Check: JBOS-AS-000030
JBoss Enterprise Application Platform 6.3 STIG:
JBOS-AS-000030
(in versions v2 r4 through v1 r1)
Title
The Java Security Manager must be enabled for the JBoss application server. (Cat I impact)
Discussion
The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM. The Java Security Manager uses a security policy to determine whether a given action will be permitted or denied. To protect the host system, the JBoss application server must be run within the Java Security Manager.
Check Content
To determine if the Java Security Manager is enabled for JBoss, you must examine the startup commands. JBoss can be configured to run in either "domain" or a "standalone" mode. JBOSS_HOME is the variable home directory for the JBoss installation. Use relevant OS commands to navigate the file system. A. For a managed domain installation, review the domain.conf and domain.conf.bat files: JBOSS_HOME/bin/domain.conf JBOSS_HOME/bin/domain.conf.bat In domain.conf file, ensure there is a JAVA_OPTS flag that loads the Java Security Manager as well as a relevant Java Security policy. The following is an example: JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true" In domain.conf.bat file, ensure JAVA_OPTS flag is set. The following is an example: set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true" B. For a standalone installation, review the standalone.conf and standalone.conf.bat files: JBOSS_HOME/bin/standalone.conf JBOSS_HOME/bin/standalone.conf.bat In the standalone.conf file, ensure the JAVA_OPTS flag is set. The following is an example: JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true" In the standalone.conf.bat file, ensure the JAVA_OPTS flag is set. The following is an example: set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME% -Djboss.modules.policy-permissions=true" If the security manager is not enabled and a security policy not defined, this is a finding.
Fix Text
For a domain installation: Enable the respective JAVA_OPTS flag in both the domain.conf and the domain.conf.bat files. For a standalone installation: Enable the respective JAVA_OPTS flag in both the standalone.conf and the standalone.conf.bat files.
Additional Identifiers
Rule ID: SV-213497r954708_rule
Vulnerability ID: V-213497
Group Title: SRG-APP-000033-AS-000024
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 |
Access Enforcement |