoss EAP application server include web-based HTTP interfaces as well as command line-based management interfaces. In the event remote HTTP management is required, the access must be via HTTPS.

This requirement is in conjunction with the requirement to isolate all management access to a restricted network.
Follow the specific instructions in the Red Hat Security Guide for EAP version 6.3 to configure the management console for HTTPS.

This involves the following steps. 1. Create a keystore in JKS format. 2. Ensure the management console binds to HTTPS. 3. Create a new Security Realm. 4. Configure Management Interface to use new security realm. 5. Configure the management console to use the keystore. 6. Restart the EAP server.
CCI-NaN
jboss_eap_configure_security_manager high Enable the Java Security Manager The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM.

The Java Security Manager uses a security policy to determine whether a given action will be permitted or denied.

To protect the host system, the JBoss application server must be run within the Java Security Manager.
For a domain installation: Enable the respective JAVA_OPTS flag in both the domain.conf and the domain.conf.bat files.

For a standalone installation: Enable the respective JAVA_OPTS flag in both the standalone.conf and the standalone.conf.bat files.
CCI-NaN
jboss_eap_configure_security_realm high Secure the JBoss Management Interfaces JBoss utilizes the concept of security realms to secure the management interfaces used for JBoss server administration. If the security realm attribute is omitted or removed from the management interface definition, access to that interface is no longer secure. The JBoss management interfaces must be secured. Identify the security realm used for management of the system. By default, this is called Management Realm.

If a management security realm is not already available, reference the Jboss EAP 6.3 system administration guide for instructions on how to create a security realm for management purposes. Create the management realm, and assign authentication and authorization access restrictions to the management realm.

Assign the management interfaces to the management realm.
CCI-NaN
jboss_eap_configure_syslog medium Enable Logging to syslog Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control or flow control rules invoked.

Off-loading is a common process in information systems with limited log storage capacity.

Centralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application servers and their related components are required to off-load log records onto a different system or media than the system being logged.
Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
jboss-cli
script. Connect to the server and authenticate. Run the command:

Standalone configuration:
ls /subsystem=logging/syslog-handler=


Domain configuration:
ls /profile=default/subsystem=logging/syslog-handler=


If no values are returned, this is a finding.
CCI-NaN
jboss_eap_configure_user_permissions medium Configure mgmt-users.properties File Permissions The mgmt-users.properties file contains the password hashes of all users who are in a management role and must be protected. Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all. Configure the file permissions to allow access to authorized users only. Owner can be full access. Group can be full access. All others must have execute permissions only. CCI-NaN
jboss_eap_configure_user_roles medium Configure JBoss User Roles Security realms are a series of mappings between users and passwords and users and roles. There are 2 JBoss security realms provided by default; they are management realm and application realm.

Management realm stores authentication information for the management API, which provides functionality for the web-based management console and the management command line interface (CLI).

mgmt-groups.properties stores user to group mapping for the ManagementRealm but only when role-based access controls (RBAC) is enabled. If management users are not in the appropriate role, unauthorized access to JBoss resources can occur.
Document approved management users and their roles. Configure the application server to use RBAC and ensure users are placed into the appropriate roles. CCI-NaN
jboss_eap_disable_analytics medium Disable Google Analytics The Google Analytics feature aims to help Red Hat EAP team understand how customers are using the console and which parts of the console matter the most to the customers. This information will, in turn, help the team to adapt the console design, features, and content to the immediate needs of the customers. Sending analytical data to the vendor introduces risk of unauthorized data exfiltration. This capability must be disabled. Using the EAP web console, log on using admin credentials. On the bottom right-hand side of the screen, select Settings, uncheck the Enable Data Usage Collection box, and save the configuration. CCI-NaN
jboss_eap_disable_automatic_deployment medium Disable Automatic Deployment When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant effects on the overall security of the system.

Access restrictions for changes also include application software libraries.

