Title

JBoss process owner execution permissions must be limited. (Cat I impact)

Discussion

JBoss EAP application server can be run as the OS admin, which is not advised. Running the application server with admin privileges increases the attack surface by granting the application server more rights than it requires in order to operate. If the server is compromised, the attacker will have the same rights as the application server, which in that case would be admin rights. The JBoss EAP server must not be run as the admin user.

Check Content

The script that is used to start JBoss determines the mode in which JBoss will operate, which will be in either in standalone mode or domain mode. Both scripts are installed by default in the <JBOSS_HOME>/bin/ folder. In addition to running the JBoss server as an interactive script launched from the command line, JBoss can also be started as a service. The scripts used to start JBoss are: Red Hat: standalone.sh domain.sh Windows: standalone.bat domain.bat Use the relevant OS commands to determine JBoss ownership. When running as a process: Red Hat: "ps -ef|grep -i jboss". Windows: "services.msc". Search for the JBoss process, which by default is named "JBOSSEAP6". If the user account used to launch the JBoss script or start the JBoss process has admin rights on the system, this is a finding.

Fix Text

Run the JBoss server with non-admin rights.

Additional Identifiers

Rule ID: SV-213520r954822_rule

Vulnerability ID: V-213520

Group Title: SRG-APP-000141-AS-000095

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.