Revision 1.23

Jun 9, 2021
Informational Update
  • 1.17 The allRolesMode must be configured to 'strict' - 'allRolesMode = strict'
  • 2.25 Ensure Configure SecurityInterceptor logging level is set correctly - 'org.jboss.ejb.plugins.SecurityInterceptor = true'
  • 2.29 Production applications should not log output to the JBoss console - 'JBoss console output log = false'
  • 3.1 Ensure JMX Console is either secured or removed - 'java:/jaas/jmx-console = true'
  • 3.1 Ensure JMX Console is either secured or removed - 'java:/jaas/jmx-console = true' - jmx-console.war
  • 3.4 The JMXInvokerServlet servlet must be secured against web attacks
  • 3.4 The JMXInvokerServlet servlet must be secured against web attacks - 'http-method,'POST' = false'
  • 3.4 The JMXInvokerServlet servlet must be secured against web attacks - 'http-method,GET = false'
  • 3.5 JMXInvokerServlet configuration - 'usersProperties = props/jmx-console-users.properties'
  • 3.5 JMXInvokerServlet servlet configuration - 'rolesProperties = props/jmx-console-roles.properties'
  • 3.5 The JMXInvokerServlet servlet must be configured to prevent unprivileged access using authentication - 'java:/jaas/jmx-console = true'
  • 3.6 JMXInvokerServlet configuration - 'org.jboss.jmx.connector.invoker.RolesAuthorization = true'
  • 3.6 JMXInvokerServlet configuration - 'rolesProperties = props/jmx-console-roles.properties'
  • 3.6 JMXInvokerServlet configuration - 'usersProperties = props/jmx-console-users.properties'
Miscellaneous
  • References updated.
Added
  • 2.28 Ensure all required information is displayed in <layout> - 'ConversionPattern = \%d \%-5p \\[\%c\\] \\(\%t:\%x\\) \%m\%n'
Removed
  • 2.28 Ensure all required information is displayed in &lt;layout&gt; - 'ConversionPattern = \%d \%-5p \\[\%c\\] \\(\%t:\%x\\) \%m\%n'