1.1 JBoss Enterprise Application Platform should be a vendor supported version | CONFIGURATION MANAGEMENT |
1.1/1.2 - JBoss Enterprise Application Platform/Ensure Java Runtime Environment in use is a supported version | CONFIGURATION MANAGEMENT |
1.2 Ensure all configurations are made to the appropriate server profile | CONFIGURATION MANAGEMENT |
1.4 Ensure Technology Preview components are disabled in production environments | CONFIGURATION MANAGEMENT |
1.5 Disable Hot Deployment in production | CONFIGURATION MANAGEMENT |
1.6 Production applications should not implement the default SRPVerifierStore interface for the Secure Remote Password (SRP) protocol | CONFIGURATION MANAGEMENT |
1.7 Declare an EJB authorization policy for deployed applications | ACCESS CONTROL |
1.9 Ensure appropriate DefaultDS is enabled | SYSTEM AND COMMUNICATIONS PROTECTION |
1.11 Ensure default HSQLDB is disabled | SYSTEM AND COMMUNICATIONS PROTECTION |
1.11 Ensure default HSQLDB is disabled - 'JBOSS_HOME/common/lib/hsqldb-plugin.jar' | CONFIGURATION MANAGEMENT |
1.11 Ensure default HSQLDB is disabled - 'JBOSS_HOME/common/lib/hsqldb.jar' | CONFIGURATION MANAGEMENT |
1.11 Ensure default HSQLDB is disabled - 'JBOSS_HOME/server/@PROFILE@/deploy/hsqldb-ds.xml' | CONFIGURATION MANAGEMENT |
1.11 Ensure default HSQLDB is disabled - 'JBOSS_HOME/server/@PROFILE@/deploy/messaging/hsqldb-persistence-service.xml' | CONFIGURATION MANAGEMENT |
1.12 Ensure HSQLDB Security Domain is removed - 'HsqlDbRealm = false' | SYSTEM AND COMMUNICATIONS PROTECTION |
1.14 - Ensure Oracle Database persistence plugin is set correctly - 'DatabasePersistencePlugin' | CONFIGURATION MANAGEMENT |
1.15 - Ensure IBM JRE 1.6 is configured correctly - 'policy.provider = sun.security.provider.PolicyFile' | CONFIGURATION MANAGEMENT |
1.17 The allRolesMode must be configured to 'strict' - 'allRolesMode = strict' | ACCESS CONTROL |
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS password != empty' | IDENTIFICATION AND AUTHENTICATION |
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS principal != sa' | IDENTIFICATION AND AUTHENTICATION |
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS userName != sa' | IDENTIFICATION AND AUTHENTICATION |
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jbossws-users.properties - kermit' | IDENTIFICATION AND AUTHENTICATION |
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console password != empty' | IDENTIFICATION AND AUTHENTICATION |
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console principal != sa' | IDENTIFICATION AND AUTHENTICATION |
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console userName != sa' | IDENTIFICATION AND AUTHENTICATION |
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console-users.properties - admin' | IDENTIFICATION AND AUTHENTICATION |
1.19 - Remove, rename, or comment out the default user accounts from production servers - 'messaging-users.properties - guest' | IDENTIFICATION AND AUTHENTICATION |
1.20 - Remove default roles from production servers - 'admin-console default role != JBossAdmin|HttpInvoker|friend|guest' | IDENTIFICATION AND AUTHENTICATION |
1.20 - Remove default roles from production servers - 'console-mgr default role != JBossAdmin|HttpInvoker|friend|guest' | IDENTIFICATION AND AUTHENTICATION |
1.20 - Remove default roles from production servers - 'jmx-console default role != JBossAdmin|HttpInvoker|friend|guest' | IDENTIFICATION AND AUTHENTICATION |
1.22 DefaultCacheTimeout must be configured properly for active security domains - 'DefaultCacheTimeout <= 1800' | SYSTEM AND COMMUNICATIONS PROTECTION |
1.23 snmp-adaptor.sar must not be deployed - 'JBOSS_HOME/server/@PROFILE@/deploy/snmp-adaptor.sar' | CONFIGURATION MANAGEMENT |
2.1 Configure Java Security Manager to use an environment specific policy - 'JAVA_OPTS -Djava.security.manager -Djava.security.policy' | SYSTEM AND SERVICES ACQUISITION |
2.23 Ensure Security Audit Appender is enabled - 'Audit Appender = true' | AUDIT AND ACCOUNTABILITY |
2.24 Ensure Security Audit Provider is enabled - 'Audit Provider = true' | AUDIT AND ACCOUNTABILITY |
2.25 Ensure SecurityInterceptor logging level is configured correctly - 'org.jboss.ejb.plugins.SecurityInterceptor = true' | AUDIT AND ACCOUNTABILITY |
2.26 Ensure logging is enabled for Microcontainer bootstrap operations - 'SecurityInterceptor logging level = true' | AUDIT AND ACCOUNTABILITY |
2.27 - Ensure logging is enabled for web-based requests if required by deployed applications - 'AccessLogValve = true' | AUDIT AND ACCOUNTABILITY |
2.28 Ensure all required information is displayed in <layout> - 'ConversionPattern = %d %-5p \[%c\] \(%t:%x\) %m%n' | CONFIGURATION MANAGEMENT |
2.29 Production applications should not log output to the JBoss console - 'JBoss console output log = false' | AUDIT AND ACCOUNTABILITY |
2.31 - Deny the JBoss process owner console access | ACCESS CONTROL |
2.32/2.33 - Set JBoss file ownership/permissions | CONFIGURATION MANAGEMENT |
3.1 Ensure JMX Console is either secured or removed - 'java:/jaas/jmx-console = true' | ACCESS CONTROL |
3.1 Ensure JMX Console is either secured or removed - 'java:/jaas/jmx-console = true' - jmx-console.war | CONFIGURATION MANAGEMENT |
3.2 Ensure Web Console is either secured or removed - 'java:/jaas/jmx-console = true' | ACCESS CONTROL |
3.2 Ensure Web Console is either secured or removed - 'JBOSS_HOME/server/@PROFILE@/deploy/admin-console.war' | CONFIGURATION MANAGEMENT |
3.3 Ensure Admin Console is either secured or removed | ACCESS CONTROL |
3.3 Ensure Admin Console is either secured or removed - 'java:/jaas/jmx-console = true' | ACCESS CONTROL |
3.3 Ensure Admin Console is either secured or removed - 'JBOSS_HOME/server/@PROFILE@/deploy/management' | CONFIGURATION MANAGEMENT |
3.4 The JMXInvokerServlet servlet must be secured against web attacks | ACCESS CONTROL |