[prev in list] [next in list] [prev in thread] [next in thread]
List: scap-security-guide
Subject: Re: oscap & jboss on Fedora
From: Ivan Saez Scheihing <saezscheihing () gmail ! com>
Date: 2014-04-29 11:45:08
Message-ID: CABD7AfYVWM2VsphkzDBSZe1H0ONy-Fo_Y5tTMKKt+DbyD_oLTg () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Martin,
Thank you for your answer. See attachment for xccdf result file.
If you look at the rule
Result for Disable Hot Deployment in production
you will see it passes. But if I check manually I can see that the file
JBOSS_HOME/server/[PROFILE]/deploy/hdscanner-jboss-beans.xml
hasn't been deleted. So my conclusion is that the rule should have failed.
And I'm not sure what you mean with "oval results". if you tell how to
generate it I will post it.
regards,
Ivan
On Tue, Apr 29, 2014 at 1:29 PM, Martin Preisler <mpreisle@redhat.com>wrote:
> ----- Original Message -----
> > From: "Ivan Saez Scheihing" <saezscheihing@gmail.com>
> > To: "SCAP Security Guide" <scap-security-guide@lists.fedorahosted.org>
> > Sent: Tuesday, April 22, 2014 8:00:39 PM
> > Subject: Re: oscap & jboss on Fedora
> >
> > Martin,
> >
> > I was able to run xccdf and oscan after editing the eap5-xccdf.xml file.
> I
> > did comment out all '<platform idref="cpe:/a:redhat..' lines (5 lines in
> > total).
> >
> > java -jar xccdfexec.jar -result bla.xml --report bla.html --profile
> > eap5_full -c eap5-cpe-oval.xml -C eap5-cpe-dictionary.xl -P eap5_full
>
> No idea what xccdfexec.jar is. Is it a wrapper around oscap? The arguments
> look familiar.
>
> >
> > Did run and asked me a lot's of questions. The same questions as can be
> > found in the JBossEAP5_Guide.html document. Based on my answers it
> > generated a few xml files. But am I mistaken or doesn't xccdfexec cheeck
> > anything?
> >
> > Oscap did check some things by it self (by inspecting jboss xml files I
> > supose). I run it with the following options:
> >
> > oscap xccdf eval --results bla.xml --report bla.html --profile eap5-full
> > -cpe eap5-cpe-dictionary.xml eap5-xccdf.xml
> >
> >
> > It generated the bla.html file and most of the checks were done.
> Previously
> > I did check the Jboss by hand and I think oscap is not very meticulous.
> > Some checks did get the passed status and I'm sure it should have failed.
> > Any comments on this/
>
> We need more specifics, else I can't comment. Give us a particular rule
> that passed and shouldn't have. Post your xccdf result file, post your oval
> results.
>
> --
> Martin Preisler
> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>
[Attachment #5 (text/html)]
<div dir="ltr"><div><div>Martin,<br><br></div>Thank you for your answer. See \
attachment for xccdf result file.<br></div>If you look at the rule<br><h3>Result for \
Disable Hot Deployment in production</h3><p>you will see it passes. But if I check \
manually I can see that the file</p> \
<p>JBOSS_HOME/server/[PROFILE]/deploy/hdscanner-jboss-beans.xml</p><p><br></p><p>hasn't \
been deleted. So my conclusion is that the rule should have failed.</p><p>And I'm \
not sure what you mean with "oval results". if you tell how to generate it \
I will post it.</p> <p><br></p><p>regards,</p><p><br></p><p>Ivan<br></p><p><br></p>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 29, 2014 \
at 1:29 PM, Martin Preisler <span dir="ltr"><<a href="mailto:mpreisle@redhat.com" \
target="_blank">mpreisle@redhat.com</a>></span> wrote:<br> <blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><div class="">----- Original Message -----<br> > From: \
"Ivan Saez Scheihing" <<a \
href="mailto:saezscheihing@gmail.com">saezscheihing@gmail.com</a>><br> </div><div \
class="">> To: "SCAP Security Guide" <<a \
href="mailto:scap-security-guide@lists.fedorahosted.org">scap-security-guide@lists.fedorahosted.org</a>><br>
> Sent: Tuesday, April 22, 2014 8:00:39 PM<br>
> Subject: Re: oscap & jboss on Fedora<br>
><br>
> Martin,<br>
><br>
> I was able to run xccdf and oscan after editing the eap5-xccdf.xml file. I<br>
> did comment out all '<platform idref="cpe:/a:redhat..' lines (5 \
lines in<br> > total).<br>
><br>
> java -jar xccdfexec.jar -result bla.xml --report bla.html --profile<br>
> eap5_full -c eap5-cpe-oval.xml -C eap5-cpe-dictionary.xl -P eap5_full<br>
<br>
</div>No idea what xccdfexec.jar is. Is it a wrapper around oscap? The arguments look \
familiar.<br> <div class=""><br>
><br>
> Did run and asked me a lot's of questions. The same questions as can be<br>
> found in the JBossEAP5_Guide.html document. Based on my answers it<br>
> generated a few xml files. But am I mistaken or doesn't xccdfexec \
cheeck<br> > anything?<br>
><br>
> Oscap did check some things by it self (by inspecting jboss xml files I<br>
> supose). I run it with the following options:<br>
><br>
> oscap xccdf eval --results bla.xml --report bla.html --profile eap5-full<br>
> -cpe eap5-cpe-dictionary.xml eap5-xccdf.xml<br>
><br>
><br>
> It generated the bla.html file and most of the checks were done. Previously<br>
> I did check the Jboss by hand and I think oscap is not very meticulous.<br>
> Some checks did get the passed status and I'm sure it should have \
failed.<br> > Any comments on this/<br>
<br>
</div>We need more specifics, else I can't comment. Give us a particular rule \
that passed and shouldn't have. Post your xccdf result file, post your oval \
results.<br> <div class="HOEnZb"><div class="h5"><br>
--<br>
Martin Preisler<br>
_______________________________________________<br>
scap-security-guide mailing list<br>
<a href="mailto:scap-security-guide@lists.fedorahosted.org">scap-security-guide@lists.fedorahosted.org</a><br>
<a href="https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide" \
target="_blank">https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide</a><br>
</div></div></blockquote></div><br></div>
--001a11c30018c9036f04f82cf678--
["Jboss_prd.html" (text/html)]
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" \
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html \
xmlns="http://www.w3.org/1999/xhtml" xmlns:xlink="http://www.w3.org/1999/xlink" \
xmlns:svg="http://www.w3.org/2000/svg"> <head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Scan Report</title>
<meta name="generator" content="" />
<meta name="Content-Type" content="text/html;charset=utf-8" />
<style type="text/css" media="all">
html, body { background-color: black; font-family:sans-serif; margin:0; \
padding:0; } abbr { text-transform:none; border:none; font-variant:normal; }
div.score-outer { height: .8em; width:100%; min-width:100px; background-color: \
red; } div.score-inner { height: 100%; background-color: green; }
.score-max, .score-val, .score-percent { text-align:right; }
.score-percent { font-weight: bold; }
th, td { padding-left:.5em; padding-right:.5em; }
.rule-selected, .result-pass strong, .result-fixed strong { color:green; }
.rule-inactive, .unknown, .result-notselected strong, .result-notchecked strong, \
.result-notapplicable strong, .result-informational strong, .result-unknown strong { \
color:#555; }
.rule-notselected, .result-error strong, .result-fail strong { color:red; }
table { border-collapse: collapse; border: 1px black solid; width:100%; }
table th, thead tr { background-color:black; color:white; }
table td { border-right: 1px black solid; }
table td.result, table td.link { text-align:center; }
table td.num { text-align:right; }
div#rule-results-summary { margin-bottom: 1em; }
table tr.result-legend td { width: 10%; }
div#content p { text-align:justify; }
div.result-detail { border: 1px solid black; margin: 2em 0; padding: 0 1em; }
div#content h2 { border-bottom:2px dashed; margin-top:1em; margin-bottom:0.5em; \
text-align:center; } div#content h2#summary { margin-top:0; }
h1 { margin:1em 0; }
div.raw table, div.raw table td { border:none; width:auto; padding:0; }
div.raw table { margin-left: 2em; }
div.raw table td { padding: .1em .7em; }
table tr { border-bottom: 1px dotted #000; }
dir.raw table tr { border-bottom: 0 !important; }
pre.code { background: #ccc; padding:.2em; }
ul.toc-struct li { list-style-type: none; }
div.xccdf-rule { margin-left: 10%; }
div#footer, p.remark, .link { font-size:.8em; }
thead tr td { font-weight:bold; text-align:center; }
.hidden { display:none; }
td.score-bar { text-align:center; }
td.score-bar span.media { width:100%; min-width:7em; height:.8em; display:block; \
margin:0; padding:0; }
.oval-results { font-size:.8em; overflow:auto; }
div#guide-top-table table { width: 100%; }
td#common-info { min-width: 25.0em; border-right: 1px solid #000; }
td#versions-revisions { width: 25.0em; }
</style>
<style type="text/css" media="screen">
div#content, div#header, div#footer { margin-left:1em; margin-right:1em; }
div#content { background-color: white; padding:2em; }
div#footer, div#header { color:white; text-align:center; }
a, a:visited { color:blue; text-decoration:underline; }
div#content p.link { text-align:right; font-size:.8em; }
div#footer a { color:white; }
div.xccdf-group, div.xccdf-rule { border-left: 3px solid white; \
padding-left:.3em; } div.xccdf-group:target, div.xccdf-rule:target { \
border-left-color:#ccc; }
.toc-struct li:target { background:#ddd; }
abbr { border-bottom: 1px black dotted; }
abbr.date { border-bottom:none; }
pre.code { overflow:auto; }
table tbody tr:hover { background: #ccc; }
div.raw table tbody tr:hover { background: transparent !important; }
</style>
<style type="text/css" media="print">
@page { margin:3cm; }
html, body { background-color:white; font-family:serif; }
.link { display:none; }
a, a:visited { color:black; text-decoration:none; }
div#header, div#footer { text-align:center; }
div#header { padding-top:36%; }
h1 { vertical-align:center; }
h2 { page-break-before:always; }
h3, h4, h5 { page-break-after:avoid; }
pre.code { background: #ccc; }
div#footer { margin-top:auto; }
.toc-struct { page-break-after:always; }
</style>
</head>
<body>
<div id="xccdf_org.open-scap_testresult_eap5_full">
<div id="header">
<h1>Scan Report</h1>
</div>
<div id="content">
<div id="intro">
<h2>Introduction</h2>
<div>
<h3>Test Result</h3>
<div id="test-result-summary">
<table>
<thead>
<tr>
<td>Result ID</td>
<td>Profile</td>
<td>Start time</td>
<td>End time</td>
<td>Benchmark</td>
<td>Benchmark version</td>
</tr>
</thead>
<tbody>
<tr>
<td align="center">xccdf_org.open-scap_testresult_eap5_full</td>
<td align="center">eap5_full</td>
<td align="center">
<abbr title="2014-04-23T02:56:12" class="date">2014-04-23 \
02:56</abbr> </td>
<td align="center">
<abbr title="2014-04-23T02:56:12" class="date">2014-04-23 \
02:56</abbr> </td>
<td align="center">
<span>embedded</span>
</td>
<td align="center">v1.0</td>
</tr>
</tbody>
</table>
</div>
</div>
<div>
<h3>Target info</h3>
<div class="raw">
<table>
<tbody>
<tr>
<td valign="top">
<h4>Targets</h4>
<ul class="itemizedlist">
<li>localhost.localdomain</li>
</ul>
</td>
<td valign="top">
<h4>Addresses</h4>
<ul class="itemizedlist">
<li>127.0.0.1</li>
<li>10.0.2.15</li>
<li>0:0:0:0:0:0:0:1</li>
<li>fe80:0:0:0:a00:27ff:feb7:8903</li>
</ul>
</td>
<td></td>
<td valign="top"></td>
</tr>
</tbody>
</table>
</div>
</div>
<div>
<h3>Score</h3>
<div>
<table>
<thead>
<tr>
<td>system</td>
<td>score</td>
<td>max</td>
<td>%</td>
<td>bar</td>
</tr>
</thead>
<tbody>
<tr id="score-urn-xccdf-scoring-default">
<td class="score-sys">urn:xccdf:scoring:default</td>
<td class="score-val">35.71</td>
<td class="score-max">100.00</td>
<td class="score-percent">35.71%</td>
<td class="score-bar">
<span class="media">
<svg xmlns="http://www.w3.org/2000/svg" \
xmlns:ovalres="http://oval.mitre.org/XMLSchema/oval-results-5" \
xmlns:sceres="http://open-scap.org/page/SCE_result_file" width="100%" height="100%" \
version="1.1">
<rect width="100%" height="100%" fill="red"></rect>
<rect height="100%" width="35.71%" fill="green"></rect>
<rect height="100%" x="35.71%" width="2" \
fill="black"></rect> </svg>
</span>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div id="results-overview">
<h2>Results overview</h2>
<div id="rule-results-summary">
<h4>Rule Results Summary</h4>
<table>
<thead>
<tr>
<td>pass</td>
<td>fixed</td>
<td>fail</td>
<td>error</td>
<td>not selected</td>
<td>not checked</td>
<td>not applicable</td>
<td>informational</td>
<td>unknown</td>
<td>total</td>
</tr>
</thead>
<tbody>
<tr class="result-legend">
<td align="center" class="result-pass">
<strong class="strong">7</strong>
</td>
<td align="center" class="result-fixed">
<strong class="strong">0</strong>
</td>
<td align="center" class="result-fail">
<strong class="strong">13</strong>
</td>
<td align="center" class="result-error">
<strong class="strong">0</strong>
</td>
<td align="center" class="result-notselected">
<strong class="strong">2</strong>
</td>
<td align="center" class="result-notchecked">
<strong class="strong">92</strong>
</td>
<td align="center" class="result-notapplicable">
<strong class="strong">0</strong>
</td>
<td align="center" class="result-informational">
<strong class="strong">0</strong>
</td>
<td align="center" class="result-unknown">
<strong class="strong">0</strong>
</td>
<td align="center">
<strong class="strong">114</strong>
</td>
</tr>
</tbody>
</table>
</div>
<div>
<h4 class="hidden">Rule results summary</h4>
<table>
<thead>
<tr>
<td>Title</td>
<td>Result</td>
</tr>
</thead>
<tbody>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51852928">JBoss Enterprise Application \
Platform should be a vendor supported version</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51856944">Ensure Java Runtime Environment \
in use is a supported version</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51861008">Ensure all configurations are \
made to the appropriate server profile</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-pass">
<td class="id">
<a href="#ruleresult-idp51865072">Ensure Technology Preview \
components are disabled in production environments</a> </td>
<td class="result">
<strong class="strong">pass</strong>
</td>
</tr>
<tr class="result-pass">
