{ "name": "stig_jboss_eap_6.3", "date": "2017-03-20", "description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.", "title": "JBoss EAP 6.3 Security Technical Implementation Guide", "version": "1", "item_syntax": "^\\w-\\d+$", "section_separator": null, "items": [ { "id": "V-62073", "title": "HTTP management session traffic must be encrypted.", "description": "Types of management interfaces utilized by the JBoss EAP application server include web-based HTTP interfaces as well as command line-based management interfaces. In the event remote HTTP management is required, the access must be via HTTPS.\n\nThis requirement is in conjunction with the requirement to isolate all management access to a restricted network.", "severity": "medium" }, { "id": "V-62215", "title": "HTTPS must be enabled for JBoss web interfaces.", "description": "Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk.\n\nApplication servers utilize a web management interface and scripted commands when allowing remote access. Web access requires the use of TLS, and scripted access requires using ssh or some other form of approved cryptography. 
Application servers must have a capability to enable a secure remote admin capability.\n\nFIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\nFIPS 140-2 approved TLS versions must be enabled, and non-FIPS-approved SSL versions must be disabled.\n\nNIST SP 800-52 specifies the preferred configurations for government systems.", "severity": "medium" }, { "id": "V-62217", "title": "Java permissions must be set for hosted applications.", "description": "The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM.\n\nThe JVM requires a security policy in order to restrict application access. A properly configured security policy will define what rights the application has to the underlying system. For example, rights to make changes to files on the host system or to initiate network sockets in order to connect to another system.", "severity": "high" }, { "id": "V-62219", "title": "Users in JBoss Management Security Realms must be in the appropriate role.", "description": "Security realms are a series of mappings between users and passwords and users and roles. 
There are 2 JBoss security realms provided by default; they are \"management realm\" and \"application realm\".\n\nManagement realm stores authentication information for the management API, which provides functionality for the web-based management console and the management command line interface (CLI).\n\nmgmt-groups.properties stores user to group mapping for the ManagementRealm but only when role-based access controls (RBAC) is enabled.\n\nIf management users are not in the appropriate role, unauthorized access to JBoss resources can occur.", "severity": "medium" }, { "id": "V-62221", "title": "Silent Authentication must be removed from the Default Application Security Realm.", "description": "Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis. By default $localuser is a Superuser. This introduces an integrity and availability vulnerability and violates best practice requirements regarding accountability.", "severity": "high" }, { "id": "V-62223", "title": "Silent Authentication must be removed from the Default Management Security Realm.", "description": "Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis. By default $localuser is a Superuser. 
This introduces an integrity and availability vulnerability and violates best practice requirements regarding accountability.", "severity": "high" }, { "id": "V-62225", "title": "The Java Security Manager must be enabled for the JBoss application server.", "description": "The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM.\n\nThe Java Security Manager uses a security policy to determine whether a given action will be\npermitted or denied.\n\nTo protect the host system, the JBoss application server must be run within the Java Security Manager.", "severity": "high" }, { "id": "V-62227", "title": "The JBoss server must be configured with Role Based Access Controls.", "description": "By default, the JBoss server is not configured to utilize role based access controls (RBAC). RBAC provides the capability to restrict user access to their designated management role, thereby limiting access to only the JBoss functionality that they are supposed to have. Without RBAC, the JBoss server is not able to enforce authorized access according to role.", "severity": "high" }, { "id": "V-62229", "title": "JBoss management interfaces must be secured.", "description": "JBoss utilizes the concept of security realms to secure the management interfaces used for JBoss server administration. If the security realm attribute is omitted or removed from the management interface definition, access to that interface is no longer secure. The JBoss management interfaces must be secured.", "severity": "high" }, { "id": "V-62231", "title": "The JBoss server must generate log records for access and authentication events to the management interface.", "description": "Log records can be generated from various components within the JBoss application server. 
The minimum list of logged events should be those pertaining to access and authentication events to the management interface as well as system startup and shutdown events.\n\nBy default, JBoss does not log management interface access but does provide a default file handler. This handler needs to be enabled. Configuring this setting meets several STIG auditing requirements.", "severity": "medium" }, { "id": "V-62233", "title": "JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.", "description": "The JBoss server must be configured to select which personnel are assigned the role of selecting which loggable events are to be logged.\nIn JBoss, the role designated for selecting auditable events is the \"Auditor\" role.\nThe personnel or roles that can select loggable events are only the ISSM (or individuals or roles appointed by the ISSM).", "severity": "medium" }, { "id": "V-62235", "title": "JBoss must be configured to initiate session logging upon startup.", "description": "Session logging activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.", "severity": "medium" }, { "id": "V-62237", "title": "JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.", "description": "Information system logging capability is critical for accurate forensic analysis. 
