Check: JBOS-AS-000030
JBoss Enterprise Application Platform 6.3 STIG: JBOS-AS-000030 (in version v2 r6)
  Title
The Java Security Manager must be enabled for the JBoss application server. (Cat I impact)
Discussion
The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM. The Java Security Manager uses a security policy to determine whether a given action will be permitted or denied. To protect the host system, the JBoss application server must be run within the Java Security Manager.
Check Content
Enabling the Security Manager in JDK 24 is an error; if JDK 24 is in use, this is not a finding. Note: the Security Manager was deprecated in Java 17 and will be permanently removed in JDK 24. For additional information: <https://openjdk.org/jeps/486>

To determine whether the Java Security Manager is enabled for JBoss, examine the startup commands. JBoss can be configured to run in either "domain" or "standalone" mode. JBOSS_HOME is the variable for the home directory of the JBoss installation. Use relevant OS commands to navigate the file system.

1. For a managed domain installation, review the domain.conf and domain.conf.bat files:
   JBOSS_HOME/bin/domain.conf
   JBOSS_HOME/bin/domain.conf.bat

   In the domain.conf file, ensure there is a JAVA_OPTS flag that loads the Java Security Manager as well as a relevant Java Security policy. Example:
   JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true"

   In the domain.conf.bat file, ensure the JAVA_OPTS flag is set. Example:
   set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true"

2. For a standalone installation, review the standalone.conf and standalone.conf.bat files:
   JBOSS_HOME/bin/standalone.conf
   JBOSS_HOME/bin/standalone.conf.bat

   In the standalone.conf file, ensure the JAVA_OPTS flag is set. Example:
   JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true"

   In the standalone.conf.bat file, ensure the JAVA_OPTS flag is set. Example:
   set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME% -Djboss.modules.policy-permissions=true"

If the Security Manager is not enabled and a security policy is not defined, this is a finding.
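The check above is a manual review of JAVA_OPTS in the startup files. The following script is an added example (not part of the STIG text and not JBoss EAP's own tooling) that automates that review for a given file: it keeps only uncommented JAVA_OPTS assignments, so a flag that survives only in a commented-out line does not count, and then requires both `-Djava.security.manager` and a `-Djava.security.policy` that names a path. It handles the shell-style domain.conf/standalone.conf and the `set "JAVA_OPTS=..."` form used by the .bat files. The three sample configuration files it writes are constructed for the demonstration; the function name and its PASS/FAIL messages are this example's own choices. As the check content states, this test is moot on JDK 24, where the Security Manager cannot be enabled.

```sh
#!/bin/sh
# Added example for JBOS-AS-000030 (not from the STIG or from JBoss EAP).
# Assumptions: FILE is domain.conf/standalone.conf (shell syntax) or the .bat
# variant; the sample files written below are constructed, not real systems.

# check_security_manager FILE
# Prints PASS/FAIL with a reason; returns 0 only when both flags are active.
check_security_manager() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "FAIL: cannot read $file"
        return 1
    fi
    # Keep only uncommented JAVA_OPTS assignments. A leading '#' (Unix) or
    # 'rem' (.bat) means the flag is NOT in effect, so such lines are skipped.
    opts=$(grep -E '^[[:space:]]*(set[[:space:]]+"?)?JAVA_OPTS=' "$file" || true)
    if [ -z "$opts" ]; then
        echo "FAIL: no active JAVA_OPTS assignment in $file"
        return 1
    fi
    if ! printf '%s\n' "$opts" | grep -q -- '-Djava\.security\.manager'; then
        echo "FAIL: -Djava.security.manager not set in $file"
        return 1
    fi
    # The STIG examples use '==' (the named policy replaces the JDK default
    # policy); a single '=' only adds to it. Either form must carry a path.
    if ! printf '%s\n' "$opts" | grep -Eq -- '-Djava\.security\.policy==?[^[:space:]"]+'; then
        echo "FAIL: -Djava.security.policy not set (or has no path) in $file"
        return 1
    fi
    echo "PASS: $file"
    return 0
}

# Constructed sample files to exercise the check; prints the directory used.
write_sample_confs() {
    dir=$(mktemp -d)
    cat > "$dir/standalone.conf" <<'EOF'
# constructed: compliant standalone.conf fragment
JAVA_OPTS="-Xms1303m -Xmx1303m -Djava.net.preferIPv4Stack=true"
JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true"
EOF
    cat > "$dir/domain.conf" <<'EOF'
# constructed: NON-compliant domain.conf fragment; the flag line is commented out
JAVA_OPTS="-Xms1303m -Xmx1303m"
#JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy"
EOF
    cat > "$dir/standalone.conf.bat" <<'EOF'
rem constructed: compliant standalone.conf.bat fragment
set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME% -Djboss.modules.policy-permissions=true"
EOF
    echo "$dir"
}

# Run the check over the samples; returns 1 if any file is a finding.
run_samples() {
    dir=$(write_sample_confs)
    status=0
    for f in "$dir/standalone.conf" "$dir/standalone.conf.bat" "$dir/domain.conf"; do
        check_security_manager "$f" || status=1
    done
    rm -rf "$dir"
    return $status
}

if run_samples; then
    echo "All sample files have the Security Manager enabled"
else
    echo "At least one sample file is a finding"
fi
```

On a real host, run `check_security_manager "$JBOSS_HOME/bin/standalone.conf"` (and the .bat file, or the domain.conf pair for a managed domain); a PASS on every file the operating mode actually uses is what the check requires.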
Fix Text
Enabling the Security Manager in JDK 24 is an error; if JDK 24 is in use, this is not a finding.

For a domain installation: enable the respective JAVA_OPTS flag in both the domain.conf and domain.conf.bat files.

For a standalone installation: enable the respective JAVA_OPTS flag in both the standalone.conf and standalone.conf.bat files.
Additional Identifiers
Rule ID: SV-213497r1069475_rule
Vulnerability ID: V-213497
Group Title: SRG-APP-000033-AS-000024
Expert Comments
CCIs

| Number | Definition |
|---|---|
| CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls

| Number | Title |
|---|---|
| AC-3 | Access Enforcement |