<td class="id">
<a href="#ruleresult-idp51868400">Disable Hot Deployment in \
production</a> </td>
<td class="result">
<strong class="strong">pass</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51871728">Production applications should \
not implement the default SRPVerifierStore interface for the Secure Remote Password \
(SRP) protocol</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51875664">Declare an EJB authorization \
policy for deployed applications</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51879488">Ensure appropriate permissions \
have been granted to Java Database Connectivity (JDBC) driver</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51883504">Ensure appropriate DefaultDS is \
enabled</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51887568">Deployed applications must not \
write data to DefaultDS</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-pass">
<td class="id">
<a href="#ruleresult-idp51891632">Ensure default HSQLDB is \
disabled</a> </td>
<td class="result">
<strong class="strong">pass</strong>
</td>
</tr>
<tr class="result-fail">
<td class="id">
<a href="#ruleresult-idp51894960">Ensure HSQLDB Security Domain \
is removed</a> </td>
<td class="result">
<strong class="strong">fail</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51898288">Ensure the appropriate Java \
Messaging Service (JMS) persistence configuration file is in use</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51902352">Ensure Oracle Database \
persistence plugin is set correctly</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51906416">Ensure IBM JRE 1.6 is \
configured correctly</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51910480">Configured security domains are \
recommended to secure production applications</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-fail">
<td class="id">
<a href="#ruleresult-idp51914544">The allRolesMode must be \
configured to "strict"</a> </td>
<td class="result">
<strong class="strong">fail</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51917872">Define <security-role> \
elements</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51921936">Remove, rename, or comment out \
the default user accounts from production servers</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51926000">Remove, rename, or comment out \
the default roles from production servers</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51930064">Security constraint elements \
should exist for all URLs in production environment</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-fail">
<td class="id">
<a href="#ruleresult-idp51934128">DefaultCacheTimeout must be \
configured properly for active security domains</a> </td>
<td class="result">
<strong class="strong">fail</strong>
</td>
</tr>
<tr class="result-pass">
<td class="id">
<a href="#ruleresult-idp51937456">snmp-adaptor.sar must not be \
deployed</a> </td>
<td class="result">
<strong class="strong">pass</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51940784">Harden Tomcat Connectors: limit \
maxPostSize</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51944848">Harden Tomcat Connectors: limit \
maxSavePostSize</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51948912">Harden Tomcat Connectors: set \
server header tags</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51952976">Harden Tomcat Connectors: \
ciphers attribute</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51957040">Harden Tomcat Connectors: limit \
connectionTimeout</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-fail">
<td class="id">
<a href="#ruleresult-idp51961104">Configure Java Security Manager \
to use an environment specific policy</a> </td>
<td class="result">
<strong class="strong">fail</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51964432">Ensure proper permissions are \
configured for interactions with JBoss JMX Kernel MBean</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51968496">Ensure proper permissions are \
configured for deployed applications: java.io.FilePermission</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51972560">Ensure proper permissions are \
configured for deployed applications: java.net.NetPermission</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51976624">Ensure proper permissions are \
configured for deployed applications: java.lang.RuntimePermission</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51980688">Ensure proper permissions are \
configured for deployed applications: java.net.SocketPermission</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51984752">Ensure proper permissions are \
configured for deployed applications: java.security.AllPermission</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51988816">Ensure default system Java \
Authentication and Authorization Service configuration is in use for JBoss Seam</a> \
</td> <td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51992880">Validate keystore and \
keystorePasswordURL properties are defined and loaded by Java Security Manager</a> \
</td> <td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp51996944">Validate a keystore file for \
JBoss exists and is accessible to JBoss</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52001008">Validate a password file for \
the Java keystore exists and is accessible to JBoss</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52005072">Validate JBoss keystore is \
password protected</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52009136">Ensure jboss alias is trusted \
within the JBoss keystore</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52013216">Ensure applications deployed by \
JBoss present valid DoD certificates where applicable</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52017280">Ensure X.509 keystore utilized \
by JBoss for certificate trusts contains DoD approved Certificate Authorities</a> \
</td> <td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52021344">Ensure deployed applications \
requiring authentication utilizes DoD PKI Class 3 or Class 4 certificate and hardware \
security token or NSA-certified product</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52025408">Enable Federal Information and \
Processing Systems 140-2 (FIPS) compliant cryptographic modules for use by JBoss Java \
environment</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52029472">Eliminate clear-text passwords: \
data sources</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52033536">Eliminate clear-text passwords: \
Tomcat Connectors</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52037600">Eliminate clear-text passwords: \
XML configuration files</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52041664">Change default password: JBoss \
Messaging MessageSucker</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52045728">Change default password: Java \
cacerts keystore</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-fail">
<td class="id">
<a href="#ruleresult-idp52049792">Ensure Security Audit Appender \
is enabled</a> </td>
<td class="result">
<strong class="strong">fail</strong>
</td>
</tr>
<tr class="result-fail">
<td class="id">
<a href="#ruleresult-idp52053120">Ensure Security Audit Provider \
is enabled</a> </td>
<td class="result">
<strong class="strong">fail</strong>
</td>
</tr>
<tr class="result-fail">
<td class="id">
<a href="#ruleresult-idp52056448">Ensure Configure \
SecurityInterceptor logging level is set correctly</a> </td>
<td class="result">
<strong class="strong">fail</strong>
</td>
</tr>
<tr class="result-fail">
<td class="id">
<a href="#ruleresult-idp52059776">Ensure logging is enabled for \
Microcontainer bootstrap operations</a> </td>
<td class="result">
<strong class="strong">fail</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52063104">Ensure logging is enabled for \
web-based requests if required by deployed applications</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-fail">
<td class="id">
<a href="#ruleresult-idp52067168">Ensure all required information \
is displayed in <layout></a> </td>
<td class="result">
<strong class="strong">fail</strong>
</td>
</tr>
<tr class="result-fail">
<td class="id">
<a href="#ruleresult-idp52070496">Production applications should \
not log output to the JBoss console</a> </td>
<td class="result">
<strong class="strong">fail</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52073824">Ensure JBoss process owner is \
executing with least privilege</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52077888">Deny the JBoss process owner \
console access</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52081952">Set JBoss file ownership</a>
</td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52086016">Set JBoss file permissions</a>
</td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-pass">
<td class="id">
<a href="#ruleresult-idp52090080">Ensure JMX Console is either \
secured or removed</a> </td>
<td class="result">
<strong class="strong">pass</strong>
</td>
</tr>
<tr class="result-pass">
<td class="id">
<a href="#ruleresult-idp52093408">Ensure Web Console is either \
secured or removed</a> </td>
<td class="result">
<strong class="strong">pass</strong>
</td>
</tr>
<tr class="result-pass">
<td class="id">
<a href="#ruleresult-idp52096736">Ensure Administration Console \
is either secured or removed</a> </td>
<td class="result">
<strong class="strong">pass</strong>
</td>
</tr>
<tr class="result-fail">
<td class="id">
<a href="#ruleresult-idp52100064">The JMXInvokerServlet servlet \
must be secured against web attacks</a> </td>
<td class="result">
<strong class="strong">fail</strong>
</td>
</tr>
<tr class="result-fail">
<td class="id">
<a href="#ruleresult-idp52103392">The JMXInvokerServlet servlet \
must be configured to prevent unprivileged access using authentication</a> </td>
<td class="result">
<strong class="strong">fail</strong>
</td>
</tr>
<tr class="result-fail">
<td class="id">
<a href="#ruleresult-idp52106720">The JMXInvokerServlet servlet \
must be configured to prevent unprivileged access using authorization</a> </td>
<td class="result">
<strong class="strong">fail</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52116704">Password hashing must be \
enabled within the appropriate login module</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52120768">A password hashing algorithm \
must be defined within the appropriate login module</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52124832">Enterprise JavaBeans \
Specification v2.1 must be strictly followed</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52128896">Ensure adequate physical \
protections are in place</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52132960">Assign a JBoss \
administrator</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52137024">Document incident response \
procedures</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52141088">Perform periodic incident \
response exercises</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52145152">Document disaster recovery \
procedures</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52149248">Perform periodic disaster \
recovery exercises</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52153312">Identify and document \
application data flows</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52157376">Java permissions for deployed \
applications should be documented and reviewed prior to deployment</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52161440">Regular backups should be \
performed</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52165504">Auditing policy should \
exist</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52169568">Access control policy and \
procedures</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52173632">Define an appropriate minimum \
and maximum password length requirement</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52177696">Define an appropriate minimum \
password complexity requirement</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52181760">Define an appropriate minimum \
password expiration interval</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52185824">Production JBoss EAP \
installations should reside on a dedicated platform</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52189888">Avoid multiple JBoss instances \
per server</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52193952">Bind multiple JBoss instances \
per server to different IPs</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52198016">Packet filtering should be \
emplaced around JBoss Enterprise Application Platform</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52202080">Do not transmit sensitive \
information over unsecured HTTP connections</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52206144">Use a version control \
repository</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52210208">Automate JBoss Deployments</a>
</td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52214272">Application performance \
testing</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52218336">Monitor JBoss servers</a>
</td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52222400">Ensure all downloaded software \
is authentic</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52226464">Ensure JBoss is configured in \
accordance with Common Criteria configuration guides</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52230528">Unused features should be \
disabled or deleted: Java Universal Description, Discovery, Integration (JUDDI)</a> \
</td> <td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52234592">Unused features should be \
disabled or deleted: Enterprise Java Beans (EJB) Services</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52238656">Unused features should be \
