From df5dcf087b8b34e37655de55f6766c8652c8c928 Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Wed, 23 Sep 2020 15:48:35 -0600
Subject: [PATCH] Remove JBoss EAP6
- Product is way past EOL
---
CMakeLists.txt | 5 -
build_product | 1 -
docs/manual/developer_guide.adoc | 1 -
docs/manual/user_guide.adoc | 8 +-
eap6/CMakeLists.txt | 18 -
eap6/checks/oval/installed_app_is_eap6.xml | 96 --
eap6/cpe/eap6-cpe-dictionary.xml | 137 --
eap6/guide/benchmark.yml | 53 -
eap6/guide/eap6/group.yml | 5 -
.../rule.yml | 50 -
.../oval/eap6.xml | 49 -
.../rule.yml | 57 -
.../oval/eap6.xml | 45 -
.../jboss_eap_configure_auditing/rule.yml | 58 -
.../rule.yml | 48 -
.../eap6/jboss_eap_configure_ha_lb/rule.yml | 63 -
.../rule.yml | 59 -
.../eap6/jboss_eap_configure_https/rule.yml | 63 -
.../oval/eap6.xml | 45 -
.../jboss_eap_configure_keystore/rule.yml | 46 -
.../eap6/jboss_eap_configure_ldap/rule.yml | 53 -
.../rule.yml | 66 -
.../oval/eap6.xml | 65 -
.../rule.yml | 68 -
.../oval/eap6.xml | 49 -
.../rule.yml | 58 -
.../rule.yml | 58 -
.../rule.yml | 74 -
.../rule.yml | 82 --
.../rule.yml | 39 -
.../eap6/jboss_eap_configure_ports/rule.yml | 60 -
.../rule.yml | 53 -
.../oval/eap6.xml | 43 -
.../rule.yml | 94 --
.../rule.yml | 67 -
.../jboss_eap_configure_syslog/oval/eap6.xml | 45 -
.../eap6/jboss_eap_configure_syslog/rule.yml | 69 -
.../rule.yml | 50 -
.../jboss_eap_configure_user_roles/rule.yml | 56 -
.../eap6/jboss_eap_disable_analytics/rule.yml | 40 -
.../rule.yml | 55 -
.../rule.yml | 51 -
.../rule.yml | 48 -
.../guide/eap6/jboss_eap_enable_rbac/rule.yml | 55 -
.../rule.yml | 46 -
.../jboss_eap_file_permissions/oval/eap6.xml | 45 -
.../eap6/jboss_eap_file_permissions/rule.yml | 55 -
.../eap6/jboss_eap_log_deployments/rule.yml | 53 -
.../jboss_eap_logs_permissions/oval/eap6.xml | 60 -
.../eap6/jboss_eap_logs_permissions/rule.yml | 80 --
.../jboss_eap_remove_group_accounts/rule.yml | 75 -
.../eap6/jboss_eap_remove_jmx/oval/eap6.xml | 45 -
eap6/guide/eap6/jboss_eap_remove_jmx/rule.yml | 57 -
.../oval/eap6.xml | 35 -
.../jboss_eap_remove_quickstarts/rule.yml | 26 -
.../oval/eap6.xml | 36 -
.../rule.yml | 43 -
.../rule.yml | 43 -
.../jboss_eap_restrict_jboss_account/rule.yml | 39 -
.../oval/eap6.xml | 45 -
.../rule.yml | 75 -
.../rule.yml | 56 -
.../rule.yml | 76 -
.../eap6/jboss_eap_system_up_to_date/rule.yml | 35 -
.../eap6/jboss_eap_unprivileged_mode/rule.yml | 58 -
.../jboss_eap_use_approved_ca_cert/rule.yml | 49 -
.../jboss_eap_use_approved_ciphers/rule.yml | 72 -
.../jboss_eap_use_dod_approved_certs/rule.yml | 49 -
.../jboss_eap_use_secure_ldap_port/rule.yml | 54 -
eap6/guide/eap6/jboss_eap_use_tls/rule.yml | 59 -
.../jboss_eap_vendor_supported/oval/eap6.xml | 14 -
.../eap6/jboss_eap_vendor_supported/rule.yml | 35 -
eap6/guide/eap6/var_jboss_profile.var | 15 -
eap6/overlays/srg_support.xml | 0
eap6/overlays/stig_overlay.xml | 271 ----
eap6/product.yml | 7 -
eap6/profiles/stig.profile | 57 -
eap6/transforms/cci2html.xsl | 6 -
eap6/transforms/constants.xslt | 21 -
eap6/transforms/shorthand2xccdf.xslt | 9 -
eap6/transforms/table-add-srgitems.xslt | 7 -
eap6/transforms/table-sortbyref.xslt | 6 -
eap6/transforms/table-srgmap.xslt | 11 -
eap6/transforms/table-style.xslt | 5 -
eap6/transforms/xccdf-apply-overlay-stig.xslt | 8 -
eap6/transforms/xccdf2stigformat.xslt | 7 -
eap6/transforms/xccdf2table-byref.xslt | 9 -
eap6/transforms/xccdf2table-cce.xslt | 9 -
.../xccdf2table-profileccirefs.xslt | 9 -
.../xccdf2table-profilecisrefs.xslt | 9 -
.../xccdf2table-profilenistrefs.xslt | 8 -
eap6/transforms/xccdf2table-stig.xslt | 9 -
.../disa-stig-eap6-v1r2-xccdf-manual.xml | 1275 -----------------
ssg/constants.py | 37 -
94 files changed, 6 insertions(+), 5509 deletions(-)
delete mode 100644 eap6/CMakeLists.txt
delete mode 100644 eap6/checks/oval/installed_app_is_eap6.xml
delete mode 100644 eap6/cpe/eap6-cpe-dictionary.xml
delete mode 100644 eap6/guide/benchmark.yml
delete mode 100644 eap6/guide/eap6/group.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_audit_privileged_actions/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_application_authentication/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_application_authentication/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_auditing/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_auditing/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_auditor_roles/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_ha_lb/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_host_access_restrictions/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_https/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_keystore/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_keystore/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_ldap/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_log_permissions/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_logging_level/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_logging_level/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_management_authentication/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_management_authentication/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_management_ldap/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_management_network/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_multifactor_authentication/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_offloading_max/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_ports/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_secure_management_access/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_security_manager/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_security_manager/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_security_realm/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_syslog/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_syslog/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_user_permissions/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_configure_user_roles/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_disable_analytics/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_disable_automatic_deployment/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_disable_domain_admin_console/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_disable_replace_welcome_page/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_enable_rbac/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_encrypt_keystore_passwords/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_file_permissions/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_file_permissions/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_log_deployments/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_logs_permissions/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_logs_permissions/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_remove_group_accounts/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_remove_jmx/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_remove_jmx/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_remove_quickstarts/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_remove_quickstarts/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_require_password_access/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_restrict_jboss_account/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_secure_keystore_permissions/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_service_separate_networks/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_system_up_to_date/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_unprivileged_mode/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_use_approved_ca_cert/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_use_approved_ciphers/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_use_dod_approved_certs/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_use_secure_ldap_port/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_use_tls/rule.yml
delete mode 100644 eap6/guide/eap6/jboss_eap_vendor_supported/oval/eap6.xml
delete mode 100644 eap6/guide/eap6/jboss_eap_vendor_supported/rule.yml
delete mode 100644 eap6/guide/eap6/var_jboss_profile.var
delete mode 100644 eap6/overlays/srg_support.xml
delete mode 100644 eap6/overlays/stig_overlay.xml
delete mode 100644 eap6/product.yml
delete mode 100644 eap6/profiles/stig.profile
delete mode 100644 eap6/transforms/cci2html.xsl
delete mode 100644 eap6/transforms/constants.xslt
delete mode 100644 eap6/transforms/shorthand2xccdf.xslt
delete mode 100644 eap6/transforms/table-add-srgitems.xslt
delete mode 100644 eap6/transforms/table-sortbyref.xslt
delete mode 100644 eap6/transforms/table-srgmap.xslt
delete mode 100644 eap6/transforms/table-style.xslt
delete mode 100644 eap6/transforms/xccdf-apply-overlay-stig.xslt
delete mode 100644 eap6/transforms/xccdf2stigformat.xslt
delete mode 100644 eap6/transforms/xccdf2table-byref.xslt
delete mode 100644 eap6/transforms/xccdf2table-cce.xslt
delete mode 100644 eap6/transforms/xccdf2table-profileccirefs.xslt
delete mode 100644 eap6/transforms/xccdf2table-profilecisrefs.xslt
delete mode 100644 eap6/transforms/xccdf2table-profilenistrefs.xslt
delete mode 100644 eap6/transforms/xccdf2table-stig.xslt
delete mode 100644 shared/references/disa-stig-eap6-v1r2-xccdf-manual.xml
diff --git a/CMakeLists.txt b/CMakeLists.txt
index ca5fe336b5..1a62258cfb 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -64,7 +64,6 @@ option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built
option(SSG_PRODUCT_DEBIAN8 "If enabled, the Debian 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_DEBIAN9 "If enabled, the Debian 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_DEBIAN10 "If enabled, the Debian 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-option(SSG_PRODUCT_EAP6 "If enabled, the JBoss EAP6 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE)
option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
option(SSG_PRODUCT_FIREFOX "If enabled, the Firefox SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -238,7 +237,6 @@ message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}")
message(STATUS "Debian 8: ${SSG_PRODUCT_DEBIAN8}")
message(STATUS "Debian 9: ${SSG_PRODUCT_DEBIAN9}")
message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}")
-message(STATUS "JBoss EAP 6: ${SSG_PRODUCT_EAP6}")
message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}")
message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}")
message(STATUS "Firefox: ${SSG_PRODUCT_FIREFOX}")
@@ -309,9 +307,6 @@ endif()
if (SSG_PRODUCT_DEBIAN10)
add_subdirectory("debian10")
endif()
-if (SSG_PRODUCT_EAP6)
- add_subdirectory("eap6")
-endif()
if (SSG_PRODUCT_EXAMPLE)
add_subdirectory("example")
endif()
diff --git a/build_product b/build_product
index 4cf68366e4..d2b762f577 100755
--- a/build_product
+++ b/build_product
@@ -257,7 +257,6 @@ all_cmake_products=(
DEBIAN8
DEBIAN9
DEBIAN10
- EAP6
EXAMPLE
FEDORA
FIREFOX
diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
index d2794ce1c9..42d47ba221 100644
--- a/docs/manual/developer_guide.adoc
+++ b/docs/manual/developer_guide.adoc
@@ -515,7 +515,6 @@ We have multiple benchmarks in our project:
| Applications | `/applications` (Notice no `guide` subdirectory there!)
| Java Runtime Environment | `/jre/guide`
| Fuse 6 | `/fuse6/guide`
-| EAP6 | `/eap6/guide`
| Firefox | `/firefox/guide`
| Chromium | `/chromium/guide`
|===
diff --git a/docs/manual/user_guide.adoc b/docs/manual/user_guide.adoc
index d2fc8dbba0..4d5d3ab8c6 100644
--- a/docs/manual/user_guide.adoc
+++ b/docs/manual/user_guide.adoc
@@ -10,8 +10,7 @@ toc::[]
The ComplianceAsCode (SSG) project delivers security guidance, baselines and
associated validation mechanisms utilizing the Security Content Automation
-Protocol (SCAP). SSG provides content for Red Hat Enterprise Linux and JBoss
-Enterprise Application Server (JBoss EAP).
+Protocol (SCAP). SSG provides content for Red Hat Enterprise Linux.
In addition to hardening advice, SSG links back to compliance requirements in
order to eease deployment activities, such as certification and accreditation.
These include requirements in the U.S. Government (Federal, Defense, and
@@ -304,6 +303,11 @@ If you need content for RHV based on el7, use the Red Hat Enterprise Linux 7 (`r
|November 30, 2016
| link:https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35[SSG 0.1.35]
+|JBoss EAP 6
+|June 30, 2019
+| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53[content 0.1.53]
+
+
|Red Hat Enterprise Linux 5
|March 31, 2017
| link:https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.34[SSG 0.1.34]
diff --git a/eap6/CMakeLists.txt b/eap6/CMakeLists.txt
deleted file mode 100644
index 9833bf0c2e..0000000000
--- a/eap6/CMakeLists.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-# Sometimes our users will try to do: "cd jboss_eap6; cmake ." That needs to error in a nice way.
-if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
- message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the developer_guide.adoc for more details!")
-endif()
-
-set(PRODUCT "eap6")
-set(DISA_SRG_TYPE "application")
-
-ssg_build_product(${PRODUCT})
-
-ssg_build_html_nistrefs_table(${PRODUCT} "stig")
-
-ssg_build_html_cce_table(${PRODUCT})
-
-ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
-
-ssg_build_html_stig_tables(${PRODUCT} "stig")
-
diff --git a/eap6/checks/oval/installed_app_is_eap6.xml b/eap6/checks/oval/installed_app_is_eap6.xml
deleted file mode 100644
index 59f580e073..0000000000
--- a/eap6/checks/oval/installed_app_is_eap6.xml
+++ /dev/null
@@ -1,96 +0,0 @@
-<def-group>
- <definition version="1" class="inventory" id="installed_app_is_eap6">
- <metadata>
- <title>JBoss Enterprise Application Platform 6</title>
- <description>EAP Version should be version 6</description>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.0.0" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.0.1" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.1.0" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.1.1" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.0" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.1" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.2" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.3" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.4" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.0" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.1" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.2" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.3" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.0" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.1" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.2" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.3" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.4" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.5" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.6" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.7" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.8" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.9" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.10" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.11" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.12" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.13" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.14" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.15" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.16" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.17" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.18" />
- <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.19" />
- </metadata>
- <criteria operator="OR">
- <criterion test_ref="test_installed_eap_version_6" />
- <criterion test_ref="test_installed_eap_version_6_container" />
- <criterion test_ref="test_package_eap6_installed" />
- </criteria>
- </definition>
-
- <linux:rpminfo_test check="all" check_existence="all_exist"
- id="test_package_eap6_installed" version="1"
- comment="package eap6 is installed">
- <linux:object object_ref="obj_package_eap6_installed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_eap6_installed" version="1">
- <linux:name>eap6</linux:name>
- </linux:rpminfo_object>
-
- <ind:environmentvariable58_object id="obj_env_installed_eap6_home" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <ind:textfilecontent54_test id="test_installed_eap_version_6" version="1" check="all" comment="Check EAP Version">
- <ind:object object_ref="obj_installed_eap_version_6" />
- <ind:state state_ref="state_installed_eap_version_6" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_installed_eap_version_6" version="1">
- <ind:path var_ref="local_var_installed_eap_version_6"/>
- <ind:filename>version.txt</ind:filename>
- <ind:pattern operation="pattern match">Red[\s]+Hat[\s]+JBoss[\s]+Enterprise[\s]+Application[\s]+Platform[\s]+\-[\s]+Version[\s]+(.*)GA</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_test id="test_installed_eap_version_6_container" version="1" check="all" comment="Check EAP Version">
- <ind:object object_ref="obj_installed_eap_version_6_container" />
- <ind:state state_ref="state_installed_eap_version_6" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_installed_eap_version_6_container" version="1">
- <ind:filepath>/opt/eap/version.txt</ind:filepath>
- <ind:pattern operation="pattern match">Red[\s]+Hat[\s]+JBoss[\s]+Enterprise[\s]+Application[\s]+Platform[\s]+\-[\s]+Version[\s]+(.*)GA</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state id="state_installed_eap_version_6" version="1">
- <ind:subexpression operation="pattern match">6\.[0-4]+\.[0-9]+</ind:subexpression>
- </ind:textfilecontent54_state>
-
- <local_variable id="local_var_installed_eap_version_6" version="1" datatype="string" comment="version location">
- <concat>
- <object_component object_ref="obj_env_installed_eap6_home" item_field="value" />
- <literal_component datatype="string">/</literal_component>
- </concat>
- </local_variable>
-
-</def-group>
diff --git a/eap6/cpe/eap6-cpe-dictionary.xml b/eap6/cpe/eap6-cpe-dictionary.xml
deleted file mode 100644
index 6a1d490b5f..0000000000
--- a/eap6/cpe/eap6-cpe-dictionary.xml
+++ /dev/null
@@ -1,137 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-
-<cpe-list xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xmlns="http://cpe.mitre.org/dictionary/2.0" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 http://nvd.nist.gov/schema/cpe-dictionary-metadata_0.2.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.2.xsd">
-
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.0.0">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.0.0</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.0.1">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.0.1</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.1.0">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.1.0</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.1.1">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.1.1</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.0">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.2.0</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.1">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.2.1</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.2">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.2.2</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.3">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.2.3</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.4">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.2.4</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.0">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.3.0</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.1">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.3.1</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.2">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.3.2</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.3">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.3.3</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.0">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.0</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.1">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.1</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.2">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.2</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.3">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.3</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.4">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.4</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.5">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.5</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.6">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.6</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.7">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.7</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.8">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.8</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.9">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.9</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.10">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.10</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.11">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.11</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.12">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.12</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.13">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.13</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.14">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.14</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.15">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.15</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.16">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.16</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.17">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.17</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.18">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.18</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
- <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.19">
- <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.19</title>
- <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
- </cpe-item>
-</cpe-list>
diff --git a/eap6/guide/benchmark.yml b/eap6/guide/benchmark.yml
deleted file mode 100644
index 229e81e807..0000000000
--- a/eap6/guide/benchmark.yml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-documentation_complete: true
-
-title: Guide to the Secure Configuration of {{{ full_name }}}
-
-status: draft
-
-description: |
- This guide presents a catalog of security-relevant
- configuration settings for {{{ full_name }}}. It is a rendering of
- content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
- in order to support security automation. The SCAP content is
- is available in the <tt>scap-security-guide</tt> package which is developed at
- {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}.
- <br/><br/>
- Providing system administrators with such guidance informs them how to securely
- configure systems under their control in a variety of network roles. Policy
- makers and baseline creators can use this catalog of settings, with its
- associated references to higher-level security control catalogs, in order to
- assist them in security baseline creation. This guide is a <em>catalog, not a
- checklist</em>, and satisfaction of every item is not likely to be possible or
- sensible in many operational scenarios. However, the XCCDF format enables
- granular selection and adjustment of settings, and their association with OVAL
- and OCIL content provides an automated checking capability. Transformations of
- this document, and its associated automated checking content, are capable of
- providing baselines that meet a diverse set of policy objectives. Some example
- XCCDF <em>Profiles</em>, which are selections of items that form checklists and
- can be used as baselines, are available with this guide. They can be
- processed, in an automated fashion, with tools that support the Security
- Content Automation Protocol (SCAP). The DISA STIG for {{{ full_name }}},
- which provides required settings for US Department of Defense systems, is
- one example of a baseline created from this guidance.
-
-notice:
- id: terms_of_use
- description: |
- Do not attempt to implement any of the settings in
- this guide without first testing them in a non-operational environment. The
- creators of this guidance assume no responsibility whatsoever for its use by
- other parties, and makes no guarantees, expressed or implied, about its
- quality, reliability, or any other characteristic.
-
-front-matter: |
- The SCAP Security Guide Project<br/>
- {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}
-
-rear-matter: |
- Red Hat and Red Hat Enterprise Linux are either registered
- trademarks or trademarks of Red Hat, Inc. in the United States and other
- countries. All other names are registered trademarks or trademarks of their
- respective companies.
-
-version: 0.9
diff --git a/eap6/guide/eap6/group.yml b/eap6/guide/eap6/group.yml
deleted file mode 100644
index 8401098c5a..0000000000
--- a/eap6/guide/eap6/group.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-documentation_complete: true
-
-title: 'JBoss Enterprise Application Platform 6'
-
-description: "JBoss Enterprise Application Platform is a popular Java \nEnterprise Edition application server platform by Red Hat. It is based\non the open-source JBoss Application Server, Community Edition.\nLeveraging robust container architecture, JBoss EAP is capable of\nhosting a wide variety of applications - anything from simple, static\nHTML pages all the way to distributed, transaction-based Java Enterprise\nEdition applications. JBoss EAP is known for being dependable, fast,\nflexible, and cost-effective. This section provides settings for\nconfiguring the JBoss Enterprise Application Platform running on \nRed Hat Enterprise Linux systems."
diff --git a/eap6/guide/eap6/jboss_eap_audit_privileged_actions/rule.yml b/eap6/guide/eap6/jboss_eap_audit_privileged_actions/rule.yml
deleted file mode 100644
index 25b7c41119..0000000000
--- a/eap6/guide/eap6/jboss_eap_audit_privileged_actions/rule.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-documentation_complete: true
-
-title: 'Audit JBoss Privileged Actions'
-
-description: |-
- Launch the jboss-cli management interface substituting standalone or domain for
- <i>CONFIG</i> based upon the server installation.
- <br /><br />
- <pre><JBOSS_HOME>/<i>CONFIG/</i>/bin/jboss-cli</pre>
- <br /><br />
- connect to the server and run the following command:
- <br /><br />
- <pre>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</pre>
-
-rationale: |-
- In order to be able to provide a forensic history of activity, the application
- server must ensure users who are granted a privileged role or those who utilize
- a separate distinct account when accessing privileged functions or data have
- their actions logged.
- <br /><br />
- If privileged activity is not logged, no forensic logs
- can be used to establish accountability for privileged actions that occur on the
- system.
-
-severity: medium
-
-identifiers:
- cce: CCE-80487-2
-
-references:
- disa: CCI-002234
- srg: SRG-APP-000343-AS-000030
- stigid: JBOS-AS-000480
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Run the command:
- <br /><br />
- <pre>/core-service=management/access=audit:read-resource(recursive=true)</pre>
- <br /><br />
- Under the <pre>"logger" => {audit-log}</pre> section of
- the returned response:
- If <pre>"enabled" =>.</pre>, this is a finding
diff --git a/eap6/guide/eap6/jboss_eap_configure_application_authentication/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_application_authentication/oval/eap6.xml
deleted file mode 100644
index 85a50ad122..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_application_authentication/oval/eap6.xml
+++ /dev/null
@@ -1,49 +0,0 @@
-<def-group>
- <definition version="1" class="compliance" id="jboss_eap_configure_application_authentication">
- <metadata>
- <title>Remove Silent Authentication - Application Security Realm</title>
- <description>Verify that Silent Authentication has been removed from the default Application security realm.</description>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- </metadata>
- <criteria>
- <criterion test_ref="test_eap_configure_application_authentication" />
- </criteria>
- </definition>
-
- <ind:environmentvariable58_object id="obj_env_eap_configure_application_authentication" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <local_variable id="local_var_eap_configure_application_authentication" version="1" datatype="string" comment="configuration location">
- <concat>
- <object_component object_ref="obj_env_eap_configure_application_authentication" item_field="value" />
- <literal_component datatype="string">/standalone/configuration/</literal_component>
- </concat>
- </local_variable>
-
- <local_variable id="local_var_profile_application_authentication" version="1" datatype="string" comment="configuration profile">
- <concat>
- <variable_component var_ref="var_jboss_profile" />
- <literal_component datatype="string">.xml</literal_component>
- </concat>
- </local_variable>
-
- <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
-
- <ind:xmlfilecontent_test id="test_eap_configure_application_authentication" version="1" check="all" comment="Check EAP Audit Logging is Enabled">
- <ind:object object_ref="obj_eap_configure_application_authentication" />
- <ind:state state_ref="state_eap_configure_application_authentication" />
- </ind:xmlfilecontent_test>
- <ind:xmlfilecontent_object id="obj_eap_configure_application_authentication" version="1">
- <ind:path var_ref="local_var_eap_configure_application_authentication"/>
- <ind:filename var_ref="local_var_eap_configure_application_authentication" />
- <ind:xpath>count(//*[name()='server']/*[name()='management']/*[name()='security-realms']/*[name()='security-realm'][@name='ApplicationRealm']/*[name()='authentication']/*[name()='local'])</ind:xpath>
- </ind:xmlfilecontent_object>
-
- <ind:xmlfilecontent_state id="state_eap_configure_application_authentication" comment="ensure that the number of local authentication elements in the ApplicationRealm is 0" version="1">
- <ind:value_of datatype="int" operation="equals">0</ind:value_of>
- </ind:xmlfilecontent_state>
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_configure_application_authentication/rule.yml b/eap6/guide/eap6/jboss_eap_configure_application_authentication/rule.yml
deleted file mode 100644
index 1498e7ed3e..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_application_authentication/rule.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-documentation_complete: true
-
-title: 'Remove Silent Authentication - Application Security Realm'
-
-description: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Remove the local element from the Application Realm.
- For standalone servers, run
- the following command:
- <pre>/core-service=management/securityrealm=ApplicationRealm/authentication=local:remove</pre>
- <br /><br />
- For managed domain installations,
- run the following command:
- <pre>/host=HOST_NAME/core-service=management/securityrealm=ApplicationRealm/authentication=local:remove</pre>
-
-rationale: |-
- Silent Authentication is a configuration setting that allows local OS users
- access to the JBoss server and a wide range of operations without specifically
- authenticating on an individual user basis. By default $localuser is a
- Superuser. This introduces an integrity and availability vulnerability and
- violates best practice requirements regarding accountability.
-
-severity: high
-
-identifiers:
- cce: CCE-80456-7
-
-references:
- disa: CCI-000213
- srg: SRG-APP-000033-AS-000024
- stigid: JBOS-AS-000045
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the
- <tt><JBOSS_HOME>/bin/</tt> folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Verify that Silent Authentication has been removed from the default Application
- security realm.
- Run the following command.
- <br /><br />
- For standalone servers, run the following command:
- <pre>ls /core-service=management/securityrealm=ApplicationRealm/authentication</pre>
- <br /><br />
- For managed domain installations, run the following command:
- <pre>ls /host=HOST_NAME/core-service=management/securityrealm=ApplicationRealm/authentication</pre>
- <br /><br />
- If <tt>local</tt> is returned, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_auditing/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_auditing/oval/eap6.xml
deleted file mode 100644
index 1ae11d1062..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_auditing/oval/eap6.xml
+++ /dev/null
@@ -1,45 +0,0 @@
-<def-group>
- <definition version="1" class="compliance" id="jboss_eap_configure_auditing">
- <metadata>
- <title>Configure Audit Logging</title>
- <description>Audit logging must be enabled</description>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- </metadata>
- <criteria>
- <criterion test_ref="test_eap_configure_auditing" />
- </criteria>
- </definition>
-
- <ind:environmentvariable58_object id="obj_env_eap_configure_auditing" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <local_variable id="local_var_eap_configure_auditing" version="1" datatype="string" comment="configuration location">
- <concat>
- <object_component object_ref="obj_env_eap_configure_auditing" item_field="value" />
- <literal_component datatype="string">/standalone/configuration/</literal_component>
- </concat>
- </local_variable>
-
- <local_variable id="local_var_profile_auditing" version="1" datatype="string" comment="configuration profile">
- <concat>
- <variable_component var_ref="var_jboss_profile" />
- <literal_component datatype="string">.xml</literal_component>
- </concat>
- </local_variable>
-
- <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
-
- <ind:xmlfilecontent_test id="test_eap_configure_auditing" version="1" check="all" comment="Check EAP Audit Logging is Enabled">
- <ind:object object_ref="obj_eap_configure_auditing" />
- </ind:xmlfilecontent_test>
- <ind:xmlfilecontent_object id="obj_eap_configure_auditing" version="1">
- <ind:path var_ref="local_var_eap_configure_auditing"/>
- <ind:filename var_ref="local_var_profile_auditing" />
- <ind:xpath>//*[name()='server']/*[name()='management']/*[name()='audit-log']/*[name()='logger'][@enabled='true']</ind:xpath>
- </ind:xmlfilecontent_object>
-
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_configure_auditing/rule.yml b/eap6/guide/eap6/jboss_eap_configure_auditing/rule.yml
deleted file mode 100644
index a60181be8e..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_auditing/rule.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-documentation_complete: true
-
-title: 'Configure JBoss Auditing and Logging'
-
-description: |-
- Launch the jboss-cli management interface.
- Connect to the server by typing
- <tt>connect</tt>, authenticate as a user in the Superuser role, and run the
- following command:
- <br /><br />
- For a Managed Domain configuration:
- <pre>host=master/server/<i>SERVERNAME</i>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</pre>
- <br /><br />
- For a Standalone
- configuration:
- <pre>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</pre>
-
-rationale: |-
- Log records can be generated from various components within the JBoss
- application server. The minimum list of logged events should be those
- pertaining to access and authentication events to the management interface as
- well as system startup and shutdown events.
- <br /><br />
- By default, JBoss does not log
- management interface access but does provide a default file handler. This
- handler needs to be enabled. Configuring this setting meets several STIG
- auditing requirements.
-
-severity: medium
-
-identifiers:
- cce: CCE-80459-1
-
-references:
- disa: CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000169,CCI-000172,CCI-001464
- srg: SRG-APP-000089-AS-000050,SRG-APP-000092-AS-000053,SRG-APP-000095-AS-000056,SRG-APP-000096-AS-000059,SRG-APP-000096-AS-000060,SRG-APP-000098-AS-000061,SRG-APP-000099-AS-000062,SRG-APP-000495-AS-000220,SRG-APP-000499-AS-000224,SRG-APP-000499-AS-000224,SRG-APP-000503-AS-000228,SRG-APP-000504-AS-000229,SRG-APP-000505-AS-000230,SRG-APP-000506-AS-000231,SRG-APP-000509-AS-000234
- stigid: JBOS-AS-000080
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script to start the Command Line Interface (CLI).
- Connect to the server and authenticate.
- Run the command:
- <br /><br />
- For a Managed Domain
- configuration:
- <pre>ls host=master/server/<i>SERVERNAME</i>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</pre>
- <br /><br />
- For a Standalone configuration:
- <pre>ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</pre>
- <br /><br />
- If <pre>"enabled" =.</pre>, this is
- a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_auditor_roles/rule.yml b/eap6/guide/eap6/jboss_eap_configure_auditor_roles/rule.yml
deleted file mode 100644
index 4a888efc4f..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_auditor_roles/rule.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-documentation_complete: true
-
-title: 'Configure JBoss Auditor Role'
-
-description: |-
- Obtain documented approvals from ISSM, and assign the appropriate personnel
- into the <pre>Auditor</pre> role.
-
-rationale: |-
- The JBoss server must be configured to select which personnel are assigned the
- role of selecting which loggable events are to be logged.
- In JBoss, the role
- designated for selecting auditable events is the <tt>Auditor</tt> role.
- The
- personnel or roles that can select loggable events are only the ISSM (or
- individuals or roles appointed by the ISSM).
-
-severity: medium
-
-identifiers:
- cce: CCE-80460-9
-
-references:
- disa: CCI-000171
- srg: SRG-APP-000090-AS-000051
- stigid: JBOS-AS-000085
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script to start the Command Line Interface (CLI).
- Connect to the server and authenticate.