Without being able to establish what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible.\n\nLog record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nApplication servers must log all relevant log data that pertains to the application server. Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD/Web server activity, and application server-related system process activity.", "severity": "medium" }, { "id": "V-62239", "title": "JBoss must be configured to produce log records containing information to establish what type of events occurred.", "description": "Information system logging capability is critical for accurate forensic analysis. Without being able to establish what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible. \n\nLog record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nApplication servers must log all relevant log data that pertains to the application server. 
Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD/Web server activity, and application server-related system process activity.", "severity": "medium" }, { "id": "V-62241", "title": "JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.", "description": "Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.\n\nAscertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety.\n\nWithout sufficient information establishing when the log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control, or flow control rules invoked.\n\nIn addition to logging event information, application servers must also log the corresponding dates and times of these events. Examples of event data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity, and application server-related system process activity.", "severity": "medium" }, { "id": "V-62243", "title": "JBoss must be configured to produce log records that establish which hosted application triggered the events.", "description": "Application server logging capability is critical for accurate forensic analysis. 
Without sufficient and accurate information, a correct replay of the events cannot be determined. \n\nBy default, no web logging is enabled in JBoss. Logging can be configured per web application or by virtual server. If web application logging is not set up, application activity will not be logged.\n\nAscertaining the correct location or process within the application server where the events occurred is important during forensic analysis. To determine where an event occurred, the log data must include the application identity.", "severity": "medium" }, { "id": "V-62245", "title": "JBoss must be configured to record the IP address and port information used by management interface network traffic.", "description": "Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.\n\nAscertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the loggable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise.\n\nWithout sufficient information establishing the source of the logged event, investigation into the cause of event is severely hindered. 
Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control, or flow control rules invoked.", "severity": "medium" }, { "id": "V-62247", "title": "The application server must produce log records that contain sufficient information to establish the outcome of events.", "description": "Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control or flow control rules invoked.\n\nSuccess and failure indicators ascertain the outcome of a particular application server event or function. As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Event outcome may also include event-specific results (e.g., the security state of the information system after the event occurred).", "severity": "medium" }, { "id": "V-62249", "title": "JBoss ROOT logger must be configured to utilize the appropriate logging level.", "description": "Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. 
\n\nSee Chapter 14, Section 14.1.9, Table 14.4 of the Red Hat JBoss EAP Administration and Configuration Guide version 6.3 for specific details on log levels and log level values.\n\nThe JBOSS application server ROOT logger captures all messages not captured by a log category and sends them to a log handler (FILE, CONSOLE, SYSLOG, ETC.). By default, the ROOT logger level is set to INFO, which is a value of 800. This will capture most events adequately. Any level numerically higher than INFO (> 800) records less data and may result in an insufficient amount of information being logged by the ROOT logger. This can result in failed forensic investigations. The ROOT logger level must be INFO level or lower to provide adequate log information.", "severity": "medium" }, { "id": "V-62251", "title": "File permissions must be configured to protect log information from any type of unauthorized read access.", "description": "If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. \n\nWhen not configured to use a centralized logging solution like a syslog server, the JBoss EAP application server writes log data to log files that are stored on the OS; appropriate file permissions must be used to restrict access.\n\nLog information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized access.", "severity": "medium" }, { "id": "V-62253", "title": "File permissions must be configured to protect log information from unauthorized modification.", "description": "If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. 
\n\nWhen not configured to use a centralized logging solution like a syslog server, the JBoss EAP application server writes log data to log files that are stored on the OS; appropriate file permissions must be used to restrict modification.\n\nLog information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized modification.", "severity": "medium" }, { "id": "V-62255", "title": "File permissions must be configured to protect log information from unauthorized deletion.", "description": "If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve.\n\nWhen not configured to use a centralized logging solution like a syslog server, the JBoss EAP application server writes log data to log files that are stored on the OS; appropriate file permissions must be used to restrict deletion.\n\nLog information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized deletion.", "severity": "medium" }, { "id": "V-62257", "title": "JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.", "description": "JBoss logs by default are written to the local file system. A centralized logging solution like syslog should be used whenever possible; however, any log data stored to the file system needs to be off-loaded. JBoss EAP does not provide an automated backup capability. Instead, reliance is placed on OS or third-party tools to back up or off-load the log files.\n\nProtection of log data includes assuring log data is not accidentally lost or deleted. 