disabled or deleted: Universal Unique Identifier (UUID) Generator</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52242720">Unused features should be \
disabled or deleted: Java Message Service (JMS)</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52246784">Unused features should be \
disabled or deleted: JBoss Mail</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52250848">Unused features should be \
disabled or deleted: JBoss Scheduling</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52254912">Unused features should be \
disabled or deleted: Hypersonic SQL Database (HSQLDB)</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52258976">Unused features should be \
disabled or deleted: BeanShell (BSH) Deployer</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52263040">Unused features should be \
disabled or deleted: JBossWS</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52267104">Unused features should be \
disabled or deleted: Seam</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52271168">Unused features should be \
disabled or deleted: JBoss Internet Inter-ORB Protocol (IIOP)</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52275232">Unused features should be \
disabled or deleted: Miscellaneous</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52279296">Unused features should be \
disabled or deleted: HTTP Invokers</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52283376">Unused features should be \
disabled or deleted: Java Management Extensions (JMX) Invoker</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52287440">Unused features should be \
disabled or deleted: Pooled Invoker</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52291504">Unused features should be \
disabled or deleted: Java Remote Method Protocol (JRMP) Invoker</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
<tr class="result-notchecked">
<td class="id">
<a href="#ruleresult-idp52295568">Unused features should be \
disabled or deleted: Clustering</a> </td>
<td class="result">
<strong class="strong">notchecked</strong>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div id="results-details">
<h2>Results details</h2>
<div class="result-detail" id="ruleresult-idp51852928">
<h3>Result for JBoss Enterprise Application Platform should be a vendor \
supported version</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2001</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Evaluated JBoss installation \
must be a vendor supported version of JBoss Enterprise Application Platform 5. Red \
Hat typically offers full and production support for the first 7 years following a \
release. Extended support options can be negotiated with the vendor directly through \
a separate subscription. Organizations using JBoss EAP must use a vendor supported \
version with an active support contract.</p> <p>Failure to utilize a supported \
version of JBoss in a production environment can lead to outages, unresolvable \
problems, no access to security or functional updates, etc.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p></p>
<p>Other environments should install a vendor supported version of Red \
Hat JBoss Enterprise Application Platform and maintain an active subscription. \
Contact Red Hat directly to subscribe to the JBoss software channel \
(http://www.redhat.com).</p> <p>Ensure downloaded software is checked against vendor \
supplied hashes to ensure the software has not been modified in transit. Tools such \
as sha1sum or md5sum (Linux) or File Checksum Integrity Verifier (FCIV) for Windows \
can be used to generate hash checksums for downloaded files.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51856944">
<h3>Result for Ensure Java Runtime Environment in use is a supported \
version</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2002</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Evaluated JBoss installation \
must use a vendor supported Java virtual machine - i.e., one that has not reached \
end-of-life. Migration strategies should be developed when end-of-life is \
impending.</p> <p>Java installations should be a vendor supported version. If the \
Java virtual machine in use by JBoss is not supported by the vendor, this may result \
in outages, unresolvable problems, no access to security or functional updates, \
etc.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Organizations should install a vendor supported Java Runtime \
Environment.</p> <p>Ensure downloaded software is checked against vendor supplied \
hashes to ensure the software has not been modified in transit. Tools such as \
sha1sum or md5sum (Linux) or File Checksum Integrity Verifier (FCIV) for Windows can \
be used to generate hash checksums for downloaded files.</p>
<p>Finally, organizations must develop migration plans for Java Runtime \
Environments that reach end-of-life within the next year.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51861008">
<h3>Result for Ensure all configurations are made to the appropriate \
server profile</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2005</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Production environments should \
utilize the production server profile. Development and test environments should \
choose the profile that best fits their needs.</p> <p>The JBoss server profiles are \
preconfigured with various deployed applications. Using a more restrictive profile \
ensures that less applications are deployed, minimizing the attack surface of the \
JBoss server and decreasing the amount of trimming that must be performed.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>JBoss administrators should use the profiles as defined in the \
validation text.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51865072">
<h3>Result for Ensure Technology Preview components are disabled in \
production environments</h3>
<p class="result-pass">Result: <strong class="strong">pass</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2018</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Remove the PicketLink \
technology preview folder. By default, this folder is included at the same level as \
the JBoss-as folder. If you leave the picketlink folder as originally shipped in the \
EAP binary, PicketLink is unable to be launched, and subsequently interact with the \
certified configuration. </p> <p>Technology Preview components are not \
production-ready, vendor supported JBoss components. They may be incomplete, contain \
bugs, insecure features or architecture, etc.</p> <p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51868400">
<h3>Result for Disable Hot Deployment in production</h3>
<p class="result-pass">Result: <strong class="strong">pass</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1130</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Hot deployment should be \
disabled on production servers. Hot Deployment allows for automatic deployment of \
Java applications by simply placing Java applications into the deploy directory.</p> \
<p>Hot deployments are not a recommended best practice for production environments. \
By requiring the additional step of restarting the JBoss server, application \
deployments become more deliberate and purposeful. Additionally, the JBoss Hot \
Deployment feature has been known to become unstable over time - consuming additional \
memory and resources.</p> <p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51871728">
<h3>Result for Production applications should not implement the default \
SRPVerifierStore interface for the Secure Remote Password (SRP) \
protocol</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1101</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The SRP protocol is a public \
key exchange protocol similar to Diffie-Hellman. The default implementation of the \
SRPVerifierStore interface is not recommended for a production security environment \
because it requires all password hash information to be available as a file of \
serialized objects.</p> <p>Serializing objects is not a recommended practice for \
Java applications. Object serialization shows poor performance and is not typically \
scalable for production. Additionally, object serialization creates dependency \
concerns within the object hierarchy.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Application developers should not use the default implementation for \
SRPVerifierStore, and should extend it to avoid the use of serialized password \
objects.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51875664">
<h3>Result for Declare an EJB authorization policy for deployed \
applications</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2039</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>When configuring your \
application specific security policy, you must declare one (or more) of the following \
authorization modules in the security domain <policy-module> element. </p>
<ul class="itemizedlist">
<li>
<p>org.JBoss.security.authorization.modules.DelegatingAuthorizationModule</p>
</li>
<li>
<p>org.JBoss.security.authorization.modules.JACCAuthorizationModule</p>
</li>
</ul>
<p>A security domain does not explicitly require an authorization policy. \
If an authorization policy is not specified, the default jboss-web-policy and \
jboss-ejb-policy authorization configured in \
jboss-as/server/$PROFILE/deploy/security/security-policies-jboss-beans.xml is used. \
If you do choose to specify an authorization policy, or create a custom deployment \
descriptor file with a valid authorization policy, these settings override the \
default settings in security-policies-jboss-beans.xml.</p> <p>Explicitly referencing \
one of the identified authorization modules ensures that applications extend the \
security policies defined in security-policies-jboss-beans.xml. This allows JBoss \
administrators to set a secure baseline that can be tuned on a per-application \
basis.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Applications deploying their own security policies must specify one \
of the following <policy-module> within their 'code' attributes:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>org.JBoss.security.authorization.modules.DelegatingAuthorizationModule</p>
</li>
<li>
<p>org.JBoss.security.authorization.modules.JACCAuthorizationModule</p>
</li>
</ul>
<p>Example:</p>
<p>
<pre class="code">
<code><application-policy name="demo">
<authorization>
<policy-module code="org.JBoss.security.authorization.modules.JACCAuthorizationModule"></policy-module>
</authorization>
</application-policy></code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51879488">
<h3>Result for Ensure appropriate permissions have been granted to Java \
Database Connectivity (JDBC) driver</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2042</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The security manager policy \
file may require permissions to be set for database drivers. The JBoss administrator \
can assign permissions to the database drivers that are needed by deployed \
applications. It is recommended that the most restrictive permissions are added. With \
some installations, permissions must be granted to database drivers that are not \
available to deployed applications; such as \
java.net.SocketPermission.</p>
<p>Deployed applications requiring access to data sources should have \
limited permissions to interact with the database drivers.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>The JBoss administrator must assign the most restrictive permissions \
possible (in accordance with the least privilege principle) to applications accessing \
defined data sources. This should be done in cooperation with application developers \
or application documentation. Substitute the directory name of the JDBC driver where \
[JDBC.DRIVER] is specified in the code sample.</p> <p>
<pre class="code">
<code>// granting permissions to JDBC driver
grant codeBase "file:${JBoss.server.home.dir}/lib/[JDBC.DRIVER]" {
//JDBC specific permissions to be granted go here
};</code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51883504">
<h3>Result for Ensure appropriate DefaultDS is enabled</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2044</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Create a default data store \
file for the desired database. Templates are located in \
JBOSS_HOME/docs/examples/jca.<br />The DefaultDS must not be a HSQLDB.</p> <p>To \
help ensure robust server operations, a DefaultDS that does not use HSQLDB should be \
specified. DefaultDS is used by some JBoss components by default.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Create a default DS file for the desired database at \
JBOSS_HOME/server/[PROFILE]/deploy/DefaultDS.xml. Examples of this file are located \
in JBOSS_HOME/docs/examples/jca. The DefaultDS must not be a HSQLDB.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51887568">
<h3>Result for Deployed applications must not write data to \
DefaultDS</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2157</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Deployed applications (other \
than JBoss default applications) must not write information to the database defined \
by the DefaultDS data source. These applications must use a database specific to the \
application.</p> <p>Sharing databases between applications is a poor security \
practice that can create injection and leakage vulnerabilities that cross application \
boundaries.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Create and deploy a data source in addition to the DefaultDS to \
store application data. This new data source must not point to the same database as \
the DefaultDS data source.</p>
<p>Data source templates can be found in the \
JBOSS_HOME/docs/examples/jca/ directory.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51891632">
<h3>Result for Ensure default HSQLDB is disabled</h3>