- Run the command:
- <br /><br />
- For a Managed Domain
- configuration:
- <pre>ls host=master/server/<i>SERVERNAME</i>/core-service=management/access=authorization/role-mapping=Auditor/include=</pre>
- <br /><br />
- For a Standalone configuration:
- <pre>ls /core-service=management/access=authorization/role-mapping=Auditor/include=</pre>
- <br /><br />
- If
- the list of users in the Auditors group is not approved by the ISSM, this is a
- finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_ha_lb/rule.yml b/eap6/guide/eap6/jboss_eap_configure_ha_lb/rule.yml
deleted file mode 100644
index 66d0d2e2b1..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_ha_lb/rule.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-documentation_complete: true
-
-title: 'Configure Load Balancing (LB) or High Availability (HA)'
-
-description: |-
- Configure the application server to provide LB or HA services for the hosted
- application.
-
-rationale: |-
- A MAC I system is a system that handles data vital to the organization's
- operational readiness or effectiveness of deployed or contingency forces. A MAC
- I system must maintain the highest level of integrity and availability. By HA
- clustering the application server, the hosted application and data are given a
- platform that is load-balanced and provides high availability.
-
-severity: medium
-
-identifiers:
- cce: CCE-80492-2
-
-references:
- disa: CCI-002385
- srg: SRG-APP-000435-AS-000069
- stigid: JBOS-AS-000640
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Interview the system admin and determine if the applications hosted on the
- application server are mission critical and require load balancing (LB) or high
- availability (HA).
- <br /><br />
- If the applications do not require LB or HA, this
- requirement is NA.
- <br /><br />
- If the documentation shows the LB or HA services are being
- provided by another system other than the application server, this requirement
- is NA.
- <br /><br />
- If applications require LB or HA, request documentation from the system
- admin that identifies what type of LB or HA configuration has been implemented
- on the application server.
- <br /><br />
- Ask the system admin to identify the components that
- require protection. Some options are included here as an example. Bear in mind
- the examples provided are not complete and absolute and are only provided as
- examples. The components being made redundant or HA by the application server
- will vary based upon application availability requirements.
- <br /><br />
- Examples are:
- Instances of the Application Server
- Web Applications
- Stateful, stateless and
- entity Enterprise Java Beans (EJBs)
- Single Sign On (SSO) mechanisms
- Distributed
- Cache
- HTTP sessions
- JMS and Message Services.
- <br /><br />
- If the hosted application
- requirements specify LB or HA and the JBoss server has not been configured to
- offer HA or LB, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_host_access_restrictions/rule.yml b/eap6/guide/eap6/jboss_eap_configure_host_access_restrictions/rule.yml
deleted file mode 100644
index a9b7f1b3b7..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_host_access_restrictions/rule.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-documentation_complete: true
-
-title: 'Configure Host Access Restrictions for Applications'
-
-description: |-
- Configure the Java security manager to enforce access restrictions to the host
- system resources in accordance with application design and resource
- requirements.
-
-rationale: |-
- The Java Security Manager is a java class that manages the external boundary of
- the Java Virtual Machine (JVM) sandbox, controlling how code executing within
- the JVM can interact with resources outside the JVM.
- <br /><br />
- The JVM requires a
- security policy in order to restrict application access. A properly configured
- security policy will define what rights the application has to the underlying
- system. For example, rights to make changes to files on the host system or to
- initiate network sockets in order to connect to another system.
-
-severity: high
-
-identifiers:
- cce: CCE-80452-6
-
-references:
- disa: CCI-000213
- srg: SRG-APP-000033-AS-000024
- stigid: JBOS-AS-000025
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Obtain documentation from the admin that identifies the applications hosted on
- the JBoss server as well as the corresponding rights the application requires.
- For example, if the application requires network socket permissions and file
- write permissions, those requirements should be documented.
- <br /><br />
- 1. Identify the
- JBoss installation as either domain or standalone and review the relevant
- configuration file.
- For domain installs: <tt>JBOSS_HOME/bin/domain.conf</tt>
- For
- standalone installs: <tt>JBOSS_HOME/bin/standalone.conf</tt>
- <br /><br />
- 2. Identify the location
- and name of the security policy by reading the JAVA_OPTS flag
- <pre>-Djava.security.policy=<i>file name</i></pre>
- where <i>file name</i> will indicate name and
- location of security policy. If the application uses a policy URL, obtain URL
- and policy file from system admin.
- <br /><br />
- 3. Review security policy and ensure hosted
- applications have the appropriate restrictions placed on them as per documented
- application functionality requirements.
- <br /><br />
- If the security policy does not
- restrict application access to host resources as per documented requirements,
- this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_https/rule.yml b/eap6/guide/eap6/jboss_eap_configure_https/rule.yml
deleted file mode 100644
index a18298502d..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_https/rule.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-documentation_complete: true
-
-title: 'Enable HTTPS for JBoss Web Interface'
-
-description: |-
- Follow procedure "4.4. Configure the JBoss Web Server to use HTTPS."
- The detailed procedure is found in the JBoss EAP 6.3 Security Guide available at
- the vendor's site, RedHat.com. An overview of steps is provided here.
- <br /><br />
- 1. Obtain or generate DoD-approved SSL certificates.
- 2. Configure the SSL certificate using your certificate values.
- 3. Set the SSL protocol to TLS V1.1 or V1.2.
-
-rationale: |-
- Encryption is critical for protection of remote access sessions. If encryption
- is not being used for integrity, malicious users may gain the ability to modify
- the application server configuration. The use of cryptography for ensuring
- integrity of remote access sessions mitigates that risk.
- <br /><br />
- Application servers
- utilize a web management interface and scripted commands when allowing remote
- access. Web access requires the use of TLS, and scripted access requires using
- ssh or some other form of approved cryptography. Application servers must have a
- capability to enable a secure remote admin capability.
- <br /><br />
- FIPS 140-2 approved TLS
- versions include TLS V1.0 or greater.
- <br /><br />
- FIPS 140-2 approved TLS versions must be
- enabled, and non-FIPS-approved SSL versions must be disabled.
- <br /><br />
- NIST SP 800-52
- specifies the preferred configurations for government systems.
-
-severity: medium
-
-identifiers:
- cce: CCE-80451-8
-
-references:
- disa: CCI-001453
- srg: SRG-APP-000015-AS-000010
- stigid: JBOS-AS-000015
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- <br /><br />
- Using the relevant OS commands and syntax, cd to the
- <tt><JBOSS_HOME>/bin/</tt> folder
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Review the web subsystem and ensure that HTTPS is enabled.
- Run the command:
- <br /><br />
- For a managed domain:
- <pre>ls /profile=<i>PROFILE_NAME</i>/subsystem=web/connector=</pre>
- For a standalone system:
- <pre>ls /subsystem=web/connector=</pre>
- <br /><br />
- If <tt>https</tt> is not returned, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_keystore/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_keystore/oval/eap6.xml
deleted file mode 100644
index 96599de3d6..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_keystore/oval/eap6.xml
+++ /dev/null
@@ -1,45 +0,0 @@
-<def-group>
- <definition version="1" class="compliance" id="jboss_eap_configure_keystore">
- <metadata>
- <title>Configure Vault for Passwords</title>
- <description>The vault should be configured for storing passwords.</description>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- </metadata>
- <criteria>
- <criterion test_ref="test_eap_configure_keystore" />
- </criteria>
- </definition>
-
- <ind:environmentvariable58_object id="obj_env_configure_keystore" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <local_variable id="local_var_configure_keystore_jboss_home" version="1" datatype="string" comment="version location">
- <concat>
- <object_component object_ref="obj_env_configure_keystore" item_field="value" />
- <literal_component datatype="string">/standalone/configuration/</literal_component>
- </concat>
- </local_variable>
-
- <local_variable id="local_var_profile_vault_passwords" version="1" datatype="string" comment="configuration profile">
- <concat>
- <variable_component var_ref="var_jboss_profile" />
- <literal_component datatype="string">.xml</literal_component>
- </concat>
- </local_variable>
-
- <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
-
- <ind:xmlfilecontent_test id="test_eap_configure_keystore" version="1" check="all" comment="Check EAP for vault">
- <ind:object object_ref="obj_eap_configure_keystore" />
- </ind:xmlfilecontent_test>
- <ind:xmlfilecontent_object id="obj_eap_configure_keystore" version="1">
- <ind:path var_ref="local_var_rollover_jboss_home"/>
- <ind:filename var_ref="local_var_profile_vault_passwords" />
- <ind:xpath>//*[name()='server']/*[name()='vault']</ind:xpath>
- </ind:xmlfilecontent_object>
-
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_configure_keystore/rule.yml b/eap6/guide/eap6/jboss_eap_configure_keystore/rule.yml
deleted file mode 100644
index 34d8111266..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_keystore/rule.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-documentation_complete: true
-
-title: 'Enable the JBoss Keystore'
-
-description: |-
- Configure the application server to use the java keystore and JBoss vault as
- per section 11.13.1 -Password Vault System in the
- JBoss_Enterprise_Application_Platform-6.3
- -Administration_and_Configuration_Guide-en-US document.
- <br /><br />
- 1. Create a java keystore.
- 2. Mask the keystore password and initialize the password vault.
- 3. Configure JBoss to use the password vault.
-
-rationale: |-
- JBoss EAP 6 has a Password Vault to encrypt sensitive strings, store them in an
- encrypted keystore, and decrypt them for applications and verification systems.
- Plain-text configuration files, such as XML deployment descriptors, need to
- specify passwords and other sensitive information. Use the JBoss EAP Password
- Vault to securely store sensitive strings in plain-text files.
-
-severity: medium
-
-identifiers:
- cce: CCE-80478-1
-
-references:
- disa: CCI-000196
- srg: SRG-APP-000171-AS-000119
- stigid: JBOS-AS-000295
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Run the command:
- <br /><br />
- <pre>ls /core-service=vault</pre>
- <br /><br />
- If <pre>code=undefined</pre> and <pre>module=undefined</pre>,
- this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_ldap/rule.yml b/eap6/guide/eap6/jboss_eap_configure_ldap/rule.yml
deleted file mode 100644
index 59a4282407..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_ldap/rule.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-documentation_complete: true
-
-title: 'Configure LDAP'
-
-description: |-
- Follow steps in section 11.8 - Management Interface Security in the
- JBoss_Enterprise_Application_Platform-6.3
- -Administration_and_Configuration_Guide-en-US document.
- <br /><br />
- 1. Create an outbound connection to the LDAP server.
- 2. Create an LDAP-enabled security realm.
- 3. Reference the new security domain in the Management Interface.
-
-rationale: |-
- To assure accountability and prevent unauthorized access, application server
- users must be uniquely identified and authenticated. This is typically
- accomplished via the use of a user store that is either local (OS-based) or
- centralized (Active Directory/LDAP) in nature. It should be noted that JBoss
- does not specifically mention Active Directory since AD is LDAP aware.
- <br /><br />
- To
- ensure accountability and prevent unauthorized access, the JBoss Server must be
- configured to utilize a centralized authentication mechanism.
-
-severity: medium
-
-identifiers:
- cce: CCE-80473-2
-
-references:
- disa: CCI-000764
- srg: SRG-APP-000148-AS-000101
- stigid: JBOS-AS-000260
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- <br /><br />
- To obtain the list of security realms run the command:
- <pre>ls /core-service=management/security-realm=</pre>
- <br /><br />
- Review each security realm using the
- command:
- <pre>ls /core-service=management/security-realm=<i>SECURITY_REALM_NAME</i>/authentication</pre>
- <br /><br />
- If this command does not
- return a security realm that uses LDAP for authentication, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_log_permissions/rule.yml b/eap6/guide/eap6/jboss_eap_configure_log_permissions/rule.yml
deleted file mode 100644
index c3333eeb0f..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_log_permissions/rule.yml
+++ /dev/null
@@ -1,66 +0,0 @@
-documentation_complete: true
-
-title: 'Configure JBoss Log Permissions'
-
-description: |-
- Configure the OS file permissions on the application server to protect log
- information from unauthorized access.
-
-rationale: |-
- If log data were to become compromised, then competent forensic analysis and
- discovery of the true source of potentially malicious system activity is
- difficult, if not impossible, to achieve.
- <br /><br />
- When not configured to use a
- centralized logging solution like a syslog server, the JBoss EAP application
- server writes log data to log files that are stored on the OS; appropriate file
- permissions must be used to restrict access.
- <br /><br />
- Log information includes all
- information (e.g., log records, log settings, transaction logs, and log reports)
- needed to successfully log information system activity. Application servers must
- protect log information from unauthorized access.
-
-severity: medium
-
-identifiers:
- cce: CCE-80462-5
-
-references:
- disa: CCI-000162,CCI-000163,CCI-000164
- srg: SRG-APP-000118-AS-000078,SRG-APP-000119-AS-000079,SRG-APP-000120-AS-000080
- stigid: JBOS-AS-000165
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Examine the log file locations and inspect the file permissions. Interview the
- system admin to determine log file locations. The default location for the log
- files is:
- <br /><br />
- Standalone configuration:
- <pre>
- <JBOSS_HOME>/standalone/log/
- </pre>
- <br /><br />
- Managed
- Domain configuration:
- <pre>
- <JBOSS_HOME>/domain/servers/<i>servername</i>/log/
- <JBOSS_HOME>/domain/log/
- </pre>
- <br /><br />
- Review the file permissions for the log file
- directories. The method used for identifying file permissions will be based
- upon the OS the EAP server is installed on.
- <br /><br />
- Identify all users with file
- permissions that allow them to read, modify, or delete log files.
- <br /><br />
- Request documentation from
- system admin that identifies the users who are authorized to read, modify, or delete log files.
- <br /><br />
- If
- unauthorized users are allowed to read, modify, or delete log files, or if documentation that
- identifies the users who are authorized to read, modify, or delete log files is missing, this is a
- finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_logging_level/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_logging_level/oval/eap6.xml
deleted file mode 100644
index 7022ef72a1..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_logging_level/oval/eap6.xml
+++ /dev/null
@@ -1,65 +0,0 @@
-<def-group>
- <definition version="1" class="compliance" id="jboss_eap_configure_logging_level">
- <metadata>
- <title>Configure JBoss Logging Level</title>
- <description>Verify that the logging level for the ROOT logger is INFO.</description>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- </metadata>
- <criteria operator="OR">
- <criterion test_ref="test_jboss_eap_configure_logging_level_info" />
- <criterion test_ref="test_jboss_eap_configure_logging_level_debug" />
- <criterion test_ref="test_jboss_eap_configure_logging_level_trace" />
- </criteria>
- </definition>
-
- <ind:environmentvariable58_object id="obj_env_jboss_eap_configure_logging_level" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <local_variable id="local_var_jboss_eap_configure_logging_level" version="1" datatype="string" comment="configuration location">
- <concat>
- <object_component object_ref="obj_env_jboss_eap_configure_logging_level" item_field="value" />
- <literal_component datatype="string">/standalone/configuration/</literal_component>
- </concat>
- </local_variable>
-
- <local_variable id="local_var_profile_logging_level" version="1" datatype="string" comment="configuration profile">
- <concat>
- <variable_component var_ref="var_jboss_profile" />
- <literal_component datatype="string">.xml</literal_component>
- </concat>
- </local_variable>
-
- <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
-
- <ind:xmlfilecontent_test id="test_jboss_eap_configure_logging_level_info" version="1" check="all" comment="Check that root logging is INFO level">
- <ind:object object_ref="obj_jboss_eap_configure_logging_level_info" />
- </ind:xmlfilecontent_test>
- <ind:xmlfilecontent_object id="obj_jboss_eap_configure_logging_level_info" version="1">
- <ind:path var_ref="local_var_jboss_eap_configure_logging_level"/>
- <ind:filename var_ref="local_var_jboss_eap_configure_logging_level" />
- <ind:xpath>//*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='root-logger']/*[name()='level'][@name='INFO']</ind:xpath>
- </ind:xmlfilecontent_object>
-
- <ind:xmlfilecontent_test id="test_jboss_eap_configure_logging_level_debug" version="1" check="all" comment="Check that root logging is DEBUG level">
- <ind:object object_ref="obj_jboss_eap_configure_logging_level_trace" />
- </ind:xmlfilecontent_test>
- <ind:xmlfilecontent_object id="obj_jboss_eap_configure_logging_level_debug" version="1">
- <ind:path var_ref="local_var_jboss_eap_configure_logging_level"/>
- <ind:filename var_ref="local_var_jboss_eap_configure_logging_level" />
- <ind:xpath>//*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='root-logger']/*[name()='level'][@name='DEBUG']</ind:xpath>
- </ind:xmlfilecontent_object>
-
- <ind:xmlfilecontent_test id="test_jboss_eap_configure_logging_level_trace" version="1" check="all" comment="Check that root logging is TRACE level">
- <ind:object object_ref="obj_jboss_eap_configure_logging_level_debug" />
- </ind:xmlfilecontent_test>
- <ind:xmlfilecontent_object id="obj_jboss_eap_configure_logging_level_trace" version="1">
- <ind:path var_ref="local_var_jboss_eap_configure_logging_level"/>
- <ind:filename var_ref="local_var_jboss_eap_configure_logging_level" />
- <ind:xpath>//*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='root-logger']/*[name()='level'][@name='TRACE']</ind:xpath>
- </ind:xmlfilecontent_object>
-
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_configure_logging_level/rule.yml b/eap6/guide/eap6/jboss_eap_configure_logging_level/rule.yml
deleted file mode 100644
index 2d392a1820..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_logging_level/rule.yml
+++ /dev/null
@@ -1,68 +0,0 @@
-documentation_complete: true
-
-title: 'Configure JBoss Logging Level'
-
-description: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script to start the Command Line Interface (CLI).
- Connect to the server and authenticate.
- <br /><br />
- The PROFILE NAMEs included with a
- Managed Domain JBoss configuration are:
- <tt>default</tt>, <tt>full</tt>, <tt>full-ha</tt>, or <tt>ha</tt>
- For a Managed Domain configuration, you must check
- each profile name:
- <br /><br />
- For each PROFILE NAME, run the command:
- <pre>/profile=<i>PROFILE NAME</i>/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)</pre>
- <br /><br />
- For a Standalone configuration:
- <pre>/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)</pre>
-
-rationale: |-
- 800 records less data and may result in an insufficient amount of information
- being logged by the ROOT logger. This can result in failed forensic
- investigations. The ROOT logger level must be INFO level or lower to provide
- adequate log information.
-
-severity: medium
-
-identifiers:
- cce: CCE-80461-7
-
-references:
- disa: CCI-001487
- srg: SRG-APP-000100-AS-000063
- stigid: JBOS-AS-000135
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script to start the Command Line Interface (CLI).
- Connect to the server and authenticate.
- <br /><br />
- The PROFILE NAMEs included with a
- Managed Domain JBoss configuration are:
- <tt>default</tt>, <tt>full</tt>, <tt>full-ha</tt>, or <tt>ha</tt>
- For a Managed Domain configuration, you must check
- each profile name:
- <br /><br />
- For each PROFILE NAME, run the command:
- <pre>ls /profile=<i>PROFILE NAME</i>/subsystem=logging/root-logger=ROOT</pre>
- <br /><br />
- If ROOT logger
- <tt>level</tt> is not set to INFO, DEBUG or TRACE
- This is a finding for each
- <i>PROFILE NAME</i> (default, full, full-ha and ha)
- <br /><br />
- For a Standalone configuration:
- <pre>ls /subsystem=logging/root-logger=ROOT</pre>
- <br /><br />
- If "level" not = INFO, DEBUG or TRACE, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_management_authentication/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_management_authentication/oval/eap6.xml
deleted file mode 100644
index b7d180238c..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_management_authentication/oval/eap6.xml
+++ /dev/null
@@ -1,49 +0,0 @@
-<def-group>
- <definition version="1" class="compliance" id="jboss_eap_configure_management_authentication">
- <metadata>
- <title>Remove Silent Authentication - Management Security Realm</title>
- <description>Verify that Silent Authentication has been removed from the default Management security realm.</description>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- </metadata>
- <criteria>
- <criterion test_ref="test_eap_configure_management_authentication" />
- </criteria>
- </definition>
-
- <ind:environmentvariable58_object id="obj_env_eap_configure_management_authentication" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <local_variable id="local_var_eap_configure_management_authentication" version="1" datatype="string" comment="configuration location">
- <concat>
- <object_component object_ref="obj_env_eap_configure_management_authentication" item_field="value" />
- <literal_component datatype="string">/standalone/configuration/</literal_component>
- </concat>
- </local_variable>
-
- <local_variable id="local_var_profile_management_authentication" version="1" datatype="string" comment="configuration profile">
- <concat>
- <variable_component var_ref="var_jboss_profile" />
- <literal_component datatype="string">.xml</literal_component>
- </concat>
- </local_variable>
-
- <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
-
- <ind:xmlfilecontent_test id="test_eap_configure_management_authentication" version="1" check="all" comment="Check EAP Audit Logging is Enabled">
- <ind:object object_ref="obj_eap_configure_management_authentication" />
- <ind:state state_ref="state_eap_configure_management_authentication" />
- </ind:xmlfilecontent_test>
- <ind:xmlfilecontent_object id="obj_eap_configure_management_authentication" version="1">
- <ind:path var_ref="local_var_eap_configure_management_authentication"/>
- <ind:filename var_ref="local_var_profile_management_authentication" />
- <ind:xpath>count(//*[name()='server']/*[name()='management']/*[name()='security-realms']/*[name()='security-realm'][@name='ManagementRealm']/*[name()='authentication']/*[name()='local'])</ind:xpath>
- </ind:xmlfilecontent_object>
-
- <ind:xmlfilecontent_state id="state_eap_configure_management_authentication" comment="ensure that the number of local authentication elements in the ManagementRealm is 0" version="1">
- <ind:value_of datatype="int" operation="equals">0</ind:value_of>
- </ind:xmlfilecontent_state>
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_configure_management_authentication/rule.yml b/eap6/guide/eap6/jboss_eap_configure_management_authentication/rule.yml
deleted file mode 100644
index 1da3591c7e..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_management_authentication/rule.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-documentation_complete: true
-
-title: 'Remove Silent Authentication - Management Security Realm'
-
-description: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <pre><JBOSS_HOME>/bin/</pre>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Remove the local element from the Management Realm.
- For standalone servers run
- the following command:
- <pre>/core-service=management/securityrealm=ManagementRealm/authentication=local:remove</pre>
- <br /><br />
- For managed domain installations run the following command:
- <pre>/host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication=local:remove</pre>
-
-rationale: |-
- Silent Authentication is a configuration setting that allows local OS users
- access to the JBoss server and a wide range of operations without specifically
- authenticating on an individual user basis. By default $localuser is a
- Superuser. This introduces an integrity and availability vulnerability and
- violates best practice requirements regarding accountability.
-
-severity: high
-
-identifiers:
- cce: CCE-80457-5
-
-references:
- disa: CCI-000213
- srg: SRG-APP-000033-AS-000024
- stigid: JBOS-AS-000050
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Verify that Silent Authentication has been removed from the default Management
- security realm.
- Run the following command.
- <br /><br />
- For standalone servers run the
- following command:
- <pre>ls /core-service=management/securityrealm=ManagementRealm/authentication</pre>
- <br /><br />
- For
- managed domain installations run the following command:
- <pre>ls /host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication</pre>
- <br /><br />
- If <tt>local</tt> is returned, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_management_ldap/rule.yml b/eap6/guide/eap6/jboss_eap_configure_management_ldap/rule.yml
deleted file mode 100644
index 46af8da8dc..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_management_ldap/rule.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-documentation_complete: true
-
-title: 'Configure LDAP for Management Interfaces'
-
-description: |-
- Follow steps in section 11.8 - Management Interface Security in the
- JBoss_Enterprise_Application_Platform-6.3
- -Administration_and_Configuration_Guide-en-US document.
- <br /><br />
- 1. Create an outbound connection to the LDAP server.
- 2. Create an LDAP-enabled security realm.
- 3. Reference the new security domain in the Management Interface.
-
-rationale: |-
- JBoss EAP provides a security realm called ManagementRealm. By default, this
- realm uses the mgmt-users.properties file for authentication. Using file-based
- authentication does not allow the JBoss server to be in compliance with a wide
- range of user management requirements such as automatic disabling of inactive
- accounts as per DoD policy. To address this issue, the management interfaces
- used to manage the JBoss server must be associated with a security realm that
- provides centralized authentication management. Examples are AD or LDAP.
- Management of user identifiers is not applicable to shared information system
- accounts (e.g., guest and anonymous accounts). It is commonly the case that a
- user account is the name of an information system account associated with an
- individual.
-
-severity: medium
-
-identifiers:
- cce: CCE-80477-3
-
-references:
- disa: CCI-000795
- srg: SRG-APP-000163-AS-000111
- stigid: JBOS-AS-000290
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Obtain the list of management interfaces by running the command:
- <pre>ls /core-service=management/management-interface</pre>
- <br /><br />
- Identify the security realm used
- by each management interface configuration by running the command:
- <pre>ls /core-service=management/management-interface=<i>MANAGEMENT-INTERFACE-NAME</i></pre>
- Determine if the security realm assigned to the management interface uses LDAP
- for authentication by running the command:
- <pre>ls /core-service=management/security-realm=<i>SECURITY_REALM_NAME</i>/authentication</pre>
- <br /><br />
- If the security
- realm assigned to the management interface does not utilize LDAP for
- authentication, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_management_network/rule.yml b/eap6/guide/eap6/jboss_eap_configure_management_network/rule.yml
deleted file mode 100644
index 537cd8e656..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_management_network/rule.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-documentation_complete: true
-
-title: 'Separate JBoss Management Network'
-
-description: |-
- Refer to Section 4.9 of the JBoss EAP 6.3 Installation guide for detailed
- instructions on how to start JBoss as a service.
- <br /><br />
- Use the following command line
- parameters to assign the management interface to a specific management network.
- These command line flags must be added both when starting JBoss as a service and
- when starting from the command line.
- <br /><br />
- Substitute your actual network address for
- the 10.x.x.x addresses provided as an example below.
- <br /><br />
- For a standalone
- configuration:
- <pre>
- JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1
- JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1
- </pre>
- <br /><br />
- If a management
- network is not available, you may substitute localhost/127.0.0.1 for management
- address. This will force you to manage the JBoss server from the local host.
-
-rationale: |-
- JBoss provides multiple interfaces for accessing the system. By default,
- these are called public and management. Allowing non-
- management traffic to access the JBoss management interface increases the
- chances of a security compromise. The JBoss server must be configured to bind
- the management interface to a network that controls access. This is usually a
- network that has been designated as a management network and has restricted
- access. Similarly, the public interface must be bound to a network that is not
- on the same segment as the management interface.
-
-severity: medium
-
-identifiers:
- cce: CCE-80476-5
-
-references:
- disa: CCI-000778
- srg: SRG-APP-000158-AS-000108
- stigid: JBOS-AS-000285
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Obtain documentation and network drawings from system admin that shows the
- network interfaces on the JBoss server and the networks they are configured for.
- If a management network is not used, you may substitute localhost/127.0.0.1 for
- management address. If localhost/127.0.0.1 is used for management interface,
- this is not a finding.
- <br /><br />
- From the JBoss server open the web-based admin console
- by pointing a browser to <pre>HTTP://127.0.0.1:9990</pre>.
- Log on to the management console
- with admin credentials.
- Select <tt>RUNTIME</tt>.
- Expand <tt>STATUS</tt> by clicking on <tt>+</tt>.
- Expand <tt>PLATFORM</tt> by clicking on <tt>+</tt>.
- In the <tt>Environment</tt> tab, click the <tt>></tt>
- arrow until you see the <tt>jboss.bind.properties</tt> and the
- <pre>jboss.bind.properties.management</pre> values.
- <br /><br />
- If the
- jboss.bind.properties and the jboss.bind.properties.management do not have
- different IP network addresses assigned, this is a finding.
- <br /><br />
- Review the network
- documentation. If access to the management IP address is not restricted, this
- is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_multifactor_authentication/rule.yml b/eap6/guide/eap6/jboss_eap_configure_multifactor_authentication/rule.yml
deleted file mode 100644
index 8b3bbb71d6..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_multifactor_authentication/rule.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-documentation_complete: true
-
-title: 'Configure Multi-Factor Authentication'
-
-description: |-
- Configure the application server to authenticate privileged users via
- multifactor/certificate-based authentication mechanisms when using network
- access to the management interface.
-
-rationale: |-
- Multifactor authentication creates a layered defense and makes it more
- difficult for an unauthorized person to access the application server. If one
- factor is compromised or broken, the attacker still has at least one more
- barrier to breach before successfully breaking into the target. Unlike a simple
- username/password scenario where the attacker could gain access by knowing both
- the username and password without the user knowing his account was compromised,
- multifactor authentication adds the requirement that the attacker must have
- something from the user, such as a token, or to biometrically be the user.
- Multifactor authentication is defined as: using two or more factors to achieve
- authentication.
- <br /><br />
- Factors include:
- (i) something a user knows (e.g.,
- password/PIN);
- (ii) something a user has (e.g., cryptographic identification
- device, token); or
- (iii) something a user is (e.g., biometric). A CAC or PKI
- Hardware Token meets this definition.
- <br /><br />
- A privileged account is defined as an
- information system account with authorizations of a privileged user. These
- accounts would be capable of accessing the web management interface.
- <br /><br />
- When
- accessing the application server via a network connection, administrative access
- to the application server must be PKI Hardware Token enabled or a DoD-approved
- soft certificate.
-
-severity: medium
-
-identifiers:
- cce: CCE-80474-0
-
-references:
- disa: CCI-000765
- srg: SRG-APP-000149-AS-000102
- stigid: JBOS-AS-000265
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Follow these steps:
- 1. Identify the security realm assigned to the management
- interfaces by using the following command:
- <br /><br />
- For standalone systems:
- <pre>ls /core-service=management/management-interface=<i>INTERFACE-NAME</i></pre>
- <br /><br />
- For
- managed domain systems:
- <pre>ls /host=master/core-service=management/management-interface=<i>INTERFACE-NAME</i></pre>
- <br /><br />
- Document the name of the security-realm associated with each management interface.
- <br /><br />
- 2. Review the security realm
- using the command:
- <br /><br />
- For standalone systems:
- <pre>ls /core-service=management/security-realm=<i>SECURITY_REALM_NAME</i>/authentication</pre>
- <br /><br />
- For managed domains:
- <pre>ls /host=master/core-service=management/security-realm=<i>SECURITY_REALM_NAME</i>/authentication</pre>
- <br /><br />
- If the command in step 2 does
- not return a security realm that uses certificates for authentication, this is a
- finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_offloading_max/rule.yml b/eap6/guide/eap6/jboss_eap_configure_offloading_max/rule.yml
deleted file mode 100644
index ab21300c16..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_offloading_max/rule.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-documentation_complete: true
-
-title: 'Configure JBoss Log Off-Loading Frequency'
-
-description: |-
- Configure the application server to off-load log records every seven days onto
- a different system or media from the system being logged.
-
-rationale: |-
- JBoss logs by default are written to the local file system. A centralized
- logging solution like syslog should be used whenever possible; however, any log
- data stored to the file system needs to be off-loaded. JBoss EAP does not
- provide an automated backup capability. Instead, reliance is placed on OS or
- third-party tools to back up or off-load the log files.
