CCE Identifiers in Guide to the Secure Configuration of JBoss EAP 6


CCE ID: CCE-80487-2
Rule Title: Audit JBoss Privileged Actions
Description: Launch the jboss-cli management interface, substituting standalone or domain for CONFIG based upon the server installation:

<JBOSS_HOME>/CONFIG/bin/jboss-cli

Connect to the server and run the following command:

/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)

CCE ID: CCE-80491-4
Rule Title: Use Approved DoD Certificate Authorities
Description: Locate the cacerts file for the JVM. This can be done using the appropriate find command for the OS; then change to the directory where the cacerts file is located.

Remove the certificates whose CA is not DoD-approved, and import DoD CA-approved certificates.

CCE ID: CCE-80450-0
Rule Title: Enable HTTPS for Management Sessions
Description: Follow the specific instructions in the Red Hat Security Guide for EAP version 6.3 to configure the management console for HTTPS. This involves the following steps:

1. Create a keystore in JKS format.
2. Ensure the management console binds to HTTPS.
3. Create a new Security Realm.
4. Configure the Management Interface to use the new security realm.
5. Configure the management console to use the keystore.
6. Restart the EAP server.
CCE ID: CCE-80456-7
Rule Title: Remove Silent Authentication - Application Security Realm
Description: Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script. Connect to the server and authenticate. Remove the local element from the Application Realm. For standalone servers, run the following command:

/core-service=management/security-realm=ApplicationRealm/authentication=local:remove

For managed domain installations, run the following command:

/host=HOST_NAME/core-service=management/security-realm=ApplicationRealm/authentication=local:remove

CCE ID: CCE-80457-5
Rule Title: Remove Silent Authentication - Management Security Realm
Description: Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script. Connect to the server and authenticate. Remove the local element from the Management Realm. For standalone servers, run the following command:

/core-service=management/security-realm=ManagementRealm/authentication=local:remove

For managed domain installations, run the following command:

/host=HOST_NAME/core-service=management/security-realm=ManagementRealm/authentication=local:remove

CCE ID: CCE-80455-9
Rule Title: Configure JBoss User Roles
Description: Document approved management users and their roles. Configure the application server to use RBAC and ensure users are placed into the appropriate roles.
CCE ID: CCE-80486-4
Rule Title: Disable Network Access to the Admin Console
Description: Run the <JBOSS_HOME>/bin/jboss-cli command line interface utility. Connect to the JBoss server and run the following command:

/core-service=management/management-interface=http-interface:write-attribute(name=console-enabled,value=false)

Successful command execution returns {"outcome" => "success"}, and future attempts to access the management console via web browser at SERVERNAME:9990 will result in no access to the admin console.

CCE ID: CCE-80458-3
Rule Title: Secure the JBoss Management Interfaces
Description: Identify the security realm used for management of the system. By default, this is called ManagementRealm.

If a management security realm is not already available, reference the JBoss EAP 6.3 system administration guide for instructions on how to create a security realm for management purposes. Create the management realm, and assign authentication and authorization access restrictions to the management realm.

Assign the management interfaces to the management realm.

CCE ID: CCE-80490-6
Rule Title: Log Application Deployments
Description: Launch the jboss-cli management interface, substituting standalone or domain for CONFIG based upon the server installation:

<JBOSS_HOME>/CONFIG/bin/jboss-cli

Connect to the server and run the following command:

/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)

CCE ID: CCE-80463-3
Rule Title: Configure JBoss Log Off-Loading Frequency
Description: Configure the application server to off-load log records every seven days onto a different system or media from the system being logged.
CCE ID: CCE-80470-8
Rule Title: Disable or Replace the JBoss Welcome Page
Description: Use the Management CLI script $JBOSS_HOME/bin/jboss-cli.sh to run the following command. You may need to change the profile to modify a different managed domain profile, or remove the /profile=default portion of the command for a standalone server.

/profile=default/subsystem=web/virtual-server=default-host:write-attribute(name=enable-welcome-root,value=false)

To configure your web application to use the root context (/) as its URL address, modify the application's jboss-web.xml, which is located in the application's META-INF/ or WEB-INF/ directory. Replace its <context-root> directive with one that looks like the following:

<context-root>/</context-root>

CCE ID: CCE-80465-8
Rule Title: Restrict the JBoss Account
Description: Use the relevant OS commands to restrict the JBoss user account from interactively logging on to the console of the JBoss system.

For Windows systems, use GPO. For UNIX-like systems, use the ssh DenyUsers directive with the account id, or follow established procedure for restricting access.

CCE ID: CCE-80453-4
Rule Title: Enable the Java Security Manager
Description: For a domain installation: enable the respective JAVA_OPTS flag in both the domain.conf and the domain.conf.bat files.

For a standalone installation: enable the respective JAVA_OPTS flag in both the standalone.conf and the standalone.conf.bat files.

CCE ID: CCE-80495-5
Rule Title: JBoss Version Is Vendor Supported
Description: Obtain vendor support from Red Hat.
CCE ID: CCE-80459-1
Rule Title: Configure JBoss Auditing and Logging
Description: Launch the jboss-cli management interface. Connect to the server by typing connect, authenticate as a user in the SuperUser role, and run the following command.