<p class="result-pass">Result: <strong class="strong">pass</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2045</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>The default development HSQL database included with JBoss should be \
removed.</p> <p>HSQL is not meant for production environments - it is there to speed \
development and enable faster application prototyping. Thus, it is not a \
full-featured data source intended for production use.</p> <p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51894960">
<h3>Result for Ensure HSQLDB Security Domain is removed</h3>
<p class="result-fail">Result: <strong class="strong">fail</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2046</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>The security domain for HsqlDbRealm should be removed from the \
JBOSS_HOME/server/[PROFILE]/conf/login-config.xml file.<br /></p> <p>HSQL is not \
meant for production environments - it is there to speed development and enable \
faster application prototyping. Thus, it is not a full-featured data source intended \
for production use.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Remove the security domain for HsqlDbRealm in the \
JBOSS_HOME/server/[PROFILE]/conf/login-config.xml file as shown.</p> <p>
<pre class="code">
<code><!-- Security domains for testing new jca framework
<application-policy name = "HsqlDbRealm">
<authentication>
<login-module code = "org.JBoss.resource.security.ConfiguredIdentityLoginModule" \
flag = "required"> <module-option name = \
"principal">sa</module-option> <module-option name = \
"userName">cctest</module-option> <module-option name = \
"password">cc1248</module-option> <module-option name = \
"managedConnectionFactoryName">JBoss.jca:service=LocalTxCM,name=DefaultDS</module-option>
</login-module>
</authentication>
</application-policy>
--></code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51898288">
<h3>Result for Ensure the appropriate Java Messaging Service (JMS) \
persistence configuration file is in use</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2047</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The \
[database]-persistence-service.xml file contains the persistence service definition \
for Java Messaging Service, for the database specified by the [database] in the \
filename. The database must not be HSQLDB.</p> <p>In order to function properly, JMS \
should be configured to use the appropriate datastore. Production environments \
require a persistence service definition for JMS that does not use HSQLDB.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Copy the [database]-persistence-service.xml file that corresponds to \
the database you are using from the JBOSS_HOME/docs/examples/jms directory to \
JBOSS_HOME/server/[PROFILE]/deploy. Make any required content changes to fit the \
persistence service to the environment.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51902352">
<h3>Result for Ensure Oracle Database persistence plugin is set \
correctly</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2050</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>When using the Oracle Database \
as the DefaultDS, the database persistence plugin definition must be updated in \
JBOSS_HOME/server/[PROFILE]/deploy/ejb2-timer-service.xml.</p>
<p>This is a performance optimization when using Oracle Database as the \
DefaultDS.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>When using the Oracle Database as the DefaultDS, the database \
persistence plugin definition must be updated in \
JBOSS_HOME/server/[PROFILE]/deploy/ejb2-timer-service.xml to:</p> <p>
<pre class="code">
<code><attribute name="DatabasePersistencePlugin">
org.JBoss.ejb.txtimer.OracleDatabasePersistencePlugin
</attribute></code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51906416">
<h3>Result for Ensure IBM JRE 1.6 is configured correctly</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2065</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>When IBM JRE 1.6 is configured \
as the Java Runtime Environment, the following configuration changes must be made to \
ensure compatibility between JBoss EAP and IBM JRE.</p> <p>IBM JRE 1.6 uses a \
default policy provider which does not work correctly with the JBoss Enterprise \
Application Platform security policy. The IBM JRE must be reconfigured to use the \
standard policy provider.</p> <p>The IBM JRE 1.6 default policy provider does not \
work correctly with the JBoss EAP security policy. Failure to assign the correct \
policy can lead to system instability.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>When IBM JRE 1.6 is configured as the Java Runtime Environment, the \
following configuration changes must be made for compatibility:</p>
<p>Edit the file JAVA_HOME/jre/lib/security/java.security and set the \
value of policy.provider to sun.security.provider.PolicyFile</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51910480">
<h3>Result for Configured security domains are recommended to secure \
production applications</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1100</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>SecurityDomain is an extension \
of the AuthenticationManager, RealmMapping, and SubjectSecurityManager interfaces. A \
java.security.KeyStore, and the Java Secure Socket Extension (JSSE) \
com.sun.net.ssl.KeyManagerFactory and com.sun.net.ssl.TrustManagerFactory interfaces \
are included in the class.</p> <p>SecurityDomain is the recommended way to implement \
security in components, because of the advantages the JAAS Subject offers, and the \
increased support offered to ASP-style application and resource deployments.</p> \
<div class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Configure and apply SecurityDomains where appropriate for production \
applications.</p> <p>For example, an <application-policy> (SecurityDomain) can \
be defined in the server profile conf directory, in an application deployment \
descriptor, or directly deployed as an MBean.</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/conf/login-config.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/[APPLICATION]/META-INF/*-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/[APPLICATION]/WEB-INF/*-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/*-jboss-beans.xml</p>
</li>
</ul>
<p>To determine which <application-policy> are in use by deployed \
applications, search for <security-domain> elements within the following \
deployment descriptors:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/[APPLICATION]/WEB-INF/jboss-web.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/[APPLICATION]/WEB-INF/jboss.xml \
</p> </li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51914544">
<h3>Result for The allRolesMode must be configured to "strict"</h3>
<p class="result-fail">Result: <strong class="strong">fail</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2038</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The allRolesMode within \
JBOSS_HOME/server/[PROFILE]/deploy/jbossweb.sar/server.xml must be set to strict for \
production environments. This requires the authenticated user to be assigned to one \
of the web-app/security-role/role-name roles in order to be authorized. </p> <p>This \
rule enforces strict authorization, requiring authenticated users to be members of \
defined roles. This allows JBoss administrators to create a simpler, tighter security \
policy.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Update allRolesAttribute for the <Realm> element with \
className="org.jboss.web.tomcat.security.JBossWebRealm" in \
JBOSS_HOME/server/[PROFILE]/deploy/jbossweb.sar/server.xml. Set the attribute value \
to "strict". By default, the allRolesAttribute is set to "authOnly". For example:</p> \
<p> <pre class="code">
<code><Realm \
className="org.jboss.web.tomcat.security.JBossWebRealm" \
certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping" \
allRolesMode="strict" /></code> </pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51917872">
<h3>Result for Define <security-role> elements</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1092</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Enable authorization and define <security-role> elements to \
control access to deployed applications.</p> <p>The specification of \
<security-role> elements is a recommended practice to ensure portability across \
application servers and for deployment descriptor maintenance.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Working with application developers (or available documentation), \
determine the desired roles for controlling access to the deployed applications.</p> \
<p>Next, create the roles within web.xml.</p> <p>
<pre class="code">
<code><web-app>
<security-role>
<description>The role required to access restricted content \
</description> <role-name>AuthorizedUser</role-name>
</security-role>
</web-app></code>
</pre>
</p>
<p>Finally, require the roles within the application's deployment \
descriptor, web.xml:</p> <p>
<pre class="code">
<code><web-app>
<security-constraint>
<auth-constraint>
<role-name>AuthorizedUser</role-name>
</auth-constraint>
</security-constraint>
</web-app></code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51921936">
<h3>Result for Remove, rename, or comment out the default user accounts \
from production servers</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_3001</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Remove, rename, or comment out the default user accounts defined in \
.properties files and login-config.xml.</p> <p>Default configurations are commonly \
leveraged by attackers to gain entry into closed systems. Removing, renaming, or \
commenting out default user accounts makes malicious exploitation more complex.</p> \
<div class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p></p>
<p>Remove, rename, or comment out the default user accounts in the \
default <application-policy> elements located within the configuration file: \
JBOSS_HOME/server/[PROFILE]/conf/login-config.xml. <pre class="code"><code>
<module-option name="principal">sa</module-option>
<module-option name="userName">sa</module-option>
<module-option name="password"></module-option>
<module-option name="principal">guest</module-option>
<module-option name="userName">guest</module-option>
<module-option name="password">guest</module-option>
</code></pre><p>Remove, rename, or comment out the default user accounts in \
properties files: JBOSS_HOME/server/[PROFILE]/conf/props/</p><ul \
class="itemizedlist"><li><p>jbossws-users.properties</p></li><li><p>jmx-console-users.properties</p></li><li><p>messaging-users.properties</p></li></ul><p>The \
default user accounts include:</p><ul \
class="itemizedlist"><li><p>admin</p></li><li><p>kermit</p></li><li><p>guest</p></li></ul>
NOTE: If access is required to the services protected by the \
<application-policy>, be sure that valid accounts and roles exist!</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51926000">
<h3>Result for Remove, rename, or comment out the default roles from \
production servers</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_3002</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Remove, rename, or comment out the default role definitions in the \
default <application-policy> elements.</p>
<p>Additionally, remove, rename, or comment out the default role \
assignments in various properties files from \
JBOSS_HOME/server/[PROFILE]/conf/props/</p> <p>Default configurations are commonly \
leveraged by attackers to gain entry into closed systems. Renaming, removing, or \
commenting out default roles can make exploitation more complex. These steps can also \
prevent inadvertent assignment of permissions.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p></p>
<p>
<p>Ensure the default role assignments have been removed, renamed, or \
commented out from the default properties files located in \
JBOSS_HOME/server/[PROFILE]/conf/props/ <ul \
class="itemizedlist"><li><p>jbossws-roles.properties</p></li><li><p>jmx-console-roles.properties</p></li><li><p>messaging-roles.properties</p></li></ul><p>The \
default role assignments are JBossAdmin, HttpInvoker, friend, and \
guest.</p><p>Finally, ensure the default role assignments within application specific \
deployment descriptors have been removed, renamed, or commented out:</p><ul \
class="itemizedlist"><li><p>JBOSS_HOME/server/[PROFILE]/deploy/jmx-console.war/WEB-INF \
/web.xml</p></li><li><p>JBOSS_HOME/server/[PROFILE]/deploy/admin-console.war/WEB-INF/w \
eb.xml</p></li><li><p>JBOSS_HOME/server/[PROFILE]/deploy/management/console-mgr.sar/web-console.war/WEB-INF/web.xml</p></li></ul><p>These \
role assignments will fall within <auth-constraint> elements and will look \
similar to the following:</p><pre class="code"><code><security-constraint> \
<web-resource-collection> \
<web-resource-name>HtmlAdaptor</web-resource-name> <description>An \
example security config that only allows users with the role JBossAdmin to access the \
HTML JMX console web application</description> \
<url-pattern>/*</url-pattern> </web-resource-collection>
<auth-constraint>
<role-name>JBossAdmin</role-name>
</auth-constraint>
</security-constraint></code></pre></p>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51930064">
<h3>Result for Security constraint elements should exist for all URLs in \
production environment</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1093</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The content to be secured is \
declared using one or more <web-resource-collection> elements. Each \
<web-resource-collection> element contains an optional series of \
<url-pattern> elements followed by an optional series of <http-method> \
elements. The <url-pattern> element value specifies a URL pattern against which \
a request URL must match for the request to correspond to an attempt to access \
