WBSP-AS-000910 - The WebSphere Application Server process must not be started from the command line with the -password option.

Information

The use of the -password option to launch a WebSphere process from the command line can result in a security exposure. Password information may become visible to any user with the ability to view system processes. For example, on a Linux system the 'ps' command will display all running processes, which would include all of the command line flags used to start a WebSphere process.

Solution

When starting WebSphere commands, such as wsadmin, stopManager, stopNode, stopServer, or syncNode; do not use the '-password <password>' option.

Use the interactive mode instead; you will be prompted for user id and password.

For scripts, you may configure user id and password in the 'connector properties' files. These files are under 'Profile_Root/Properties' folder.

- soap.client.props: for default SOAP
- sas.client.props : for RMI and JSR160RMI connectors
- ipc.client.props: for IPC connector

Item Details

Audit Name: DISA IBM WebSphere Traditional 9 STIG v1r1 Middleware

Category: CONFIGURATION MANAGEMENT

Plugin: Unix

Control ID: ed328d6237137fa8d6909805f11e5b306ddf4cfaf5339f43df5bb87941dba32a

Detections

Analytics

WBSP-AS-000910 - The WebSphere Application Server process must not be started from the command line with the -password option.

Information

Solution

See Also

Item Details