If the application server provides automatic code deployment capability, (where updates to applications hosted on the application server are automatically performed, usually by the developers' IDE tool), it must also provide a capability to restrict the use of automatic application deployment. Automatic code deployments are allowable in a development environment, but not in production.
Determine the JBoss server configuration as being either standalone or domain. Launch the relevant jboss-cli management interface substituting standalone or domain for CONFIG

<JBOSS_HOME>/CONFIG/bin/jboss-cli


connect to the server and run the command:
/subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-enabled,value.)
CCI-NaN
jboss_eap_disable_domain_admin_console medium Disable Network Access to the Admin Console When configuring JBoss application servers into a domain configuration, HTTP management capabilities are not required on domain member servers as management is done via the server that has been designated as the domain controller. Leaving HTTP management capabilities enabled on domain member servers increases the attack surfaces; therefore, management services on domain member servers must be disabled and management services performed via the domain controller. Run the
<JBOSS_HOME>/bin/jboss-clii
command line interface utility. Connect to the JBoss server and run the following command.
/core-service=management/management-interface=httpinterface/:write-attribute(name=console-enabled,value.)


Successful command execution returns
{"outcome" => success"}
, and future attempts to access the management console via web browser at SERVERNAME:9990 will result in no access to the admin console.
CCI-NaN
jboss_eap_disable_replace_welcome_page low Disable or Replace the JBoss Welcome Page The Welcome to JBoss web page provides a redirect to the JBoss admin console, which, by default, runs on TCP 9990 as well as redirects to the Online User Guide and Online User Groups hosted at locations on the Internet. The welcome page is unnecessary and should be disabled or replaced with a valid web page. Use the Management CLI script
$JBOSS_HOME/bin/jboss-cli.sh
to run the following command. You may need to change the profile to modify a different managed domain profile, or remove the
/profile=default
portion of the command for a standalone server.

/profile=default/subsystem=web/virtual-server=default-host:writeattribute(name=enable-welcome-root,value.)


To configure your web application to use the root context (/) as its URL address, modify the applications jboss-web.xml, which is located in the applications META-INF/ or WEB-INF/ directory. Replace its <context-root> directive with one that looks like the following:

/
CCI-NaN
jboss_eap_enable_rbac high Enable Role Based Access Control (RBAC) By default, the JBoss server is not configured to utilize role based access controls (RBAC). RBAC provides the capability to restrict user access to their designated management role, thereby limiting access to only the JBoss functionality that they are supposed to have. Without RBAC, the JBoss server is not able to enforce authorized access according to role. Run the following command.
<JBOSS_HOME>/bin/jboss-cli.sh -c -> connect -> cd
/core-service=management/access-authorization :write-attribute(name=provider,
value=rbac)


Restart JBoss.

Map users to roles by running the following command. Upper-case words are variables.

role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)
CCI-NaN
CCI-NaN
jboss_eap_encrypt_keystore_passwords medium Encrypt JBoss Keystore Passwords Access to the JBoss Password Vault must be secured, and the password used to access must be encrypted. There is a specific process used to generate the encrypted password hash. This process must be followed in order to store the password in an encrypted format.

The admin must utilize this process in order to ensure the Keystore password is encrypted.
Configure the application server to mask the java keystore password as per the procedure described in section 11.13.3 -Password Vault System in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document. CCI-NaN
jboss_eap_file_permissions medium Configure JBoss Application File Permissions The JBoss EAP Application Server is a Java-based AS. It is installed on the OS file system and depends upon file system access controls to protect application data at rest. The file permissions set on the JBoss EAP home folder must be configured so as to limit access to only authorized people and processes. The account used for operating the JBoss server and any designated administrative or operational accounts are the only accounts that should have access.

When data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. Steps must be taken to ensure data stored on the device is protected.
Configure file permissions on the JBoss folder to protect from unauthorized access. CCI-NaN
jboss_eap_log_deployments medium Log Application Deployments Without logging the enforcement of access restrictions against changes to the application server configuration, it will be difficult to identify attempted attacks, and a log trail will not be available for forensic investigation for after-the-fact actions. Configuration changes may occur to any of the modules within the application server through the management interface, but logging of actions to the configuration of a module outside the application server is not logged.

Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Log items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
Launch the jboss-cli management interface substituting standalone or domain for CONFIG based upon the server installation.