Off-loading log records to a different system or onto separate media from the system the application server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.", "severity": "medium" }, { "id": "V-62259", "title": "mgmt-users.properties file permissions must be set to allow access to authorized users only.", "description": "The mgmt-users.properties file contains the password hashes of all users who are in a management role and must be protected. Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.", "severity": "medium" }, { "id": "V-62261", "title": "JBoss process owner interactive access must be restricted.", "description": "JBoss does not require admin rights to operate and should be run as a regular user. In addition, if the user account was to be compromised and the account was allowed interactive logon rights, this would increase the risk and attack surface against the JBoss system. The right to interactively log on to the system using the JBoss account should be limited according to the OS capabilities.", "severity": "high" }, { "id": "V-62263", "title": "Google Analytics must be disabled in EAP Console.", "description": "The Google Analytics feature aims to help Red Hat EAP team understand how customers are using the console and which parts of the console matter the most to the customers. This information will, in turn, help the team to adapt the console design, features, and content to the immediate needs of the customers.\n\nSending analytical data to the vendor introduces risk of unauthorized data exfiltration. 
This capability must be disabled.", "severity": "medium" }, { "id": "V-62265", "title": "JBoss process owner execution permissions must be limited.", "description": "JBoss EAP application server can be run as the OS admin, which is not advised. Running the application server with admin privileges increases the attack surface by granting the application server more rights than it requires in order to operate. If the server is compromised, the attacker will have the same rights as the application server, which in that case would be admin rights. The JBoss EAP server must not be run as the admin user.", "severity": "high" }, { "id": "V-62267", "title": "JBoss QuickStarts must be removed.", "description": "JBoss QuickStarts are demo applications that can be deployed quickly. Demo applications are not written with security in mind and often open new attack vectors. QuickStarts must be removed.", "severity": "medium" }, { "id": "V-62269", "title": "Remote access to JMX subsystem must be disabled.", "description": "The JMX subsystem allows you to trigger JDK and application management operations remotely. In a managed domain configuration, the JMX subsystem is removed by default. For a standalone configuration, it is enabled by default and must be removed.", "severity": "medium" }, { "id": "V-62271", "title": "Welcome Web Application must be disabled.", "description": "The Welcome to JBoss web page provides a redirect to the JBoss admin console, which, by default, runs on TCP 9990 as well as redirects to the Online User Guide and Online User Groups hosted at locations on the Internet. The welcome page is unnecessary and should be disabled or replaced with a valid web page.", "severity": "low" }, { "id": "V-62273", "title": "Any unapproved applications must be removed.", "description": "Extraneous services and applications running on an application server expand the attack surface and increase risk to the application server. 
Securing any server involves identifying and removing any unnecessary services and, in the case of an application server, unnecessary and/or unapproved applications.", "severity": "medium" }, { "id": "V-62275", "title": "JBoss application and management ports must be approved by the PPSM CAL.", "description": "Some networking protocols may not meet organizational security requirements to protect data and components.\n\nApplication servers natively host a number of various features, such as management interfaces, httpd servers and message queues. These features all run on TCP/IP ports. This creates the potential that the vendor may choose to utilize port numbers or network services that have been deemed unusable by the organization. The application server must have the capability to both reconfigure and disable the assigned ports without adversely impacting application server operation capabilities. For a list of approved ports and protocols, reference the DoD ports and protocols website at https://powhatan.iiie.disa.mil/ports/cal.html.", "severity": "medium" }, { "id": "V-62277", "title": "The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.", "description": "To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store that is either local (OS-based) or centralized (Active Directory/LDAP) in nature. 
It should be noted that JBoss does not specifically mention Active Directory since AD is LDAP aware.\n\nTo ensure accountability and prevent unauthorized access, the JBoss Server must be configured to utilize a centralized authentication mechanism.", "severity": "medium" }, { "id": "V-62279", "title": "The JBoss Server must be configured to use certificates to authenticate admins.", "description": "Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Unlike a simple username/password scenario where the attacker could gain access by knowing both the username and password without the user knowing his account was compromised, multifactor authentication adds the requirement that the attacker must have something from the user, such as a token, or to biometrically be the user.\n\nMultifactor authentication is defined as: using two or more factors to achieve authentication.\n\nFactors include: \n(i) something a user knows (e.g., password/PIN); \n(ii) something a user has (e.g., cryptographic identification device, token); or \n(iii) something a user is (e.g., biometric). A CAC or PKI Hardware Token meets this definition.\n\nA privileged account is defined as an information system account with authorizations of a privileged user. 