secured content. The <http-method> element value specifies a type of HTTP \
request to allow.</p> <p>Whitelisting allowed HTTP methods against all URL's is a \
recommended security practice to minimize the attack surface of deployed \
applications. This must be done carefully to ensure that security loopholes are not \
created, as JBoss allows all HTTP methods by default..</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Implement a whitelist for HTTP methods accepted by each deployed \
application. This will generally take the form of two separate security \
constraints.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51934128">
<h3>Result for DefaultCacheTimeout must be configured properly for active \
security domains</h3>
<p class="result-fail">Result: <strong class="strong">fail</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1096</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Security domains in use must use DefaultCacheTimeout less than or \
equal to 1800 seconds. If you want to disable caching of security credentials, set \
this to 0 to force authentication to occur every time. This has no affect if the \
AuthenticationCacheJndiName has been changed from the default value. </p> \
<p>Production applications should be carefully evaluated to determine the appropriate \
level of cache credential timeouts. Overuse of cached credentials can leave \
applications vulnerable to stale authentication stores.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Open the JaasSecurityManagerService Mbean configuration file located \
at JBOSS_HOME/server/[PROFILE]/conf/jboss-service.xml</p>
<p>Find the element <mbean \
code="org.jboss.security.plugins.JaasSecurityManagerService" \
name="jboss.security:service=JaasSecurityManager"></p>
<p>Change the <DefaultCacheTimeout> to 1800 or less.</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51937456">
<h3>Result for snmp-adaptor.sar must not be deployed</h3>
<p class="result-pass">Result: <strong class="strong">pass</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2009</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The file \
JBOSS_HOME/server/[PROFILE]/deploy/snmp-adaptor.sar should not exist. \
snmp-adaptor.sar is the default deployment package for JBoss SNMP. The manager \
implements SNMP using joeSNMP, supporting only SNMP versions 1 and 2.</p> <p>The \
default SNMP package (snmp-adaptor.sar) implements joeSNMP, which itself implements \
SNMP versions 1 and 2. Both versions of the SNMP protocol have many flaws and known \
vulnerabilities that can leveraged by attackers. Often these are simple remote \
exploitations that can be easily used by attackers to penetrate a network.</p> <p \
class="link"> <a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51940784">
<h3>Result for Harden Tomcat Connectors: limit maxPostSize</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4011</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The Tomcat container is \
commonly used to broker connections for JBoss. Several steps to harden the connectors \
can be taken quickly and easily. maxPostSize is the maximum size (in bytes) that the \
FORM URL parser can handle. Environments that pass large amounts of data through \
forms (such as file uploads), may need to increase this setting.</p> <p>An overly \
high setting can create a denial of service vulnerability in which an attacker \
simultaneously performs several large POSTS - tying up server resources and network \
bandwidth.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Ensure that all <Connector> elements within \
JBOSS_HOME/server/[PROFILE]/deploy/jbossweb.sar/server.xml have appropriately \
configured maxPostSize attributes (104857600 or less).</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51944848">
<h3>Result for Harden Tomcat Connectors: limit maxSavePostSize</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4012</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The Tomcat container is \
commonly used to broker connections for JBoss. Several steps to harden the defined \
connectors can be taken quickly and easily. maxSavePostSize is the maximum size (in \
bytes) that is buffered during CLIENT-CERT and FORM authentication. The default \
setting of 4096 (4 KB) is sufficient for most environments.</p> <p>An overly high \
setting can inadvertently create a denial of service vulnerability in which many \
users are authenticated and tying up server resources.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Ensure that all <Connector> elements within \
JBOSS_HOME/server/[PROFILE]/deploy/jbossweb.sar/server.xml have appropriately \
configured maxSavePostSize attributes (12288 or less).</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51948912">
<h3>Result for Harden Tomcat Connectors: set server header tags</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4013</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The Tomcat container is \
commonly used to broker connections for JBoss. Several steps to harden the defined \
connectors can be taken quickly and easily. The server attribute controls the Server \
Header tag sent with each HTTP response. The default setting causes the server to \
return Apache-Coyote/1.1 with each HTTP response.</p> <p>Failure to set the server \
attribute aids malicious users in fingerprinting a web server. However, the server \
attribute is also used legitimately by some applications for identification.</p> \
<div class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Ensure that all HTTP <Connector> elements within \
JBOSS_HOME/server/[PROFILE]/deploy/jbossweb.sar/server.xml have appropriately \
configured server attributes (set to something other than Apache-Coyote/1.1).</p> \
</div> <p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51952976">
<h3>Result for Harden Tomcat Connectors: ciphers attribute</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4014</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The Tomcat container is \
commonly used to broker connections for JBoss. Several steps to harden the defined \
connectors can be taken quickly and easily. The ciphers attribute controls the what \
ciphers are used to negotiate secure connections. The default setting causes the \
server to use the ciphers allowed by the running Java Virtual Machine.</p> <p>In an \
environment where FIPS mode has been enabled for the JVM, overriding those settings \
can lead to system instability or the use of non-FIPS algorithms.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Ensure that all secure <Connector> elements within \
JBOSS_HOME/server/[PROFILE]/deploy/jbossweb.sar/server.xml have not defined cipher \
attributes.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51957040">
<h3>Result for Harden Tomcat Connectors: limit connectionTimeout</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4015</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The Tomcat container is \
commonly used to broker connections for JBoss. Several steps to harden the defined \
connectors can be taken quickly and easily. connectionTimeout is the time (in \
milliseconds) that the container will wait for URI content after receiving a \
connection. The default setting is 60000.</p>
<p>An overly high setting can be easily exploited to create a denial of \
service condition by tying up server resources.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Ensure that all HTTP <Connector> elements within \
JBOSS_HOME/server/[PROFILE]/deploy/jbossweb.sar/server.xml have appropriately \
configured connectionTimeout attributes (20000 or less).</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51961104">
<h3>Result for Configure Java Security Manager to use an environment \
specific policy</h3>
<p class="result-fail">Result: <strong class="strong">fail</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2043</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The Java Security Manager is a \
crucial piece of the Java security infrastructure. JBoss Enterprise Application \
Platform should be configured to load a Java security policy that has been vetted for \
use in the environment. This precludes the use of the simple default policy that \
ships with JBoss, but does not preclude the use of preconfigured policy files like \
the security policy designed for use in a Common Criteria environment (See JBoss \
Common Criteria Configuration Guide for details).</p> <p>A weak, default, or \
incomplete Java Security Manager policy file can completely compromise the security \
of a Java installation by granting excessive permissions to applications running \
within the sandbox. These permissions can be leveraged (maliciously or not) to run \
code against the operating system.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>To load an environment specific security policy, simply append the \
following line to JBOSS_HOME/bin/run.conf or JBOSS_HOME/bin/run.conf.bat as \
appropriate (depending on the host operating system).</p> <p>
<pre class="code">
<code>JAVA_OPTS="$JAVA_OPTS -Djava.security.manager \
-Djava.security.policy==[PATH TO POLICY FILE]"</code> </pre>
</p>
<p>NOTE: Using a prepackaged policy file is acceptable, as long as the \
policy file has been reviewed for compatibility and security within the current \
environment.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51964432">
<h3>Result for Ensure proper permissions are configured for interactions \
with JBoss JMX Kernel MBean</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2051</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Java permissions for MBeans \
should be carefully restricted to enforce the least privilege principle. These \
permissions are enforced by the Java Security Manager and the policies it loads at \
startup. These permissions can be assigned or restricted in an application-specific, \
granular manner.</p> <p>Java permissions for MBeans should be carefully restricted \
to enforce the least privilege principle. A JMX MBean server might have access to \
sensitive information and might be able to perform sensitive operations. JMX provides \
necessary access control that identifies which clients can access that information \
and who can perform those operations through the use of the Java Security Manager \
(JSM). An MBean has a management interface consisting of Named and typed attributes \
that can be read and written, Named and typed operations that can be invoked and \
Typed notifications that can be emitted by the MBean.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>The JBoss administrator must assign the most restrictive permissions \
possible (in accordance with the least privilege principle) for MBeans. This should \
be done in cooperation with system administrators, application developers and/or \
application documentation.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51968496">
<h3>Result for Ensure proper permissions are configured for deployed \
applications: java.io.FilePermission</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2052</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Deployed applications must not \
be granted file permissions - except to those that are dedicated to the application \
only. These permissions are enforced by the Java Security Manager and the policies it \
loads at startup. These permissions can be assigned or restricted in an \
application-specific, granular manner.</p> <p>Java permissions for deployed \
applications should be carefully restricted to enforce the least privilege principle. \
Granting unrestricted access to the host operating system creates a large attack \
vector for malicious users that have penetrated the JBoss server.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>The JBoss administrator must assign the most restrictive permissions \
possible (in accordance with the least privilege principle) for applications. This \
should be done in cooperation with application developers or application \
documentation.</p> <p>Application access granted to files by java.io.FilePermission \
must be located within the deployed application's directory path and be dedicated for \
use by the deployed application. Grant statements in conflict with this guidance \
should be modified or removed.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51972560">
<h3>Result for Ensure proper permissions are configured for deployed \
applications: java.net.NetPermission</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2053</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Deployed applications must not \
be granted network permissions. These permissions are enforced by the Java Security \
Manager and the policies it loads at startup. These permissions can be assigned or \
restricted in an application-specific, granular manner.</p>
<p>Java permissions for deployed applications should be carefully \
restricted to enforce the least privilege principle.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>The JBoss administrator must assign the most restrictive permissions \
possible (in accordance with the least privilege principle) for applications. This \
should be done in cooperation with application developers or application \
documentation.</p>
<p>Permissions granted to applications via java.net.NetPermission \
should be removed.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51976624">
<h3>Result for Ensure proper permissions are configured for deployed \
applications: java.lang.RuntimePermission</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2054</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Deployed applications must not \
be granted runtime permissions. These permissions are enforced by the Java Security \
Manager and the policies it loads at startup. These permissions can be assigned or \
restricted in an application-specific, granular manner.</p> <p>Java permissions for \