<JBOSS_HOME>/CONFIG/bin/jboss-cli


connect to the server and run the following command:

/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)
CCI-NaN
jboss_eap_logs_permissions medium Configure JBoss Log Directory Permissions If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.
Configure file permissions on the JBoss log folder to protect from unauthorized access. CCI-NaN
jboss_eap_remove_group_accounts medium Remove JBoss Group Acount Access To assure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application server users) must be individually identified and authenticated.

A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users.

Application servers must ensure that individual users are authenticated prior to authenticating via role or group authentication. This is to ensure that there is non-repudiation for actions taken.
Configure the application server so required users are individually authenticated by creating individual user accounts. Utilize an LDAP server that is configured according to DOD policy. CCI-NaN
jboss_eap_remove_jmx medium Remove the JMX Subsystem The JMX subsystem allows you to trigger JDK and application management operations remotely. In a managed domain configuration, the JMX subsystem is removed by default. For a standalone configuration, it is enabled by default and must be removed. Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the
jboss-cli
script to start the Command Line Interface (CLI). Connect to the server and authenticate.

For a Managed Domain configuration you must check each profile name:

For each PROFILE NAME, run the command:
/profile=PROFILE NAME/subsystem=jmx/remoting-connector=jmx:remove
For a Standalone configuration:
/subsystem=jmx/remoting-connector=jmx:remove
CCI-NaN
jboss_eap_remove_quickstarts medium Remove JBoss Quickstarts JBoss QuickStarts are demo applications that can be deployed quickly. Demo applications are not written with security in mind and often open new attack vectors. QuickStarts must be removed. Delete the QuickStarts folder. CCI-NaN
jboss_eap_remove_unnecessary_apps medium Remove Unnecessary Applications Extraneous services and applications running on an application server expands the attack surface and increases risk to the application server. Securing any server involves identifying and removing any unnecessary services and, in the case of an application server, unnecessary and/or unapproved applications. Identify, authorize, and document all applications that are deployed to the application server. Remove unauthorized applications. CCI-NaN
jboss_eap_require_password_access medium Require Password Authentication Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Application servers have the capability to utilize either certificates (tokens) or user IDs and passwords in order to authenticate. When the application server transmits or receives passwords, the passwords must be encrypted. Configure the LDAP Security Realm using default settings that sets allow-empty-values to .. LDAP Security Realm creation is described in section 11.9 -Add an LDAP Security Realm in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document. CCI-NaN
jboss_eap_restrict_jboss_account high Restrict the JBoss Account JBoss does not require admin rights to operate and should be run as a regular user. In addition, if the user account was to be compromised and the account was allowed interactive logon rights, this would increase the risk and attack surface against the JBoss system. The right to interactively log on to the system using the JBoss account should be limited according to the OS capabilities. Use the relevant OS commands to restrict JBoss user account from interactively logging on to the console of the JBoss system.

For Windows systems, use GPO. For UNIX like systems using ssh DenyUsers account id or follow established procedure for restricting access.
CCI-NaN
jboss_eap_roll_over_transfer_logs medium Roll Over and Transfer JBoss Logs Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can track and understand what may have occurred. Off-loading should be set up as a scheduled task but can be configured to be run manually, if other processes during the off-loading are manual.

Off-loading is a common process in information systems with limited log storage capacity.
Open the web-based management interface by opening a browser and pointing it to HTTPS://EAP_SERVER:9990/

Authenticate as a user with Admin rights. Navigate to the Configuration tab. Expand + Subsystems. Expand + Core. Select Logging. Select the Handler tab. Select Periodic.

If a periodic file handler does not exist, reference JBoss admin guide for instructions on how to create a file handler that will rotate logs on a daily basis. Create scripts that package and off-load log data at least weekly.
CCI-NaN
jboss_eap_secure_keystore_permissions medium Restrict Access to the JBoss Keystore The cornerstone of the PKI is the private key used to encrypt or digitally sign information.

If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and can pretend to be the authorized user.

Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. Java-based application servers utilize the Java keystore, which provides storage for cryptographic keys and certificates. The keystore is usually maintained in a file stored on the file system.
Configure the application server OS file permissions on the corresponding private key to restrict access to authorized accounts or roles. CCI-NaN
jboss_eap_service_separate_networks medium Use Separate Management and Application Networks The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged user to the management interface before being presented with management functionality. This prevents non- privileged users from having visibility to functions not available to the user. By limiting visibility, a compromised non-privileged account does not offer information to the attacker or functionality and information needed to further the attack on the application server.