These accounts would be capable of accessing the web management interface.\n\nWhen accessing the application server via a network connection, administrative access to the application server must be PKI Hardware Token enabled or a DoD-approved soft certificate.", "severity": "medium" }, { "id": "V-62281", "title": "The JBoss server must be configured to use individual accounts and not generic or shared accounts.", "description": "To assure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application server users) must be individually identified and authenticated.\n\nA group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users.\n\nApplication servers must ensure that individual users are authenticated prior to authenticating via role or group authentication. This is to ensure that there is non-repudiation for actions taken.", "severity": "medium" }, { "id": "V-62283", "title": "The JBoss server must be configured to bind the management interfaces to only management networks.", "description": "JBoss provides multiple interfaces for accessing the system. By default, these are called \"public\" and \"management\". Allowing non-management traffic to access the JBoss management interface increases the chances of a security compromise. The JBoss server must be configured to bind the management interface to a network that controls access. This is usually a network that has been designated as a management network and has restricted access. 
Similarly, the public interface must be bound to a network that is not on the same segment as the management interface.", "severity": "medium" }, { "id": "V-62285", "title": "JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.", "description": "JBoss EAP provides a security realm called ManagementRealm. By default, this realm uses the mgmt-users.properties file for authentication. Using file-based authentication does not allow the JBoss server to be in compliance with a wide range of user management requirements such as automatic disabling of inactive accounts as per DoD policy. To address this issue, the management interfaces used to manage the JBoss server must be associated with a security realm that provides centralized authentication management. Examples are AD or LDAP.\n\nManagement of user identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). It is commonly the case that a user account is the name of an information system account associated with an individual.", "severity": "medium" }, { "id": "V-62287", "title": "The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.", "description": "JBoss EAP 6 has a Password Vault to encrypt sensitive strings, store them in an encrypted keystore, and decrypt them for applications and verification systems. Plain-text configuration files, such as XML deployment descriptors, need to specify passwords and other sensitive information. Use the JBoss EAP Password Vault to securely store sensitive strings in plain-text files.", "severity": "medium" }, { "id": "V-62289", "title": "JBoss KeyStore and Truststore passwords must not be stored in clear text.", "description": "Access to the JBoss Password Vault must be secured, and the password used to access must be encrypted. 
There is a specific process used to generate the encrypted password hash. This process must be followed in order to store the password in an encrypted format.\n\nThe admin must utilize this process in order to ensure the Keystore password is encrypted.", "severity": "medium" }, { "id": "V-62291", "title": "LDAP enabled security realm value allow-empty-passwords must be set to false.", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.\n\nApplication servers have the capability to utilize either certificates (tokens) or user IDs and passwords in order to authenticate. When the application server transmits or receives passwords, the passwords must be encrypted.", "severity": "medium" }, { "id": "V-62293", "title": "JBoss must utilize encryption when using LDAP for authentication.", "description": "Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission.\n\nApplication servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. 
When the application server utilizes LDAP, the LDAP traffic must be encrypted.", "severity": "medium" }, { "id": "V-62295", "title": "The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators.", "description": "The cornerstone of the PKI is the private key used to encrypt or digitally sign information.\n\nIf the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and can pretend to be the authorized user.\n\nBoth the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. Java-based application servers utilize the Java keystore, which provides storage for cryptographic keys and certificates. The keystore is usually maintained in a file stored on the file system.", "severity": "medium" }, { "id": "V-62297", "title": "The JBoss server must separate hosted application functionality from application server management functionality.", "description": "The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged user to the management interface before being presented with management functionality. This prevents non-privileged users from having visibility to functions not available to the user. By limiting visibility, a compromised non-privileged account does not offer information to the attacker or functionality and information needed to further the attack on the application server.\n\nJBoss is designed to operate with separate application and management interfaces.\nThe JBoss server is started via a script. 