- <br /><br />
- Protection of log data
- includes assuring log data is not accidentally lost or deleted. Off-loading log
- records to a different system or onto separate media from the system the
- application server is actually running on helps to assure that, in the event of
- a catastrophic system failure, the log records will be retained.
-
-severity: medium
-
-identifiers:
- cce: CCE-80463-3
-
-references:
- disa: CCI-001348
- srg: SRG-APP-000125-AS-000084
- stigid: JBOS-AS-000195
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Interview the system admin and obtain details on how the log files are being
- off-loaded to a different system or media.
- <br /><br />
- If the log files are not off-loaded
- a minimum of every 7 days, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_ports/rule.yml b/eap6/guide/eap6/jboss_eap_configure_ports/rule.yml
deleted file mode 100644
index 272648843e..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_ports/rule.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-documentation_complete: true
-
-title: 'Configure JBoss Management and Application Ports'
-
-description: |-
- Open the EAP web console by pointing a web browser to <pre>HTTPS://<i>Servername</i>:9990</pre>
- Log on to the admin console using admin credentials
- Select the
- <tt>Configuration</tt> tab
- Expand the <tt>General Configuration</tt> sub
- system by clicking on the <tt>+</tt>
- Select <tt>Socket Binding</tt>
- Select the
- <tt>View</tt> option next to <tt>standard-sockets</tt>
- Select
- <tt>Inbound</tt>
- <br /><br />
- Select the port that needs to be reconfigured and select
- <tt>Edit</tt>.
-
-rationale: |-
- Some networking protocols may not meet organizational security requirements to
- protect data and components.
- <br /><br />
- Application servers natively host a number of
- various features, such as management interfaces, httpd servers and message
- queues. These features all run on TCPIP ports. This creates the potential that
- the vendor may choose to utilize port numbers or network services that have been
- deemed unusable by the organization. The application server must have the
- capability to both reconfigure and disable the assigned ports without adversely
- impacting application server operation capabilities.
-
-severity: medium
-
-identifiers:
- cce: CCE-80472-4
-
-references:
- disa: CCI-000382
- srg: SRG-APP-000142-AS-000014
- stigid: JBOS-AS-000255
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Open the EAP web console by pointing a web browser to <pre>HTTPS://<i>Servername</i>:9443</pre>
- or <pre>HTTP://<i>Servername</i>:9990</pre>
- <br /><br />
- Log on to the admin console using admin credentials
- Select the <tt>Configuration</tt> tab
- Expand the <tt>General Configuration</tt> sub system by clicking on the <tt>+</tt>
- Select <tt>Socket Binding</tt>
- Select the <tt>View</tt> option next to <tt>standard-sockets</tt>
- Select <tt>Inbound</tt>
- <br /><br />
- Review the configured ports and
- determine if they are all approved by the PPSM CAL.
- <br /><br />
- If all the ports are not
- approved by the PPSM CAL, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_secure_management_access/rule.yml b/eap6/guide/eap6/jboss_eap_configure_secure_management_access/rule.yml
deleted file mode 100644
index 6b2e354b7c..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_secure_management_access/rule.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-documentation_complete: true
-
-title: 'Enable HTTPS for Management Sessions'
-
-description: |-
- Follow the specific instructions in the Red Hat Security Guide for EAP version
- 6.3 to configure the management console for HTTPS.
- <br /><br />
- This involves the following steps.
- 1. Create a keystore in JKS format.
- 2. Ensure the management console binds to HTTPS.
- 3. Create a new Security Realm.
- 4. Configure Management Interface to use new security realm.
- 5. Configure the management console to use the keystore.
- 6. Restart the EAP server.
-
-rationale: |-
- Types of management interfaces utilized by the JBoss EAP application server
- include web-based HTTP interfaces as well as command line-based management
- interfaces. In the event remote HTTP management is required, the access must be
- via HTTPS.
- <br /><br />
- This requirement is in conjunction with the requirement to isolate
- all management access to a restricted network.
-
-severity: medium
-
-identifiers:
- cce: CCE-80450-0
-
-references:
- disa: CCI-000068
- srg: SRG-APP-000014-AS-000009
- stigid: JBOS-AS-000010
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss. Using the relevant OS commands and syntax, cd to the
- <tt><JBOSS_HOME>/bin/</tt>
- folder. Run the <pre>jboss-cli</pre> script. Connect to the server and authenticate.
- <br /><br />
- For a standalone configuration run the following command:
- <pre>ls /core-service=management/management-interface=http-interface</pre>
- <br /><br />
- If <pre>"secure-socket-binding"=undefined</pre>, this is a finding.
- <br /><br />
- For a domain configuration run
- the following command:
- <pre>ls /host=master/core-service=management/management-interface=http-interface</pre>
- <br /><br />
- If <tt>secure-port</tt> is undefined, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_security_manager/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_security_manager/oval/eap6.xml
deleted file mode 100644
index ff58454341..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_security_manager/oval/eap6.xml
+++ /dev/null
@@ -1,43 +0,0 @@
-<def-group>
- <definition version="1" class="compliance" id="jboss_eap_configure_security_manager">
- <metadata>
- <title>JBoss Enterprise Application Platform 6 Security Manager</title>
- <description>Java security manager must be installed</description>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- </metadata>
- <criteria>
- <criterion test_ref="test_eap_sec_mgr" />
- </criteria>
- </definition>
-
- <ind:environmentvariable58_object id="obj_env_eap_sec_mgr_home" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <ind:textfilecontent54_test id="test_eap_sec_mgr" version="1" check="all" comment="Check EAP Security Manager">
- <ind:object object_ref="obj_eap_sec_mgr" />
- <ind:state state_ref="state_eap_sec_mgr" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="obj_eap_sec_mgr" version="1">
- <ind:path var_ref="local_var_eap_sec_mgr_path"/>
- <ind:filename>standalone.conf</ind:filename>
- <ind:pattern operation="pattern match">^SECMGR="(.*)"</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state id="state_eap_sec_mgr" version="1">
- <ind:subexpression operation="pattern match">true</ind:subexpression>
- </ind:textfilecontent54_state>
-
- <local_variable id="local_var_eap_sec_mgr_path" version="1" datatype="string" comment="version location">
- <concat>
- <object_component object_ref="obj_env_eap_sec_mgr_home" item_field="value" />
- <literal_component>/bin/</literal_component>
- </concat>
- </local_variable>
-
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_configure_security_manager/rule.yml b/eap6/guide/eap6/jboss_eap_configure_security_manager/rule.yml
deleted file mode 100644
index 65a676e55b..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_security_manager/rule.yml
+++ /dev/null
@@ -1,94 +0,0 @@
-documentation_complete: true
-
-title: 'Enable the Java Security Manager'
-
-description: |-
- For a domain installation:
- Enable the respective JAVA_OPTS flag in both the
- domain.conf and the domain.conf.bat files.
- <br /><br />
- For a standalone installation:
- Enable the respective JAVA_OPTS flag in both the standalone.conf and the
- standalone.conf.bat files.
-
-rationale: |-
- The Java Security Manager is a java class that manages the external boundary of
- the Java Virtual Machine (JVM) sandbox, controlling how code executing within
- the JVM can interact with resources outside the JVM.
- <br /><br />
- The Java Security Manager
- uses a security policy to determine whether a given action will be
- permitted or
- denied.
- <br /><br />
- To protect the host system, the JBoss application server must be run
- within the Java Security Manager.
-
-severity: high
-
-identifiers:
- cce: CCE-80453-4
-
-references:
- disa: CCI-000213
- srg: SRG-APP-000033-AS-000024
- stigid: JBOS-AS-000030
-
-ocil_clause: 'it is not'
-
-ocil: |-
- To determine if the Java Security Manager is enabled for JBoss, you must
- examine the startup commands. JBoss can be configured to run in either
- <tt>domain</tt> or a <tt>standalone</tt> mode. <i>JBOSS_HOME</i> is the variable
- home directory for the JBoss installation. Use relevant OS commands to navigate
- the file system.
- <br /><br />
- A. For a managed domain installation, review the domain.conf
- and domain.conf.bat files:
- <br /><br />
- <pre>JBOSS_HOME/bin/domain.conf
- JBOSS_HOME/bin/domain.conf.bat</pre>
- <br /><br />
- In domain.conf file, ensure there is a JAVA_OPTS
- flag that loads the Java Security Manager as well as a relevant Java Security
- policy. The following is an example:
- <br /><br />
- <pre>JAVA_OPTS="$JAVA_OPTS
- -Djava.security.manager -Djava.security.policy==$PWD/server.policy
- -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-
- permissions=true"</pre>
- <br /><br />
- In domain.conf.bat file, ensure JAVA_OPTS flag is set.
- The following is an example:
- <br /><br />
- set <pre>JAVA_OPTS="%JAVA_OPTS%
- -Djava.security.manager -Djava.security.policy==/path/to/server.policy
- -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-
- permissions=true"</pre>
- <br /><br />
- B. For a standalone installation, review the
- standalone.conf and standalone.conf.bat files:
- <br /><br />
- <pre>
- JBOSS_HOME/bin/standalone.conf
- JBOSS_HOME/bin/standalone.conf.bat
- </pre>
- <br /><br />
- In the standalone.conf file, ensure the
- JAVA_OPTS flag is set. The following is an example:
- <br /><br />
- <pre>
- JAVA_OPTS="$JAVA_OPTS
- -Djava.security.manager -Djava.security.policy==$PWD/server.policy
- -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true"</pre>
- <br /><br />
- In
- the standalone.conf.bat file, ensure the JAVA_OPTS flag is set. The following
- is an example:
- <br /><br />
- set <pre>JAVA_OPTS="%JAVA_OPTS% -Djava.security.manager
- -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME%
- -Djboss.modules.policy-permissions=true"</pre>
- <br /><br />
- If the security manager is not
- enabled and a security policy not defined, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_security_realm/rule.yml b/eap6/guide/eap6/jboss_eap_configure_security_realm/rule.yml
deleted file mode 100644
index 3c52dbe107..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_security_realm/rule.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-documentation_complete: true
-
-title: 'Secure the JBoss Management Interfaces'
-
-description: |-
- Identify the security realm used for management of the system. By default,
- this is called <tt>Management Realm</tt>.
- <br /><br />
- If a management security realm is not
- already available, reference the Jboss EAP 6.3 system administration guide for
- instructions on how to create a security realm for management purposes. Create
- the management realm, and assign authentication and authorization access
- restrictions to the management realm.
- <br /><br />
- Assign the management interfaces to the management realm.
-
-rationale: |-
- JBoss utilizes the concept of security realms to secure the management
- interfaces used for JBoss server administration. If the security realm
- attribute is omitted or removed from the management interface definition, access
- to that interface is no longer secure. The JBoss management interfaces must be
- secured.
-
-severity: high
-
-identifiers:
- cce: CCE-80458-3
-
-references:
- disa: CCI-000213
- srg: SRG-APP-000033-AS-000024
- stigid: JBOS-AS-000075
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <pre><JBOSS_HOME>/bin/</pre>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Identify the management interfaces. To identity the management interfaces, run
- the following command:
- <br /><br />
- For standalone servers:
- <pre>ls /core-service=management/management-interface=</pre>
- <br /><br />
- For managed domain installations:
- <pre>ls /host=HOST_NAME/core-service=management/management-interface=</pre>
- <br /><br />
- By default,
- JBoss provides two management interfaces; they are named <tt>NATIVE-INTERFACE</tt>
- and <tt>HTTP-INTERFACE</tt>. The system may or may not have both
- interfaces enabled. For each management interface listed as a result of the
- previous command, append the name of the management interface to the end of the
- following command.
- <br /><br />
- For a standalone system:
- <br /><br />
- <pre>ls /core-service=management/management-interface=<MANAGEMENT INTERFACE NAME></pre>
- <br /><br />
- For a managed domain:
- <pre>ls /host=HOST_NAME/core-service=management/management-interface=<MANAGEMENT INTERFACE NAME></pre>
- <br /><br />
- If the <pre>security-realm=</pre> attribute is not
- associated with a management realm, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_syslog/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_syslog/oval/eap6.xml
deleted file mode 100644
index 782c16f4e2..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_syslog/oval/eap6.xml
+++ /dev/null
@@ -1,45 +0,0 @@
-<def-group>
- <definition version="1" class="compliance" id="jboss_eap_configure_syslog">
- <metadata>
- <title>Configure JBoss to Use Syslog</title>
- <description>EAP should be configured to export logs to syslog</description>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- </metadata>
- <criteria>
- <criterion test_ref="test_jboss_eap_configure_syslog" />
- </criteria>
- </definition>
-
- <ind:environmentvariable58_object id="obj_env_configure_syslog" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <local_variable id="local_var_configure_syslog_jboss_home" version="1" datatype="string" comment="version location">
- <concat>
- <object_component object_ref="obj_env_configure_syslog" item_field="value" />
- <literal_component datatype="string">/standalone/configuration/</literal_component>
- </concat>
- </local_variable>
-
- <local_variable id="local_var_profile_syslog" version="1" datatype="string" comment="configuration profile">
- <concat>
- <variable_component var_ref="var_jboss_profile" />
- <literal_component datatype="string">.xml</literal_component>
- </concat>
- </local_variable>
-
- <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
-
- <ind:xmlfilecontent_test id="test_jboss_eap_configure_syslog" version="1" check="all" comment="Check EAP for ">
- <ind:object object_ref="obj_jboss_eap_configure_syslog_logs" />
- </ind:xmlfilecontent_test>
- <ind:xmlfilecontent_object id="obj_jboss_eap_configure_syslog_logs" version="1">
- <ind:path var_ref="local_var_configure_syslog_jboss_home"/>
- <ind:filename var_ref="local_var_profile_syslog" />
- <ind:xpath>//*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='syslog-handler']</ind:xpath>
- </ind:xmlfilecontent_object>
-
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_configure_syslog/rule.yml b/eap6/guide/eap6/jboss_eap_configure_syslog/rule.yml
deleted file mode 100644
index bc0e1a4822..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_syslog/rule.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-documentation_complete: true
-
-title: 'Enable Logging to syslog'
-
-description: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Run
- the command:
- <br /><br />
- Standalone configuration:
- <pre>ls /subsystem=logging/syslog-handler=</pre>
- <br /><br />
- Domain configuration:
- <pre>ls /profile=default/subsystem=logging/syslog-handler=</pre>
- <br /><br />
- If no values are returned, this is a finding.
-
-rationale: |-
- Information system logging capability is critical for accurate forensic
- analysis. Log record content that may be necessary to satisfy the requirement of
- this control includes, but is not limited to, time stamps, source and
- destination IP addresses, user/process identifiers, event descriptions,
- application-specific events, success/fail indications, filenames involved,
- access control or flow control rules invoked.
- <br /><br />
- Off-loading is a common process
- in information systems with limited log storage capacity.
- <br /><br />
- Centralized
- management of log records provides for efficiency in maintenance and management
- of records, as well as the backup and archiving of those records. Application
- servers and their related components are required to off-load log records onto a
- different system or media than the system being logged.
-
-severity: medium
-
-identifiers:
- cce: CCE-80488-0
-
-references:
- disa: CCI-001851
- srg: SRG-APP-000358-AS-000064
- stigid: JBOS-AS-000505
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Run the command:
- <br /><br />
- Standalone configuration:
- <pre>ls /subsystem=logging/syslog-handler=</pre>
- <br /><br />
- Domain configuration:
- <pre>ls /profile=<i>specify</i>/subsystem=logging/syslog-handler=</pre>
- Where <i>specify</i> = the
- selected application server profile of; default,full, full-ha or ha.
- <br /><br />
- If no values are returned, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_user_permissions/rule.yml b/eap6/guide/eap6/jboss_eap_configure_user_permissions/rule.yml
deleted file mode 100644
index 69839b549f..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_user_permissions/rule.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-documentation_complete: true
-
-title: 'Configure mgmt-users.properties File Permissions'
-
-description: "Configure the file permissions to allow access to authorized users only.\nOwner can be full access. Group can be full access. \nAll others must have execute\npermissions only."
-
-rationale: |-
- The mgmt-users.properties file contains the password hashes of all users who
- are in a management role and must be protected. Application servers have the
- ability to specify that the hosted applications utilize shared libraries. The
- application server must have a capability to divide roles based upon duties
- wherein one project user (such as a developer) cannot modify the shared library
- code of another project user. The application server must also be able to
- specify that non-privileged users cannot modify any shared library code at
- all.
-
-severity: medium
-
-identifiers:
- cce: CCE-80464-1
-
-references:
- disa: CCI-001499
- srg: SRG-APP-000133-AS-000092
- stigid: JBOS-AS-000210
-
-ocil_clause: 'it is not'
-
-ocil: |-
- The mgmt-users.properties files are located in the standalone or domain
- configuration folder.
- <br /><br />
- <pre>
- <JBOSS_HOME>/domain/configuration/mgmt-users.properties.
- <JBOSS_HOME>/standalone/configuration/mgmt-users.properties.
- </pre>
- <br /><br />
- Identify users who
- have access to the files using relevant OS commands.
- <br /><br />
- Obtain documentation from
- system admin identifying authorized users.
- <br /><br />
- Owner can be full access. Group can be full access.
- All others must have execute permissions only.
- <br /><br />
- If the file
- permissions are not configured so as to restrict access to only authorized
- users, or if documentation that identifies authorized users is missing, this is
- a finding.
diff --git a/eap6/guide/eap6/jboss_eap_configure_user_roles/rule.yml b/eap6/guide/eap6/jboss_eap_configure_user_roles/rule.yml
deleted file mode 100644
index 32793dbc69..0000000000
--- a/eap6/guide/eap6/jboss_eap_configure_user_roles/rule.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-documentation_complete: true
-
-title: 'Configure JBoss User Roles'
-
-description: |-
- Document approved management users and their roles. Configure the application
- server to use RBAC and ensure users are placed into the appropriate roles.
-
-rationale: |-
- Security realms are a series of mappings between users and passwords and users
- and roles. There are 2 JBoss security realms provided by default; they are
- <tt>management realm</tt> and <tt>application realm</tt>.
- <br /><br />
- Management realm
- stores authentication information for the management API, which provides
- functionality for the web-based management console and the management command
- line interface (CLI).
- <br /><br />
- mgmt-groups.properties stores user to group mapping for
- the ManagementRealm but only when role-based access controls (RBAC) is enabled.
- If management users are not in the appropriate role, unauthorized access to
- JBoss resources can occur.
-
-severity: medium
-
-identifiers:
- cce: CCE-80455-9
-
-references:
- disa: CCI-000213
- srg: SRG-APP-000033-AS-000024
- stigid: JBOS-AS-000040
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Review the <tt>mgmt-users.properties</tt> file. Also review the <tt><management /></tt> section
- in the standalone.xml or domain.xml configuration files. The relevant xml file
- will depend on if the JBoss server is configured in standalone or domain mode.
- Ensure all users listed in these files are approved for management access to the
- JBoss server and are in the appropriate role.
- <br /><br />
- For domain configurations:
- <pre>
- <JBOSS_HOME>/domain/configuration/mgmt-users.properties.
- <JBOSS_HOME>/domain/configuration/domain.xml
- </pre>
- <br /><br />
- For standalone configurations:
- <pre>
- <JBOSS_HOME>/standalone/configuration/mgmt-users.properties.
- <JBOSS_HOME>/standalone/configuration/standalone.xml
- </pre>
- <br /><br />
- If the users listed are
- not in the appropriate role, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_disable_analytics/rule.yml b/eap6/guide/eap6/jboss_eap_disable_analytics/rule.yml
deleted file mode 100644
index 863824afa4..0000000000
--- a/eap6/guide/eap6/jboss_eap_disable_analytics/rule.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-documentation_complete: true
-
-title: 'Disable Google Analytics'
-
-description: |-
- Using the EAP web console, log on using admin credentials.
- On the bottom right-hand side of the screen, select <tt>Settings</tt>,
- uncheck the <tt>Enable Data Usage Collection</tt> box, and save the
- configuration.
-
-rationale: |-
- The Google Analytics feature aims to help Red Hat EAP team understand how
- customers are using the console and which parts of the console matter the most
- to the customers. This information will, in turn, help the team to adapt the
- console design, features, and content to the immediate needs of the customers.
- Sending analytical data to the vendor introduces risk of unauthorized data
- exfiltration. This capability must be disabled.
-
-severity: medium
-
-identifiers:
- cce: CCE-80466-6
-
-references:
- disa: CCI-000381
- srg: SRG-APP-000141-AS-000095
- stigid: JBOS-AS-000225
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Open the EAP web console by pointing a web browser to
- <pre>HTTPS://<i>SERVERNAME</i>:9443</pre>
- or <pre>HTTP://<i>SERVERNAME</i>:9990</pre>
- <br /><br />
- Log on to the admin console using admin
- credentials.
- On the bottom right-hand side of the screen, select <tt>Settings</tt>.
- If the <tt>Enable Data Usage Collection</tt> box is checked, this is a
- finding.
diff --git a/eap6/guide/eap6/jboss_eap_disable_automatic_deployment/rule.yml b/eap6/guide/eap6/jboss_eap_disable_automatic_deployment/rule.yml
deleted file mode 100644
index 1d52804bca..0000000000
--- a/eap6/guide/eap6/jboss_eap_disable_automatic_deployment/rule.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-documentation_complete: true
-
-title: 'Disable Automatic Deployment'
-
-description: |-
- Determine the JBoss server configuration as being either standalone or domain.
- Launch the relevant jboss-cli management interface substituting standalone or
- domain for <i>CONFIG</i>
- <br /><br />
- <pre><JBOSS_HOME>/<i>CONFIG</i>/bin/jboss-cli</pre>
- <br /><br />
- connect to the server and run the command:
- <pre>/subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-enabled,value.)</pre>
-
-rationale: |-
- When dealing with access restrictions pertaining to change control, it should
- be noted that any changes to the software and/or application server
- configuration can potentially have significant effects on the overall security
- of the system.
- <br /><br />
- Access restrictions for changes also include application
- software libraries.
- <br /><br />
- If the application server provides automatic code
- deployment capability, (where updates to applications hosted on the application
- server are automatically performed, usually by the developers' IDE tool), it
- must also provide a capability to restrict the use of automatic application
- deployment. Automatic code deployments are allowable in a development
- environment, but not in production.
-
-severity: medium
-
-identifiers:
- cce: CCE-80489-8
-
-references:
- disa: CCI-001813
- srg: SRG-APP-000380-AS-000088
- stigid: JBOS-AS-000545
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Run
- the command:
- <br /><br />
- <pre>ls /subsystem=deployment-scanner/scanner=default</pre>
- <br /><br />
- If <pre>"scan-enabled"=true</pre>, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_disable_domain_admin_console/rule.yml b/eap6/guide/eap6/jboss_eap_disable_domain_admin_console/rule.yml
deleted file mode 100644
index 2bc97d9cba..0000000000
--- a/eap6/guide/eap6/jboss_eap_disable_domain_admin_console/rule.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-documentation_complete: true
-
-title: 'Disable Network Access to the Admin Console'
-
-description: |-
- Run the <pre><JBOSS_HOME>/bin/jboss-clii</pre> command line interface utility.
- Connect to
- the JBoss server and run the following command.
- <pre>/core-service=management/management-interface=httpinterface/:write-attribute(name=console-enabled,value.)</pre>
- <br /><br />
- Successful command execution returns
- <pre>{"outcome" => success"}</pre>,
- and future attempts to access the management console via web
- browser at <tt><i>SERVERNAME</i>:9990</tt> will result in no access to the admin console.
-
-rationale: |-
- When configuring JBoss application servers into a domain configuration, HTTP
- management capabilities are not required on domain member servers as management
- is done via the server that has been designated as the domain controller.
- Leaving HTTP management capabilities enabled on domain member servers increases
- the attack surfaces; therefore, management services on domain member servers
- must be disabled and management services performed via the domain
- controller.
-
-severity: medium
-
-identifiers:
- cce: CCE-80486-4
-
-references:
- disa: CCI-002322
- srg: SRG-APP-000316-AS-000199
- stigid: JBOS-AS-000470
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to each of the JBoss domain member servers.
- <br /><br />
- Note: Sites that manage
- systems using the JBoss Operations Network client require HTTP interface access.
- It is acceptable that the management console alone be disabled rather than
- disabling the entire interface itself.
- <br /><br />
- Run the <pre><JBOSS_HOME>/bin/jboss-cli</pre>
- command line interface utility and connect to the JBoss server.
- Run the
- following command:
- <pre>ls /core-service=management/management-interface=httpinterface/</pre>
- <br /><br />
- If <pre>console-enabled=true</pre>, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_disable_replace_welcome_page/rule.yml b/eap6/guide/eap6/jboss_eap_disable_replace_welcome_page/rule.yml
deleted file mode 100644
index 1ac7ad45a8..0000000000
--- a/eap6/guide/eap6/jboss_eap_disable_replace_welcome_page/rule.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-documentation_complete: true
-
-title: 'Disable or Replace the JBoss Welcome Page'
-
-description: |-
- Use the Management CLI script <pre>$JBOSS_HOME/bin/jboss-cli.sh</pre> to run the following
- command. You may need to change the profile to modify a different managed domain
- profile, or remove the <pre>/profile=default</pre> portion of the command for a
- standalone server.
- <br /><br />
- <pre>/profile=default/subsystem=web/virtual-server=default-host:writeattribute(name=enable-welcome-root,value.)</pre>
- <br /><br />
- To configure
- your web application to use the root context (/) as its URL address, modify the
- applications jboss-web.xml, which is located in the applications <tt>META-INF/</tt> or
- <tt>WEB-INF/</tt> directory. Replace its <tt><context-root></tt> directive with one that looks
- like the following:
- <br /><br />
- <pre>
- <jboss-web>
- <context-root>/</context-root>
- </jboss-web>
- </pre>
-
-rationale: |-
- The Welcome to JBoss web page provides a redirect to the JBoss admin console,
- which, by default, runs on TCP 9990 as well as redirects to the Online User
- Guide and Online User Groups hosted at locations on the Internet. The welcome
- page is unnecessary and should be disabled or replaced with a valid web
- page.
-
-severity: low
-
-identifiers:
- cce: CCE-80470-8
-
-references:
- disa: CCI-000381
- srg: SRG-APP-000141-AS-000095
- stigid: JBOS-AS-000245
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Use a web browser and browse to <pre>HTTP://JBOSS SERVER IP ADDRESS:8080</pre>
- <br /><br />
- If the
- JBoss Welcome page is displayed, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_enable_rbac/rule.yml b/eap6/guide/eap6/jboss_eap_enable_rbac/rule.yml
deleted file mode 100644
index b1f33d2c8f..0000000000
--- a/eap6/guide/eap6/jboss_eap_enable_rbac/rule.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-documentation_complete: true
-
-title: 'Enable Role Based Access Control (RBAC)'
-
-description: |-
- Run the following command.
- <pre><JBOSS_HOME>/bin/jboss-cli.sh -c -> connect -> cd
- /core-service=management/access-authorization :write-attribute(name=provider,
- value=rbac)</pre>
- <br /><br />
- Restart JBoss.
- <br /><br />
- Map users to roles by running the following
- command. Upper-case words are variables.
- <br /><br />
- <pre>role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)</pre>
-
-rationale: |-
- By default, the JBoss server is not configured to utilize role based access
- controls (RBAC). RBAC provides the capability to restrict user access to their
- designated management role, thereby limiting access to only the JBoss
- functionality that they are supposed to have. Without RBAC, the JBoss server is
- not able to enforce authorized access according to role.
-
-severity: high
-
-identifiers:
- cce: CCE-80454-2
-
-references:
- disa: CCI-000213,CCI-002235
- srg: SRG-APP-000033-AS-000024,SRG-APP-000340-AS-000185
- stigid: JBOS-AS-000035
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the
- <pre><JBOSS_HOME>/bin/</pre>
- folder. Run the jboss-cli script.
- Connect to the server and authenticate.
- <br /><br />
- Run the following command:
- <br /><br />
- For standalone servers:
- <pre>ls /core-service=management/access=authorization/</pre>
- <br /><br />
- For managed domain
- installations:
- <pre>ls /host=master/core-service=management/access=authorization/</pre>
- <br /><br />
- If the <tt>provider</tt>
- attribute is not set to <tt>rbac</tt>, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_encrypt_keystore_passwords/rule.yml b/eap6/guide/eap6/jboss_eap_encrypt_keystore_passwords/rule.yml
deleted file mode 100644
index aba5971d7d..0000000000
--- a/eap6/guide/eap6/jboss_eap_encrypt_keystore_passwords/rule.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-documentation_complete: true
-
-title: 'Encrypt JBoss Keystore Passwords'
-
-description: |-
- Configure the application server to mask the java keystore password as per the
- procedure described in section 11.13.3 -Password Vault System in the
- JBoss_Enterprise_Application_Platform-6.3
- -Administration_and_Configuration_Guide-en-US document.
-
-rationale: |-
- Access to the JBoss Password Vault must be secured, and the password used to
- access must be encrypted. There is a specific process used to generate the
- encrypted password hash. This process must be followed in order to store the
- password in an encrypted format.
- <br /><br />
- The admin must utilize this process in order
- to ensure the Keystore password is encrypted.
-
-severity: medium
-
-identifiers:
- cce: CCE-80479-9
-
-references:
- disa: CCI-000196
- srg: SRG-APP-000171-AS-000119
- stigid: JBOS-AS-000300
-
-ocil_clause: 'it is not'
-
-ocil: |-
- The default location for the keystore used by the JBoss vault is the
- <tt><JBOSS_HOME>/vault/</tt> folder.
- <br /><br />
- If a vault keystore has been created, by default it
- will be in the file: <tt><JBOSS_HOME>/vault/vault.keystore</tt>. The file stores a
- single key, with the default alias vault, which will be used to store encrypted
- strings, such as passwords, for JBoss EAP.
- <br /><br />
- Have the system admin provide the
- procedure used to encrypt the keystore password that unlocks the keystore.