deployed applications should be carefully restricted to enforce the least privilege \
principle. Granting RuntimePermission to applications allows these applications to \
modify classloaders or modify the running security manager. Either of these actions \
can be used to elevate permissions and increase the number of potential damaging \
actions that can be taken.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>The JBoss administrator must assign the most restrictive permissions \
possible (in accordance with the least privilege principle) for applications. This \
should be done in cooperation with application developers or application \
documentation.</p>
<p>Permissions granted to applications via java.lang.RuntimePermission \
should be removed.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51980688">
<h3>Result for Ensure proper permissions are configured for deployed \
applications: java.net.SocketPermission</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2055</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Deployed applications must not \
be granted any socket permissions. These permissions are enforced by the Java \
Security Manager and the policies it loads at startup. These permissions can be \
assigned or restricted in an application-specific, granular manner.</p> <p>Java \
permissions for deployed applications should be carefully restricted to enforce the \
least privilege principle. Most well-designed applications will not need to directly \
manipulate sockets for network access (access to datasources should be handled \
through datasources, which can be assigned SocketPermission.).</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>The JBoss administrator must assign the most restrictive permissions \
possible (in accordance with the least privilege principle) for applications. This \
should be done in cooperation with application developers or application \
documentation.</p>
<p>Permissions granted to applications via java.net.SocketPermission \
should be removed.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51984752">
<h3>Result for Ensure proper permissions are configured for deployed \
applications: java.security.AllPermission</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2056</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Deployed applications must not \
be granted all permissions. These permissions are enforced by the Java Security \
Manager and the policies it loads at startup. These permissions can be assigned or \
restricted in an application-specific, granular manner.</p> <p>Java permissions for \
deployed applications should be carefully restricted to enforce the least privilege \
principle. Using AllPermissions is essentially disabling the Java security sandbox \
and is inadvisable in nearly every scenario.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>The JBoss administrator must assign the most restrictive permissions \
possible (in accordance with the least privilege principle) for applications. This \
should be done in cooperation with application developers or application \
documentation.</p>
<p>Permissions granted to applications via java.security.AllPermission \
should be removed.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51988816">
<h3>Result for Ensure default system Java Authentication and \
Authorization Service configuration is in use for JBoss Seam</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2028</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>For JBoss Seam, the simplified \
Java Authentication and Authorization Service configuration provided by the Seam \
Security API must not be used. The default system JAAS configuration should be used \
instead. Using the default system JAAS configuration ensures user identification and \
authentication are performed by the JBoss Enterprise Application Platform. JBoss Seam \
provides additional interfaces for implementing other security functions such as \
authorization (for example, entity bean permissions). This functionality is \
controlled by JBoss Seam, and is therefore outside the scope of the evaluated \
product.</p>
<p>Using an administrator specified JAAS configuration enables a more \
rigorous security posture.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Within components.xml, the security identity should specify a JAAS \
security domain to override the default Seam configuration. See the example \
below:</p> <p>
<pre class="code">
<code><security:identity jaas-config-name="[security \
domain]"/></code> </pre>
</p>
<p>Components.xml is typically located within the WEB-INF director of a \
deployed WAR. However, components.xml can also be located within the META-INF \
directory of a JAR or any JAR directory containing classes with a @Name \
annotation.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51992880">
<h3>Result for Validate keystore and keystorePasswordURL properties are \
defined and loaded by Java Security Manager</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2060</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Ensure keystore and keystorePasswordURL properties exist and are \
loaded by Java Security Manager.</p> <p>A keystore should be setup for production \
environments. Defining a keystore is a basic step towards implementing security and \
allowing for the use of public/private key cryptography for JBoss. The keystore \
should be password protected to protect the integrity of the keystore and prevent \
unauthorized modification.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Add the following lines to any loaded policy file:</p>
<p>
<pre class="code">
<code>keystore "file:[DESIRED PATH TO KEYSTORE]";
keystorePasswordURL "file:[DESIRED PATH TO PASSWORD FILE]";</code>
</pre>
</p>
<p>A typical configuration may look like the following:</p>
<p>
<pre class="code">
<code>keystore "file:${JBoss.server.home.dir}/cc.keystore";
keystorePasswordURL "file:${JBoss.server.home.dir}/cc.password";</code>
</pre>
</p>
<p>NOTE: The file names and paths may be different. Those shown are the \
defaults. If the keystore or password file are in different locations, the policy \
should reflect that.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp51996944">
<h3>Result for Validate a keystore file for JBoss exists and is \
accessible to JBoss</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2059</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Validate a keystore for JBoss exists and is accessible to JBoss.</p>
<p>A keystore should be setup for production environments. Defining a \
keystore is a basic step towards implementing security and allowing for the use of \
public/private key cryptography for JBoss. The keystore should be password protected \
to protect the integrity of the keystore and prevent unauthorized modification.</p> \
<div class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>To create a JBoss keystore, run the following command (you will be \
prompted to create a password):</p> <p>
<pre class="code">
<code>keytool -importcert -alias jboss -keystore [PATH TO KEYSTORE \
AS DEFINED IN POLICY FILE] -file [PATH TO TRUSTED CERTIFICATE TO IMPORT] -noprompt \
-trustcacerts</code> </pre>
</p>
<p>Setting permissions will vary by operating system, but typically \
commands like cacls, xacls, chmod, setfacl, etc can all be used to restrict \
permissions on the keystore. Only the JBoss process owner and JBoss administrators \
should have READ/WRITE access to the keystore.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52001008">
<h3>Result for Validate a password file for the Java keystore exists and \
is accessible to JBoss</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2160</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Validate a password file for the keystore defined in the properties \
file exists and is accessible to JBoss.</p> <p>A password-protected keystore should \
be setup for production environments. The password for the keystore should be stored \
in a password file to facilitate automated startup of JBoss Enterprise Application \
Platform.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>To add a password file for a JBoss keystore, simply add the \
plain-text password to a file and then specify that file in a loaded Java Security \
Manager policy.</p>
<p>First, ensure the password file location is identified in the policy \
file being loaded by the Java Security Manager:</p> <p>
<pre class="code">
<code>keystorePasswordURL "file:[DESIRED PATH TO KEYSTORE PASSWORD \
FILE]";</code> </pre>
</p>
<p>Next, add the plain-text password to file whose location you just \
defined.</p> <p>Finally, restrict permissions on the password file so that only the \
JBoss process owner account and JBoss administrators have READ/WRITE access. Setting \
permissions will vary by operating system, but typically commands like cacls, xacls, \
chmod, setfacl, etc can all be used to restrict permissions on the keystore. Only the \
JBoss process owner and JBoss administrators should have READ/WRITE access to the \
password file.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52005072">
<h3>Result for Validate JBoss keystore is password protected</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2158</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Validate the keystore loaded by \
the Java Security Manager is password protected. Password protecting the Java \
keystore used by JBoss issued to protect the integrity of the keystore. It does not \
prevent listing the content, but it does prevent modification of the keystore. \
Private keys within the keystore are still protected by their own passwords to \
prevent disclosure.</p> <p>Failure to protect the integrity of the keystore used by \
JBoss can result in authorized modification of the keystore and subsequent \
certificate trust compromises for JBoss.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Determine which keystore is being used by JBoss. In a default JBoss \
deployment the following policy file will be utilized by Java Security Manager: \
java.home/lib/security/java.security (Common Criteria installations are typically \
configured to use the JBOSS_HOME/bin/security_cc.policy file). Additional policy \
files can be specified either at runtime (through run.conf or run.conf.bat) or by \
chaining existing policy files (policy.url.x=file:/user/application/java.policy). \
Search for a property similar to the following:</p> <p>
<pre class="code">
<code>keystore "file:[PATH TO KEYSTORE]";</code>
</pre>
</p>
<p>Add a password to the keystore:</p>
<p>
<pre class="code">
<code>keytool -storepasswd -keystore [PATH TO KEYSTORE]</code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52009136">
<h3>Result for Ensure jboss alias is trusted within the JBoss \
keystore</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2061</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The jboss alias must be a \
trustedCertEntry with the JBoss Java keystore. This allows code signed by with the \
default JBoss certificate to run when using a restrictive policy file.</p> <p>A \
keystore should be setup for production environments with JBoss as a trustedCertEntry \
for proper functioning of the JBoss Enterprise Application Platform.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>To ensure the Jboss alias is a trustedCertEntry, the certificate \
must be imported to the keystore with the proper command:</p> <p>
<pre class="code">
<code>keytool -importcert -alias jboss -keystore [PATH TO KEYSTORE] \
-file JBOSS_HOME/bin/JBossPublicKey.RSA -noprompt -trustcacerts</code> </pre>
</p>
<p>You can check the result with the following keytool command:</p>
<p>
<pre class="code">
<code>keytool -list -keystore [PATH TO KEYSTORE]</code>
</pre>
</p>
<p>You should get similar results to those below:</p>
<p>
<pre class="code">
<code>Your keystore contains 1 entry
jboss, May 17, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 93:F2:F1:8B:EF:8A:E0:E3:D0:E7:69:BC:69:96:29:C1</code>
</pre>
</p>
<p>Alternatively, the Jboss public key can be added to the Java \
keystore:</p> <p>
<pre class="code">
<code>keytool -importcert -alias jboss -keystore \
JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file \
JBOSS_HOME/bin/JBossPublicKey.RSA -noprompt -trustcacerts</code> </pre>
</p>
<p>If the system Java keystore is used, the password should be changed \
with the following command. This may affect the functioning of other applications \
using the system Java keystore.</p> <p>
<pre class="code">
<code>keytool -storepasswd -keystore \
JAVA_HOME/jre/lib/security/cacerts</code> </pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52013216">
<h3>Result for Ensure applications deployed by JBoss present valid DoD \
certificates where applicable</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4005</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>JBoss applications implementing encryption should present a valid DoD \
issued X.509 certificate for purposes of identifying the server.</p> <p>Establishing \
trust between clients and servers is an important part of information security. \
Presenting a valid X.509 certificate leverages the mutually-trusted DoD Public Key \
Infrastructure. Failure to present a valid DoD certificate undermines user \
confidence, presents an inconsistent user experience for security, and creates \
potential for abuse of trust by malicious entities.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>The JBoss administrator must work with the local security manager \
and certificate registrar to successfully request a certificate from a DoD \
Certificate Authority.</p> <p></p>
<p>Once a valid X.509 certificate has been obtained from a Certificate \
Authority within the DoD PKI, the certificate and associated private key can be \
installed in the JBoss keystore. The following example imports a PCKS12 \
public/private key pair into a Java Key Store.