To start the JBoss server in domain mode, the admin will execute the /bin/domain.sh or domain.bat script.\n\nTo start the JBoss server in standalone mode, the admin will execute /bin/standalone.bat or standalone.sh.\n\nCommand line flags are used to specify which network address is used for management and which address is used for public/application access.", "severity": "medium" }, { "id": "V-62299", "title": "JBoss file permissions must be configured to protect the confidentiality and integrity of application files.", "description": "The JBoss EAP Application Server is a Java-based AS. It is installed on the OS file system and depends upon file system access controls to protect application data at rest. The file permissions set on the JBoss EAP home folder must be configured so as to limit access to only authorized people and processes. The account used for operating the JBoss server and any designated administrative or operational accounts are the only accounts that should have access.\n\nWhen data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. Steps must be taken to ensure data stored on the device is protected.", "severity": "medium" }, { "id": "V-62301", "title": "Access to JBoss log files must be restricted to authorized users.", "description": "If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nApplication servers must protect the error messages that are created by the application server. 
All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.", "severity": "medium" }, { "id": "V-62303", "title": "Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller.", "description": "When configuring JBoss application servers into a domain configuration, HTTP management capabilities are not required on domain member servers as management is done via the server that has been designated as the domain controller. \n\nLeaving HTTP management capabilities enabled on domain member servers increases the attack surface; therefore, management services on domain member servers must be disabled and management services performed via the domain controller.", "severity": "medium" }, { "id": "V-62305", "title": "The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.", "description": "Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.\n\nRestricting non-privileged users also prevents an attacker who has gained access to a non-privileged account from elevating privileges, creating accounts, and performing system checks and maintenance.", "severity": "medium" }, { "id": "V-62307", "title": "The JBoss server must be configured to log all 
admin activity.", "description": "In order to be able to provide a forensic history of activity, the application server must ensure users who are granted a privileged role or those who utilize a separate distinct account when accessing privileged functions or data have their actions logged.\n\nIf privileged activity is not logged, no forensic logs can be used to establish accountability for privileged actions that occur on the system.", "severity": "medium" }, { "id": "V-62309", "title": "The JBoss server must be configured to utilize syslog logging.", "description": "Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control or flow control rules invoked.\n\nOff-loading is a common process in information systems with limited log storage capacity.\n\nCentralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. 
Application servers and their related components are required to off-load log records onto a different system or media than the system being logged.", "severity": "medium" }, { "id": "V-62311", "title": "Production JBoss servers must not allow automatic application deployment.", "description": "When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant effects on the overall security of the system.\n\nAccess restrictions for changes also include application software libraries.\n\nIf the application server provides automatic code deployment capability, (where updates to applications hosted on the application server are automatically performed, usually by the developers' IDE tool), it must also provide a capability to restrict the use of automatic application deployment. Automatic code deployments are allowable in a development environment, but not in production.", "severity": "medium" }, { "id": "V-62313", "title": "Production JBoss servers must log when failed application deployments occur.", "description": "Without logging the enforcement of access restrictions against changes to the application server configuration, it will be difficult to identify attempted attacks, and a log trail will not be available for forensic investigation for after-the-fact actions. Configuration changes may occur to any of the modules within the application server through the management interface, but logging of actions to the configuration of a module outside the application server is not logged.\n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). 
Log items may consist of lists of actions blocked by access restrictions or changes identified after the fact.", "severity": "medium" }, { "id": "V-62315", "title": "Production JBoss servers must log when successful application deployments occur.", "description": "Without logging the enforcement of access restrictions against changes to the application server configuration, it will be difficult to identify attempted attacks, and a log trail will not be available for forensic investigation for after-the-fact actions. Configuration changes may occur to any of the modules within the application server through the management interface, but logging of actions to the configuration of a module outside the application server is not logged.\n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Log items may consist of lists of actions blocked by access restrictions or changes identified after the fact.", "severity": "medium" }, { "id": "V-62317", "title": "JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.", "description": "Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.\n\nThe DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. 
The application server must only allow the use of DoD PKI-established certificate authorities for verification.", "severity": "medium" }, { "id": "V-62319", "title": "The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.", "description": "A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the application server, the hosted application and data are given a platform that is load-balanced and provides high availability.", "severity": "medium" }, { "id": "V-62321", "title": "JBoss must be configured to use an approved TLS version.", "description": "Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS). \n\nJBoss relies on the underlying SSL implementation running on the OS. This can be either Java based or OpenSSL. The SSL protocol setting determines which SSL protocol is used. SSL has known security vulnerabilities, so TLS should be used instead. \n\nIf data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.\n\nFIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\nTLS must be enabled, and non-FIPS-approved SSL versions must be disabled. 
