Check: JBOS-AS-000400
JBoss Enterprise Application Platform 6.3 STIG:
JBOS-AS-000400
(in versions v2 r4 through v1 r1)
Title
JBoss file permissions must be configured to protect the confidentiality and integrity of application files. (Cat II impact)
Discussion
The JBoss EAP Application Server is a Java-based AS. It is installed on the OS file system and depends upon file system access controls to protect application data at rest. The file permissions set on the JBoss EAP home folder must be configured so as to limit access to only authorized people and processes. The account used for operating the JBoss server and any designated administrative or operational accounts are the only accounts that should have access. When data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. Steps must be taken to ensure data stored on the device is protected.
Check Content
By default, JBoss installs its files into a folder called "jboss-eap-6.3". This folder by default is stored within the home folder of the JBoss user account. The installation process, however, allows for the override of default values to obtain folder and user account information from the system admin. Log on with a user account with JBoss access and permissions. Navigate to the "Jboss-eap-6.3" folder using the relevant OS commands for either a UNIX-like OS or a Windows OS. Examine the permissions of the JBoss folder. Owner can be full access. Group can be full access. All others must be restricted to execute access or no permission. If the JBoss folder is world readable or world writeable, this is a finding.
Fix Text
Configure file permissions on the JBoss folder to protect from unauthorized access.
Additional Identifiers
Rule ID: SV-213536r954932_rule
Vulnerability ID: V-213536
Group Title: SRG-APP-000231-AS-000133
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001199 |
The information system protects the confidentiality and/or integrity of organization-defined information at rest. |
Controls
Number | Title |
---|---|
SC-28 |
Protection Of Information At Rest |