JBoss is designed to operate with separate application and management interfaces. The JBoss server is started via a script. To start the JBoss server in domain mode, the admin will execute the /bin/domain.sh or domain.bat script.

To start the JBoss server in standalone mode, the admin will execute /bin/standalone.bat or standalone.sh.

Command line flags are used to specify which network address is used for management and which address is used for public/application access.
Start the application server with a -bmanagement and a -b flag so that admin management functionality and hosted applications are separated.

Refer to section 4.9 in the JBoss EAP 6.3 Installation Guide for specific instructions on how to start the JBoss server as a service.
CCI-NaN
jboss_eap_system_up_to_date high JBoss System Is Patched The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product. It is imperative that patches and updates be applied to JBoss in a timely manner as many attacks against JBoss focus on unpatched systems. It is critical that support be obtained and made available. Configure the operating system and the application server to use a patch management system or process that ensures security-relevant updates are installed within the time period directed by the ISSM. CCI-NaN
jboss_eap_unprivileged_mode high Restrict JBoss Account JBoss EAP application server can be run as the OS admin, which is not advised. Running the application server with admin privileges increases the attack surface by granting the application server more rights than it requires in order to operate. If the server is compromised, the attacker will have the same rights as the application server, which in that case would be admin rights. The JBoss EAP server must not be run as the admin user. Run the JBoss server with non-admin rights. CCI-NaN
jboss_eap_use_approved_ca_cert medium Use Approved DoD Certificate Authorities Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.

The DoD will only accept PKI certificates obtained from a DoD- approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. The application server must only allow the use of DoD PKI- established certificate authorities for verification.
Locate the cacerts file for the JVM. This can be done using the appropriate find command for the OS and change to the directory where the cacerts file is located.

Remove the certificates that have a CA that is non-DoD approved, and import DoD CA-approved certificates.
CCI-NaN
jboss_eap_use_approved_ciphers medium Use Approved Ciphers Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec tunnel.

If data in transit is unencrypted, it is vulnerable to disclosure and modification. If approved cryptographic algorithms are not used, encryption strength cannot be assured.

FIPS 140-2 approved TLS versions include TLS V1.0 or greater.

TLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.
Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red Hat vendor's website for step-by-step instructions on establishing SSL encryption on JBoss.

The overall steps include:

1. Add an HTTPS connector. 2. Configure the SSL encryption certificate and keys. 3. Set the Cipher to an approved algorithm.
CCI-NaN
jboss_eap_use_dod_approved_certs medium Use DoD Approved Certificates Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to- business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The application server must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business-to-business transactions. Configure the application server to use DoD- or CNSS-approved Class 3 or Class 4 PKI certificates. CCI-NaN
jboss_eap_use_secure_ldap_port medium Use Secure Standard LDAP Port Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission.

Application servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the application server utilizes LDAP, the LDAP traffic must be encrypted.
Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document.

1. Create an outbound connection to the LDAP server. 2. Create an LDAP-enabled security realm. 3. Reference the new security domain in the Management Interface.
CCI-NaN
jboss_eap_use_tls medium Use Approves TLS version Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS).

JBoss relies on the underlying SSL implementation running on the OS. This can be either Java based or OpenSSL. The SSL protocol setting determines which SSL protocol is used. SSL has known security vulnerabilities, so TLS should be used instead. If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.

FIPS 140-2 approved TLS versions include TLS V1.0 or greater.

TLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.
Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red Hat vendor's web site for step-by-step instructions on establishing SSL encryption on JBoss.

The overall steps include:

1. Add an HTTPS connector. 2. Configure the SSL encryption certificate and keys. 3. Set the protocol to TLS V1.1 or V1.2.
CCI-NaN
jboss_eap_vendor_supported high JBoss Version Is Vendor Supported The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product. It is imperative that patches and updates be applied to JBoss in a timely manner as many attacks against JBoss focus on unpatched systems. It is critical that support be obtained and made available. Obtain vendor support from Red Hat. CCI-NaN