Title

JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged. (Cat II impact)

Discussion

The JBoss server must be configured to select which personnel are assigned the role of selecting which loggable events are to be logged. In JBoss, the role designated for selecting auditable events is the "Auditor" role. The personnel or roles that can select loggable events are only the ISSM (or individuals or roles appointed by the ISSM).

Check Content

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder. Run the jboss-cli script to start the Command Line Interface (CLI). Connect to the server and authenticate. Run the command: For a Managed Domain configuration: "ls host=master/server=<SERVERNAME>/core-service=management/access=authorization/role-mapping=Auditor/include=" For a Standalone configuration: "ls /core-service=management/access=authorization/role-mapping=Auditor/include=" If the list of users in the Auditors group is not approved by the ISSM, this is a finding.

Fix Text

Obtain documented approvals from ISSM, and assign the appropriate personnel into the "Auditor" role.

Additional Identifiers

Rule ID: SV-213504r960882_rule

Vulnerability ID: V-213504

Group Title: SRG-APP-000090-AS-000051

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.