<pre class="code"><code>keytool -importkeystore -v -srckeystore KEYSTORE.p12 \
-srcstoretype PKCS12 -keystore NEW_KEYSTORE.jks</code></pre></p>
<p>The final step is to enable TLS on whichever Tomcat connector is \
used by the deployed application.</p> <p>
<pre class="code">
<code>
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/NEW_KEYSTORE.jks"
keystorePass="KEYSTORE_PASSWORD" sslProtocol = "TLS" />
</code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52017280">
<h3>Result for Ensure X.509 keystore utilized by JBoss for certificate \
trusts contains DoD approved Certificate Authorities</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4006</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>JBoss applications implementing encryption should utilize the DoD \
Public Key Infrastructure.</p> <p>Establishing trust between clients and servers is \
an important part of information security. Validating client X.509 certificates \
against the DoD Public Key Infrastructure leverages the enterprise trust system. \
Failure to validate client certificates undermines the enterprise trust \
infrastructure and makes the JBoss server vulnerable to trust abuse exploits.</p> \
<div class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Download and install the DoD CA certificates. Currently, the CA \
certificates can be retrieved from https://crl.gds.disa.mil/.</p>
<p>The keys can be added to the keystore with a command similar to the \
following:</p> <p>
<pre class="code">
<code>keytool -importcert -keystore [PATH TO KEYSTORE] -storepass \
[KEYSTORE PASSWORD] -file [PATH TO CERTIFICATE] -noprompt -trustcacerts</code> \
</pre> </p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52021344">
<h3>Result for Ensure deployed applications requiring authentication \
utilizes DoD PKI Class 3 or Class 4 certificate and hardware security token or \
NSA-certified product</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4007</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>JBoss applications implementing \
authentication should utilize the DoD Public Key Infrastructure. The DoD Public Key \
Infrastructure is designed to use hardware tokens such as the Common Access Card in \
conjunction with issued X.509 certificates. These tokens are typically protected \
with a PIN that unlocks access to the private certificate stored on the token.</p> \
<p>Leveraging the DoD Public Key Infrastructure increases the security of an \
application because the DoD PKI raises the bar for exploitation of user identities. \
Applications that require authentication and do not utilize PKI must then rely on a \
less secure form of authentication, such as username and password. Additionally, \
current DoD guidance requires the use of DoD PKI over username and password.</p> \
<div class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>First, setup an <application-policy> that enforces \
certificate-based authentication. This can be accomplished in the following \
files:</p> <p></p>
<p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/conf/login-config.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/[APPLICATION]/META-INF/*-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/[APPLICATION]/WEB-INF/*-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/*-jboss-beans.xml</p>
</li>
</ul>
</p>
<p>The <application-policy> should resemble the example \
below:</p> <p>
<pre class="code">
<code><application-policy name="JBossTestRealm">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" \
flag="required"> <module-option \
name="usersProperties">testUsers.properties</module-option> \
<module-option name="rolesProperties">testRoles.properties</module-option>
</login-module>
</authentication>
</application-policy></code>
</pre>
</p>
<p>Next, add the <application-policy> to the deployment \
descriptors and setup the <security-constraint>.</p>
<p>JBOSS_HOME/server/[PROFILE]/deploy/[APPLICATION]/WEB-INF/jboss-web.xml</p>
<p></p>
<p>
<pre class="code">
<code><security-domain>java:/jaas/JBossTestRealm</security-domain></code>
</pre>
</p>
<p>JBOSS_HOME/server/[PROFILE]/deploy/[APPLICATION]/WEB-INF/web.xml</p>
<p></p>
<p>
<pre class="code">
<code><security-constraint>
<web-resource-collection>
<web-resource-name>TestResource</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>JBossTestRole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Test realm</realm-name>
</login-config>
<security-role>
<role-name>JBossTestRole</role-name>
</security-role></code>
</pre>
</p>
<p>Define a keystore to be used via the JaasSecurityDomain MBean:</p>
<p>JBOSS_HOME/server/[PROFILE]/deploy/[APPLICATION]/jboss-service.xml:</p>
<p>
<pre class="code">
<code><mbean \
code="org.jboss.security.plugins.JaasSecurityDomain" \
name="jboss.ch8:service=SecurityDomain"> <constructor>
<arg type="java.lang.String" value="JBossTestRealm"/>
</constructor>
<attribute name="KeyStoreURL">resource:test.keystore</attribute>
<attribute name="KeyStorePass">cleartext-password-that-should-be-masked</attribute>
</mbean></code>
</pre>
</p>
<p>Finally, import the client certificates into the keystore using the \
keytool command. For example:</p> <p>
<pre class="code">
<code>keytool -importcert -alias "DN ON THE CERTIFICATE" -keystore \
JBOSS_HOME/server/[PROFILE]/conf/test.keystore -file [PATH TO CERTIFICATE]</code> \
</pre> </p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52025408">
<h3>Result for Enable Federal Information and Processing Systems 140-2 \
(FIPS) compliant cryptographic modules for use by JBoss Java \
environment</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4008</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>While JBoss itself has no need \
to load FIPS compliant modules, the underlying technologies such as Java and the \
Apache Tomcat webcontainer do. Utilizing only FIPS compliant modules decreases \
compatibility with applications that are not FIPS enabled.</p> <p>Enabling FIPS \
compliant algorithms ensures that the underlying technologies that JBoss works \
through are using cryptographic modules that have been vetted by NIST for security, \
stability, and strength. Failure to utilize FIPS certified modules may cause the \
underlying technologies used by JBoss to utilize older, less secure algorithms. \
Failure to enable only FIPS compliant modules may also have regulatory consequences, \
as FIPS 140-2 requires the use of FIPS compliant modules by all federal agencies.</p> \
<div class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>As this check is not specific to JBoss, validation steps will vary \
dependent on the Java vendor in use.</p> <p>For IBM JRE/JDK 6.x:</p>
<p>Add the following provider to the \
JAVA_HOME/jre/lib/security/java.security file:</p> <p></p>
<p>
<ul class="itemizedlist">
<li>
<p>security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS</p>
</li>
</ul>
</p>
<p>NOTE: There will be a list of several providers already in place, \
numbered 1 to X. The FIPS compliant providers MUST go at the top of the list as #1 \
and #2. The other providers must be re-numbered.</p>
<p>Ensure the following line exists in the System.Defaults properties \
file:</p> <p></p>
<p>
<ul class="itemizedlist">
<li>
<p>com.ibm.jsse2.usefipsprovider=true</p>
</li>
</ul>
</p>
<p>Finally, ensure the following two properties are defined in \
JAVA_HOME/jre/lib/security/java.security:</p> <p></p>
<p>
<ul class="itemizedlist">
<li>
<p>ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl</p>
</li>
<li>
<p>ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl</p>
</li>
</ul>
</p>
<p>For Sun JRE/JDK 6.x:</p>
<p>Add the following provider to the \
JAVA_HOME/jre/lib/security/java.security file:</p> <p></p>
<p>
<ul class="itemizedlist">
<li>
<p>security.provider.1=com.sun.net.ssl.internal.ssl.Provider \
SunPKCS11-NSS</p> </li>
</ul>
</p>
<p>NOTE: There will be a list of several providers already in place, \
numbered 1 to X. The FIPS compliant provider MUST go at the top of the list as #1. \
The other providers must be re-numbered.</p> <p>Now the deployed applications must \
be written to take advantage of the FIPS enabled providers. The Sun SunJSSE provider \
must be initialized at run-time with the FIPS boolean value as true.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52029472">
<h3>Result for Eliminate clear-text passwords: data sources</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1136</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Eliminate clear-text passwords \
in data source configuration files. The class \
org.jboss.resource.security.SecureIdentityLoginModule can be used to both encrypt \
database passwords and to provide a decrypted version of the password when the data \
source configuration is required by the server. The SecureIdentityLoginModule uses a \
hard-coded password to encrypt/decrypt the data source password.</p> <p>Clear-text \
passwords are an unnecessary security vulnerability. While risk of exposure can be \
mitigated through configured permissions and file ownership, these methods do not \
completely remediate the risk.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Following the extensive instructions located within Chapter 17, \
"Encrypting Data Source Passwords" of the JBoss Enterprise Application Platform 5 \
Security Guide, 2011. While too lengthy to contain here, the summarized steps \
include:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>Encrypt the data source password.</p>
</li>
<li>
<p>Create an application authentication policy with the encrypted \
password.</p> </li>
<li>
<p>Configure the data source to use the application authentication \
policy.</p> </li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52033536">
<h3>Result for Eliminate clear-text passwords: Tomcat Connectors</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1163</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Eliminate clear-text passwords \
in: Tomcat Connectors.</p> <p>Clear-text passwords are an unnecessary security \
vulnerability. While risk of exposure can be mitigated through configured permissions \
and file ownership, these methods do not completely remediate the risk.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Following the extensive instructions located within Chapter 18, \
"Encrypting the Keystore Password in a Tomcat Connector" of the JBoss Enterprise \
Application Platform 5 Security Guide, 2011. While too lengthy to contain here, the \
summarized steps include:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>Configure JaasSecurityDomain MBean</p>
</li>
<li>
<p>Generate encrypted password</p>
</li>
<li>
<p>Update the Tomcat service MBean</p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52037600">
<h3>Result for Eliminate clear-text passwords: XML configuration \
files</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1165</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Using password masking, eliminate clear-text passwords in XML \
configuration files.</p> <p>Clear-text passwords are an unnecessary security \
vulnerability. While risk of exposure can be mitigated through configured permissions \
and file ownership, these methods do not completely remediate the risk.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Follow the extensive instructions located within Chapter 16, \
"Masking Passwords in XML Configuration" of the JBoss Enterprise Application Platform \
5 Security Guide, 2011. These instructions are too lengthy to summarize here.</p> \
</div> <p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52041664">
<h3>Result for Change default password: JBoss Messaging \
MessageSucker</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4002</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>JBoss Messaging ships with a \
default MessageSucker password located within the Messaging ServerPeer configuration. \
This password is used by JBoss to create connections and pass messages between \
nodes.</p> <p>The SuckerPassword ships with a default clear-text password that can \
be used by attackers to pass messages to default installations of Jboss. The exact \
content and ramifications of these messages will depend on the listening applications \
(application logic, input validations, etc.). Failure to change this password can \
allow an attacker to create connections and pass messages to nodes.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Open the Jboss Messaging configuration file for the Messaging \
ServerPeer located here:</p> <p>
JBOSS_HOME/server[PROFILE]/deploy/messaging/messaging-jboss-beans.xml
</p>
<p>Locate the element <property name="suckerPassword" > and \
change the contents to a new password generated in accordance with your \
organization's password security requirements, restricting the use of predefined XML \
entities such as <'>@" or escaping them if you do. For \
example:</p>
<p><property name="suckerPassword" \
>Lmf3SdntiDFF6(D5</property></p> <p>The encrypted version of this password \
can be added to JBOSS_HOME/server[PROFILE]/deploy/messaging/messaging-service.xml by \
following the directions located in Follow the extensive instructions located within \
Chapter 16, "Masking Passwords in XML Configuration" of the JBoss Enterprise \
Application Platform 5 Security Guide, 2011.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52045728">
<h3>Result for Change default password: Java cacerts keystore</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4003</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The Java cacerts keystore is \
installed by default with most versions of Java. It contains X.509 public \
certificates for a set of default commercial Certificate Authorities.</p> <p>To \
prevent compromise of the server's X.509 trust chains, the well-known default \
password on the cacerts keystore should be changed. Failure to change this password \
could lead to the malicious modification of trusted X.509 CA's.</p> <p>This would \
allow attackers to create connections as trusted entities, sign malicious could as a \
trusted entity, or create any other number of X.509 certificate abuses.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Add a password to the default Java cacerts keystore:</p>
<p>
<pre class="code">
<code>keytool -storepasswd -keystore [PATH TO KEYSTORE]</code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52049792">
<h3>Result for Ensure Security Audit Appender is enabled</h3>
<p class="result-fail">Result: <strong class="strong">fail</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2019</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The Security Audit Appender \
must be enabled. The Security Audit Appender and the Security Audit Provider category \
together set up the audit infrastructure that allows deployed applications to easily \
audit authentication and authorization events. </p>
<p>Enabling the Security Audit Appender is a necessary component of \