- <br /><br />
- If
- the system administrator is unable to demonstrate or provide written process
- documentation on how to encrypt the keystore password, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_file_permissions/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_file_permissions/oval/eap6.xml
deleted file mode 100644
index 1fb3ab2d7f..0000000000
--- a/eap6/guide/eap6/jboss_eap_file_permissions/oval/eap6.xml
+++ /dev/null
@@ -1,45 +0,0 @@
-<def-group>
- <definition class="compliance" id="jboss_eap_file_permissions" version="2">
- <metadata>
- <title>Configure JBoss Directory Permissions</title>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- <description>File permissions for JBOSS_HOME should be set correctly.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_jboss_eap_file_permissions" />
- </criteria>
- </definition>
-
- <ind:environmentvariable58_object id="obj_env_jboss_eap_file_permissions" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <local_variable id="local_var_jboss_eap_file_permissions" version="1" datatype="string" comment="JBOSS_HOME location">
- <concat>
- <object_component object_ref="obj_env_jboss_eap_file_permissions" item_field="value" />
- <literal_component datatype="string">/</literal_component>
- </concat>
- </local_variable>
-
- <!-- check folders -->
- <unix:file_test check="all" check_existence="all_exist" id="test_jboss_eap_file_permissions" version="1" comment="testing that the all files have the required permissions">
- <unix:object object_ref="object_jboss_eap_file_permissions" />
- <unix:state state_ref="state_jboss_eap_file_permissions" />
- </unix:file_test>
-
- <unix:file_object id="object_jboss_eap_file_permissions" version="1" comment="JBOSS_HOME">
- <unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="local" /> <!-- recurse, don't just test that folder -->
- <unix:path var_ref="local_var_jboss_eap_file_permissions" />
- <unix:filename operation="pattern match">.+</unix:filename>
- </unix:file_object>
-
- <!-- single shared condition -->
- <unix:file_state id="state_jboss_eap_file_permissions" version="1" comment="checks for o-rw">
- <unix:oread datatype="boolean">false</unix:oread>
- <unix:owrite datatype="boolean">false</unix:owrite>
- </unix:file_state>
-
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_file_permissions/rule.yml b/eap6/guide/eap6/jboss_eap_file_permissions/rule.yml
deleted file mode 100644
index f8837501f4..0000000000
--- a/eap6/guide/eap6/jboss_eap_file_permissions/rule.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-documentation_complete: true
-
-title: 'Configure JBoss Application File Permissions'
-
-description: |-
- Configure file permissions on the JBoss folder to protect from unauthorized
- access.
-
-rationale: |-
- The JBoss EAP Application Server is a Java-based AS. It is installed on the OS
- file system and depends upon file system access controls to protect application
- data at rest. The file permissions set on the JBoss EAP home folder must be
- configured so as to limit access to only authorized people and processes. The
- account used for operating the JBoss server and any designated administrative or
- operational accounts are the only accounts that should have access.
- <br /><br />
- When data
- is written to digital media such as hard drives, mobile computers,
- external/removable hard drives, personal digital assistants, flash/thumb drives,
- etc., there is risk of data loss and data compromise. Steps must be taken to
- ensure data stored on the device is protected.
-
-severity: medium
-
-identifiers:
- cce: CCE-80484-9
-
-references:
- disa: CCI-001199
- srg: SRG-APP-000231-AS-000133
- stigid: JBOS-AS-000400
-
-ocil_clause: 'it is not'
-
-ocil: |-
- By default, JBoss installs its files into a folder called <tt>jboss-eap-6.3</tt>.
- This folder by default is stored within the home folder of the JBoss user
- account. The installation process, however, allows for the override of default
- values to obtain folder and user account information from the system admin.
- <br /><br />
- Log
- on with a user account with JBoss access and permissions.
- <br /><br />
- Navigate to the <tt>Jboss-eap-6.3</tt>
- folder using the relevant OS commands for either a UNIX-
- like OS or a Windows OS.
- <br /><br />
- Examine the permissions of the JBoss folder.
- <br /><br />
- Owner can be full access. Group can be full access.
- All others must be restricted to
- execute access or no permission.
- <br /><br />
- If the JBoss folder is world readable or world
- writeable, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_log_deployments/rule.yml b/eap6/guide/eap6/jboss_eap_log_deployments/rule.yml
deleted file mode 100644
index 9a0d46809e..0000000000
--- a/eap6/guide/eap6/jboss_eap_log_deployments/rule.yml
+++ /dev/null
@@ -1,53 +0,0 @@
-documentation_complete: true
-
-title: 'Log Application Deployments'
-
-description: |-
- Launch the jboss-cli management interface substituting standalone or domain for
- <i>CONFIG</i> based upon the server installation.
- <br /><br />
- <pre><JBOSS_HOME>/<i>CONFIG</i>/bin/jboss-cli</pre>
- <br /><br />
- connect to the server and run the following command:
- <br /><br />
- <pre>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</pre>
-
-rationale: |-
- Without logging the enforcement of access restrictions against changes to the
- application server configuration, it will be difficult to identify attempted
- attacks, and a log trail will not be available for forensic investigation for
- after-the-fact actions. Configuration changes may occur to any of the modules
- within the application server through the management interface, but logging of
- actions to the configuration of a module outside the application server is not
- logged.
- <br /><br />
- Enforcement actions are the methods or mechanisms used to prevent
- unauthorized changes to configuration settings. Enforcement action methods may
- be as simple as denying access to a file based on the application of file
- permissions (access restriction). Log items may consist of lists of actions
- blocked by access restrictions or changes identified after the fact.
-
-severity: medium
-
-identifiers:
- cce: CCE-80490-6
-
-references:
- disa: CCI-001814
- srg: SRG-APP-000381-AS-000089
- stigid: JBOS-AS-000550
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Run the command:
- <br /><br />
- <pre>ls /core-service=management/access=audit/logger=audit-log</pre>
- <br /><br />
- If <pre>"enabled" =.</pre>, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_logs_permissions/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_logs_permissions/oval/eap6.xml
deleted file mode 100644
index 7ac1bc5df5..0000000000
--- a/eap6/guide/eap6/jboss_eap_logs_permissions/oval/eap6.xml
+++ /dev/null
@@ -1,60 +0,0 @@
-<def-group>
- <definition class="compliance" id="jboss_eap_logs_permissions" version="2">
- <metadata>
- <title>Configure JBoss Log Directory Permissions</title>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- <description>File permissions for JBOSS_HOME/standalone/log should be set correctly.</description>
- </metadata>
- <criteria operator="AND">
- <criterion test_ref="test_jboss_eap_logs_permissions_folder" />
- <criterion test_ref="test_jboss_eap_logs_permissions_files" />
- </criteria>
- </definition>
-
- <ind:environmentvariable58_object id="obj_env_jboss_eap_logs_permissions" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <local_variable id="local_var_jboss_eap_logs_permissions_folder" version="1" datatype="string" comment="configuration location">
- <concat>
- <object_component object_ref="obj_env_jboss_eap_logs_permissions" item_field="value" />
- <literal_component datatype="string">/standalone/log</literal_component>
- </concat>
- </local_variable>
-
- <!-- check folders -->
- <unix:file_test check="all" check_existence="all_exist" id="test_jboss_eap_logs_permissions_folder" version="1" comment="testing that the folder has the required permissions">
- <unix:object object_ref="object_jboss_eap_logs_permissions_folder" />
- <unix:state state_ref="state_jboss_eap_logs_permissions" />
- </unix:file_test>
-
- <unix:file_object id="object_jboss_eap_logs_permissions_folder" version="1" comment="JBOSS_HOME/standalone/log">
- <unix:path var_ref="local_var_jboss_eap_logs_permissions_folder" />
- <unix:filename xsi:nil="true"/> <!-- xsi:nil tests the folder -->
- </unix:file_object>
-
- <!-- check files -->
- <unix:file_test check="all" check_existence="all_exist" id="test_jboss_eap_logs_permissions_files" version="1" comment="testing that the folder has the required permissions">
- <unix:object object_ref="object_jboss_eap_logs_permissions_files" />
- <unix:state state_ref="state_jboss_eap_logs_permissions" />
- </unix:file_test>
-
- <unix:file_object id="object_jboss_eap_logs_permissions_files" version="1" comment="JBOSS_HOME/standalone/log/*.log">
- <unix:path var_ref="local_var_jboss_eap_logs_permissions_folder" />
- <unix:filename operation="pattern match">.*\.log$</unix:filename>
- </unix:file_object>
-
- <!-- single shared condition -->
- <unix:file_state id="state_jboss_eap_logs_permissions" version="1" comment="checks for g-rwo,o-rwo">
- <unix:gread datatype="boolean">false</unix:gread>
- <unix:gwrite datatype="boolean">false</unix:gwrite>
- <unix:gexec datatype="boolean">false</unix:gexec>
- <unix:oread datatype="boolean">false</unix:oread>
- <unix:owrite datatype="boolean">false</unix:owrite>
- <unix:oexec datatype="boolean">false</unix:oexec>
- </unix:file_state>
-
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_logs_permissions/rule.yml b/eap6/guide/eap6/jboss_eap_logs_permissions/rule.yml
deleted file mode 100644
index ace2e17d57..0000000000
--- a/eap6/guide/eap6/jboss_eap_logs_permissions/rule.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-documentation_complete: true
-
-title: 'Configure JBoss Log Directory Permissions'
-
-description: |-
- Configure file permissions on the JBoss log folder to protect from unauthorized
- access.
-
-rationale: |-
- If the application provides too much information in error logs and
- administrative messages to the screen, this could lead to compromise. The
- structure and content of error messages need to be carefully considered by the
- organization and development team. The extent to which the information system is
- able to identify and handle error conditions is guided by organizational policy
- and operational requirements.
- <br /><br />
- Application servers must protect the error
- messages that are created by the application server. All application server
- users' accounts are used for the management of the server and the applications
- residing on the application server. All accounts are assigned to a certain role
- with corresponding access rights. The application server must restrict access to
- error messages so only authorized users may view them. Error messages are
- usually written to logs contained on the file system. The application server
- will usually create new log files as needed and must take steps to ensure that
- the proper file permissions are utilized when the log files are created.
-
-severity: medium
-
-identifiers:
- cce: CCE-80485-6
-
-references:
- disa: CCI-001314
- srg: SRG-APP-000267-AS-000170
- stigid: JBOS-AS-000425
-
-ocil_clause: 'it is not'
-
-ocil: |-
- If the JBoss log folder is installed in the default location and
- AS-000133-JBOSS-00079 is not a finding, the log folders are protected and this
- requirement is not a finding.
- <br /><br />
- By default, JBoss installs its log files into a
- sub-folder of the <pre>jboss-eap-6.3</pre> home folder.
- Using a UNIX like OS
- example, the default location for log files is:
- <br /><br />
- <pre>
- JBOSS_HOME/standalone/log
- JBOSS_HOME/domain/log
- </pre>
- <br /><br />
- For a standalone configuration:
- <tt>JBOSS_HOME/standalone/log/server.log</tt> Contains all server log messages,
- including server startup messages.
- <br /><br />
- For a domain configuration:
- <tt>JBOSS_HOME/domain/log/hostcontroller.log</tt>
- Host Controller boot log. Contains log
- messages related to the startup of the host controller.
- <tt>JBOSS_HOME/domain/log/processcontroller.log</tt>
- Process controller boot log.
- Contains log messages related to the startup of the process controller.
- <tt>JBOSS_HOME/domain/servers/SERVERNAME/log/server.log</tt>
- The server log for the named
- server. Contains all log messages for that server, including server startup
- messages.
- <br /><br />
- Log on with an OS user account with JBoss access and permissions.
- Navigate to the <tt>Jboss-eap-6.3</tt> folder using the relevant OS commands
- for either a UNIX like OS or a Windows OS.
- <br /><br />
- Examine the permissions of the JBoss logs folders.
- <br /><br />
- Owner can be full access. Group can be full access.
- All others must be restricted.
- <br /><br />
- If the JBoss log folder is world readable or world
- writeable, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_remove_group_accounts/rule.yml b/eap6/guide/eap6/jboss_eap_remove_group_accounts/rule.yml
deleted file mode 100644
index 0e4bb929cf..0000000000
--- a/eap6/guide/eap6/jboss_eap_remove_group_accounts/rule.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-documentation_complete: true
-
-title: 'Remove JBoss Group Acount Access'
-
-description: |-
- Configure the application server so required users are individually
- authenticated by creating individual user accounts. Utilize an LDAP server that
- is configured according to DOD policy.
-
-rationale: |-
- To assure individual accountability and prevent unauthorized access,
- application server users (and any processes acting on behalf of application
- server users) must be individually identified and authenticated.
- <br /><br />
- A group
- authenticator is a generic account used by multiple individuals. Use of a group
- authenticator alone does not uniquely identify individual users.
- <br /><br />
- Application
- servers must ensure that individual users are authenticated prior to
- authenticating via role or group authentication. This is to ensure that there is
- non-repudiation for actions taken.
-
-severity: medium
-
-identifiers:
- cce: CCE-80475-7
-
-references:
- disa: CCI-000770
- srg: SRG-APP-000153-AS-000104
- stigid: JBOS-AS-000275
-
-ocil_clause: 'it is not'
-
-ocil: |-
- If the application server management interface is configured to use LDAP
- authentication this requirement is NA.
- <br /><br />
- Determine the mode in which the JBoss
- server is operating by authenticating to the OS, changing to the
- <tt><JBOSS_HOME>/bin/</tt> folder and executing the <pre>jboss-cli</pre> script.
- Connect to the
- server and authenticate.
- Run the command: <pre>ls</pre> and examine the <tt>launch-type</tt> setting.
- <br /><br />
- User account information is stored in the following
- files for a JBoss server configured in standalone mode. The command line flags
- passed to the <tt>standalone</tt> startup script determine the standalone
- operating mode:
- <pre>
- <JBOSS_HOME>/standalone/configuration/standalone.xml
- <JBOSS_HOME>/standalone/configuration/standalone-full.xml
- <JBOSS_HOME>/standalone/configuration/standalone.-full-ha.xml
- <JBOSS_HOME>/standalone/configuration/standalone.ha.xml
- </pre>
- <br /><br />
- For a Managed Domain:
- <pre>
- <JBOSS_HOME>/domain/configuration/domain.xml
- </pre>
- <br /><br />
- Review both files for generic or
- shared user accounts.
- <br /><br />
- Open each xml file with a text editor and locate the
- <management-interfaces> section.
- Review the <pre><user name = "xxxxx"></pre> sub-
- section where <pre>xxxxx</pre> will be a user name.
- <br /><br />
- Have the system
- administrator identify the user of each user account.
- <br /><br />
- If user accounts are not
- assigned to individual users, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_remove_jmx/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_remove_jmx/oval/eap6.xml
deleted file mode 100644
index 78693c4790..0000000000
--- a/eap6/guide/eap6/jboss_eap_remove_jmx/oval/eap6.xml
+++ /dev/null
@@ -1,45 +0,0 @@
-<def-group>
- <definition version="1" class="compliance" id="jboss_eap_remove_jmx">
- <metadata>
- <title>Remove JMX Subsystem</title>
- <description>EAP should be configured to remove the JMX subsystem</description>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- </metadata>
- <criteria>
- <criterion test_ref="test_jboss_eap_jmx_installed" negate="true" />
- </criteria>
- </definition>
-
- <ind:environmentvariable58_object id="obj_env_remove_jmx" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <local_variable id="local_var_remove_jmx_jboss_home" version="1" datatype="string" comment="version location">
- <concat>
- <object_component object_ref="obj_env_remove_jmx" item_field="value" />
- <literal_component datatype="string">/standalone/configuration/</literal_component>
- </concat>
- </local_variable>
-
- <local_variable id="local_var_profile_remove_jmx" version="1" datatype="string" comment="configuration profile">
- <concat>
- <variable_component var_ref="var_jboss_profile" />
- <literal_component datatype="string">.xml</literal_component>
- </concat>
- </local_variable>
-
- <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
-
- <ind:xmlfilecontent_test id="test_jboss_eap_jmx_installed" version="1" check="all" comment="Check EAP for ">
- <ind:object object_ref="obj_jboss_eap_remove_jmx" />
- </ind:xmlfilecontent_test>
- <ind:xmlfilecontent_object id="obj_jboss_eap_remove_jmx" version="1">
- <ind:path var_ref="local_var_remove_jmx_jboss_home"/>
- <ind:filename var_ref="local_var_profile_remove_jmx"/>
- <ind:xpath>//*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='remoting-connector']</ind:xpath>
- </ind:xmlfilecontent_object>
-
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_remove_jmx/rule.yml b/eap6/guide/eap6/jboss_eap_remove_jmx/rule.yml
deleted file mode 100644
index abcf97f88e..0000000000
--- a/eap6/guide/eap6/jboss_eap_remove_jmx/rule.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-documentation_complete: true
-
-title: 'Remove the JMX Subsystem'
-
-description: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script to start the Command Line Interface (CLI).
- Connect to the server and authenticate.
- <br /><br />
- For a Managed Domain configuration you
- must check each profile name:
- <br /><br />
- For each PROFILE NAME, run the command:
- <pre>/profile=<i>PROFILE NAME</i>/subsystem=jmx/remoting-connector=jmx:remove</pre>
- For a Standalone configuration:
- <pre>/subsystem=jmx/remoting-connector=jmx:remove</pre>
-
-rationale: |-
- The JMX subsystem allows you to trigger JDK and application management
- operations remotely. In a managed domain configuration, the JMX subsystem is
- removed by default. For a standalone configuration, it is enabled by default and
- must be removed.
-
-severity: medium
-
-identifiers:
- cce: CCE-80469-0
-
-references:
- disa: CCI-000381
- srg: SRG-APP-000141-AS-000095
- stigid: JBOS-AS-000240
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script to start the Command Line Interface (CLI).
- Connect to the server and authenticate.
- <br /><br />
- For a Managed Domain configuration, you
- must check each profile name:
- <br /><br />
- For each <i>PROFILE NAME</i>, run the command:
- <pre>ls /profile=<i>PROFILE NAME</i>/subsystem=jmx/remoting-connector</pre>
- <br /><br />
- For a Standalone
- configuration:
- <pre>ls /subsystem=jmx/remoting-connector</pre>
- <br /><br />
- If <tt>jmx</tt> is returned, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_remove_quickstarts/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_remove_quickstarts/oval/eap6.xml
deleted file mode 100644
index 3c2fb9cfcb..0000000000
--- a/eap6/guide/eap6/jboss_eap_remove_quickstarts/oval/eap6.xml
+++ /dev/null
@@ -1,35 +0,0 @@
-<def-group>
- <definition version="1" class="compliance" id="jboss_eap_remove_quickstarts">
- <metadata>
- <title>JBoss Enterprise Application Platform 6 Security Manager Remove Quickstarts</title>
- <description>Quickstarts must be removed</description>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- </metadata>
- <criteria>
- <criterion test_ref="test_eap_quickstarts" />
- </criteria>
- </definition>
-
- <ind:environmentvariable58_object id="obj_env_eap_quickstarts_home" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <unix:file_test id="test_eap_quickstarts" version="1" check="all" check_existence="none_exist" comment="Check EAP for Quickstarts">
- <unix:object object_ref="obj_eap_quickstarts" />
- </unix:file_test>
- <unix:file_object id="obj_eap_quickstarts" version="1">
- <unix:path operation="pattern match" var_ref="local_var_eap_quickstart_path"/>
- <unix:filename operation="pattern match">*</unix:filename>
- </unix:file_object>
-
- <local_variable id="local_var_eap_quickstart_path" version="1" datatype="string" comment="version location">
- <concat>
- <object_component object_ref="obj_env_eap_quickstarts_home" item_field="value" />
- <literal_component>/.*quickstart.*</literal_component>
- </concat>
- </local_variable>
-
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_remove_quickstarts/rule.yml b/eap6/guide/eap6/jboss_eap_remove_quickstarts/rule.yml
deleted file mode 100644
index 19f7a86979..0000000000
--- a/eap6/guide/eap6/jboss_eap_remove_quickstarts/rule.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-documentation_complete: true
-
-title: 'Remove JBoss Quickstarts'
-
-description: 'Delete the QuickStarts folder.'
-
-rationale: |-
- JBoss QuickStarts are demo applications that can be deployed quickly. Demo
- applications are not written with security in mind and often open new attack
- vectors. QuickStarts must be removed.
-
-severity: medium
-
-identifiers:
- cce: CCE-80468-2
-
-references:
- disa: CCI-000381
- srg: SRG-APP-000141-AS-000095
- stigid: JBOS-AS-000235
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Examine the <tt><JBOSS_HOME></tt> folder. If a <tt>jboss-eap-6.3.0-GA-quickstarts</tt> folder
- exits, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/oval/eap6.xml
deleted file mode 100644
index c2ad4fe12b..0000000000
--- a/eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/oval/eap6.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<def-group>
- <definition version="1" class="compliance" id="jboss_eap_remove_unnecessary_apps">
- <metadata>
- <title>JBoss Enterprise Application Platform 6 Security Manager Remove Unnecessary Applications</title>
- <description>Unnecessary apps must be removed</description>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- </metadata>
- <criteria>
- <criterion test_ref="test_eap_remove_apps" />
- </criteria>
- </definition>
-
- <ind:environmentvariable58_object id="obj_env_eap_remove_apps_home" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <unix:file_test id="test_eap_remove_apps" version="1" check="all" check_existence="none_exist" comment="Check EAP for installed apps">
- <unix:object object_ref="obj_eap_remove_apps" />
- </unix:file_test>
- <unix:file_object id="obj_eap_remove_apps" version="1">
- <unix:behaviors recurse_direction="down"/>
- <unix:path var_ref="local_var_eap_remove_apps_path"/>
- <unix:filename operation="pattern match">^((?!(README.txt|.*\.rar|.*\.deployed|.*\.undeployed)|.*\.dodeploy).)*$</unix:filename>
- </unix:file_object>
-
- <local_variable id="local_var_eap_remove_apps_path" version="1" datatype="string" comment="version location">
- <concat>
- <object_component object_ref="obj_env_eap_remove_apps_home" item_field="value" />
- <literal_component>/standalone/deployments</literal_component>
- </concat>
- </local_variable>
-
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/rule.yml b/eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/rule.yml
deleted file mode 100644
index 2f5834ce67..0000000000
--- a/eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/rule.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-documentation_complete: true
-
-title: 'Remove Unnecessary Applications'
-
-description: |-
- Identify, authorize, and document all applications that are deployed to the
- application server. Remove unauthorized applications.
-
-rationale: |-
- Extraneous services and applications running on an application server expands
- the attack surface and increases risk to the application server. Securing any
- server involves identifying and removing any unnecessary services and, in the
- case of an application server, unnecessary and/or unapproved applications.
-
-severity: medium
-
-identifiers:
- cce: CCE-80471-6
-
-references:
- disa: CCI-000381
- srg: SRG-APP-000141-AS-000095
- stigid: JBOS-AS-000250
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Run the command:
- <br /><br />
- <pre>ls /deployment</pre>
- <br /><br />
- The list of deployed applications is displayed.
- Have the system admin identify the applications listed and confirm they are
- approved applications.
- <br /><br />
- If the system admin cannot provide documentation proving
- their authorization for deployed applications, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_require_password_access/rule.yml b/eap6/guide/eap6/jboss_eap_require_password_access/rule.yml
deleted file mode 100644
index dab739e326..0000000000
--- a/eap6/guide/eap6/jboss_eap_require_password_access/rule.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-documentation_complete: true
-
-title: 'Require Password Authentication'
-
-description: |-
- Configure the LDAP Security Realm using default settings that sets <tt>allow-empty-values</tt>
- to <tt>..</tt> LDAP Security Realm creation is described in
- section 11.9 -Add an LDAP Security Realm in the
- JBoss_Enterprise_Application_Platform-6.3
- -Administration_and_Configuration_Guide-en-US document.
-
-rationale: |-
- Passwords need to be protected at all times, and encryption is the standard
- method for protecting passwords during transmission. If passwords are not
- encrypted, they can be plainly read (i.e., clear text) and easily compromised.
- Application servers have the capability to utilize either certificates (tokens)
- or user IDs and passwords in order to authenticate. When the application server
- transmits or receives passwords, the passwords must be encrypted.
-
-severity: medium
-
-identifiers:
- cce: CCE-80480-7
-
-references:
- disa: CCI-000197
- srg: SRG-APP-000172-AS-000120
- stigid: JBOS-AS-000305
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Run the command:
- <br /><br />
- <pre>ls /core-service=management/security-realm=ldap_security_realm/authentication=ldap</pre>
- <br /><br />
- If <pre>allow-empty-passwords=true</pre>, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_restrict_jboss_account/rule.yml b/eap6/guide/eap6/jboss_eap_restrict_jboss_account/rule.yml
deleted file mode 100644
index 9c58850fce..0000000000
--- a/eap6/guide/eap6/jboss_eap_restrict_jboss_account/rule.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-documentation_complete: true
-
-title: 'Restrict the JBoss Account'
-
-description: |-
- Use the relevant OS commands to restrict JBoss user account from interactively
- logging on to the console of the JBoss system.
- <br /><br />
- For Windows systems, use GPO.
- For UNIX like systems using ssh DenyUsers <i>account id</i> or follow established
- procedure for restricting access.
-
-rationale: |-
- JBoss does not require admin rights to operate and should be run as a regular
- user. In addition, if the user account was to be compromised and the account
- was allowed interactive logon rights, this would increase the risk and attack
- surface against the JBoss system. The right to interactively log on to the
- system using the JBoss account should be limited according to the OS
- capabilities.
-
-severity: high
-
-identifiers:
- cce: CCE-80465-8
-
-references:
- disa: CCI-000381
- srg: SRG-APP-000141-AS-000095
- stigid: JBOS-AS-000220
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Identify the user account used to run the JBoss server. Use relevant OS
- commands to determine logon rights to the system. This account should not have
- full shell/interactive access to the system.
- <br /><br />
- If the user account used to
- operate JBoss can log on interactively, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/oval/eap6.xml
deleted file mode 100644
index 073c561202..0000000000
--- a/eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/oval/eap6.xml
+++ /dev/null
@@ -1,45 +0,0 @@
-<def-group>
- <definition version="1" class="compliance" id="jboss_eap_roll_over_transfer_logs">
- <metadata>
- <title>Configure Logs to Rollover</title>
- <description>Logger should be configured to rollover log files</description>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- </metadata>
- <criteria>
- <criterion test_ref="test_eap_roll_over_transfer_logs" />
- </criteria>
- </definition>
-
- <ind:environmentvariable58_object id="obj_env_rollover_log" version="1">
- <ind:pid xsi:nil="true" datatype="int" />
- <ind:name>JBOSS_HOME</ind:name>
- </ind:environmentvariable58_object>
-
- <local_variable id="local_var_rollover_jboss_home" version="1" datatype="string" comment="version location">
- <concat>
- <object_component object_ref="obj_env_rollover_log" item_field="value" />
- <literal_component datatype="string">/standalone/configuration/</literal_component>
- </concat>
- </local_variable>
-
- <local_variable id="local_var_profile_transfer_logs" version="1" datatype="string" comment="configuration profile">
- <concat>
- <variable_component var_ref="var_jboss_profile" />
- <literal_component datatype="string">.xml</literal_component>
- </concat>
- </local_variable>
-
- <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
-
- <ind:xmlfilecontent_test id="test_eap_roll_over_transfer_logs" version="1" check="all" comment="Check EAP roll over transfer logs">
- <ind:object object_ref="obj_eap_roll_over_transfer_logs" />
- </ind:xmlfilecontent_test>
- <ind:xmlfilecontent_object id="obj_eap_roll_over_transfer_logs" version="1">
- <ind:path var_ref="local_var_rollover_jboss_home"/>
- <ind:filename var_ref="local_var_profile_transfer_logs" />
- <ind:xpath>//*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='periodic-rotating-file-handler'][@name='FILE']</ind:xpath>
- </ind:xmlfilecontent_object>
-
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/rule.yml b/eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/rule.yml
deleted file mode 100644
index c35a9791c6..0000000000
--- a/eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/rule.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-documentation_complete: true
-
-title: 'Roll Over and Transfer JBoss Logs'
-
-description: |-
- Open the web-based management interface by opening a browser and pointing it to
- <tt>HTTPS://<i>EAP_SERVER</i>:9990/</tt>
- <br /><br />
- Authenticate as a user with Admin rights.
- Navigate
- to the <tt>Configuration</tt> tab.
- Expand <tt>+</tt> Subsystems.
- Expand <tt>+</tt> Core.
- Select
- <tt>Logging</tt>.
- Select the <tt>Handler</tt> tab.
- Select <tt>Periodic</tt>.
- <br /><br />
- If a
- periodic file handler does not exist, reference JBoss admin guide for
- instructions on how to create a file handler that will rotate logs on a daily
- basis.
- Create scripts that package and off-load log data at least weekly.
-
-rationale: |-
- Information stored in one location is vulnerable to accidental or incidental
- deletion or alteration. Protecting log data is important during a forensic
- investigation to ensure investigators can track and understand what may have
- occurred. Off-loading should be set up as a scheduled task but can be
- configured to be run manually, if other processes during the off-loading are
- manual.
- <br /><br />
- Off-loading is a common process in information systems with limited log
- storage capacity.
-
-severity: medium
-
-identifiers:
- cce: CCE-80498-9
-
-references:
- disa: CCI-001851
- srg: SRG-APP-000515-AS-000203
- stigid: JBOS-AS-000735
-
-ocil_clause: 'it is not'
-
-ocil: |-
- If the JBoss server is configured to use a Syslog Handler, this is not a
- finding.
- <br /><br />
- Log on to the OS of the JBoss server with OS permissions that allow
- access to JBoss.
- Using the relevant OS commands and syntax, cd to the
- <tt><JBOSS_HOME>/bin/</tt> folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- <br /><br />
- Determine if there is a periodic rotating file handler.
- <br /><br />
- For a
- domain configuration run the following command; where <i>SERVERNAME</i> is a variable
- for all of the servers in the domain. Usually <tt>server-one</tt>, <tt>server-two</tt>, etc.:
- <br /><br />
- <pre>ls /host=master/server=<i>SERVERNAME</i>/subsystem=logging/periodic-rotating-file-handler=</pre>
- <br /><br />
- For a standalone configuration run the command:
- <pre>ls /subsystem=logging/periodic-rotating-file-handler=</pre>
- <br /><br />
- If the command does not return <tt>FILE</tt>, this is a finding.
- <br /><br />
- Review the
- <tt><JBOSS_HOME>/standalone/log</tt> folder for the existence of rotated logs, and ask
- the admin to demonstrate how rotated logs are packaged and transferred to
- another system on at least a weekly basis.
diff --git a/eap6/guide/eap6/jboss_eap_secure_keystore_permissions/rule.yml b/eap6/guide/eap6/jboss_eap_secure_keystore_permissions/rule.yml
deleted file mode 100644
index a924976020..0000000000
--- a/eap6/guide/eap6/jboss_eap_secure_keystore_permissions/rule.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-documentation_complete: true
-
-title: 'Restrict Access to the JBoss Keystore'
-
-description: |-
- Configure the application server OS file permissions on the corresponding
- private key to restrict access to authorized accounts or roles.
-
-rationale: |-
- The cornerstone of the PKI is the private key used to encrypt or digitally sign
- information.
- <br /><br />
- If the private key is stolen, this will lead to the compromise of
- the authentication and non-repudiation gained through PKI because the attacker
- can use the private key to digitally sign documents and can pretend to be the
- authorized user.
- <br /><br />
- Both the holders of a digital certificate and the issuing
- authority must protect the computers, storage devices, or whatever they use to
- keep the private keys. Java-based application servers utilize the Java keystore,
- which provides storage for cryptographic keys and certificates. The keystore is
- usually maintained in a file stored on the file system.
-
-severity: medium
-
-identifiers:
- cce: CCE-80482-3
-
-references:
- disa: CCI-000186
- srg: SRG-APP-000176-AS-000125
- stigid: JBOS-AS-000320
-
-ocil_clause: 'it is not'
-
-ocil: |-
- The default location for the keystore used by the JBoss vault is the
- <tt><JBOSS_HOME>/vault/</tt> folder.
