WBSP-AS-000920 - The WebSphere Application Server files must be owned by the non-root WebSphere user ID.

Information

Having files owned by the root or administrator user is an indication that the WebSphere processes are being run with escalated privileges. Running as root/admin user gives attackers elevated privileges that can be used to compromise the system more easily compared to operating the WebSphere processes with regular user privileges.

Specifying a regular OS user when installing and managing WebSphere is best practice. By doing so, the WebSphere files will be owned by the user ID specified rather than being owned by the admin user.

Use the underlying OS file permissions to ensure that access to the WebSphere files is restricted to only those users who require access.

Solution

Note: executing this fix without proper planning regarding file ownership can render your installation inoperable. See vulnerability discussion before executing this fix.

Ensure all WebSphere related files and folders are owned by the WebSphere OS user.

Ensure OS group membership is restricted.

File ownership changes for UNIX systems:
chown -R <user> <WAS_HOME>
chown -R <user> <PROFILE_HOME>
chown -R <user> <OTHER_HOME>, where <OTHER_HOME> may be zero or more root directories for other files

Group ownership changes for UNIX systems (chgrp takes the WebSphere OS group, not the user name):
chgrp -R <group> <WAS_HOME>
chgrp -R <group> <PROFILE_HOME>
chgrp -R <group> <OTHER_HOME>, where <OTHER_HOME> may be zero or more root directories for other files

File ownership changes for Windows systems:
takeown /r /u <user> /f <directory> /p <password of user>, where <directory> is <WAS_HOME>, <PROFILE_HOME>, or <OTHER_HOME>
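Because a recursive chown/chgrp over the wrong tree can break the installation (see the note above), it helps to list the mismatched entries first. The following audit helper is an added example, not part of the STIG or of WebSphere; the user, group and directory names in it are placeholders for your own installation.

```shell
#!/bin/sh
# Added audit helper (not from the STIG): list entries under the WebSphere
# directories whose owner or group differs from the expected WebSphere OS
# user/group, so the scope of a recursive chown/chgrp can be reviewed before
# it is run. Directory and account names below are placeholders.

# ownership_mismatches FIELD EXPECTED DIR...
#   FIELD is "user" or "group". Prints "<actual> <path>" for every entry under
#   each DIR whose owner (or group) is not EXPECTED. Parses `ls -ld` so it works
#   on both GNU and BSD userlands; paths containing newlines are not supported.
ownership_mismatches() {
    field="$1"; expected="$2"; shift 2
    case "$field" in
        user)  col=3 ;;   # owner column of ls -ld
        group) col=4 ;;   # group column of ls -ld
        *) echo "ownership_mismatches: FIELD must be user or group" >&2; return 2 ;;
    esac
    for root in "$@"; do
        if [ ! -e "$root" ]; then
            echo "ownership_mismatches: $root does not exist" >&2
            continue
        fi
        find "$root" -print | while IFS= read -r path; do
            actual=$(ls -ld "$path" | awk -v c="$col" '{print $c}')
            [ "$actual" = "$expected" ] || echo "$actual $path"
        done
    done
}

# ownership_mismatch_count FIELD EXPECTED DIR... -> number of mismatched entries
ownership_mismatch_count() {
    ownership_mismatches "$@" | wc -l | tr -d ' '
}

# Example invocation with placeholder values; replace them with the real
# WebSphere OS user/group and the WAS_HOME / PROFILE_HOME paths of your install.
# WAS_USER=wasadmin; WAS_GROUP=wasgrp
# ownership_mismatches user  "$WAS_USER"  /opt/IBM/WebSphere/AppServer /opt/IBM/WebSphere/Profiles
# ownership_mismatches group "$WAS_GROUP" /opt/IBM/WebSphere/AppServer /opt/IBM/WebSphere/Profiles
```

Any root-owned entries it reports are the ones the chown/chgrp steps above need to cover; an empty report for both fields means the directories already satisfy this item.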

See Also

http://iasecontent.disa.mil/stigs/zip/U_IBM_WebSphere_Traditional_V9-x_V1R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-95985r1_rule, STIG-ID|WBSP-AS-000920, Vuln-ID|V-81271

Plugin: Unix

Control ID: 24b2c74580f147e2afa37bb27db09f27e5771adbd90ebf72c2f459945c78dc7a