Redhat JBoss EAP 5.x

Audit Details

Name: Redhat JBoss EAP 5.x

Updated: 4/25/2022

Authority: SCAP

Plugin: Unix

Revision: 1.24

Estimated Item Count: 112

Audit Items

Description / Categories
1.1 JBoss Enterprise Application Platform should be a vendor supported version

CONFIGURATION MANAGEMENT

1.1/1.2 - JBoss Enterprise Application Platform/Ensure Java Runtime Environment in use is a supported version

CONFIGURATION MANAGEMENT

1.2 Ensure all configurations are made to the appropriate server profile

CONFIGURATION MANAGEMENT

1.4 Ensure Technology Preview components are disabled in production environments

CONFIGURATION MANAGEMENT

1.5 Disable Hot Deployment in production

CONFIGURATION MANAGEMENT

1.6 Production applications should not implement the default SRPVerifierStore interface for the Secure Remote Password (SRP) protocol

CONFIGURATION MANAGEMENT

1.7 Declare an EJB authorization policy for deployed applications

ACCESS CONTROL

1.9 Ensure appropriate DefaultDS is enabled

SYSTEM AND COMMUNICATIONS PROTECTION

1.11 Ensure default HSQLDB is disabled

CONFIGURATION MANAGEMENT

1.11 Ensure default HSQLDB is disabled - 'JBOSS_HOME/common/lib/hsqldb-plugin.jar'

CONFIGURATION MANAGEMENT

1.11 Ensure default HSQLDB is disabled - 'JBOSS_HOME/common/lib/hsqldb.jar'

CONFIGURATION MANAGEMENT

1.11 Ensure default HSQLDB is disabled - 'JBOSS_HOME/server/@[email protected]/deploy/hsqldb-ds.xml'

CONFIGURATION MANAGEMENT

1.11 Ensure default HSQLDB is disabled - 'JBOSS_HOME/server/@[email protected]/deploy/messaging/hsqldb-persistence-service.xml'

CONFIGURATION MANAGEMENT

1.12 Ensure HSQLDB Security Domain is removed - 'HsqlDbRealm = false'

SYSTEM AND COMMUNICATIONS PROTECTION

1.14 - Ensure Oracle Database persistence plugin is set correctly - 'DatabasePersistencePlugin'

CONFIGURATION MANAGEMENT

1.15 - Ensure IBM JRE 1.6 is configured correctly - 'policy.provider = sun.security.provider.PolicyFile'

CONFIGURATION MANAGEMENT

1.17 The allRolesMode must be configured to 'strict' - 'allRolesMode = strict'

ACCESS CONTROL

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS password != empty'

IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS principal != sa'

IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'JBossWS userName != sa'

IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jbossws-users.properties - kermit'

IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console password != empty'

IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console principal != sa'

IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console userName != sa'

IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'jmx-console-users.properties - admin'

IDENTIFICATION AND AUTHENTICATION

1.19 - Remove, rename, or comment out the default user accounts from production servers - 'messaging-users.properties - guest'

IDENTIFICATION AND AUTHENTICATION

1.20 - Remove default roles from production servers - 'admin-console default role != JBossAdmin|HttpInvoker|friend|guest'

IDENTIFICATION AND AUTHENTICATION

1.20 - Remove default roles from production servers - 'console-mgr default role != JBossAdmin|HttpInvoker|friend|guest'

IDENTIFICATION AND AUTHENTICATION

1.20 - Remove default roles from production servers - 'jmx-console default role != JBossAdmin|HttpInvoker|friend|guest'

IDENTIFICATION AND AUTHENTICATION

1.22 DefaultCacheTimeout must be configured properly for active security domains - 'DefaultCacheTimeout <= 1800'

SYSTEM AND COMMUNICATIONS PROTECTION

1.23 snmp-adaptor.sar must not be deployed - 'JBOSS_HOME/server/@[email protected]/deploy/snmp-adaptor.sar'

CONFIGURATION MANAGEMENT

2.1 Configure Java Security Manager to use an environment specific policy - 'JAVA_OPTS -Djava.security.manager -Djava.security.policy'

SYSTEM AND COMMUNICATIONS PROTECTION

2.23 Ensure Security Audit Appender is enabled - 'Audit Appender = true'

AUDIT AND ACCOUNTABILITY

2.24 Ensure Security Audit Provider is enabled - 'Audit Provider = true'

AUDIT AND ACCOUNTABILITY

2.25 Ensure SecurityInterceptor logging level is set correctly - 'org.jboss.ejb.plugins.SecurityInterceptor = true'

AUDIT AND ACCOUNTABILITY

2.26 Ensure logging is enabled for Microcontainer bootstrap operations - 'SecurityInterceptor logging level = true'

AUDIT AND ACCOUNTABILITY

2.27 - Ensure logging is enabled for web-based requests if required by deployed applications - 'AccessLogValve = true'

AUDIT AND ACCOUNTABILITY

2.28 Ensure all required information is displayed in <layout> - 'ConversionPattern = %d %-5p \[%c\] \(%t:%x\) %m%n'

CONFIGURATION MANAGEMENT

2.29 Production applications should not log output to the JBoss console - 'JBoss console output log = false'

AUDIT AND ACCOUNTABILITY

2.31 - Deny the JBoss process owner console access

ACCESS CONTROL

2.32/2.33 - Set JBoss file ownership/permissions

CONFIGURATION MANAGEMENT

3.1 Ensure JMX Console is either secured or removed - 'java:/jaas/jmx-console = true'

ACCESS CONTROL

3.1 Ensure JMX Console is either secured or removed - 'java:/jaas/jmx-console = true'

ACCESS CONTROL

3.1 Ensure JMX Console is either secured or removed - 'java:/jaas/jmx-console = true' - jmx-console.war

CONFIGURATION MANAGEMENT

3.2 Ensure Web Console is either secured or removed - 'java:/jaas/jmx-console = true'

CONFIGURATION MANAGEMENT

3.2 Ensure Web Console is either secured or removed - 'JBOSS_HOME/server/@[email protected]/deploy/admin-console.war'

CONFIGURATION MANAGEMENT

3.3 Ensure Admin Console is either secured or removed

ACCESS CONTROL

3.3 Ensure Admin Console is either secured or removed - 'java:/jaas/jmx-console = true'

ACCESS CONTROL

3.3 Ensure Admin Console is either secured or removed - 'JBOSS_HOME/server/@[email protected]/deploy/management'

CONFIGURATION MANAGEMENT

3.4 The JMXInvokerServlet servlet must be secured against web attacks

ACCESS CONTROL