- <br /><br />
- If a vault keystore has been created, by default it
- will be in the file: <tt><JBOSS_HOME>/vault/vault.keystore</tt>. The file stores a
- single key, with the default alias vault, which will be used to store encrypted
- strings, such as passwords, for JBoss EAP.
- <br /><br />
- Browse to the JBoss vault folder
- using the relevant OS commands.
- Review the file permissions and ensure only
- system administrators and JBoss users are allowed access.
- <br /><br />
- Owner can be full access. Group can be full access.
- All others must be restricted to execute access
- or no permission.
- <br /><br />
- If non-system administrators are allowed to access the
- <tt><JBOSS_HOME>/vault/</tt>
- folder, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_service_separate_networks/rule.yml b/eap6/guide/eap6/jboss_eap_service_separate_networks/rule.yml
deleted file mode 100644
index 3b679c17ac..0000000000
--- a/eap6/guide/eap6/jboss_eap_service_separate_networks/rule.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-documentation_complete: true
-
-title: 'Use Separate Management and Application Networks'
-
-description: |-
- Start the application server with a <tt>-bmanagement</tt> and a <tt>-b</tt> flag so that admin
- management functionality and hosted applications are separated.
- <br /><br />
- Refer to
- section 4.9 in the JBoss EAP 6.3 Installation Guide for specific instructions on
- how to start the JBoss server as a service.
-
-rationale: |-
- The application server consists of the management interface and hosted
- applications. By separating the management interface from hosted applications,
- the user must authenticate as a privileged user to the management interface
- before being presented with management functionality. This prevents non-
- privileged users from having visibility to functions not available to the user.
- By limiting visibility, a compromised non-privileged account does not offer
- information to the attacker or functionality and information needed to further
- the attack on the application server.
- <br /><br />
- JBoss is designed to operate with
- separate application and management interfaces.
- The JBoss server is started via
- a script. To start the JBoss server in domain mode, the admin will execute the
- /bin/domain.sh or domain.bat script.
- <br /><br />
- To start the JBoss server in standalone
- mode, the admin will execute /bin/standalone.bat or standalone.sh.
- <br /><br />
- Command line
- flags are used to specify which network address is used for management and which
- address is used for public/application access.
-
-severity: medium
-
-identifiers:
- cce: CCE-80483-1
-
-references:
- disa: CCI-001082
- srg: SRG-APP-000211-AS-000146
- stigid: JBOS-AS-000355
-
-ocil_clause: 'it is not'
-
-ocil: |-
- If JBoss is not started with separate management and public interfaces, this is
- a finding.
- <br /><br />
- Review the network design documents to identify the IP address space
- for the management network.
- <br /><br />
- Use relevant OS commands and administrative
- techniques to determine how the system administrator starts the JBoss server.
- This includes interviewing the system admin, using the <pre>ps -ef|grep</pre>
- command for UNIX like systems or checking command line flags and properties on
- batch scripts for Windows systems.
- <br /><br />
- Ensure the startup syntax used to start
- JBoss specifies a management network address and a public network address.
- <br /><br />
- The
- <tt>-b</tt> flag specifies the public address space.
- The
- <tt>-bmanagement</tt> flag specifies the management address space.
- <br /><br />
- Example:
- <pre>
- <JBOSS_HOME>/bin/standalone.sh -bmanagement 10.10.10.35 -b 192.168.10.25
- </pre>
- <br /><br />
- If
- JBoss is not started with separate management and public interfaces, this is a
- finding.
diff --git a/eap6/guide/eap6/jboss_eap_system_up_to_date/rule.yml b/eap6/guide/eap6/jboss_eap_system_up_to_date/rule.yml
deleted file mode 100644
index 1f4ba3eb89..0000000000
--- a/eap6/guide/eap6/jboss_eap_system_up_to_date/rule.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-documentation_complete: true
-
-title: 'JBoss System Is Patched'
-
-description: |-
- Configure the operating system and the application server to use a patch
- management system or process that ensures security-relevant updates are
- installed within the time period directed by the ISSM.
-
-rationale: |-
- The JBoss product is available as Open Source; however, the Red Hat vendor
- provides updates, patches and support for the JBoss product. It is imperative
- that patches and updates be applied to JBoss in a timely manner as many attacks
- against JBoss focus on unpatched systems. It is critical that support be
- obtained and made available.
-
-severity: high
-
-identifiers:
- cce: CCE-80496-3
-
-references:
- disa: CCI-002605
- srg: SRG-APP-000456-AS-000266
- stigid: JBOS-AS-000685
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Interview the system admin and obtain details on their patch management
- processes as it relates to the OS and the Application Server.
- <br /><br />
- If there is no
- active, documented patch management process in use for these components, this is
- a finding.
diff --git a/eap6/guide/eap6/jboss_eap_unprivileged_mode/rule.yml b/eap6/guide/eap6/jboss_eap_unprivileged_mode/rule.yml
deleted file mode 100644
index 48cbd575c6..0000000000
--- a/eap6/guide/eap6/jboss_eap_unprivileged_mode/rule.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-documentation_complete: true
-
-title: 'Restrict JBoss Account'
-
-description: 'Run the JBoss server with non-admin rights.'
-
-rationale: |-
- JBoss EAP application server can be run as the OS admin, which is not advised.
- Running the application server with admin privileges increases the attack
- surface by granting the application server more rights than it requires in order
- to operate. If the server is compromised, the attacker will have the same
- rights as the application server, which in that case would be admin rights. The
- JBoss EAP server must not be run as the admin user.
-
-severity: high
-
-identifiers:
- cce: CCE-80467-4
-
-references:
- disa: CCI-000381
- srg: SRG-APP-000141-AS-000095
- stigid: JBOS-AS-000230
-
-ocil_clause: 'it is not'
-
-ocil: |-
- The script that is used to start JBoss determines the mode in which JBoss will
- operate, which will be in either in standalone mode or domain mode. Both
- scripts are installed by default in the <tt><JBOSS_HOME>/bin/</tt> folder.
- <br /><br />
- In addition
- to running the JBoss server as an interactive script launched from the command
- line, JBoss can also be started as a service.
- <br /><br />
- The scripts used to start JBoss are:
- Red Hat:
- <pre>
- standalone.sh
- domain.sh
- </pre>
- <br /><br />
- Windows:
- <pre>
- standalone.bat
- domain.bat
- </pre>
- <br /><br />
- Use the relevant OS commands to determine JBoss ownership.
- <br /><br />
- When running as a process:
- Red Hat: <pre>ps -ef|grep -i jboss</pre>.
- Windows: <pre>services.msc</pre>.
- Search for the JBoss process, which by default is named <tt>JBOSSEAP6</tt>.
- <br /><br />
- If
- the user account used to launch the JBoss script or start the JBoss process has
- admin rights on the system, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_use_approved_ca_cert/rule.yml b/eap6/guide/eap6/jboss_eap_use_approved_ca_cert/rule.yml
deleted file mode 100644
index b304e49b52..0000000000
--- a/eap6/guide/eap6/jboss_eap_use_approved_ca_cert/rule.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-documentation_complete: true
-
-title: 'Use Approved DoD Certificate Authorities'
-
-description: |-
- Locate the cacerts file for the JVM. This can be done using the appropriate
- find command for the OS and change to the directory where the cacerts file is
- located.
- <br /><br />
- Remove the certificates that have a CA that is non-DoD approved, and
- import DoD CA-approved certificates.
-
-rationale: |-
- Untrusted Certificate Authorities (CA) can issue certificates, but they may be
- issued by organizations or individuals that seek to compromise DoD systems or by
- organizations with insufficient security controls. If the CA used for verifying
- the certificate is not a DoD-approved CA, trust of this CA has not been
- established.
- <br /><br />
- The DoD will only accept PKI certificates obtained from a DoD-
- approved internal or external certificate authority. Reliance on CAs for the
- establishment of secure sessions includes, for example, the use of SSL/TLS
- certificates. The application server must only allow the use of DoD PKI-
- established certificate authorities for verification.
-
-severity: medium
-
-identifiers:
- cce: CCE-80491-4
-
-references:
- disa: CCI-002470
- srg: SRG-APP-000427-AS-000264
- stigid: JBOS-AS-000625
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Locate the cacerts file for the JVM. This can be done using the appropriate
- find command for the OS and change to the directory where the cacerts file is
- located.
- <br /><br />
- To view the certificates stored within this file, execute the java
- command <pre>keytool -list -v -keystore ./cacerts</pre>.
- Verify that the Certificate
- Authority (CA) for each certificate is DoD-approved.
- <br /><br />
- If any certificates have a
- CA that are not DoD-approved, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_use_approved_ciphers/rule.yml b/eap6/guide/eap6/jboss_eap_use_approved_ciphers/rule.yml
deleted file mode 100644
index 89dc6278bb..0000000000
--- a/eap6/guide/eap6/jboss_eap_use_approved_ciphers/rule.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-documentation_complete: true
-
-title: 'Use Approved Ciphers'
-
-description: |-
- Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red
- Hat vendor's website for step-by-step instructions on establishing SSL
- encryption on JBoss.
- <br /><br />
- The overall steps include:
- <br /><br />
- 1. Add an HTTPS connector.
- 2. Configure the SSL encryption certificate and keys.
- 3. Set the Cipher to an approved algorithm.
-
-rationale: |-
- Preventing the disclosure or modification of transmitted information requires
- that application servers take measures to employ approved cryptography in order
- to protect the information during transmission over the network. This is usually
- achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec
- tunnel.
- <br /><br />
- If data in transit is unencrypted, it is vulnerable to disclosure and
- modification. If approved cryptographic algorithms are not used, encryption
- strength cannot be assured.
- <br /><br />
- FIPS 140-2 approved TLS versions include TLS V1.0
- or greater.
- <br /><br />
- TLS must be enabled, and non-FIPS-approved SSL versions must be
- disabled. NIST SP 800-52 specifies the preferred configurations for government
- systems.
-
-severity: medium
-
-identifiers:
- cce: CCE-80494-8
-
-references:
- disa: CCI-002421
- srg: SRG-APP-000440-AS-000167
- stigid: JBOS-AS-000655
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Validate that the TLS protocol is used for HTTPS connections.
- Run the command:
- <pre>ls /subsystem=web/connector=https/ssl=configuration</pre>
- <br /><br />
- Review the
- cipher suites. The following suites are acceptable as per NIST 800-52r1 section
- 3.3.1 - Cipher Suites. Refer to the NIST document for a complete list of
- acceptable cipher suites. The source NIST document and approved encryption
- algorithms/cipher suites are subject to change and should be referenced.
- <pre>
- AES_128_CBC
- AES_256_CBC
- AES_128_GCM
- AES_128_CCM
- AES_256_CCM
- </pre>
- <br /><br />
- If the cipher
- suites utilized by the TLS server are not approved by NIST as per 800-52r1, this
- is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_use_dod_approved_certs/rule.yml b/eap6/guide/eap6/jboss_eap_use_dod_approved_certs/rule.yml
deleted file mode 100644
index 98c78cbba5..0000000000
--- a/eap6/guide/eap6/jboss_eap_use_dod_approved_certs/rule.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-documentation_complete: true
-
-title: 'Use DoD Approved Certificates'
-
-description: |-
- Configure the application server to use DoD- or CNSS-approved Class 3 or Class
- 4 PKI certificates.
-
-rationale: |-
- Class 3 PKI certificates are used for servers and software signing rather than
- for identifying individuals. Class 4 certificates are used for business-to-
- business transactions. Utilizing unapproved certificates not issued or approved
- by DoD or CNS creates an integrity risk. The application server must utilize
- approved DoD or CNS Class 3 or Class 4 certificates for software signing and
- business-to-business transactions.
-
-severity: medium
-
-identifiers:
- cce: CCE-80497-1
-
-references:
- disa: CCI-002450
- srg: SRG-APP-000514-AS-000137
- stigid: JBOS-AS-000730
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Interview the administrator to determine if JBoss is using certificates for
- PKI. If JBoss is not performing any PKI functions, this finding is NA.
- <br /><br />
- The CA
- certs are usually stored in a file called cacerts located in the directory
- <tt>$JAVA_HOME/lib/security</tt>. If the file is not in this location, use a search
- command to locate the file, or ask the administrator where the certificate store
- is located.
- <br /><br />
- Open a dos shell or terminal window and change to the location of
- the certificate store. To view the certificates within the certificate store,
- run the command (in this example, the keystore file is cacerts.):
- <pre>keytool -list -v -keystore ./cacerts</pre>
- <br /><br />
- Locate the <pre>OU</pre> field for each certificate
- within the keystore. The field should contain either <pre>DoD</pre> or
- <pre>CNSS</pre> as the Organizational Unit (OU).
- <br /><br />
- If the OU does not show that
- the certificates are DoD or CNSS supplied, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_use_secure_ldap_port/rule.yml b/eap6/guide/eap6/jboss_eap_use_secure_ldap_port/rule.yml
deleted file mode 100644
index 51da42a453..0000000000
--- a/eap6/guide/eap6/jboss_eap_use_secure_ldap_port/rule.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-documentation_complete: true
-
-title: 'Use Secure Standard LDAP Port'
-
-description: |-
- Follow steps in section 11.8 - Management Interface Security in the
- JBoss_Enterprise_Application_Platform-6.3
- -Administration_and_Configuration_Guide-en-US document.
- <br /><br />
- 1. Create an outbound connection to the LDAP server.
- 2. Create an LDAP-enabled security realm.
- 3. Reference the new security domain in the Management Interface.
-
-rationale: |-
- Passwords need to be protected at all times, and encryption is the standard
- method for protecting passwords during transmission.
- <br /><br />
- Application servers have
- the capability to utilize LDAP directories for authentication. If LDAP
- connections are not protected during transmission, sensitive authentication
- credentials can be stolen. When the application server utilizes LDAP, the LDAP
- traffic must be encrypted.
-
-severity: medium
-
-identifiers:
- cce: CCE-80481-5
-
-references:
- disa: CCI-000197
- srg: SRG-APP-000172-AS-000121
- stigid: JBOS-AS-000310
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- <br /><br />
- Run the following command:
- <br /><br />
- For standalone servers:
- <pre>ls /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=ldap_connection</pre>
- <br /><br />
- For managed domain installations:
- <pre>ls /socket-binding-group=<i>PROFILE</i>/remote-destination-outbound-socket-binding=</pre>
- <br /><br />
- The default port for secure LDAP is 636.
- <br /><br />
- If 636 or secure LDAP protocol is not utilized, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_use_tls/rule.yml b/eap6/guide/eap6/jboss_eap_use_tls/rule.yml
deleted file mode 100644
index 65d638c415..0000000000
--- a/eap6/guide/eap6/jboss_eap_use_tls/rule.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-documentation_complete: true
-
-title: 'Use Approves TLS version'
-
-description: |-
- Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red
- Hat vendor's web site for step-by-step instructions on establishing SSL
- encryption on JBoss.
- <br /><br />
- The overall steps include:
- <br /><br />
- 1. Add an HTTPS connector.
- 2. Configure the SSL encryption certificate and keys.
- 3. Set the protocol to TLS V1.1 or V1.2.
-
-rationale: |-
- Preventing the disclosure of transmitted information requires that the
- application server take measures to employ some form of cryptographic mechanism
- in order to protect the information during transmission. This is usually
- achieved through the use of Transport Layer Security (TLS).
- <br /><br />
- JBoss relies on
- the underlying SSL implementation running on the OS. This can be either Java
- based or OpenSSL. The SSL protocol setting determines which SSL protocol is
- used. SSL has known security vulnerabilities, so TLS should be used instead.
- If data is transmitted unencrypted, the data then becomes vulnerable to
- disclosure. The disclosure may reveal user identifier/password combinations,
- website code revealing business logic, or other user personal information.
- <br /><br />
- FIPS 140-2 approved TLS versions include TLS V1.0 or greater.
- <br /><br />
- TLS must be enabled,
- and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies
- the preferred configurations for government systems.
-
-severity: medium
-
-identifiers:
- cce: CCE-80493-0
-
-references:
- disa: CCI-002418
- srg: SRG-APP-000439-AS-000155
- stigid: JBOS-AS-000650
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Log on to the OS of the JBoss server with OS permissions that allow access to
- JBoss.
- Using the relevant OS commands and syntax, cd to the <tt><JBOSS_HOME>/bin/</tt>
- folder.
- Run the <pre>jboss-cli</pre> script.
- Connect to the server and authenticate.
- Validate that the TLS protocol is used for HTTPS connections.
- Run the command:
- <pre>ls /subsystem=web/connector=https/ssl=configuration</pre>
- <br /><br />
- If a TLS V1.1 or V1.2 protocol is not returned, this is a finding.
diff --git a/eap6/guide/eap6/jboss_eap_vendor_supported/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_vendor_supported/oval/eap6.xml
deleted file mode 100644
index f27aea41a4..0000000000
--- a/eap6/guide/eap6/jboss_eap_vendor_supported/oval/eap6.xml
+++ /dev/null
@@ -1,14 +0,0 @@
-<def-group>
- <definition version="1" class="compliance" id="jboss_eap_vendor_supported">
- <metadata>
- <title>JBoss Enterprise Application Platform Supported Version</title>
- <description>Installed version of JBoss is a vendor supported version.</description>
- <affected family="undefined">
- <platform>JBoss Enterprise Application Platform 6</platform>
- </affected>
- </metadata>
- <criteria>
- <extend_definition comment="EAP supported version" definition_ref="installed_app_is_eap6" />
- </criteria>
- </definition>
-</def-group>
diff --git a/eap6/guide/eap6/jboss_eap_vendor_supported/rule.yml b/eap6/guide/eap6/jboss_eap_vendor_supported/rule.yml
deleted file mode 100644
index 372aa87792..0000000000
--- a/eap6/guide/eap6/jboss_eap_vendor_supported/rule.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-documentation_complete: true
-
-title: 'JBoss Version Is Vendor Supported'
-
-description: 'Obtain vendor support from Red Hat.'
-
-rationale: |-
- The JBoss product is available as Open Source; however, the Red Hat vendor
- provides updates, patches and support for the JBoss product. It is imperative
- that patches and updates be applied to JBoss in a timely manner as many attacks
- against JBoss focus on unpatched systems. It is critical that support be
- obtained and made available.
-
-severity: high
-
-identifiers:
- cce: CCE-80495-5
-
-references:
- disa: CCI-002605
- srg: SRG-APP-000456-AS-000266
- stigid: JBOS-AS-000680
-
-ocil_clause: 'it is not'
-
-ocil: |-
- Interview the system admin and have them either show documented proof of
- current support, or have them demonstrate their ability to access the Red Hat
- Enterprise Support portal.
- <br /><br />
- Verify Red Hat support includes coverage for the
- JBoss product.
- <br /><br />
- If there is no current and active support from the vendor, this
- is a finding.
diff --git a/eap6/guide/eap6/var_jboss_profile.var b/eap6/guide/eap6/var_jboss_profile.var
deleted file mode 100644
index 51779c7798..0000000000
--- a/eap6/guide/eap6/var_jboss_profile.var
+++ /dev/null
@@ -1,15 +0,0 @@
-documentation_complete: true
-
-title: 'JBoss Configuration Profile'
-
-description: 'Choose JBoss configuration name (string)'
-
-type: string
-
-operator: equals
-
-interactive: false
-
-options:
- default: standalone
- openshift: standalone-openshift
diff --git a/eap6/overlays/srg_support.xml b/eap6/overlays/srg_support.xml
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/eap6/overlays/stig_overlay.xml b/eap6/overlays/stig_overlay.xml
deleted file mode 100644
index 9ea7d66b1d..0000000000
--- a/eap6/overlays/stig_overlay.xml
+++ /dev/null
@@ -1,271 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
- <overlay disa="68" owner="disastig" ownerid="JBOS-AS-000010" ruleid="jboss_eap_configure_secure_management_access" severity="medium">
- <VMSinfo SVKey="76563" VKey="62073" VRelease="1"/>
- <title>HTTP management session traffic must be encrypted.</title>
- </overlay>
- <overlay disa="1453" owner="disastig" ownerid="JBOS-AS-000015" ruleid="jboss_eap_configure_https" severity="medium">
- <VMSinfo SVKey="76705" VKey="62215" VRelease="1"/>
- <title>HTTPS must be enabled for JBoss web interfaces.</title>
- </overlay>
- <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000025" ruleid="jboss_eap_configure_host_access_restrictions" severity="high">
- <VMSinfo SVKey="76707" VKey="62217" VRelease="1"/>
- <title>Java permissions must be set for hosted applications.</title>
- </overlay>
- <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000030" ruleid="jboss_eap_configure_security_manager" severity="high">
- <VMSinfo SVKey="76715" VKey="62225" VRelease="1"/>
- <title>The Java Security Manager must be enabled for the JBoss application server.</title>
- </overlay>
- <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000035" ruleid="jboss_eap_enable_rbac" severity="high">
- <VMSinfo SVKey="76717" VKey="62227" VRelease="1"/>
- <title>The JBoss server must be configured with Role Based Access Controls.</title>
- </overlay>
- <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000040" ruleid="jboss_eap_configure_user_roles" severity="medium">
- <VMSinfo SVKey="76709" VKey="62219" VRelease="1"/>
- <title>Users in JBoss Management Security Realms must be in the appropriate role.</title>
- </overlay>
- <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000045" ruleid="jboss_eap_configure_application_authentication" severity="high">
- <VMSinfo SVKey="76711" VKey="62221" VRelease="1"/>
- <title>Silent Authentication must be removed from the Default Application Security Realm.</title>
- </overlay>
- <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000050" ruleid="jboss_eap_configure_management_authentication" severity="high">
- <VMSinfo SVKey="76713" VKey="62223" VRelease="1"/>
- <title>Silent Authentication must be removed from the Default Management Security Realm.</title>
- </overlay>
- <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000075" ruleid="jboss_eap_configure_security_realm" severity="high">
- <VMSinfo SVKey="76719" VKey="62229" VRelease="1"/>
- <title>JBoss management interfaces must be secured.</title>
- </overlay>
- <overlay disa="169" owner="disastig" ownerid="JBOS-AS-000080" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76721" VKey="62231" VRelease="1"/>
- <title>The JBoss server must generate log records for access and authentication events to the management interface.</title>
- </overlay>
- <overlay disa="171" owner="disastig" ownerid="JBOS-AS-000085" ruleid="jboss_eap_configure_auditor_roles" severity="medium">
- <VMSinfo SVKey="76723" VKey="62233" VRelease="1"/>
- <title>JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.</title>
- </overlay>
- <overlay disa="1464" owner="disastig" ownerid="JBOS-AS-000095" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76725" VKey="62235" VRelease="1"/>
- <title>JBoss must be configured to initiate session logging upon startup.</title>
- </overlay>
- <overlay disa="130" owner="disastig" ownerid="JBOS-AS-000105" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76727" VKey="62237" VRelease="1"/>
- <title>JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.</title>
- </overlay>
- <overlay disa="130" owner="disastig" ownerid="JBOS-AS-000110" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76729" VKey="62239" VRelease="1"/>
- <title>JBoss must be configured to produce log records containing information to establish what type of events occurred.</title>
- </overlay>
- <overlay disa="131" owner="disastig" ownerid="JBOS-AS-000115" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76731" VKey="62241" VRelease="1"/>
- <title>JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.</title>
- </overlay>
- <overlay disa="132" owner="disastig" ownerid="JBOS-AS-000120" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76733" VKey="62243" VRelease="1"/>
- <title>JBoss must be configured to produce log records that establish which hosted application triggered the events.</title>
- </overlay>
- <overlay disa="133" owner="disastig" ownerid="JBOS-AS-000125" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76735" VKey="62245" VRelease="1"/>
- <title>JBoss must be configured to record the IP address and port information used by management interface network traffic.</title>
- </overlay>
- <overlay disa="134" owner="disastig" ownerid="JBOS-AS-000130" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76737" VKey="62247" VRelease="1"/>
- <title>The application server must produce log records that contain sufficient information to establish the outcome of events.</title>
- </overlay>
- <overlay disa="1487" owner="disastig" ownerid="JBOS-AS-000135" ruleid="jboss_eap_configure_logging_level" severity="medium">
- <VMSinfo SVKey="76739" VKey="62249" VRelease="1"/>
- <title>JBoss ROOT logger must be configured to utilize the appropriate logging level.</title>
- </overlay>
- <overlay disa="162" owner="disastig" ownerid="JBOS-AS-000165" ruleid="jboss_eap_configure_log_permissions" severity="medium">
- <VMSinfo SVKey="76741" VKey="62251" VRelease="1"/>
- <title>File permissions must be configured to protect log information from any type of unauthorized read access.</title>
- </overlay>
- <overlay disa="163" owner="disastig" ownerid="JBOS-AS-000170" ruleid="jboss_eap_configure_log_permissions" severity="medium">
- <VMSinfo SVKey="76743" VKey="62253" VRelease="1"/>
- <title>File permissions must be configured to protect log information from unauthorized modification.</title>
- </overlay>
- <overlay disa="164" owner="disastig" ownerid="JBOS-AS-000175" ruleid="jboss_eap_configure_log_permissions" severity="medium">
- <VMSinfo SVKey="76745" VKey="62255" VRelease="1"/>
- <title>File permissions must be configured to protect log information from unauthorized deletion.</title>
- </overlay>
- <overlay disa="1348" owner="disastig" ownerid="JBOS-AS-000195" ruleid="jboss_eap_configure_offloading_max" severity="medium">
- <VMSinfo SVKey="76747" VKey="62257" VRelease="1"/>
- <title>JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.</title>
- </overlay>
- <overlay disa="1499" owner="disastig" ownerid="JBOS-AS-000210" ruleid="jboss_eap_configure_user_permissions" severity="medium">
- <VMSinfo SVKey="76749" VKey="62259" VRelease="1"/>
- <title>mgmt-users.properties file permissions must be set to allow access to authorized users only.</title>
- </overlay>
- <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000220" ruleid="jboss_eap_restrict_jboss_account" severity="high">
- <VMSinfo SVKey="76751" VKey="62261" VRelease="1"/>
- <title>JBoss process owner interactive access must be restricted.</title>
- </overlay>
- <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000225" ruleid="jboss_eap_disable_analytics" severity="medium">
- <VMSinfo SVKey="76753" VKey="62263" VRelease="1"/>
- <title>Google Analytics must be disabled in EAP Console.</title>
- </overlay>
- <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000230" ruleid="jboss_eap_unprivileged_mode" severity="high">
- <VMSinfo SVKey="76755" VKey="62265" VRelease="1"/>
- <title>JBoss process owner execution permissions must be limited.</title>
- </overlay>
- <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000235" ruleid="jboss_eap_remove_quickstarts" severity="medium">
- <VMSinfo SVKey="76757" VKey="62267" VRelease="1"/>
- <title>JBoss QuickStarts must be removed.</title>
- </overlay>
- <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000240" ruleid="jboss_eap_remove_jmx" severity="medium">
- <VMSinfo SVKey="76759" VKey="62269" VRelease="1"/>
- <title>Remote access to JMX subsystem must be disabled.</title>
- </overlay>
- <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000245" ruleid="jboss_eap_disable_replace_welcome_page" severity="low">
- <VMSinfo SVKey="76761" VKey="62271" VRelease="1"/>
- <title>Welcome Web Application must be disabled.</title>
- </overlay>
- <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000250" ruleid="jboss_eap_remove_unnecessary_apps" severity="medium">
- <VMSinfo SVKey="76763" VKey="62273" VRelease="1"/>
- <title>Any unapproved applications must be removed.</title>
- </overlay>
- <overlay disa="382" owner="disastig" ownerid="JBOS-AS-000255" ruleid="jboss_eap_configure_ports" severity="medium">
- <VMSinfo SVKey="76765" VKey="62275" VRelease="1"/>
- <title>JBoss application and management ports must be approved by the PPSM CAL.</title>
- </overlay>
- <overlay disa="764" owner="disastig" ownerid="JBOS-AS-000260" ruleid="jboss_eap_configure_ldap" severity="medium">
- <VMSinfo SVKey="76767" VKey="62277" VRelease="1"/>
- <title>The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.</title>
- </overlay>
- <overlay disa="765" owner="disastig" ownerid="JBOS-AS-000265" ruleid="jboss_eap_configure_multifactor_authentication" severity="medium">
- <VMSinfo SVKey="76769" VKey="62279" VRelease="1"/>
- <title>The JBoss Server must be configured to use certificates to authenticate admins.</title>
- </overlay>
- <overlay disa="770" owner="disastig" ownerid="JBOS-AS-000275" ruleid="jboss_eap_remove_group_accounts" severity="medium">
- <VMSinfo SVKey="76771" VKey="62281" VRelease="1"/>
- <title>The JBoss server must be configured to use individual accounts and not generic or shared accounts.</title>
- </overlay>
- <overlay disa="778" owner="disastig" ownerid="JBOS-AS-000285" ruleid="jboss_eap_configure_management_network" severity="medium">
- <VMSinfo SVKey="76773" VKey="62283" VRelease="1"/>
- <title>The JBoss server must be configured to bind the management interfaces to only management networks.</title>
- </overlay>
- <overlay disa="795" owner="disastig" ownerid="JBOS-AS-000290" ruleid="jboss_eap_configure_management_ldap" severity="medium">
- <VMSinfo SVKey="76775" VKey="62285" VRelease="1"/>
- <title>JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.</title>
- </overlay>
- <overlay disa="196" owner="disastig" ownerid="JBOS-AS-000295" ruleid="jboss_eap_configure_keystore" severity="medium">
- <VMSinfo SVKey="76777" VKey="62287" VRelease="1"/>
- <title>The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.</title>
- </overlay>
- <overlay disa="196" owner="disastig" ownerid="JBOS-AS-000300" ruleid="jboss_eap_encrypt_keystore_passwords" severity="medium">
- <VMSinfo SVKey="76779" VKey="62289" VRelease="1"/>
- <title>JBoss KeyStore and Truststore passwords must not be stored in clear text.</title>
- </overlay>
- <overlay disa="197" owner="disastig" ownerid="JBOS-AS-000305" ruleid="jboss_eap_require_password_access" severity="medium">
- <VMSinfo SVKey="76781" VKey="62291" VRelease="1"/>
- <title>LDAP enabled security realm value allow-empty-passwords must be set to false.</title>
- </overlay>
- <overlay disa="197" owner="disastig" ownerid="JBOS-AS-000310" ruleid="jboss_eap_use_secure_ldap_port" severity="medium">
- <VMSinfo SVKey="76783" VKey="62293" VRelease="1"/>
- <title>JBoss must utilize encryption when using LDAP for authentication.</title>
- </overlay>
- <overlay disa="186" owner="disastig" ownerid="JBOS-AS-000320" ruleid="jboss_eap_secure_keystore_permissions" severity="medium">
- <VMSinfo SVKey="76785" VKey="62295" VRelease="1"/>
- <title>The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators.</title>
- </overlay>
- <overlay disa="1082" owner="disastig" ownerid="JBOS-AS-000355" ruleid="jboss_eap_service_separate_networks" severity="medium">
- <VMSinfo SVKey="76787" VKey="62297" VRelease="1"/>
- <title>The JBoss server must separate hosted application functionality from application server management functionality.</title>
- </overlay>
- <overlay disa="1199" owner="disastig" ownerid="JBOS-AS-000400" ruleid="jboss_eap_file_permissions" severity="medium">
- <VMSinfo SVKey="76789" VKey="62299" VRelease="1"/>
- <title>JBoss file permissions must be configured to protect the confidentiality and integrity of application files.</title>
- </overlay>
- <overlay disa="1314" owner="disastig" ownerid="JBOS-AS-000425" ruleid="jboss_eap_logs_permissions" severity="medium">
- <VMSinfo SVKey="76791" VKey="62301" VRelease="1"/>
- <title>Access to JBoss log files must be restricted to authorized users.</title>
- </overlay>
- <overlay disa="2322" owner="disastig" ownerid="JBOS-AS-000470" ruleid="jboss_eap_disable_domain_admin_console" severity="medium">
- <VMSinfo SVKey="76793" VKey="62303" VRelease="1"/>
- <title>Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller.</title>
- </overlay>
- <overlay disa="2235" owner="disastig" ownerid="JBOS-AS-000475" ruleid="jboss_eap_enable_rbac" severity="medium">
- <VMSinfo SVKey="76795" VKey="62305" VRelease="1"/>
- <title>The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</title>
- </overlay>
- <overlay disa="2234" owner="disastig" ownerid="JBOS-AS-000480" ruleid="jboss_eap_audit_privileged_actions" severity="medium">
- <VMSinfo SVKey="76797" VKey="62307" VRelease="1"/>
- <title>The JBoss server must be configured to log all admin activity.</title>
- </overlay>
- <overlay disa="1851" owner="disastig" ownerid="JBOS-AS-000505" ruleid="jboss_eap_configure_syslog" severity="medium">
- <VMSinfo SVKey="76799" VKey="62309" VRelease="1"/>
- <title>The JBoss server must be configured to utilize syslog logging.</title>
- </overlay>
- <overlay disa="1813" owner="disastig" ownerid="JBOS-AS-000545" ruleid="jboss_eap_disable_automatic_deployment" severity="medium">
- <VMSinfo SVKey="76801" VKey="62311" VRelease="1"/>
- <title>Production JBoss servers must not allow automatic application deployment.</title>
- </overlay>
- <overlay disa="1814" owner="disastig" ownerid="JBOS-AS-000550" ruleid="jboss_eap_log_deployments" severity="medium">
- <VMSinfo SVKey="76803" VKey="62313" VRelease="1"/>
- <title>Production JBoss servers must log when failed application deployments occur.</title>
- </overlay>
- <overlay disa="1814" owner="disastig" ownerid="JBOS-AS-000555" ruleid="jboss_eap_log_deployments" severity="medium">
- <VMSinfo SVKey="76805" VKey="62315" VRelease="1"/>
- <title>Production JBoss servers must log when successful application deployments occur.</title>
- </overlay>
- <overlay disa="2470" owner="disastig" ownerid="JBOS-AS-000625" ruleid="jboss_eap_use_approved_ca_cert" severity="medium">
- <VMSinfo SVKey="76807" VKey="62317" VRelease="1"/>
- <title>JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.</title>
- </overlay>
- <overlay disa="2385" owner="disastig" ownerid="JBOS-AS-000640" ruleid="jboss_eap_configure_ha_lb" severity="medium">
- <VMSinfo SVKey="76809" VKey="62319" VRelease="1"/>
- <title>The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.</title>
- </overlay>
- <overlay disa="2418" owner="disastig" ownerid="JBOS-AS-000650" ruleid="jboss_eap_use_tls" severity="medium">
- <VMSinfo SVKey="76811" VKey="62321" VRelease="2"/>
- <title>JBoss must be configured to use an approved TLS version.</title>
- </overlay>
- <overlay disa="2421" owner="disastig" ownerid="JBOS-AS-000655" ruleid="jboss_eap_use_approved_ciphers" severity="medium">
- <VMSinfo SVKey="76813" VKey="62323" VRelease="2"/>
- <title>JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.</title>
- </overlay>
- <overlay disa="2605" owner="disastig" ownerid="JBOS-AS-000680" ruleid="jboss_eap_vendor_supported" severity="high">
- <VMSinfo SVKey="76815" VKey="62325" VRelease="1"/>
- <title>Production JBoss servers must be supported by the vendor.</title>
- </overlay>
- <overlay disa="2605" owner="disastig" ownerid="JBOS-AS-000685" ruleid="jboss_eap_system_up_to_date" severity="high">
- <VMSinfo SVKey="76817" VKey="62327" VRelease="1"/>
- <title>The JRE installed on the JBoss server must be kept up to date.</title>
- </overlay>
- <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000690" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76819" VKey="62329" VRelease="1"/>
- <title>JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur.</title>
- </overlay>
- <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000695" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76821" VKey="62331" VRelease="1"/>
- <title>JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur.</title>
- </overlay>
- <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000700" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76823" VKey="62333" VRelease="1"/>
- <title>JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur.</title>
- </overlay>
- <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000705" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76825" VKey="62335" VRelease="1"/>
- <title>JBoss must be configured to generate log records for privileged activities.</title>
- </overlay>
- <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000710" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76827" VKey="62337" VRelease="1"/>
- <title>JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface.</title>
- </overlay>
- <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000715" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76829" VKey="62339" VRelease="1"/>
- <title>JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface.</title>
- </overlay>
- <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000720" ruleid="jboss_eap_configure_auditing" severity="medium">
- <VMSinfo SVKey="76831" VKey="62341" VRelease="1"/>
- <title>JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events.</title>
- </overlay>
- <overlay disa="2450" owner="disastig" ownerid="JBOS-AS-000730" ruleid="jboss_eap_use_dod_approved_certs" severity="medium">
- <VMSinfo SVKey="76833" VKey="62343" VRelease="1"/>
- <title>The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.</title>
- </overlay>
- <overlay disa="1851" owner="disastig" ownerid="JBOS-AS-000735" ruleid="jboss_eap_roll_over_transfer_logs" severity="medium">
- <VMSinfo SVKey="76835" VKey="62345" VRelease="1"/>
- <title>JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis.</title>
- </overlay>
-</overlays>
diff --git a/eap6/product.yml b/eap6/product.yml
deleted file mode 100644
index edc8a0878c..0000000000
--- a/eap6/product.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-product: eap6
-full_name: JBoss EAP 6
-type: product
-
-benchmark_root: "./guide"
-
-profiles_root: "./profiles"
diff --git a/eap6/profiles/stig.profile b/eap6/profiles/stig.profile
deleted file mode 100644
index 8cd8e3235c..0000000000
--- a/eap6/profiles/stig.profile
+++ /dev/null
@@ -1,57 +0,0 @@
-documentation_complete: true
-
-title: 'STIG for JBoss Enterprise Application Platform 6'
-
-description: 'This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become
- a STIG in coordination with DISA FSO.'