NIST SP 800-52 specifies the preferred configurations for government systems.", "severity": "medium" }, { "id": "V-62323", "title": "JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.", "description": "Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec tunnel.\n\nIf data in transit is unencrypted, it is vulnerable to disclosure and modification. If approved cryptographic algorithms are not used, encryption strength cannot be assured.\n\nFIPS 140-2 approved TLS versions include TLS V1.0 or greater.\n\nTLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.", "severity": "medium" }, { "id": "V-62325", "title": "Production JBoss servers must be supported by the vendor.", "description": "The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product. It is imperative that patches and updates be applied to JBoss in a timely manner as many attacks against JBoss focus on unpatched systems. It is critical that support be obtained and made available.", "severity": "high" }, { "id": "V-62327", "title": "The JRE installed on the JBoss server must be kept up to date.", "description": "The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product. It is imperative that patches and updates be applied to JBoss in a timely manner as many attacks against JBoss focus on unpatched systems. 
It is critical that support be obtained and made available.", "severity": "high" }, { "id": "V-62329", "title": "JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur.", "description": "Changing privileges of a subject/object may cause a subject/object to gain or lose capabilities. When successful/unsuccessful changes are made, the event needs to be logged. By logging the event, the modification or attempted modification can be investigated to determine if it was performed inadvertently or maliciously.", "severity": "medium" }, { "id": "V-62331", "title": "JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur.", "description": "Deleting privileges of a subject/object may cause a subject/object to gain or lose capabilities. When successful and unsuccessful privilege deletions are made, the events need to be logged. By logging the event, the modification or attempted modification can be investigated to determine if it was performed inadvertently or maliciously.", "severity": "medium" }, { "id": "V-62333", "title": "JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur.", "description": "Logging the access to the application server allows the system administrators to monitor user accounts. 
By logging successful/unsuccessful logons, the system administrator can determine if an account is compromised (e.g., frequent logons) or is in the process of being compromised (e.g., frequent failed logons) and can take actions to thwart the attack.\n\nLogging successful logons can also be used to determine accounts that are no longer in use.", "severity": "medium" }, { "id": "V-62335", "title": "JBoss must be configured to generate log records for privileged activities.", "description": "Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nPrivileged activities would occur through the management interface. This interface can be web-based or can be command line utilities. Whichever method is utilized by the application server, these activities must be logged.", "severity": "medium" }, { "id": "V-62337", "title": "JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface.", "description": "Determining when a user has accessed the management interface is important to determine the timeline of events when a security incident occurs. Generating these events, especially if the management interface is accessed via a stateless protocol like HTTP, the log events will be generated when the user performs a logon (start) and when the user performs a logoff (end). 
Without these events, the user and later investigators cannot determine the sequence of events and therefore cannot determine what may have happened and by whom it may have been done.\n\nThe generation of start and end times within log events allows the user to perform their due diligence in the event of a security breach.", "severity": "medium" }, { "id": "V-62339", "title": "JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface.", "description": "Concurrent logons from different systems could possibly indicate a compromised account. When concurrent logons are made from different workstations to the management interface, a log record needs to be generated. This configuration setting provides forensic evidence that allows the system administrator to investigate access to the system and determine if the duplicate access was authorized or not.\n\nJBoss provides a multitude of different log formats, and API calls that log access to the system. If the default format and location is not used, the system admin must provide the configuration documentation and settings that show that this requirement is being met.", "severity": "medium" }, { "id": "V-62341", "title": "JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events.", "description": "The maintenance of user accounts is a key activity within the system to determine access and privileges. Through changes to accounts, an attacker can create an account for persistent access, modify an account to elevate privileges, or terminate/disable an account(s) to cause a DoS for user(s). To be able to track and investigate these actions, log records must be generated for any account modification functions.\n\nApplication servers either provide a local user store, or they can integrate with enterprise user stores like LDAP. 
As such, the application server must be able to generate log records on account creation, modification, disabling, and termination.", "severity": "medium" }, { "id": "V-62343", "title": "The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.", "description": "Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNSS creates an integrity risk. The application server must utilize approved DoD or CNSS Class 3 or Class 4 certificates for software signing and business-to-business transactions.", "severity": "medium" }, { "id": "V-62345", "title": "JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis.", "description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can track and understand what may have occurred. Off-loading should be set up as a scheduled task but can be configured to be run manually, if other processes during the off-loading are manual.\n\nOff-loading is a common process in information systems with limited log storage capacity.", "severity": "medium" } ] }