For a Managed Domain configuration:

/host=master/server=SERVERNAME/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)

For a Standalone configuration:

/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)

CCE ID: CCE-80494-8
Rule Title: Use Approved Ciphers
Description: Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red Hat vendor's website for step-by-step instructions on establishing SSL encryption on JBoss. The overall steps include:

1. Add an HTTPS connector.
2. Configure the SSL encryption certificate and keys.
3. Set the cipher to an approved algorithm.

CCE ID: CCE-80477-3
Rule Title: Configure LDAP for Management Interfaces
Description: Follow the steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document.

1. Create an outbound connection to the LDAP server.
2. Create an LDAP-enabled security realm.
3. Reference the new security realm in the Management Interface.

CCE ID: CCE-80451-8
Rule Title: Enable HTTPS for JBoss Web Interface
Description: Follow procedure "4.4. Configure the JBoss Web Server to use HTTPS." The detailed procedure is found in the JBoss EAP 6.3 Security Guide available at the vendor's site, RedHat.com. An overview of the steps is provided here.

1. Obtain or generate DoD-approved SSL certificates.
2. Configure the SSL certificate using your certificate values.
3. Set the SSL protocol to TLS V1.1 or V1.2.

CCE ID: CCE-80492-2
Rule Title: Configure Load Balancing (LB) or High Availability (HA)
Description: Configure the application server to provide LB or HA services for the hosted application.

CCE ID: CCE-80471-6
Rule Title: Remove Unnecessary Applications
Description: Identify, authorize, and document all applications that are deployed to the application server. Remove unauthorized applications.

CCE ID: CCE-80468-2
Rule Title: Remove JBoss Quickstarts
Description: Delete the QuickStarts folder.

CCE ID: CCE-80464-1
Rule Title: Configure mgmt-users.properties File Permissions
Description: Configure the file permissions to allow access to authorized users only. The owner can have full access. The group can have full access. All others must have execute permissions only.

CCE ID: CCE-80466-6
Rule Title: Disable Google Analytics
Description: Using the EAP web console, log on using admin credentials. On the bottom right-hand side of the screen, select Settings, uncheck the Enable Data Usage Collection box, and save the configuration.
CCE ID: CCE-80469-0
Rule Title: Remove the JMX Subsystem
Description: Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script to start the Command Line Interface (CLI). Connect to the server and authenticate.

For a Managed Domain configuration you must check each profile name. For each PROFILE_NAME, run the command:

/profile=PROFILE_NAME/subsystem=jmx/remoting-connector=jmx:remove

For a Standalone configuration:

/subsystem=jmx/remoting-connector=jmx:remove

CCE ID: CCE-80462-5
Rule Title: Configure JBoss Log Permissions
Description: Configure the OS file permissions on the application server to protect log information from unauthorized access.

CCE ID: CCE-80472-4
Rule Title: Configure JBoss Management and Application Ports
Description: Open the EAP web console by pointing a web browser to https://SERVERNAME:9990 and log on to the admin console using admin credentials.

1. Select the Configuration tab.
2. Expand the General Configuration subsystem by clicking on the +.
3. Select Socket Binding.
4. Select the View option next to standard-sockets.
5. Select Inbound.
6. Select the port that needs to be reconfigured and select Edit.

CCE ID: CCE-80475-7
Rule Title: Remove JBoss Group Account Access
Description: Configure the application server so required users are individually authenticated by creating individual user accounts. Utilize an LDAP server that is configured according to DoD policy.

CCE ID: CCE-80452-6
Rule Title: Configure Host Access Restrictions for Applications
Description: Configure the Java security manager to enforce access restrictions to the host system resources in accordance with application design and resource requirements.

CCE ID: CCE-80460-9
Rule Title: Configure JBoss Auditor Role
Description: Obtain documented approvals from the ISSM, and assign the appropriate personnel to the Auditor role.

CCE ID: CCE-80478-1
Rule Title: Enable the JBoss Keystore
Description: Configure the application server to use the Java keystore and JBoss vault as per section 11.13.1 - Password Vault System in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document.

1. Create a Java keystore.
2. Mask the keystore password and initialize the password vault.
3. Configure JBoss to use the password vault.

CCE ID: CCE-80496-3
Rule Title: JBoss System Is Patched
Description: Configure the operating system and the application server to use a patch management system or process that ensures security-relevant updates are installed within the time period directed by the ISSM.
CCE ID: CCE-80476-5
Rule Title: Separate JBoss Management Network
Description: Refer to Section 4.9 of the JBoss EAP 6.3 Installation Guide for detailed instructions on how to start JBoss as a service.

Use the following command line parameters to assign the management interface to a specific management network. These command line flags must be added both when starting JBoss as a service and when starting from the command line.

Substitute your actual network addresses for the 10.x.x.x addresses provided as an example below.

For a standalone configuration:

JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1

For a domain configuration:

JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1

If a management network is not available, you may substitute localhost/127.0.0.1 for the management address. This will force you to manage the JBoss server from the local host.