-
-selections:
- - jboss_eap_configure_secure_management_access
- - jboss_eap_configure_https
- - jboss_eap_configure_host_access_restrictions
- - jboss_eap_configure_security_manager
- - jboss_eap_enable_rbac
- - jboss_eap_configure_user_roles
- - jboss_eap_configure_application_authentication
- - jboss_eap_configure_management_authentication
- - jboss_eap_configure_security_realm
- - jboss_eap_configure_auditing
- - jboss_eap_configure_auditor_roles
- - jboss_eap_configure_logging_level
- - jboss_eap_configure_log_permissions
- - jboss_eap_configure_offloading_max
- - jboss_eap_configure_user_permissions
- - jboss_eap_restrict_jboss_account
- - jboss_eap_disable_analytics
- - jboss_eap_unprivileged_mode
- - jboss_eap_remove_quickstarts
- - jboss_eap_remove_jmx
- - jboss_eap_disable_replace_welcome_page
- - jboss_eap_remove_unnecessary_apps
- - jboss_eap_configure_ports
- - jboss_eap_configure_ldap
- - jboss_eap_configure_multifactor_authentication
- - jboss_eap_remove_group_accounts
- - jboss_eap_configure_management_network
- - jboss_eap_configure_management_ldap
- - jboss_eap_configure_keystore
- - jboss_eap_encrypt_keystore_passwords
- - jboss_eap_require_password_access
- - jboss_eap_use_secure_ldap_port
- - jboss_eap_secure_keystore_permissions
- - jboss_eap_service_separate_networks
- - jboss_eap_file_permissions
- - jboss_eap_logs_permissions
- - jboss_eap_disable_domain_admin_console
- - jboss_eap_audit_privileged_actions
- - jboss_eap_configure_syslog
- - jboss_eap_disable_automatic_deployment
- - jboss_eap_log_deployments
- - jboss_eap_use_approved_ca_cert
- - jboss_eap_configure_ha_lb
- - jboss_eap_use_tls
- - jboss_eap_use_approved_ciphers
- - jboss_eap_vendor_supported
- - jboss_eap_system_up_to_date
- - jboss_eap_use_dod_approved_certs
- - jboss_eap_roll_over_transfer_logs
diff --git a/eap6/transforms/cci2html.xsl b/eap6/transforms/cci2html.xsl
deleted file mode 100644
index af9e4e5778..0000000000
--- a/eap6/transforms/cci2html.xsl
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="utf-8" standalone="yes"?>
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cci="https://public.cyber.mil/stigs/cci">
-
-<xsl:include href="../../shared/transforms/shared_cci2html.xsl"/>
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/constants.xslt b/eap6/transforms/constants.xslt
deleted file mode 100644
index 336c2f8ed8..0000000000
--- a/eap6/transforms/constants.xslt
+++ /dev/null
@@ -1,21 +0,0 @@
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-
-<xsl:include href="../../shared/transforms/shared_constants.xslt"/>
-
-<xsl:variable name="product_long_name">JBoss EAP 6</xsl:variable>
-<xsl:variable name="product_short_name">EAP 6</xsl:variable>
-<xsl:variable name="product_stig_id_name">EAP_6_STIG</xsl:variable>
-<xsl:variable name="prod_type">eap6</xsl:variable>
-
-<xsl:variable name="cisuri">empty</xsl:variable>
-<xsl:variable name="product_guide_id_name">Jboss-EAP-6</xsl:variable>
-<xsl:variable name="disa-stigs-uri" select="$disa-stigs-apps-appserver-uri"/>
-<xsl:variable name="disa-srguri" select="$disa-appsrguri"/>
-
-<!-- Define URI for custom CCE identifier which can be used for mapping to corporate policy -->
-<!--xsl:variable name="custom-cce-uri">https://www.example.org</xsl:variable-->
-
-<!-- Define URI for custom policy reference which can be used for linking to corporate policy -->
-<!--xsl:variable name="custom-ref-uri">https://www.example.org</xsl:variable-->
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/shorthand2xccdf.xslt b/eap6/transforms/shorthand2xccdf.xslt
deleted file mode 100644
index de809d5f57..0000000000
--- a/eap6/transforms/shorthand2xccdf.xslt
+++ /dev/null
@@ -1,9 +0,0 @@
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-
-<xsl:import href="../../shared/transforms/shared_shorthand2xccdf.xslt"/>
-
-<xsl:include href="constants.xslt"/>
-<xsl:param name="ssg_version">unknown</xsl:param>
-<xsl:variable name="ovalfile">unlinked-eap6-oval.xml</xsl:variable>
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/table-add-srgitems.xslt b/eap6/transforms/table-add-srgitems.xslt
deleted file mode 100644
index f55b9a54f8..0000000000
--- a/eap6/transforms/table-add-srgitems.xslt
+++ /dev/null
@@ -1,7 +0,0 @@
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:cci="https://public.cyber.mil/stigs/cci">
-
-<xsl:include href="../../shared/transforms/shared_table-add-srgitems.xslt"/>
-<xsl:variable name="srgtable" select="document('../output/table-eap6-srgmap-flat.xhtml')/html/body/table" />
-<xsl:variable name="cci_list" select="document('../../shared/references/disa-cci-list.xml')/cci:cci_list" />
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/table-sortbyref.xslt b/eap6/transforms/table-sortbyref.xslt
deleted file mode 100644
index bd97ee1cab..0000000000
--- a/eap6/transforms/table-sortbyref.xslt
+++ /dev/null
@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="utf-8" standalone="yes"?>
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
-
-<xsl:import href="../../shared/transforms/shared_table-sortbyref.xslt"/>
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/table-srgmap.xslt b/eap6/transforms/table-srgmap.xslt
deleted file mode 100644
index 23c2f60a2c..0000000000
--- a/eap6/transforms/table-srgmap.xslt
+++ /dev/null
@@ -1,11 +0,0 @@
-<?xml version="1.0" encoding="utf-8" standalone="yes"?>
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
-
-<xsl:include href="../../shared/transforms/shared_table-srgmap.xslt"/>
-<xsl:include href="constants.xslt"/>
-<xsl:include href="table-style.xslt"/>
-
-<xsl:variable name="items" select="document($map-to-items)//*[cdf:reference]" />
-<xsl:variable name="title" select="document($map-to-items)/cdf:Benchmark/cdf:title" />
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/table-style.xslt b/eap6/transforms/table-style.xslt
deleted file mode 100644
index 218d0f7542..0000000000
--- a/eap6/transforms/table-style.xslt
+++ /dev/null
@@ -1,5 +0,0 @@
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-
-<xsl:import href="../../shared/transforms/shared_table-style.xslt"/>
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/xccdf-apply-overlay-stig.xslt b/eap6/transforms/xccdf-apply-overlay-stig.xslt
deleted file mode 100644
index 38b354afb8..0000000000
--- a/eap6/transforms/xccdf-apply-overlay-stig.xslt
+++ /dev/null
@@ -1,8 +0,0 @@
-<?xml version="1.0"?>
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
-
-<xsl:include href="../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
-<xsl:include href="constants.xslt"/>
-<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/xccdf2stigformat.xslt b/eap6/transforms/xccdf2stigformat.xslt
deleted file mode 100644
index 5421604fa3..0000000000
--- a/eap6/transforms/xccdf2stigformat.xslt
+++ /dev/null
@@ -1,7 +0,0 @@
-<?xml version="1.0"?>
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" exclude-result-prefixes="cdf">
-
-<xsl:include href="../../shared/transforms/shared_xccdf2stigformat.xslt"/>
-<xsl:include href="constants.xslt"/>
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/xccdf2table-byref.xslt b/eap6/transforms/xccdf2table-byref.xslt
deleted file mode 100644
index 88a53f50ab..0000000000
--- a/eap6/transforms/xccdf2table-byref.xslt
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="utf-8" standalone="yes"?>
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
-
-<xsl:import href="../../shared/transforms/shared_xccdf2table-byref.xslt"/>
-
-<xsl:include href="constants.xslt"/>
-<xsl:include href="table-style.xslt"/>
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/xccdf2table-cce.xslt b/eap6/transforms/xccdf2table-cce.xslt
deleted file mode 100644
index 1ffb22215c..0000000000
--- a/eap6/transforms/xccdf2table-cce.xslt
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="utf-8" standalone="yes"?>
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
-
-<xsl:import href="../../shared/transforms/shared_xccdf2table-cce.xslt"/>
-
-<xsl:include href="constants.xslt"/>
-<xsl:include href="table-style.xslt"/>
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/xccdf2table-profileccirefs.xslt b/eap6/transforms/xccdf2table-profileccirefs.xslt
deleted file mode 100644
index 5a104d956f..0000000000
--- a/eap6/transforms/xccdf2table-profileccirefs.xslt
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="utf-8" standalone="yes"?>
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://public.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-
-<xsl:import href="../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
-
-<xsl:include href="constants.xslt"/>
-<xsl:include href="table-style.xslt"/>
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/xccdf2table-profilecisrefs.xslt b/eap6/transforms/xccdf2table-profilecisrefs.xslt
deleted file mode 100644
index 92cbdf9b45..0000000000
--- a/eap6/transforms/xccdf2table-profilecisrefs.xslt
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="utf-8" standalone="yes"?>
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
-
-<xsl:import href="../../shared/transforms/shared_xccdf2table-profilecisrefs.xslt"/>
-
-<xsl:include href="constants.xslt"/>
-<xsl:include href="table-style.xslt"/>
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/xccdf2table-profilenistrefs.xslt b/eap6/transforms/xccdf2table-profilenistrefs.xslt
deleted file mode 100644
index 8e97c33344..0000000000
--- a/eap6/transforms/xccdf2table-profilenistrefs.xslt
+++ /dev/null
@@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="utf-8" standalone="yes"?>
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
-
-<xsl:import href="../../shared/transforms/shared_xccdf2table-profilenistrefs.xslt"/>
-<xsl:include href="constants.xslt"/>
-<xsl:include href="table-style.xslt"/>
-
-</xsl:stylesheet>
diff --git a/eap6/transforms/xccdf2table-stig.xslt b/eap6/transforms/xccdf2table-stig.xslt
deleted file mode 100644
index 2fb56fa7d0..0000000000
--- a/eap6/transforms/xccdf2table-stig.xslt
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="utf-8" standalone="yes"?>
-<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
-
-<xsl:import href="../../shared/transforms/shared_xccdf2table-stig.xslt"/>
-
-<xsl:include href="constants.xslt"/>
-<xsl:include href="table-style.xslt"/>
-
-</xsl:stylesheet>
diff --git a/shared/references/disa-stig-eap6-v1r2-xccdf-manual.xml b/shared/references/disa-stig-eap6-v1r2-xccdf-manual.xml
deleted file mode 100644
index 74aef4df7d..0000000000
--- a/shared/references/disa-stig-eap6-v1r2-xccdf-manual.xml
+++ /dev/null
@@ -1,1275 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="JBoss_EAP_6-3_STIG" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2017-03-20">accepted</status><title>JBoss EAP 6.3 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><reference href="http://iase.disa.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 2 Benchmark Date: 28 Apr 2017</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select 
idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description><ProfileDescription></ProfileDescription></description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select 
idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" 
selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description><ProfileDescription></ProfileDescription></description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select 
idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" 
/><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" 
selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description><ProfileDescription></ProfileDescription></description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" 
selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description><ProfileDescription></ProfileDescription></description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select 
idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" 
selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description><ProfileDescription></ProfileDescription></description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select 
idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description><ProfileDescription></ProfileDescription></description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select 
idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" 
selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description><ProfileDescription></ProfileDescription></description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select 
idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Group id="V-62073"><title>SRG-APP-000014-AS-000009</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76563r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000010</version><title>HTTP management session traffic must be encrypted.</title><description><VulnDiscussion>Types of management interfaces utilized by the JBoss EAP application server include web-based HTTP interfaces as well as command line-based management interfaces. In the event remote HTTP management is required, the access must be via HTTPS.
-
-This requirement is in conjunction with the requirement to isolate all management access to a restricted network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000068</ident><fixtext fixref="F-67993r1_fix">Follow the specific instructions in the Red Hat Security Guide for EAP version 6.3 to configure the management console for HTTPS.
-
-This involves the following steps.
-1. Create a keystore in JKS format.
-2. Ensure the management console binds to HTTPS.
-3. Create a new Security Realm.
-4. Configure Management Interface to use new security realm.
-5. Configure the management console to use the keystore.
-6. Restart the EAP server.</fixtext><fix id="F-67993r1_fix" /><check system="C-62877r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script. Connect to the server and authenticate.
-
-For a standalone configuration run the following command:
-"ls /core-service=management/management-interface=http-interface"
-
-If "secure-socket-binding"=undefined, this is a finding.
-
-For a domain configuration run the following command:
-"ls /host=master/core-service=management/management-interface=http-interface"
-
-If "secure-port" is undefined, this is a finding.</check-content></check></Rule></Group><Group id="V-62215"><title>SRG-APP-000015-AS-000010</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76705r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000015</version><title>HTTPS must be enabled for JBoss web interfaces.</title><description><VulnDiscussion>Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk.
-
-Application servers utilize a web management interface and scripted commands when allowing remote access. Web access requires the use of TLS, and scripted access requires using ssh or some other form of approved cryptography. Application servers must have a capability to enable a secure remote admin capability.
-
-FIPS 140-2 approved TLS versions include TLS V1.0 or greater.
-
-FIPS 140-2 approved TLS versions must be enabled, and non-FIPS-approved SSL versions must be disabled.
-
-NIST SP 800-52 specifies the preferred configurations for government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001453</ident><fixtext fixref="F-68135r1_fix">Follow procedure "4.4. Configure the JBoss Web Server to use HTTPS." The detailed procedure is found in the JBoss EAP 6.3 Security Guide available at the vendor's site, RedHat.com. An overview of steps is provided here.
-
-1. Obtain or generate DoD-approved SSL certificates.
-2. Configure the SSL certificate using your certificate values.
-3. Set the SSL protocol to TLS V1.1 or V1.2.</fixtext><fix id="F-68135r1_fix" /><check system="C-63019r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Review the web subsystem and ensure that HTTPS is enabled.
-Run the command:
-
-For a managed domain:
-"ls /profile=<PROFILE_NAME>/subsystem=web/connector="
-
-For a standalone system:
-"ls /subsystem=web/connector="
-
-If "https" is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-62217"><title>SRG-APP-000033-AS-000024</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76707r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000025</version><title>Java permissions must be set for hosted applications.</title><description><VulnDiscussion>The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM.
-
-The JVM requires a security policy in order to restrict application access. A properly configured security policy will define what rights the application has to the underlying system. For example, rights to make changes to files on the host system or to initiate network sockets in order to connect to another system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68137r1_fix">Configure the Java security manager to enforce access restrictions to the host system resources in accordance with application design and resource requirements.</fixtext><fix id="F-68137r1_fix" /><check system="C-63021r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Obtain documentation from the admin that identifies the applications hosted on the JBoss server as well as the corresponding rights the application requires. For example, if the application requires network socket permissions and file write permissions, those requirements should be documented.
-
-1. Identify the JBoss installation as either domain or standalone and review the relevant configuration file.
-For domain installs: JBOSS_HOME/bin/domain.conf
-For standalone installs: JBOSS_HOME/bin/standalone.conf
-
-2. Identify the location and name of the security policy by reading the JAVA_OPTS flag -Djava.security.policy=<file name> where <file name> will indicate name and location of security policy. If the application uses a policy URL, obtain URL and policy file from system admin.
-
-3. Review security policy and ensure hosted applications have the appropriate restrictions placed on them as per documented application functionality requirements.
-
-If the security policy does not restrict application access to host resources as per documented requirements, this is a finding.</check-content></check></Rule></Group><Group id="V-62219"><title>SRG-APP-000033-AS-000024</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76709r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000040</version><title>Users in JBoss Management Security Realms must be in the appropriate role.</title><description><VulnDiscussion>Security realms are a series of mappings between users and passwords and users and roles. There are 2 JBoss security realms provided by default; they are "management realm" and "application realm".
-
-Management realm stores authentication information for the management API, which provides functionality for the web-based management console and the management command line interface (CLI).
-
-mgmt-groups.properties stores user to group mapping for the ManagementRealm but only when role-based access controls (RBAC) is enabled.
-
-If management users are not in the appropriate role, unauthorized access to JBoss resources can occur.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68139r1_fix">Document approved management users and their roles. Configure the application server to use RBAC and ensure users are placed into the appropriate roles.</fixtext><fix id="F-68139r1_fix" /><check system="C-63023r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Review the mgmt-users.properties file. Also review the <management /> section in the standalone.xml or domain.xml configuration files. The relevant xml file will depend on if the JBoss server is configured in standalone or domain mode.
-
-Ensure all users listed in these files are approved for management access to the JBoss server and are in the appropriate role.
-
-For domain configurations:
-<JBOSS_HOME>/domain/configuration/mgmt-users.properties.
-<JBOSS_HOME>/domain/configuration/domain.xml
-
-For standalone configurations:
-<JBOSS_HOME>/standalone/configuration/mgmt-users.properties.
-<JBOSS_HOME>/standalone/configuration/standalone.xml
-
-If the users listed are not in the appropriate role, this is a finding.</check-content></check></Rule></Group><Group id="V-62221"><title>SRG-APP-000033-AS-000024</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76711r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000045</version><title>Silent Authentication must be removed from the Default Application Security Realm.</title><description><VulnDiscussion>Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis. By default $localuser is a Superuser. This introduces an integrity and availability vulnerability and violates best practice requirements regarding accountability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68141r1_fix">Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Remove the local element from the Application Realm.
-For standalone servers, run the following command:
-/core-service=management/securityrealm=
-ApplicationRealm/authentication=local:remove
-
-For managed domain installations, run the following command:
-/host=HOST_NAME/core-service=management/securityrealm=
-ApplicationRealm/authentication=local:remove</fixtext><fix id="F-68141r1_fix" /><check system="C-63025r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Verify that Silent Authentication has been removed from the default Application security realm.
-Run the following command.
-
-For standalone servers, run the following command:
-"ls /core-service=management/securityrealm=ApplicationRealm/authentication"
-
-For managed domain installations, run the following command:
-"ls /host=HOST_NAME/core-service=management/securityrealm=ApplicationRealm/authentication"
-
-If "local" is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-62223"><title>SRG-APP-000033-AS-000024</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76713r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000050</version><title>Silent Authentication must be removed from the Default Management Security Realm.</title><description><VulnDiscussion>Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis. By default $localuser is a Superuser. This introduces an integrity and availability vulnerability and violates best practice requirements regarding accountability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68143r1_fix">Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Remove the local element from the Management Realm.
-For standalone servers run the following command:
-/core-service=management/securityrealm=
-ManagementRealm/authentication=local:remove
-
-For managed domain installations run the following command:
-/host=HOST_NAME/core-service=management/securityrealm=
-ManagementRealm/authentication=local:remove</fixtext><fix id="F-68143r1_fix" /><check system="C-63027r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Verify that Silent Authentication has been removed from the default Management security realm.
-Run the following command.
-
-For standalone servers run the following command:
-"ls /core-service=management/securityrealm=ManagementRealm/authentication"
-
-For managed domain installations run the following command:
-"ls /host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication"
-
-If "local" is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-62225"><title>SRG-APP-000033-AS-000024</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76715r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000030</version><title>The Java Security Manager must be enabled for the JBoss application server.</title><description><VulnDiscussion>The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM.
-
-The Java Security Manager uses a security policy to determine whether a given action will be
-permitted or denied.
-
-To protect the host system, the JBoss application server must be run within the Java Security Manager.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68145r1_fix">For a domain installation:
-Enable the respective JAVA_OPTS flag in both the domain.conf and the domain.conf.bat files.
-
-For a standalone installation:
-Enable the respective JAVA_OPTS flag in both the standalone.conf and the standalone.conf.bat files.</fixtext><fix id="F-68145r1_fix" /><check system="C-63029r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>To determine if the Java Security Manager is enabled for JBoss, you must examine the startup commands. JBoss can be configured to run in either "domain" or a "standalone" mode. JBOSS_HOME is the variable home directory for the JBoss installation. Use relevant OS commands to navigate the file system.
-
-A. For a managed domain installation, review the domain.conf and domain.conf.bat files:
-
-JBOSS_HOME/bin/domain.conf
-JBOSS_HOME/bin/domain.conf.bat
-
-In domain.conf file, ensure there is a JAVA_OPTS flag that loads the Java Security Manager as well as a relevant Java Security policy. The following is an example:
-
-JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true"
-
-In domain.conf.bat file, ensure JAVA_OPTS flag is set. The following is an example:
-
-set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true"
-
-B. For a standalone installation, review the standalone.conf and standalone.conf.bat files:
-
-JBOSS_HOME/bin/standalone.conf
-JBOSS_HOME/bin/standalone.conf.bat
-
-In the standalone.conf file, ensure the JAVA_OPTS flag is set. The following is an example:
-
-JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true"
-
-In the standalone.conf.bat file, ensure the JAVA_OPTS flag is set. The following is an example:
-
-set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME% -Djboss.modules.policy-permissions=true"
-
-If the security manager is not enabled and a security policy not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-62227"><title>SRG-APP-000033-AS-000024</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76717r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000035</version><title>The JBoss server must be configured with Role Based Access Controls.</title><description><VulnDiscussion>By default, the JBoss server is not configured to utilize role based access controls (RBAC). RBAC provides the capability to restrict user access to their designated management role, thereby limiting access to only the JBoss functionality that they are supposed to have. Without RBAC, the JBoss server is not able to enforce authorized access according to role.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68147r1_fix">Run the following command.
-<JBOSS_HOME>/bin/jboss-cli.sh -c -> connect -> cd /core-service=management/access-authorization :write-attribute(name=provider, value=rbac)
-
-Restart JBoss.
-
-Map users to roles by running the following command. Upper-case words are variables.
-
-role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)</fixtext><fix id="F-68147r1_fix" /><check system="C-63031r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Run the following command:
-
-For standalone servers:
-"ls /core-service=management/access=authorization/"
-
-For managed domain installations:
-"ls /host=master/core-service=management/access=authorization/"
-
-If the "provider" attribute is not set to "rbac", this is a finding.</check-content></check></Rule></Group><Group id="V-62229"><title>SRG-APP-000033-AS-000024</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76719r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000075</version><title>JBoss management interfaces must be secured.</title><description><VulnDiscussion>JBoss utilizes the concept of security realms to secure the management interfaces used for JBoss server administration. If the security realm attribute is omitted or removed from the management interface definition, access to that interface is no longer secure. The JBoss management interfaces must be secured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68149r1_fix">Identify the security realm used for management of the system. By default, this is called "Management Realm".
-
-If a management security realm is not already available, reference the Jboss EAP 6.3 system administration guide for instructions on how to create a security realm for management purposes. Create the management realm, and assign authentication and authorization access restrictions to the management realm.
-
-Assign the management interfaces to the management realm.</fixtext><fix id="F-68149r1_fix" /><check system="C-63033r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Identify the management interfaces. To identity the management interfaces, run the following command:
-
-For standalone servers:
-"ls /core-service=management/management-interface="
-
-For managed domain installations:
-"ls /host=HOST_NAME/core-service=management/management-interface="
-
-By default, JBoss provides two management interfaces; they are named "NATIVE-INTERFACE" and "HTTP-INTERFACE". The system may or may not have both interfaces enabled. For each management interface listed as a result of the previous command, append the name of the management interface to the end of the following command.
-
-For a standalone system:
-
-"ls /core-service=management/management-interface=<MANAGEMENT INTERFACE NAME>"
-
-For a managed domain:
-
-"ls /host=HOST_NAME/core-service=management/management-interface=<MANAGEMENT INTERFACE NAME>"
-
-If the "security-realm=" attribute is not associated with a management realm, this is a finding.</check-content></check></Rule></Group><Group id="V-62231"><title>SRG-APP-000089-AS-000050</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76721r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000080</version><title>The JBoss server must generate log records for access and authentication events to the management interface.</title><description><VulnDiscussion>Log records can be generated from various components within the JBoss application server. The minimum list of logged events should be those pertaining to access and authentication events to the management interface as well as system startup and shutdown events.
-
-By default, JBoss does not log management interface access but does provide a default file handler. This handler needs to be enabled. Configuring this setting meets several STIG auditing requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000169</ident><fixtext fixref="F-68151r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68151r1_fix" /><check system="C-63035r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62233"><title>SRG-APP-000090-AS-000051</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76723r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000085</version><title>JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.</title><description><VulnDiscussion>The JBoss server must be configured to select which personnel are assigned the role of selecting which loggable events are to be logged.
-In JBoss, the role designated for selecting auditable events is the "Auditor" role.
-The personnel or roles that can select loggable events are only the ISSM (or individuals or roles appointed by the ISSM).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000171</ident><fixtext fixref="F-68153r1_fix">Obtain documented approvals from ISSM, and assign the appropriate personnel into the "Auditor" role.</fixtext><fix id="F-68153r1_fix" /><check system="C-63037r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=authorization/role-mapping=Auditor/include="
-
-For a Standalone configuration:
-"ls /core-service=management/access=authorization/role-mapping=Auditor/include="
-
-If the list of users in the Auditors group is not approved by the ISSM, this is a finding.</check-content></check></Rule></Group><Group id="V-62235"><title>SRG-APP-000092-AS-000053</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76725r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000095</version><title>JBoss must be configured to initiate session logging upon startup.</title><description><VulnDiscussion>Session logging activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001464</ident><fixtext fixref="F-68155r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68155r1_fix" /><check system="C-63039r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62237"><title>SRG-APP-000095-AS-000056</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76727r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000105</version><title>JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.</title><description><VulnDiscussion>Information system logging capability is critical for accurate forensic analysis. Without being able to establish what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible.
-
-Log record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
-
-Application servers must log all relevant log data that pertains to the application server. Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD/Web server activity, and application server-related system process activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><fixtext fixref="F-68157r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68157r1_fix" /><check system="C-63041r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62239"><title>SRG-APP-000095-AS-000056</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76729r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000110</version><title>JBoss must be configured to produce log records containing information to establish what type of events occurred.</title><description><VulnDiscussion>Information system logging capability is critical for accurate forensic analysis. Without being able to establish what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible.
-
-Log record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
-
-Application servers must log all relevant log data that pertains to the application server. Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD/Web server activity, and application server-related system process activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><fixtext fixref="F-68159r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68159r1_fix" /><check system="C-63043r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62241"><title>SRG-APP-000096-AS-000059</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76731r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000115</version><title>JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.</title><description><VulnDiscussion>Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
-
-Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety.
-
-Without sufficient information establishing when the log event occurred, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control, or flow control rules invoked.
-
-In addition to logging event information, application servers must also log the corresponding dates and times of these events. Examples of event data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity, and application server-related system process activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000131</ident><fixtext fixref="F-68161r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68161r1_fix" /><check system="C-63045r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62243"><title>SRG-APP-000097-AS-000060</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76733r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000120</version><title>JBoss must be configured to produce log records that establish which hosted application triggered the events.</title><description><VulnDiscussion>Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
-
-By default, no web logging is enabled in JBoss. Logging can be configured per web application or by virtual server. If web application logging is not set up, application activity will not be logged.
-
-Ascertaining the correct location or process within the application server where the events occurred is important during forensic analysis. To determine where an event occurred, the log data must contain data containing the application identity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000132</ident><fixtext fixref="F-68163r1_fix">Configure log formatter to audit application activity so individual application activity can be identified.</fixtext><fix id="F-68163r1_fix" /><check system="C-63047r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Application logs are a configurable variable. Interview the system admin, and have them identify the applications that are running on the application server. Have the system admin identify the log files/location where application activity is stored.
-
-Review the log files to ensure each application is uniquely identified within the logs or each application has its own unique log file.
-
-Generate application activity by either authenticating to the application or generating an auditable event, and ensure the application activity is recorded in the log file. Recently time stamped application events are suitable evidence of compliance.
-
-If the log records do not indicate which application hosted on the application server generated the event, or if no events are recorded related to application activity, this is a finding.</check-content></check></Rule></Group><Group id="V-62245"><title>SRG-APP-000098-AS-000061</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76735r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000125</version><title>JBoss must be configured to record the IP address and port information used by management interface network traffic.</title><description><VulnDiscussion>Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined.
-
-Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the loggable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise.
-
-Without sufficient information establishing the source of the logged event, investigation into the cause of event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control, or flow control rules invoked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000133</ident><fixtext fixref="F-68165r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68165r1_fix" /><check system="C-63049r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62247"><title>SRG-APP-000099-AS-000062</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76737r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000130</version><title>The application server must produce log records that contain sufficient information to establish the outcome of events.</title><description><VulnDiscussion>Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control or flow control rules invoked.
-
-Success and failure indicators ascertain the outcome of a particular application server event or function. As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Event outcome may also include event-specific results (e.g., the security state of the information system after the event occurred).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000134</ident><fixtext fixref="F-68167r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68167r1_fix" /><check system="C-63051r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62249"><title>SRG-APP-000100-AS-000063</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76739r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000135</version><title>JBoss ROOT logger must be configured to utilize the appropriate logging level.</title><description><VulnDiscussion>Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
-
-See Chapter 14, Section 14.1.9, Table 14.4 of the Red Hat JBoss EAP Administration and Configuration Guide version 6.3 for specific details on log levels and log level values.
-
-The JBOSS application server ROOT logger captures all messages not captured by a log category and sends them to a log handler (FILE, CONSOLE, SYSLOG, ETC.). By default, the ROOT logger level is set to INFO, which is a value of 800. This will capture most events adequately. Any level numerically higher than INFO (> 800) records less data and may result in an insufficient amount of information being logged by the ROOT logger. This can result in failed forensic investigations. The ROOT logger level must be INFO level or lower to provide adequate log information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001487</ident><fixtext fixref="F-68169r1_fix">Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-
-The PROFILE NAMEs included with a Managed Domain JBoss configuration are:
-"default", "full", "full-ha" or "ha"
-For a Managed Domain configuration, you must check each profile name:
-
-For each PROFILE NAME, run the command:
-"/profile=<PROFILE NAME>/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)"
-
-For a Standalone configuration:
-"/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)"</fixtext><fix id="F-68169r1_fix" /><check system="C-63053r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-
-The PROFILE NAMEs included with a Managed Domain JBoss configuration are:
-"default", "full", "full-ha" or "ha"
-For a Managed Domain configuration, you must check each profile name:
-
-For each PROFILE NAME, run the command:
-"ls /profile=<PROFILE NAME>/subsystem=logging/root-logger=ROOT"
-
-If ROOT logger "level" is not set to INFO, DEBUG or TRACE
-This is a finding for each <PROFILE NAME> (default, full, full-ha and ha)
-
-For a Standalone configuration:
-"ls /subsystem=logging/root-logger=ROOT"
-
-If "level" not = INFO, DEBUG or TRACE, this is a finding.</check-content></check></Rule></Group><Group id="V-62251"><title>SRG-APP-000118-AS-000078</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76741r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000165</version><title>File permissions must be configured to protect log information from any type of unauthorized read access.</title><description><VulnDiscussion>If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve.
-
-When not configured to use a centralized logging solution like a syslog server, the JBoss EAP application server writes log data to log files that are stored on the OS; appropriate file permissions must be used to restrict access.
-
-Log information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000162</ident><fixtext fixref="F-68171r1_fix">Configure the OS file permissions on the application server to protect log information from unauthorized read access.</fixtext><fix id="F-68171r1_fix" /><check system="C-63055r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Examine the log file locations and inspect the file permissions. Interview the system admin to determine log file locations. The default location for the log files is:
-
-Standalone configuration:
-<JBOSS_HOME>/standalone/log/
-
-Managed Domain configuration:
-<JBOSS_HOME>/domain/servers/<servername>/log/
-<JBOSS_HOME>/domain/log/
-
-Review the file permissions for the log file directories. The method used for identifying file permissions will be based upon the OS the EAP server is installed on.
-
-Identify all users with file permissions that allow them to read log files.
-
-Request documentation from system admin that identifies the users who are authorized to read log files.
-
-If unauthorized users are allowed to read log files, or if documentation that identifies the users who are authorized to read log files is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-62253"><title>SRG-APP-000119-AS-000079</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76743r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000170</version><title>File permissions must be configured to protect log information from unauthorized modification.</title><description><VulnDiscussion>If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve.
-
-When not configured to use a centralized logging solution like a syslog server, the JBoss EAP application server writes log data to log files that are stored on the OS; appropriate file permissions must be used to restrict modification.
-
-Log information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized modification.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000163</ident><fixtext fixref="F-68173r1_fix">Configure the OS file permissions on the application server to protect log information from unauthorized modification.</fixtext><fix id="F-68173r1_fix" /><check system="C-63057r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Examine the log file locations and inspect the file permissions. Interview the system admin to determine log file locations. The default location for the log files is:
-
-Standalone configuration:
-<JBOSS_HOME>/standalone/log/
-
-Managed Domain configuration:
-<JBOSS_HOME>/domain/servers/<servername>/log/
-<JBOSS_HOME>/domain/log/
-
-Review the file permissions for the log file directories. The method used for identifying file permissions will be based upon the OS the EAP server is installed on.
-
-Identify all users with file permissions that allow them to modify log files.
-
-Request documentation from system admin that identifies the users who are authorized to modify log files.
-
-If unauthorized users are allowed to modify log files, or if documentation that identifies the users who are authorized to modify log files is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-62255"><title>SRG-APP-000120-AS-000080</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76745r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000175</version><title>File permissions must be configured to protect log information from unauthorized deletion.</title><description><VulnDiscussion>If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve.
-
-When not configured to use a centralized logging solution like a syslog server, the JBoss EAP application server writes log data to log files that are stored on the OS, appropriate file permissions must be used to restrict deletion.
-
-Logon formation includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized deletion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000164</ident><fixtext fixref="F-68175r1_fix">Configure the OS file permissions on the application server to protect log information from unauthorized deletion.</fixtext><fix id="F-68175r1_fix" /><check system="C-63059r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Examine the log file locations and inspect the file permissions. Interview the system admin to determine log file locations. The default location for the log files is:
-
-Standalone configuration:
-<JBOSS_HOME>/standalone/log/
-
-Managed Domain configuration:
-<JBOSS_HOME>/domain/servers/<servername>/log/
-<JBOSS_HOME>/domain/log/
-
-Review the file permissions for the log file directories. The method used for identifying file permissions will be based upon the OS the EAP server is installed on.
-
-Identify all users with file permissions that allow them to delete log files.
-
-Request documentation from system admin that identifies the users who are authorized to delete log files.
-
-If unauthorized users are allowed to delete log files, or if documentation that identifies the users who are authorized to delete log files is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-62257"><title>SRG-APP-000125-AS-000084</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76747r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000195</version><title>JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.</title><description><VulnDiscussion>JBoss logs by default are written to the local file system. A centralized logging solution like syslog should be used whenever possible; however, any log data stored to the file system needs to be off-loaded. JBoss EAP does not provide an automated backup capability. Instead, reliance is placed on OS or third-party tools to back up or off-load the log files.
-
-Protection of log data includes assuring log data is not accidentally lost or deleted. Off-loading log records to a different system or onto separate media from the system the application server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001348</ident><fixtext fixref="F-68177r1_fix">Configure the application server to off-load log records every seven days onto a different system or media from the system being logged.</fixtext><fix id="F-68177r1_fix" /><check system="C-63061r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Interview the system admin and obtain details on how the log files are being off-loaded to a different system or media.
-
-If the log files are not off-loaded a minimum of every 7 days, this is a finding.</check-content></check></Rule></Group><Group id="V-62259"><title>SRG-APP-000133-AS-000092</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76749r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000210</version><title>mgmt-users.properties file permissions must be set to allow access to authorized users only.</title><description><VulnDiscussion>The mgmt-users.properties file contains the password hashes of all users who are in a management role and must be protected. Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001499</ident><fixtext fixref="F-68179r1_fix">Configure the file permissions to allow access to authorized users only.
-Owner can be full access.
-Group can be full access.
-All others must have execute permissions only.</fixtext><fix id="F-68179r1_fix" /><check system="C-63063r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>The mgmt-users.properties files are located in the standalone or domain configuration folder.
-
-<JBOSS_HOME>/domain/configuration/mgmt-users.properties.
-<JBOSS_HOME>/standalone/configuration/mgmt-users.properties.
-
-Identify users who have access to the files using relevant OS commands.
-
-Obtain documentation from system admin identifying authorized users.
-
-Owner can be full access.
-Group can be full access.
-All others must have execute permissions only.
-
-If the file permissions are not configured so as to restrict access to only authorized users, or if documentation that identifies authorized users is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-62261"><title>SRG-APP-000141-AS-000095</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76751r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000220</version><title>JBoss process owner interactive access must be restricted.</title><description><VulnDiscussion>JBoss does not require admin rights to operate and should be run as a regular user. In addition, if the user account was to be compromised and the account was allowed interactive logon rights, this would increase the risk and attack surface against the JBoss system. The right to interactively log on to the system using the JBoss account should be limited according to the OS capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68181r1_fix">Use the relevant OS commands to restrict JBoss user account from interactively logging on to the console of the JBoss system.
-
-For Windows systems, use GPO.
-
-For UNIX like systems using ssh DenyUsers <account id> or follow established procedure for restricting access.</fixtext><fix id="F-68181r1_fix" /><check system="C-63065r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Identify the user account used to run the JBoss server. Use relevant OS commands to determine logon rights to the system. This account should not have full shell/interactive access to the system.
-
-If the user account used to operate JBoss can log on interactively, this is a finding.</check-content></check></Rule></Group><Group id="V-62263"><title>SRG-APP-000141-AS-000095</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76753r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000225</version><title>Google Analytics must be disabled in EAP Console.</title><description><VulnDiscussion>The Google Analytics feature aims to help Red Hat EAP team understand how customers are using the console and which parts of the console matter the most to the customers. This information will, in turn, help the team to adapt the console design, features, and content to the immediate needs of the customers.
-
-Sending analytical data to the vendor introduces risk of unauthorized data exfiltration. This capability must be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68183r1_fix">Using the EAP web console, log on using admin credentials.
-On the bottom right-hand side of the screen, select "Settings",
-uncheck the "Enable Data Usage Collection" box, and save the configuration.</fixtext><fix id="F-68183r1_fix" /><check system="C-63067r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Open the EAP web console by pointing a web browser to HTTPS://<SERVERNAME>:9443 or HTTP://<SERVERNAME>:9990
-
-Log on to the admin console using admin credentials.
-On the bottom right-hand side of the screen, select "Settings".
-
-If the "Enable Data Usage Collection" box is checked, this is a finding.</check-content></check></Rule></Group><Group id="V-62265"><title>SRG-APP-000141-AS-000095</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76755r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000230</version><title>JBoss process owner execution permissions must be limited.</title><description><VulnDiscussion>JBoss EAP application server can be run as the OS admin, which is not advised. Running the application server with admin privileges increases the attack surface by granting the application server more rights than it requires in order to operate. If the server is compromised, the attacker will have the same rights as the application server, which in that case would be admin rights. The JBoss EAP server must not be run as the admin user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68185r1_fix">Run the JBoss server with non-admin rights.</fixtext><fix id="F-68185r1_fix" /><check system="C-63069r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>The script that is used to start JBoss determines the mode in which JBoss will operate, which will be in either in standalone mode or domain mode. Both scripts are installed by default in the <JBOSS_HOME>/bin/ folder.
-
-In addition to running the JBoss server as an interactive script launched from the command line, JBoss can also be started as a service.
-
-The scripts used to start JBoss are:
-Red Hat:
-standalone.sh
-domain.sh
-
-Windows:
-standalone.bat
-domain.bat
-
-Use the relevant OS commands to determine JBoss ownership.
-
-When running as a process:
-Red Hat: "ps -ef|grep -i jboss".
-Windows: "services.msc".
-
-Search for the JBoss process, which by default is named "JBOSSEAP6".
-
-If the user account used to launch the JBoss script or start the JBoss process has admin rights on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-62267"><title>SRG-APP-000141-AS-000095</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76757r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000235</version><title>JBoss QuickStarts must be removed.</title><description><VulnDiscussion>JBoss QuickStarts are demo applications that can be deployed quickly. Demo applications are not written with security in mind and often open new attack vectors. QuickStarts must be removed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68187r1_fix">Delete the QuickStarts folder.</fixtext><fix id="F-68187r1_fix" /><check system="C-63071r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Examine the <JBOSS_HOME> folder. 
If a jboss-eap-6.3.0-GA-quickstarts folder exits, this is a finding.</check-content></check></Rule></Group><Group id="V-62269"><title>SRG-APP-000141-AS-000095</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76759r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000240</version><title>Remote access to JMX subsystem must be disabled.</title><description><VulnDiscussion>The JMX subsystem allows you to trigger JDK and application management operations remotely. In a managed domain configuration, the JMX subsystem is removed by default. For a standalone configuration, it is enabled by default and must be removed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68189r1_fix">Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-
-For a Managed Domain configuration you must check each profile name:
-
-For each PROFILE NAME, run the command:
-"/profile=<PROFILE NAME>/subsystem=jmx/remoting-connector=jmx:remove"
-
-For a Standalone configuration:
-"/subsystem=jmx/remoting-connector=jmx:remove"</fixtext><fix id="F-68189r1_fix" /><check system="C-63073r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-
-For a Managed Domain configuration, you must check each profile name:
-
-For each PROFILE NAME, run the command:
-"ls /profile=<PROFILE NAME>/subsystem=jmx/remoting-connector"
-
-For a Standalone configuration:
-"ls /subsystem=jmx/remoting-connector"
-
-If "jmx" is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-62271"><title>SRG-APP-000141-AS-000095</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76761r1_rule" severity="low" weight="10.0"><version>JBOS-AS-000245</version><title>Welcome Web Application must be disabled.</title><description><VulnDiscussion>The Welcome to JBoss web page provides a redirect to the JBoss admin console, which, by default, runs on TCP 9990 as well as redirects to the Online User Guide and Online User Groups hosted at locations on the Internet. The welcome page is unnecessary and should be disabled or replaced with a valid web page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68191r1_fix">Use the Management CLI script JBOSS_HOME/bin/jboss-cli.sh to run the following command. You may need to change the profile to modify a different managed domain profile, or remove the "/profile=default" portion of the command for a standalone server.
-
-"/profile=default/subsystem=web/virtual-server=default-host:writeattribute(name=enable-welcome-root,value=false)"
-
-To configure your web application to use the root context (/) as its URL address, modify the applications jboss-web.xml, which is located in the applications META-INF/ or WEB-INF/ directory. Replace its <context-root> directive with one that looks like the following:
-
-<jboss-web>
- <context-root>/</context-root>
-</jboss-web></fixtext><fix id="F-68191r1_fix" /><check system="C-63075r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Use a web browser and browse to HTTP://JBOSS SERVER IP ADDRESS:8080
-
-If the JBoss Welcome page is displayed, this is a finding.</check-content></check></Rule></Group><Group id="V-62273"><title>SRG-APP-000141-AS-000095</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76763r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000250</version><title>Any unapproved applications must be removed.</title><description><VulnDiscussion>Extraneous services and applications running on an application server expands the attack surface and increases risk to the application server. Securing any server involves identifying and removing any unnecessary services and, in the case of an application server, unnecessary and/or unapproved applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68193r1_fix">Identify, authorize, and document all applications that are deployed to the application server. Remove unauthorized applications.</fixtext><fix id="F-68193r1_fix" /><check system="C-63077r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-Run the command:
-
-ls /deployment
-
-The list of deployed applications is displayed. Have the system admin identify the applications listed and confirm they are approved applications.
-
-If the system admin cannot provide documentation proving their authorization for deployed applications, this is a finding.</check-content></check></Rule></Group><Group id="V-62275"><title>SRG-APP-000142-AS-000014</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76765r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000255</version><title>JBoss application and management ports must be approved by the PPSM CAL.</title><description><VulnDiscussion>Some networking protocols may not meet organizational security requirements to protect data and components.
-
-Application servers natively host a number of various features, such as management interfaces, httpd servers and message queues. These features all run on TCPIP ports. This creates the potential that the vendor may choose to utilize port numbers or network services that have been deemed unusable by the organization. The application server must have the capability to both reconfigure and disable the assigned ports without adversely impacting application server operation capabilities. For a list of approved ports and protocols, reference the DoD ports and protocols website at https://powhatan.iiie.disa.mil/ports/cal.html.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000382</ident><fixtext fixref="F-68195r1_fix">Open the EAP web console by pointing a web browser to HTTPS://<Servername>:9990
-
-Log on to the admin console using admin credentials
-Select the "Configuration" tab
-Expand the "General Configuration" sub system by clicking on the +
-Select "Socket Binding"
-Select the "View" option next to "standard-sockets"
-Select "Inbound"
-
-Select the port that needs to be reconfigured and select "Edit".</fixtext><fix id="F-68195r1_fix" /><check system="C-63079r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Open the EAP web console by pointing a web browser to HTTPS://<Servername>:9443 or HTTP://<Servername>:9990
-
-Log on to the admin console using admin credentials
-Select the "Configuration" tab
-Expand the "General Configuration" sub system by clicking on the +
-Select "Socket Binding"
-Select the "View" option next to "standard-sockets"
-Select "Inbound"
-
-Review the configured ports and determine if they are all approved by the PPSM CAL.
-
-If all the ports are not approved by the PPSM CAL, this is a finding.</check-content></check></Rule></Group><Group id="V-62277"><title>SRG-APP-000148-AS-000101</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76767r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000260</version><title>The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.</title><description><VulnDiscussion>To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated. This is typically accomplished via the use of a user store that is either local (OS-based) or centralized (Active Directory/LDAP) in nature. It should be noted that JBoss does not specifically mention Active Directory since AD is LDAP aware.
-
-To ensure accountability and prevent unauthorized access, the JBoss Server must be configured to utilize a centralized authentication mechanism.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000764</ident><fixtext fixref="F-68197r1_fix">Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.
-
-1. Create an outbound connection to the LDAP server.
-2. Create an LDAP-enabled security realm.
-3. Reference the new security domain in the Management Interface.</fixtext><fix id="F-68197r1_fix" /><check system="C-63081r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-To obtain the list of security realms run the command:
-"ls /core-service=management/security-realm="
-
-Review each security realm using the command:
-"ls /core-service=management/security-realm=<SECURITY_REALM_NAME>/authentication"
-
-If this command does not return a security realm that uses LDAP for authentication, this is a finding.</check-content></check></Rule></Group><Group id="V-62279"><title>SRG-APP-000149-AS-000102</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76769r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000265</version><title>The JBoss Server must be configured to use certificates to authenticate admins.</title><description><VulnDiscussion>Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Unlike a simple username/password scenario where the attacker could gain access by knowing both the username and password without the user knowing his account was compromised, multifactor authentication adds the requirement that the attacker must have something from the user, such as a token, or to biometrically be the user.
-
-Multifactor authentication is defined as: using two or more factors to achieve authentication.
-
-Factors include:
-(i) something a user knows (e.g., password/PIN);
-(ii) something a user has (e.g., cryptographic identification device, token); or
-(iii) something a user is (e.g., biometric). A CAC or PKI Hardware Token meets this definition.
-
-A privileged account is defined as an information system account with authorizations of a privileged user. These accounts would be capable of accessing the web management interface.
-
-When accessing the application server via a network connection, administrative access to the application server must be PKI Hardware Token enabled or a DoD-approved soft certificate.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000765</ident><fixtext fixref="F-68199r1_fix">Configure the application server to authenticate privileged users via multifactor/certificate-based authentication mechanisms when using network access to the management interface.</fixtext><fix id="F-68199r1_fix" /><check system="C-63083r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Follow these steps:
-1. Identify the security realm assigned to the management interfaces by using the following command:
-
-For standalone systems:
-"ls /core-service=management/management-interface=<INTERFACE-NAME>"
-
-For managed domain systems:
-"ls /host=master/core-service=management/management-interface=<INTERFACE-NAME>"
-
-Document the name of the security-realm associated with each management interface.
-
-2. Review the security realm using the command:
-
-For standalone systems:
-"ls /core-service=management/security-realm=<SECURITY_REALM_NAME>/authentication"
-
-For managed domains:
-"ls /host=master/core-service=management/security-realm=<SECURITY_REALM_NAME>/authentication"
-
-If the command in step 2 does not return a security realm that uses certificates for authentication, this is a finding.</check-content></check></Rule></Group><Group id="V-62281"><title>SRG-APP-000153-AS-000104</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76771r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000275</version><title>The JBoss server must be configured to use individual accounts and not generic or shared accounts.</title><description><VulnDiscussion>To assure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application server users) must be individually identified and authenticated.
-
-A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users.
-
-Application servers must ensure that individual users are authenticated prior to authenticating via role or group authentication. This is to ensure that there is non-repudiation for actions taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000770</ident><fixtext fixref="F-68201r1_fix">Configure the application server so required users are individually authenticated by creating individual user accounts. Utilize an LDAP server that is configured according to DOD policy.</fixtext><fix id="F-68201r1_fix" /><check system="C-63085r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>If the application server management interface is configured to use LDAP authentication this requirement is NA.
-
-Determine the mode in which the JBoss server is operating by authenticating to the OS, changing to the <JBOSS_HOME>/bin/ folder and executing the jboss-cli script.
-Connect to the server and authenticate.
-Run the command: "ls" and examine the "launch-type" setting.
-
-User account information is stored in the following files for a JBoss server configured in standalone mode. The command line flags passed to the "standalone" startup script determine the standalone operating mode:
-<JBOSS_HOME>/standalone/configuration/standalone.xml
-<JBOSS_HOME>/standalone/configuration/standalone-full.xml
-<JBOSS_HOME>/standalone/configuration/standalone.-full-ha.xml
-<JBOSS_HOME>/standalone/configuration/standalone.ha.xml
-
-For a Managed Domain:
-<JBOSS_HOME>/domain/configuration/domain.xml.
-
-Review both files for generic or shared user accounts.
-
-Open each xml file with a text editor and locate the <management-interfaces> section.
-Review the <user name = "xxxxx"> sub-section where "xxxxx" will be a user name.
-
-Have the system administrator identify the user of each user account.
-
-If user accounts are not assigned to individual users, this is a finding.</check-content></check></Rule></Group><Group id="V-62283"><title>SRG-APP-000158-AS-000108</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76773r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000285</version><title>The JBoss server must be configured to bind the management interfaces to only management networks.</title><description><VulnDiscussion> JBoss provides multiple interfaces for accessing the system. By default, these are called "public" and "management". Allowing non-management traffic to access the JBoss management interface increases the chances of a security compromise. The JBoss server must be configured to bind the management interface to a network that controls access. This is usually a network that has been designated as a management network and has restricted access. Similarly, the public interface must be bound to a network that is not on the same segment as the management interface.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000778</ident><fixtext fixref="F-68203r1_fix">Refer to Section 4.9 of the JBoss EAP 6.3 Installation guide for detailed instructions on how to start JBoss as a service.
-
-Use the following command line parameters to assign the management interface to a specific management network.
-
-These command line flags must be added both when starting JBoss as a service and when starting from the command line.
-
-Substitute your actual network address for the 10.x.x.x addresses provided as an example below.
-
-For a standalone configuration:
-JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1
-
-JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1
-
-If a management network is not available, you may substitute localhost/127.0.0.1 for management address. This will force you to manage the JBoss server from the local host.</fixtext><fix id="F-68203r1_fix" /><check system="C-63087r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Obtain documentation and network drawings from system admin that shows the network interfaces on the JBoss server and the networks they are configured for.
-
-If a management network is not used, you may substitute localhost/127.0.0.1 for management address. If localhost/127.0.0.1 is used for management interface, this is not a finding.
-
-From the JBoss server open the web-based admin console by pointing a browser to HTTP://127.0.0.1:9990.
-Log on to the management console with admin credentials.
-Select "RUNTIME".
-Expand STATUS by clicking on +.
-Expand PLATFORM by clicking on +.
-In the "Environment" tab, click the > arrow until you see the "jboss.bind.properties" and the "jboss.bind.properties.management" values.
-
-If the jboss.bind.properties and the jboss.bind.properties.management do not have different IP network addresses assigned, this is a finding.
-
-Review the network documentation. If access to the management IP address is not restricted, this is a finding.</check-content></check></Rule></Group><Group id="V-62285"><title>SRG-APP-000163-AS-000111</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76775r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000290</version><title>JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.</title><description><VulnDiscussion>JBoss EAP provides a security realm called ManagementRealm. By default, this realm uses the mgmt-users.properties file for authentication. Using file-based authentication does not allow the JBoss server to be in compliance with a wide range of user management requirements such as automatic disabling of inactive accounts as per DoD policy. To address this issue, the management interfaces used to manage the JBoss server must be associated with a security realm that provides centralized authentication management. Examples are AD or LDAP.
-
-Management of user identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). It is commonly the case that a user account is the name of an information system account associated with an individual.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000795</ident><fixtext fixref="F-68205r1_fix">Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.
-
-1. Create an outbound connection to the LDAP server.
-2. Create an LDAP-enabled security realm.
-3. Reference the new security domain in the Management Interface.</fixtext><fix id="F-68205r1_fix" /><check system="C-63089r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Obtain the list of management interfaces by running the command:
-"ls /core-service=management/management-interface"
-
-Identify the security realm used by each management interface configuration by running the command:
-"ls /core-service=management/management-interface=<MANAGEMENT-INTERFACE-NAME>"
-
-Determine if the security realm assigned to the management interface uses LDAP for authentication by running the command:
-"ls /core-service=management/security-realm=<SECURITY_REALM_NAME>/authentication"
-
-If the security realm assigned to the management interface does not utilize LDAP for authentication, this is a finding.</check-content></check></Rule></Group><Group id="V-62287"><title>SRG-APP-000171-AS-000119</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76777r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000295</version><title>The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.</title><description><VulnDiscussion>JBoss EAP 6 has a Password Vault to encrypt sensitive strings, store them in an encrypted keystore, and decrypt them for applications and verification systems. Plain-text configuration files, such as XML deployment descriptors, need to specify passwords and other sensitive information. Use the JBoss EAP Password Vault to securely store sensitive strings in plain-text files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000196</ident><fixtext fixref="F-68207r1_fix">Configure the application server to use the java keystore and JBoss vault as per section 11.13.1 -Password Vault System in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.
-
-1. Create a java keystore.
-2. Mask the keystore password and initialize the password vault.
-3. Configure JBoss to use the password vault.</fixtext><fix id="F-68207r1_fix" /><check system="C-63091r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-Run the command:
-
-"ls /core-service=vault"
-
-If "code=undefined" and "module=undefined",
-this is a finding.</check-content></check></Rule></Group><Group id="V-62289"><title>SRG-APP-000171-AS-000119</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76779r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000300</version><title>JBoss KeyStore and Truststore passwords must not be stored in clear text.</title><description><VulnDiscussion>Access to the JBoss Password Vault must be secured, and the password used to access must be encrypted. There is a specific process used to generate the encrypted password hash. This process must be followed in order to store the password in an encrypted format.
-
-The admin must utilize this process in order to ensure the Keystore password is encrypted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000196</ident><fixtext fixref="F-68209r1_fix">Configure the application server to mask the java keystore password as per the procedure described in section 11.13.3 -Password Vault System in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.</fixtext><fix id="F-68209r1_fix" /><check system="C-63093r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>The default location for the keystore used by the JBoss vault is the <JBOSS_HOME>/vault/ folder.