CCE ID: CCE-80489-8
Rule Title: Disable Automatic Deployment
Description: Determine whether the JBoss server configuration is standalone or domain. Launch the relevant jboss-cli management interface, substituting standalone or domain for CONFIG:

<JBOSS_HOME>/CONFIG/bin/jboss-cli

Connect to the server and run the command:

/subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-enabled,value=false)
CCE ID: CCE-80454-2
Rule Title: Enable Role Based Access Control (RBAC)
Description: Start the CLI with <JBOSS_HOME>/bin/jboss-cli.sh -c (the -c flag connects to the server) and run the following command:

/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)

Restart JBoss.

Map users to roles by running the following command. Upper-case words are variables.

/core-service=management/access=authorization/role-mapping=ROLENAME/include=ALIAS:add(name=USERNAME,type=USER)

CCE ID: CCE-80482-3
Rule Title: Restrict Access to the JBoss Keystore
Description: Configure the application server OS file permissions on the corresponding private key to restrict access to authorized accounts or roles.

CCE ID: CCE-80485-6
Rule Title: Configure JBoss Log Directory Permissions
Description: Configure file permissions on the JBoss log folder to protect it from unauthorized access.

CCE ID: CCE-80467-4
Rule Title: Restrict JBoss Account
Description: Run the JBoss server with non-admin rights.

CCE ID: CCE-80474-0
Rule Title: Configure Multi-Factor Authentication
Description: Configure the application server to authenticate privileged users via multifactor/certificate-based authentication mechanisms when using network access to the management interface.

CCE ID: CCE-80483-1
Rule Title: Use Separate Management and Application Networks
Description: Start the application server with a -bmanagement and a -b flag so that admin management functionality and hosted applications are separated.

Refer to section 4.9 in the JBoss EAP 6.3 Installation Guide for specific instructions on how to start the JBoss server as a service.
CCE ID: CCE-80473-2
Rule Title: Configure LDAP
Description: Follow the steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document.

1. Create an outbound connection to the LDAP server.
2. Create an LDAP-enabled security realm.
3. Reference the new security realm in the Management Interface.

CCE ID: CCE-80488-0
Rule Title: Enable Logging to syslog
Description: Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script. Connect to the server and authenticate. Run the command:

Standalone configuration:

ls /subsystem=logging/syslog-handler=

Domain configuration:

ls /profile=default/subsystem=logging/syslog-handler=

If no values are returned, this is a finding.

CCE ID: CCE-80479-9
Rule Title: Encrypt JBoss Keystore Passwords
Description: Configure the application server to mask the Java keystore password as per the procedure described in section 11.13.3 - Password Vault System in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document.

CCE ID: CCE-80481-5
Rule Title: Use Secure Standard LDAP Port
Description: Follow the steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document.

1. Create an outbound connection to the LDAP server.
2. Create an LDAP-enabled security realm.
3. Reference the new security realm in the Management Interface.
CCE ID: CCE-80461-7
Rule Title: Configure JBoss Logging Level
Description: Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script to start the Command Line Interface (CLI). Connect to the server and authenticate.

The profile names included with a Managed Domain JBoss configuration are: default, full, full-ha, or ha. For a Managed Domain configuration, you must check each profile name. For each PROFILE_NAME, run the command:

/profile=PROFILE_NAME/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)

For a Standalone configuration:

/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)

CCE ID: CCE-80497-1
Rule Title: Use DoD Approved Certificates
Description: Configure the application server to use DoD- or CNSS-approved Class 3 or Class 4 PKI certificates.

CCE ID: CCE-80493-0
Rule Title: Use Approved TLS Version
Description: Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red Hat vendor's web site for step-by-step instructions on establishing SSL encryption on JBoss. The overall steps include:

1. Add an HTTPS connector.
2. Configure the SSL encryption certificate and keys.
3. Set the protocol to TLS V1.1 or V1.2.

CCE ID: CCE-80484-9
Rule Title: Configure JBoss Application File Permissions
Description: Configure file permissions on the JBoss folder to protect it from unauthorized access.

CCE ID: CCE-80480-7
Rule Title: Require Password Authentication
Description: Configure the LDAP Security Realm using the default settings, which set allow-empty-passwords to false. LDAP Security Realm creation is described in section 11.9 - Add an LDAP Security Realm in the JBoss_Enterprise_Application_Platform-6.3 -Administration_and_Configuration_Guide-en-US document.

CCE ID: CCE-80498-9
Rule Title: Roll Over and Transfer JBoss Logs
Description: Open the web-based management interface by opening a browser and pointing it to https://EAP_SERVER:9990/ and authenticate as a user with Admin rights.

1. Navigate to the Configuration tab.
2. Expand + Subsystems.
3. Expand + Core.
4. Select Logging.
5. Select the Handler tab.
6. Select Periodic.

If a periodic file handler does not exist, reference the JBoss admin guide for instructions on how to create a file handler that will rotate logs on a daily basis. Create scripts that package and off-load log data at least weekly.