-
-If a vault keystore has been created, by default it will be in the file: <JBOSS_HOME>/vault/vault.keystore. The file stores a single key, with the default alias vault, which will be used to store encrypted strings, such as passwords, for JBoss EAP.
-
-Have the system admin provide the procedure used to encrypt the keystore password that unlocks the keystore.
-
-If the system administrator is unable to demonstrate or provide written process documentation on how to encrypt the keystore password, this is a finding.</check-content></check></Rule></Group><Group id="V-62291"><title>SRG-APP-000172-AS-000120</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76781r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000305</version><title>LDAP enabled security realm value allow-empty-passwords must be set to false.</title><description><VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
-
-Application servers have the capability to utilize either certificates (tokens) or user IDs and passwords in order to authenticate. When the application server transmits or receives passwords, the passwords must be encrypted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000197</ident><fixtext fixref="F-68211r1_fix">Configure the LDAP Security Realm using default settings that sets "allow-empty-values" to false. LDAP Security Realm creation is described in section 11.9 -Add an LDAP Security Realm in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.</fixtext><fix id="F-68211r1_fix" /><check system="C-63095r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-Run the command:
-
-"ls /core-service=management/security-realm=ldap_security_realm/authentication=ldap"
-
-If "allow-empty-passwords=true", this is a finding.</check-content></check></Rule></Group><Group id="V-62293"><title>SRG-APP-000172-AS-000121</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76783r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000310</version><title>JBoss must utilize encryption when using LDAP for authentication.</title><description><VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission.
-
-Application servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the application server utilizes LDAP, the LDAP traffic must be encrypted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000197</ident><fixtext fixref="F-68213r1_fix">Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.
-
-1. Create an outbound connection to the LDAP server.
-2. Create an LDAP-enabled security realm.
-3. Reference the new security domain in the Management Interface.</fixtext><fix id="F-68213r1_fix" /><check system="C-63097r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Run the following command:
-
-For standalone servers:
-"ls /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=ldap_connection"
-
-For managed domain installations:
-"ls /socket-binding-group=<PROFILE>/remote-destination-outbound-socket-binding="
-
-The default port for secure LDAP is 636.
-
-If 636 or secure LDAP protocol is not utilized, this is a finding.</check-content></check></Rule></Group><Group id="V-62295"><title>SRG-APP-000176-AS-000125</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76785r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000320</version><title>The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators.</title><description><VulnDiscussion>The cornerstone of the PKI is the private key used to encrypt or digitally sign information.
-
-If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and can pretend to be the authorized user.
-
-Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. Java-based application servers utilize the Java keystore, which provides storage for cryptographic keys and certificates. The keystore is usually maintained in a file stored on the file system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000186</ident><fixtext fixref="F-68215r1_fix">Configure the application server OS file permissions on the corresponding private key to restrict access to authorized accounts or roles.</fixtext><fix id="F-68215r1_fix" /><check system="C-63099r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>The default location for the keystore used by the JBoss vault is the <JBOSS_HOME>/vault/ folder.
-
-If a vault keystore has been created, by default it will be in the file: <JBOSS_HOME>/vault/vault.keystore. The file stores a single key, with the default alias vault, which will be used to store encrypted strings, such as passwords, for JBoss EAP.
-
-Browse to the JBoss vault folder using the relevant OS commands.
-Review the file permissions and ensure only system administrators and JBoss users are allowed access.
-
-Owner can be full access
-Group can be full access
-All others must be restricted to execute access or no permission.
-
-If non-system administrators are allowed to access the <JBOSS_HOME>/vault/
-folder, this is a finding.</check-content></check></Rule></Group><Group id="V-62297"><title>SRG-APP-000211-AS-000146</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76787r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000355</version><title>The JBoss server must separate hosted application functionality from application server management functionality.</title><description><VulnDiscussion>The application server consists of the management interface and hosted applications. By separating the management interface from hosted applications, the user must authenticate as a privileged user to the management interface before being presented with management functionality. This prevents non-privileged users from having visibility to functions not available to the user. By limiting visibility, a compromised non-privileged account does not offer information to the attacker or functionality and information needed to further the attack on the application server.
-
-JBoss is designed to operate with separate application and management interfaces.
-The JBoss server is started via a script. To start the JBoss server in domain mode, the admin will execute the <JBOSS_HOME>/bin/domain.sh or domain.bat script.
-
-To start the JBoss server in standalone mode, the admin will execute <JBOSS_HOME>/bin/standalone.bat or standalone.sh.
-
-Command line flags are used to specify which network address is used for management and which address is used for public/application access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001082</ident><fixtext fixref="F-68217r1_fix">Start the application server with a -bmanagement and a -b flag so that admin management functionality and hosted applications are separated.
-
-Refer to section 4.9 in the JBoss EAP 6.3 Installation Guide for specific instructions on how to start the JBoss server as a service.</fixtext><fix id="F-68217r1_fix" /><check system="C-63101r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>If JBoss is not started with separate management and public interfaces, this is a finding.
-
-Review the network design documents to identify the IP address space for the management network.
-
-Use relevant OS commands and administrative techniques to determine how the system administrator starts the JBoss server. This includes interviewing the system admin, using the "ps -ef|grep" command for UNIX like systems or checking command line flags and properties on batch scripts for Windows systems.
-
-Ensure the startup syntax used to start JBoss specifies a management network address and a public network address.
-
-The "-b" flag specifies the public address space.
-The "-bmanagement" flag specifies the management address space.
-
-Example:
-<JBOSS_HOME>/bin/standalone.sh -bmanagement 10.10.10.35 -b 192.168.10.25
-
-If JBoss is not started with separate management and public interfaces, this is a finding.</check-content></check></Rule></Group><Group id="V-62299"><title>SRG-APP-000231-AS-000133</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76789r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000400</version><title>JBoss file permissions must be configured to protect the confidentiality and integrity of application files.</title><description><VulnDiscussion>The JBoss EAP Application Server is a Java-based AS. It is installed on the OS file system and depends upon file system access controls to protect application data at rest. The file permissions set on the JBoss EAP home folder must be configured so as to limit access to only authorized people and processes. The account used for operating the JBoss server and any designated administrative or operational accounts are the only accounts that should have access.
-
-When data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise. Steps must be taken to ensure data stored on the device is protected.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001199</ident><fixtext fixref="F-68219r1_fix">Configure file permissions on the JBoss folder to protect from unauthorized access.</fixtext><fix id="F-68219r1_fix" /><check system="C-63103r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>By default, JBoss installs its files into a folder called "jboss-eap-6.3". This folder by default is stored within the home folder of the JBoss user account. The installation process, however, allows for the override of default values to obtain folder and user account information from the system admin.
-
-Log on with a user account with JBoss access and permissions.
-
-Navigate to the "Jboss-eap-6.3" folder using the relevant OS commands for either a UNIX-like OS or a Windows OS.
-
-Examine the permissions of the JBoss folder.
-
-Owner can be full access.
-Group can be full access.
-All others must be restricted to execute access or no permission.
-
-If the JBoss folder is world readable or world writeable, this is a finding.</check-content></check></Rule></Group><Group id="V-62301"><title>SRG-APP-000267-AS-000170</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76791r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000425</version><title>Access to JBoss log files must be restricted to authorized users.</title><description><VulnDiscussion>If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
-
-Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001314</ident><fixtext fixref="F-68221r1_fix">Configure file permissions on the JBoss log folder to protect from unauthorized access.</fixtext><fix id="F-68221r1_fix" /><check system="C-63105r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>If the JBoss log folder is installed in the default location and AS-000133-JBOSS-00079 is not a finding, the log folders are protected and this requirement is not a finding.
-
-By default, JBoss installs its log files into a sub-folder of the "jboss-eap-6.3" home folder.
-Using a UNIX like OS example, the default location for log files is:
-
-JBOSS_HOME/standalone/log
-JBOSS_HOME/domain/log
-
-For a standalone configuration:
-JBOSS_HOME/standalone/log/server.log" Contains all server log messages, including server startup messages.
-
-For a domain configuration:
-JBOSS_HOME/domain/log/hostcontroller.log
-Host Controller boot log. Contains log messages related to the startup of the host controller.
-
-JBOSS_HOME/domain/log/processcontroller.log
-Process controller boot log. Contains log messages related to the startup of the process controller.
-
-JBOSS_HOME/domain/servers/SERVERNAME/log/server.log
-The server log for the named server. Contains all log messages for that server, including server startup messages.
-
-Log on with an OS user account with JBoss access and permissions.
-
-Navigate to the "Jboss-eap-6.3" folder using the relevant OS commands for either a UNIX like OS or a Windows OS.
-
-Examine the permissions of the JBoss logs folders.
-
-Owner can be full access.
-Group can be full access.
-All others must be restricted.
-
-If the JBoss log folder is world readable or world writeable, this is a finding.</check-content></check></Rule></Group><Group id="V-62303"><title>SRG-APP-000316-AS-000199</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76793r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000470</version><title>Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller.</title><description><VulnDiscussion>When configuring JBoss application servers into a domain configuration, HTTP management capabilities are not required on domain member servers as management is done via the server that has been designated as the domain controller.
-
-Leaving HTTP management capabilities enabled on domain member servers increases the attack surfaces; therefore, management services on domain member servers must be disabled and management services performed via the domain controller.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002322</ident><fixtext fixref="F-68223r1_fix">Run the <JBOSS_HOME>/bin/jboss-cli command line interface utility.
-Connect to the JBoss server and run the following command.
-/core-service=management/management-interface=httpinterface/:write-attribute(name=console-enabled,value=false)
-
-Successful command execution returns
-{"outcome" => "success"}, and future attempts to access the management console via web browser at <SERVERNAME>:9990 will result in no access to the admin console.</fixtext><fix id="F-68223r1_fix" /><check system="C-63107r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to each of the JBoss domain member servers.
-
-Note: Sites that manage systems using the JBoss Operations Network client require HTTP interface access. It is acceptable that the management console alone be disabled rather than disabling the entire interface itself.
-
-Run the <JBOSS_HOME>/bin/jboss-cli command line interface utility and connect to the JBoss server.
-Run the following command:
-ls /core-service=management/management-interface=httpinterface/
-
-If "console-enabled=true", this is a finding.</check-content></check></Rule></Group><Group id="V-62305"><title>SRG-APP-000340-AS-000185</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76795r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000475</version><title>The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</title><description><VulnDiscussion>Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
-
-Restricting non-privileged users also prevents an attacker who has gained access to a non-privileged account, from elevating privileges, creating accounts, and performing system checks and maintenance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002235</ident><fixtext fixref="F-68225r1_fix">Run the following command.
-<JBOSS_HOME>/bin/jboss-cli.sh -c -> connect -> cd /core-service=management/access-authorization :write-attribute(name=provider, value=rbac)
-
-Restart JBoss.
-
-Map users to roles by running the following command. Upper-case words are variables.
-
-role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)</fixtext><fix id="F-68225r1_fix" /><check system="C-63109r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Run the following command:
-
-For standalone servers:
-"ls /core-service=management/access=authorization/"
-
-For managed domain installations:
-"ls /host=master/core-service=management/access=authorization/"
-
-If the "provider" attribute is not set to "rbac", this is a finding.</check-content></check></Rule></Group><Group id="V-62307"><title>SRG-APP-000343-AS-000030</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76797r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000480</version><title>The JBoss server must be configured to log all admin activity.</title><description><VulnDiscussion>In order to be able to provide a forensic history of activity, the application server must ensure users who are granted a privileged role or those who utilize a separate distinct account when accessing privileged functions or data have their actions logged.
-
-If privileged activity is not logged, no forensic logs can be used to establish accountability for privileged actions that occur on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002234</ident><fixtext fixref="F-68227r1_fix">Launch the jboss-cli management interface substituting standalone or domain for <CONFIG> based upon the server installation.
-
-<JBOSS_HOME>/<CONFIG>/bin/jboss-cli
-
-connect to the server and run the following command:
-
-/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</fixtext><fix id="F-68227r1_fix" /><check system="C-63111r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-Run the command:
-
-/core-service=management/access=audit:read-resource(recursive=true)
-
-Under the "logger" => {audit-log} section of the returned response:
-If "enabled" => false, this is a finding</check-content></check></Rule></Group><Group id="V-62309"><title>SRG-APP-000358-AS-000064</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76799r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000505</version><title>The JBoss server must be configured to utilize syslog logging.</title><description><VulnDiscussion>Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control or flow control rules invoked.
-
-Off-loading is a common process in information systems with limited log storage capacity.
-
-Centralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application servers and their related components are required to off-load log records onto a different system or media than the system being logged.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001851</ident><fixtext fixref="F-68229r1_fix">Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-Run the command:
-
-Standalone configuration:
-"ls /subsystem=logging/syslog-handler="
-
-Domain configuration:
-"ls /profile=default/subsystem=logging/syslog-handler="
-
-If no values are returned, this is a finding.</fixtext><fix id="F-68229r1_fix" /><check system="C-63113r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-Run the command:
-
-Standalone configuration:
-"ls /subsystem=logging/syslog-handler="
-
-Domain configuration:
-"ls /profile=<specify>/subsystem=logging/syslog-handler="
-Where <specify> = the selected application server profile of; default,full, full-ha or ha.
-
-If no values are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-62311"><title>SRG-APP-000380-AS-000088</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76801r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000545</version><title>Production JBoss servers must not allow automatic application deployment.</title><description><VulnDiscussion>When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant effects on the overall security of the system.
-
-Access restrictions for changes also include application software libraries.
-
-If the application server provides automatic code deployment capability, (where updates to applications hosted on the application server are automatically performed, usually by the developers' IDE tool), it must also provide a capability to restrict the use of automatic application deployment. Automatic code deployments are allowable in a development environment, but not in production.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001813</ident><fixtext fixref="F-68231r1_fix">Determine the JBoss server configuration as being either standalone or domain.
-
-Launch the relevant jboss-cli management interface substituting standalone or domain for <CONFIG>
-
-<JBOSS_HOME>/<CONFIG>/bin/jboss-cli
-
-connect to the server and run the command:
-
-/subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-enabled,value=false)</fixtext><fix id="F-68231r1_fix" /><check system="C-63115r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-Run the command:
-
-ls /subsystem=deployment-scanner/scanner=default
-
-If "scan-enabled"=true, this is a finding.</check-content></check></Rule></Group><Group id="V-62313"><title>SRG-APP-000381-AS-000089</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76803r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000550</version><title>Production JBoss servers must log when failed application deployments occur.</title><description><VulnDiscussion>Without logging the enforcement of access restrictions against changes to the application server configuration, it will be difficult to identify attempted attacks, and a log trail will not be available for forensic investigation for after-the-fact actions. Configuration changes may occur to any of the modules within the application server through the management interface, but logging of actions to the configuration of a module outside the application server is not logged.
-
-Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Log items may consist of lists of actions blocked by access restrictions or changes identified after the fact.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001814</ident><fixtext fixref="F-68233r1_fix">Launch the jboss-cli management interface substituting standalone or domain for <CONFIG> based upon the server installation.
-
-<JBOSS_HOME>/<CONFIG>/bin/jboss-cli
-
-connect to the server and run the following command:
-
-/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</fixtext><fix id="F-68233r1_fix" /><check system="C-63117r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-Run the command:
-
-ls /core-service=management/access=audit/logger=audit-log
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62315"><title>SRG-APP-000381-AS-000089</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76805r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000555</version><title>Production JBoss servers must log when successful application deployments occur.</title><description><VulnDiscussion>Without logging the enforcement of access restrictions against changes to the application server configuration, it will be difficult to identify attempted attacks, and a log trail will not be available for forensic investigation for after-the-fact actions. Configuration changes may occur to any of the modules within the application server through the management interface, but logging of actions to the configuration of a module outside the application server is not logged.
-
-Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Log items may consist of lists of actions blocked by access restrictions or changes identified after the fact.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001814</ident><fixtext fixref="F-68235r1_fix">Launch the jboss-cli management interface substituting standalone or domain for <CONFIG> based upon the server installation.
-
-<JBOSS_HOME>/<CONFIG>/bin/jboss-cli
-
-connect to the server and run the following command:
-
-/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</fixtext><fix id="F-68235r1_fix" /><check system="C-63119r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-Run the command:
-
-ls /core-service=management/access=audit/logger=audit-log
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62317"><title>SRG-APP-000427-AS-000264</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76807r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000625</version><title>JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.</title><description><VulnDiscussion>Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.
-
-The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. The application server must only allow the use of DoD PKI-established certificate authorities for verification.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002470</ident><fixtext fixref="F-68237r1_fix">Locate the cacerts file for the JVM. This can be done using the appropriate find command for the OS and change to the directory where the cacerts file is located.
-
-Remove the certificates that have a CA that is non-DoD approved, and import DoD CA-approved certificates.</fixtext><fix id="F-68237r1_fix" /><check system="C-63121r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Locate the cacerts file for the JVM. This can be done using the appropriate find command for the OS and change to the directory where the cacerts file is located.
-
-To view the certificates stored within this file, execute the java command "keytool -list -v -keystore ./cacerts".
-Verify that the Certificate Authority (CA) for each certificate is DoD-approved.
-
-If any certificates have a CA that are not DoD-approved, this is a finding.</check-content></check></Rule></Group><Group id="V-62319"><title>SRG-APP-000435-AS-000069</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76809r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000640</version><title>The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.</title><description><VulnDiscussion>A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the application server, the hosted application and data are given a platform that is load-balanced and provides high availability.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002385</ident><fixtext fixref="F-68239r1_fix">Configure the application server to provide LB or HA services for the hosted application.</fixtext><fix id="F-68239r1_fix" /><check system="C-63123r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Interview the system admin and determine if the applications hosted on the application server are mission critical and require load balancing (LB) or high availability (HA).
-
-If the applications do not require LB or HA, this requirement is NA.
-
-If the documentation shows the LB or HA services are being provided by another system other than the application server, this requirement is NA.
-
-If applications require LB or HA, request documentation from the system admin that identifies what type of LB or HA configuration has been implemented on the application server.
-
-Ask the system admin to identify the components that require protection. Some options are included here as an example. Bear in mind the examples provided are not complete and absolute and are only provided as examples. The components being made redundant or HA by the application server will vary based upon application availability requirements.
-
-Examples are:
-Instances of the Application Server
-Web Applications
-Stateful, stateless and entity Enterprise Java Beans (EJBs)
-Single Sign On (SSO) mechanisms
-Distributed Cache
-HTTP sessions
-JMS and Message Services.
-
-If the hosted application requirements specify LB or HA and the JBoss server has not been configured to offer HA or LB, this is a finding.</check-content></check></Rule></Group><Group id="V-62321"><title>SRG-APP-000439-AS-000155</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76811r2_rule" severity="medium" weight="10.0"><version>JBOS-AS-000650</version><title>JBoss must be configured to use an approved TLS version.</title><description><VulnDiscussion>Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission. This is usually achieved through the use of Transport Layer Security (TLS).
-
-JBoss relies on the underlying SSL implementation running on the OS. This can be either Java based or OpenSSL. The SSL protocol setting determines which SSL protocol is used. SSL has known security vulnerabilities, so TLS should be used instead.
-
-If data is transmitted unencrypted, the data then becomes vulnerable to disclosure. The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
-
-FIPS 140-2 approved TLS versions include TLS V1.0 or greater.
-
-TLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002418</ident><fixtext fixref="F-68241r1_fix">Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red Hat vendor's web site for step-by-step instructions on establishing SSL encryption on JBoss.
-
-The overall steps include:
-
-1. Add an HTTPS connector.
-2. Configure the SSL encryption certificate and keys.
-3. Set the protocol to TLS V1.1 or V1.2.</fixtext><fix id="F-68241r1_fix" /><check system="C-63125r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Validate that the TLS protocol is used for HTTPS connections.
-Run the command:
-
-"ls /subsystem=web/connector=https/ssl=configuration"
-
-If a TLS V1.1 or V1.2 protocol is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-62323"><title>SRG-APP-000440-AS-000167</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76813r2_rule" severity="medium" weight="10.0"><version>JBOS-AS-000655</version><title>JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.</title><description><VulnDiscussion>Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec tunnel.
-
-If data in transit is unencrypted, it is vulnerable to disclosure and modification. If approved cryptographic algorithms are not used, encryption strength cannot be assured.
-
-FIPS 140-2 approved TLS versions include TLS V1.0 or greater.
-
-TLS must be enabled, and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002421</ident><fixtext fixref="F-68243r1_fix">Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red Hat vendor's website for step-by-step instructions on establishing SSL encryption on JBoss.
-
-The overall steps include:
-
-1. Add an HTTPS connector.
-2. Configure the SSL encryption certificate and keys.
-3. Set the Cipher to an approved algorithm.</fixtext><fix id="F-68243r1_fix" /><check system="C-63127r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Validate that the TLS protocol is used for HTTPS connections.
-Run the command:
-
-"ls /subsystem=web/connector=https/ssl=configuration"
-
-Review the cipher suites. The following suites are acceptable as per NIST 800-52r1 section 3.3.1 - Cipher Suites. Refer to the NIST document for a complete list of acceptable cipher suites. The source NIST document and approved encryption algorithms/cipher suites are subject to change and should be referenced.
-
-AES_128_CBC
-AES_256_CBC
-AES_128_GCM
-AES_128_CCM
-AES_256_CCM
-
-If the cipher suites utilized by the TLS server are not approved by NIST as per 800-52r1, this is a finding.</check-content></check></Rule></Group><Group id="V-62325"><title>SRG-APP-000456-AS-000266</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76815r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000680</version><title>Production JBoss servers must be supported by the vendor.</title><description><VulnDiscussion>The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product. It is imperative that patches and updates be applied to JBoss in a timely manner as many attacks against JBoss focus on unpatched systems. It is critical that support be obtained and made available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002605</ident><fixtext fixref="F-68245r1_fix">Obtain vendor support from Red Hat.</fixtext><fix id="F-68245r1_fix" /><check system="C-63129r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Interview the system admin and have them either show documented proof of current support, or have them demonstrate their ability to access the Red Hat Enterprise Support portal.
-
-Verify Red Hat support includes coverage for the JBoss product.
-
-If there is no current and active support from the vendor, this is a finding.</check-content></check></Rule></Group><Group id="V-62327"><title>SRG-APP-000456-AS-000266</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76817r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000685</version><title>The JRE installed on the JBoss server must be kept up to date.</title><description><VulnDiscussion>The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product. It is imperative that patches and updates be applied to JBoss in a timely manner as many attacks against JBoss focus on unpatched systems. It is critical that support be obtained and made available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002605</ident><fixtext fixref="F-68247r1_fix">Configure the operating system and the application server to use a patch management system or process that ensures security-relevant updates are installed within the time period directed by the ISSM.</fixtext><fix id="F-68247r1_fix" /><check system="C-63131r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Interview the system admin and obtain details on their patch management processes as it relates to the OS and the Application Server.
-
-If there is no active, documented patch management process in use for these components, this is a finding.</check-content></check></Rule></Group><Group id="V-62329"><title>SRG-APP-000495-AS-000220</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76819r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000690</version><title>JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur.</title><description><VulnDiscussion>Changing privileges of a subject/object may cause a subject/object to gain or lose capabilities. When successful/unsuccessful changes are made, the event needs to be logged. By logging the event, the modification or attempted modification can be investigated to determine if it was performed inadvertently or maliciously.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68249r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68249r1_fix" /><check system="C-63133r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62331"><title>SRG-APP-000499-AS-000224</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76821r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000695</version><title>JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur.</title><description><VulnDiscussion>Deleting privileges of a subject/object may cause a subject/object to gain or lose capabilities. When successful and unsuccessful privilege deletions are made, the events need to be logged. By logging the event, the modification or attempted modification can be investigated to determine if it was performed inadvertently or maliciously.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68251r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68251r1_fix" /><check system="C-63135r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62333"><title>SRG-APP-000503-AS-000228</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76823r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000700</version><title>JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur.</title><description><VulnDiscussion>Logging the access to the application server allows the system administrators to monitor user accounts. By logging successful/unsuccessful logons, the system administrator can determine if an account is compromised (e.g., frequent logons) or is in the process of being compromised (e.g., frequent failed logons) and can take actions to thwart the attack.
-
-Logging successful logons can also be used to determine accounts that are no longer in use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68253r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68253r1_fix" /><check system="C-63137r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62335"><title>SRG-APP-000504-AS-000229</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76825r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000705</version><title>JBoss must be configured to generate log records for privileged activities.</title><description><VulnDiscussion>Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-
-Privileged activities would occur through the management interface. This interface can be web-based or can be command line utilities. Whichever method is utilized by the application server, these activities must be logged.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68255r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68255r1_fix" /><check system="C-63139r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62337"><title>SRG-APP-000505-AS-000230</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76827r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000710</version><title>JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface.</title><description><VulnDiscussion>Determining when a user has accessed the management interface is important to determine the timeline of events when a security incident occurs. Generating these events, especially if the management interface is accessed via a stateless protocol like HTTP, the log events will be generated when the user performs a logon (start) and when the user performs a logoff (end). Without these events, the user and later investigators cannot determine the sequence of events and therefore cannot determine what may have happened and by whom it may have been done.
-
-The generation of start and end times within log events allows the user to perform their due diligence in the event of a security breach.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68257r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68257r1_fix" /><check system="C-63141r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62339"><title>SRG-APP-000506-AS-000231</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76829r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000715</version><title>JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface.</title><description><VulnDiscussion>Concurrent logons from different systems could possibly indicate a compromised account. When concurrent logons are made from different workstations to the management interface, a log record needs to be generated. This configuration setting provides forensic evidence that allows the system administrator to investigate access to the system and determine if the duplicate access was authorized or not.
-
-JBoss provides a multitude of different log formats, and API calls that log access to the system. If the default format and location is not used, the system admin must provide the configuration documentation and settings that show that this requirement is being met.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68259r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68259r1_fix" /><check system="C-63143r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62341"><title>SRG-APP-000509-AS-000234</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76831r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000720</version><title>JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events.</title><description><VulnDiscussion>The maintenance of user accounts is a key activity within the system to determine access and privileges. Through changes to accounts, an attacker can create an account for persistent access, modify an account to elevate privileges, or terminate/disable an account(s) to cause a DoS for user(s). To be able to track and investigate these actions, log records must be generated for any account modification functions.
-
-Application servers either provide a local user store, or they can integrate with enterprise user stores like LDAP. As such, the application server must be able to generate log records on account creation, modification, disabling, and termination.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68261r1_fix">Launch the jboss-cli management interface.
-Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
-
-For a Managed Domain configuration:
-"host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68261r1_fix" /><check system="C-63145r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script to start the Command Line Interface (CLI).
-Connect to the server and authenticate.
-Run the command:
-
-For a Managed Domain configuration:
-"ls host=master/server/<SERVERNAME>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-For a Standalone configuration:
-"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
-
-If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62343"><title>SRG-APP-000514-AS-000137</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76833r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000730</version><title>The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.</title><description><VulnDiscussion>Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The application server must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business-to-business transactions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002450</ident><fixtext fixref="F-68263r1_fix">Configure the application server to use DoD- or CNSS-approved Class 3 or Class 4 PKI certificates.</fixtext><fix id="F-68263r1_fix" /><check system="C-63147r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Interview the administrator to determine if JBoss is using certificates for PKI. If JBoss is not performing any PKI functions, this finding is NA.
-
-The CA certs are usually stored in a file called cacerts located in the directory $JAVA_HOME/lib/security. If the file is not in this location, use a search command to locate the file, or ask the administrator where the certificate store is located.
-
-Open a dos shell or terminal window and change to the location of the certificate store. To view the certificates within the certificate store, run the command (in this example, the keystore file is cacerts.): keytool -list -v -keystore ./cacerts
-
-Locate the "OU" field for each certificate within the keystore. The field should contain either "DoD" or "CNSS" as the Organizational Unit (OU).
-
-If the OU does not show that the certificates are DoD or CNSS supplied, this is a finding.</check-content></check></Rule></Group><Group id="V-62345"><title>SRG-APP-000515-AS-000203</title><description><GroupDescription></GroupDescription></description><Rule id="SV-76835r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000735</version><title>JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis.</title><description><VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Protecting log data is important during a forensic investigation to ensure investigators can track and understand what may have occurred. Off-loading should be set up as a scheduled task but can be configured to be run manually, if other processes during the off-loading are manual.
-
-Off-loading is a common process in information systems with limited log storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001851</ident><fixtext fixref="F-68265r1_fix">Open the web-based management interface by opening a browser and pointing it to HTTPS://<EAP_SERVER>:9990/
-
-Authenticate as a user with Admin rights.
-Navigate to the "Configuration" tab.
-Expand + Subsystems.
-Expand + Core.
-Select "Logging".
-Select the "Handler" tab.
-Select "Periodic".
-
-If a periodic file handler does not exist, reference JBoss admin guide for instructions on how to create a file handler that will rotate logs on a daily basis.
-Create scripts that package and off-load log data at least weekly.</fixtext><fix id="F-68265r1_fix" /><check system="C-63149r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>If the JBoss server is configured to use a Syslog Handler, this is not a finding.
-
-Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
-Run the jboss-cli script.
-Connect to the server and authenticate.
-
-Determine if there is a periodic rotating file handler.
-
-For a domain configuration run the following command; where <SERVERNAME> is a variable for all of the servers in the domain. Usually "server-one", "server-two", etc.:
-
-"ls /host=master/server=<SERVERNAME>/subsystem=logging/periodic-rotating-file-handler="
-
-For a standalone configuration run the command:
-"ls /subsystem=logging/periodic-rotating-file-handler="
-
-If the command does not return "FILE", this is a finding.
-
-Review the <JBOSS_HOME>/standalone/log folder for the existence of rotated logs, and ask the admin to demonstrate how rotated logs are packaged and transferred to another system on at least a weekly basis.</check-content></check></Rule></Group></Benchmark>
\ No newline at end of file
diff --git a/ssg/constants.py b/ssg/constants.py
index a585f32afc..0eca2f4f95 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -7,7 +7,6 @@
product_directories = [
'chromium',
'debian8', 'debian9', 'debian10',
- 'eap6',
'example',
'fedora',
'firefox',
@@ -145,7 +144,6 @@
"Debian 8": "debian8",
"Debian 9": "debian9",
"Debian 10": "debian10",
- "JBoss EAP 6": "eap6",
"Example": "example",
"Fedora": "fedora",
"Firefox": "firefox",
@@ -188,41 +186,6 @@
"debian10": [
"cpe:/o:debian:debian_linux:10",
],
- "eap6": [
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.0.0",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.0.1",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.1.0",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.1.1",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.2.0",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.2.1",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.2.2",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.2.3",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.2.4",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.3.0",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.3.1",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.3.2",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.3.3",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.0",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.1",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.2",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.3",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.4",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.5",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.6",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.7",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.8",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.9",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.10",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.11",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.12",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.13",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.14",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.15",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.16",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.17",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.18",
- "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.19",
- ],
"example": [
],
"fedora": [