comprehensive auditing in a secure production environment.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Ensure the Security Audit Appender is defined within \
JBOSS_HOME/server/[PROFILE]/conf/jboss-log4j.xml. By default, the Security Audit \
Appender exists and just needs to be uncommented.</p> <p>
<pre class="code">
<code><!-- Security AUDIT Appender -->
<appender name="AUDIT" \
class="org.jboss.logging.appender.DailyRollingFileAppender"> <errorHandler \
class="org.jboss.logging.util.OnlyOnceErrorHandler"/> <param name="File" \
value="${JBoss.server.log.dir}/audit.log"/> <param name="Append" \
value="true"/> <param name="DatePattern" value="'.'yyyy-MM-dd"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p [%c] (%t:%x) %m%n"/>
</layout>
</appender></code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52053120">
<h3>Result for Ensure Security Audit Provider is enabled</h3>
<p class="result-fail">Result: <strong class="strong">fail</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2020</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The Security Audit Provider \
category must be enabled for production environments. The Security Audit Appender and \
the Security Audit Provider category together set up the audit infrastructure that \
allows deployed applications to easily audit authentication and authorization events. \
</p>
<p>Enabling the Security Audit Provider category is a necessary component \
of comprehensive auditing in a secure production environment.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Ensure the Security Audit Provider category is defined within \
JBOSS_HOME/server/[PROFILE]/conf/jboss-log4j.xml. By default, the Security Audit \
Provider category exists and just needs to be uncommented.</p> <p>
<pre class="code">
<code><!-- Category specifically for Security Audit Provider \
--> <category name="org.jboss.security.audit.providers.LogAuditProvider" \
additivity="false"> <priority value="TRACE"/>
<appender-ref ref="AUDIT"/>
</category></code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52056448">
<h3>Result for Ensure Configure SecurityInterceptor logging level is set \
correctly</h3>
<p class="result-fail">Result: <strong class="strong">fail</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2021</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Production environments of JBoss require enhanced auditing on the \
SecurityInterceptor class. </p> <p>Enabling TRACE priority logging on the \
SecurityInterceptor class is a necessary component of comprehensive auditing in a \
secure production environment.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Ensure a category is defined for SecurityInterceptor class with a \
priority of TRACE within JBOSS_HOME/server/[PROFILE]/conf/jboss-log4j.xml.</p> <p>
<pre class="code">
<code><category \
name="org.jboss.ejb.plugins.SecurityInterceptor"> <priority value="TRACE" \
/> <appender-ref ref="AUDIT" />
</category></code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52059776">
<h3>Result for Ensure logging is enabled for Microcontainer bootstrap \
operations</h3>
<p class="result-fail">Result: <strong class="strong">fail</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2022</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Production environments of JBoss require auditing for Microcontainer \
bootstrap operations. </p>
<p>Logging Microcontainer bootstrap operations is a necessary component \
of comprehensive auditing in a secure production environment.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Set the priority and appender-ref levels for the Microcontainer \
bootstrap by adding the <category> block as specified to \
JBOSS_HOME/server/[PROFILE]/conf/jboss-log4j.xml.</p> <p>
<pre class="code">
<code><category name="org.jboss.bootstrap.microcontainer">
<priority value="INFO"/>
<appender-ref ref="AUDIT"/>
</category></code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52063104">
<h3>Result for Ensure logging is enabled for web-based requests if \
required by deployed applications</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2023</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>In the event that application requirements dictate additional logging \
for web-based requests, the AccessLogValve should be enabled.</p>
<p>If application owners determine that additional logging of web-based \
requests is desired, it should be enabled.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Ensure the following <Valve> exists within: \
JBOSS_HOME/server/[PROFILE]/deploy/jbossweb.sar/server.xml. By default, this \
<Valve> simply needs to be uncommented.</p> <p>
<pre class="code">
<code><Valve \
className="org.apache.catalina.valves.AccessLogValve" prefix="localhost_access_log." \
suffix=".log" pattern="common" directory="${JBoss.server.home.dir}/log" \
resolveHosts="false" /></code> </pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52067168">
<h3>Result for Ensure all required information is displayed in \
<layout></h3>
<p class="result-fail">Result: <strong class="strong">fail</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2024</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>The Security Audit Appender must log all identified information. </p>
<p>Logging full event information to the Security Audit Appender is a \
necessary component of comprehensive auditing in a secure production environment.</p> \
<div class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Enable server startup and shutdown events by making the following \
change to JBOSS_HOME/server/[PROFILE]/conf/jboss-log4j.xml. Update the \
ConversionPattern parameter in the Security Audit Appender to show thread information \
by replacing the default ConversionPattern with the pattern below:</p> <p>
<pre class="code">
<code><!--The full pattern: Date MS Priority [Category] \
(Thread:NDC) Message --> <layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5r %-5p [%c] (%t:%x) %m%n"/>
</layout></code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52070496">
<h3>Result for Production applications should not log output to the JBoss \
console</h3>
<p class="result-fail">Result: <strong class="strong">fail</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1103</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Turn off console logging in production. Console logging in a \
production environment is a needless drain on system resources. </p> <p>Logging to \
console is a potentially resource intensive activity that should be disabled in \
production environments. Additionally, disabling console logging removes a potential \
source of information leakage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to prevent JBoss from logging to console, open the \
JBOSS_HOME/server/[PROFILE]/conf/jboss-log4j.xml file. Next, remove or comment out \
the <appender-ref> element with a ref attribute value of 'CONSOLE'. This \
<appender-ref> element will be a child of the <root> element, typically \
located near the end of the document.</p> <p>
<pre class="code">
<code><root>
<!--Set the root logger priority via a system property. Note this is parsed by \
log4j, so the full JBoss system property format is not supported; e.g.
setting a default via ${jboss.server.log.threshold:WARN} will not work.-->
<priority value="${jboss.server.log.threshold}"/>
<!-- appender-ref ref="CONSOLE"/ -->
<appender-ref ref="ASYNC"/>
</root></code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52073824">
<h3>Result for Ensure JBoss process owner is executing with least \
privilege</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4004</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Operating environment permissions assigned to the JBoss process owner \
should be in compliance with the principle of least privilege.</p> <p>In order to \
reduce the potential impact of exploitation against the JBoss application server (and \
the rest of the operating environment), the JBoss process owner should execute with \
as few permissions as possible in the environment (if the account is not local to the \
operating system or is distributed across multiple operating systems). Failure to \
limit permissions can dramatically increase the severity of exploits against the \
JBoss server, such as the execution of arbitrary code.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Steps for implementing this configuration will vary dependent upon \
operating system. On Red Hat or Linux systems, use /etc/group and /etc/passwd to \
assign the JBoss process owner a unique local account and group (and limit its group \
membership). Windows systems can create local accounts through the Computer \
Management console (compmgmt.msc) and User Rights Assignments managed through the \
Local Security Policy console (secpol.msc)..</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52077888">
<h3>Result for Deny the JBoss process owner console access</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1099</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>The JBoss Application Server process owner should not have interactive \
console login access.</p> <p>In order to limit access in the event of an \
exploitation of the Jboss or one of its deployed applications, the account owning the \
Jboss process should be limited in its ability to interact with the supporting \
operating system where possible. Thus, the JBoss process owner account should not \
have interactive console access. </p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Steps for implementing this configuration will vary, dependent upon \
operating system:</p> <p>Red Hat Enterprise Linux: To prevent users from gaining \
interactive access to the system console, simply ensure that they are assigned no \
shell interpreter via the /etc/passwd file. For instance, a properly configured \
passwd entry for the JBoss account owner may resemble this:</p> <p>
<pre class="code">
<code>jboss:x:494:494:JBossAS:/var/lib/jbossas:/sbin/nologin</code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52081952">
<h3>Result for Set JBoss file ownership</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1162</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>All JBoss Enterprise Application Platform files within JBOSS_HOME \
should be owned by the JBoss process owner account.</p> <p>To prevent unauthorized \
modification or disclosure of JBoss configuration settings, all files within \
JBOSS_HOME should be owned by the JBoss process owner account.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Steps for implementing this configuration will vary, dependent upon \
operating system. </p> <p>On Red Hat and Linux, use chown to ensure the JBoss \
process owner owns all JBoss configuration files (JBOSS_HOME and subdirectories); \
JBoss administrators may be the group owners.</p> <p>Windows environments can use \
the explorer GUI or cacls/xcacls to ensure the JBoss process owner owns all JBoss \
configuration files (JBOSS_HOME and subdirectories).</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52086016">
<h3>Result for Set JBoss file permissions</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1098</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>All JBoss Enterprise \
Application Platform files within JBOSS_HOME should be readable by the JBoss \
Application Server process owner and JBoss administrators only.</p> <p>To prevent \
unauthorized modification or disclosure of JBoss configuration settings, access to \
all JBoss related files within JBOSS_HOME should be restricted to the JBoss process \
owner and JBoss administrators.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Steps for implementing this configuration will vary, dependent upon \
operating system. </p>
<p>Red Hat Enterprise Linux: Use chmod to restrict permissions on files \
to at least 660 for all files in JBOSS_HOME and subdirectories.</p>
<p>Windows environments can use the explorer GUI or cacls/xcacls to \
restrict permissions for all files in JBOSS_HOME and subdirectories.</p> <p>File \
permissions should be restricted to READ/WRITE for JBoss process owner and JBoss \
administrators. Other accounts that may require READ access include version control \
accounts or process owners for backup software.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52090080">
<h3>Result for Ensure JMX Console is either secured or removed</h3>
<p class="result-pass">Result: <strong class="strong">pass</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2006</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The JMX Console application \
must be secured so it is accessible by trusted administrators only. If this condition \
is not met, the application must be removed (deleted) from deployment.</p> <p>The \
JMX Console should require authentication or be removed. Failure to require \
authentication may allow unauthenticated users to invoke commands or gather \
information on the JBoss server. This access can be leveraged to do many things, \
including loading additional code from a malicious source.</p> <p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52093408">
<h3>Result for Ensure Web Console is either secured or removed</h3>
<p class="result-pass">Result: <strong class="strong">pass</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2007</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The Web Console application \
must be secured so it is accessible by trusted administrators only. If this condition \
is not met, the application must be removed (deleted) from deployment.</p> \
<p>Failure to secure the default consoles against unauthorized access can quickly \
lead to system compromise. The default consoles included with JBoss are a well-known \
attack vector that can be leveraged to load malicious code to be executed on the \
server.</p> <p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52096736">
<h3>Result for Ensure Administration Console is either secured or \
removed</h3>
<p class="result-pass">Result: <strong class="strong">pass</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2008</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The Administration Console \
application must be secured so it is accessible by trusted administrators only. If \
this condition is not met, the application must be removed (deleted) from \
deployment.</p> <p>Failure to secure the default consoles against unauthorized \
access can quickly lead to system compromise. The default consoles included with \
JBoss are a well-known attack vector that can be leveraged to load malicious code to \
be executed on the server.</p> <p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52100064">
<h3>Result for The JMXInvokerServlet servlet must be secured against web \
attacks</h3>
<p class="result-fail">Result: <strong class="strong">fail</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2029</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The httpha-invoker.sar found in \
the deploy directory is a service that provides RMI/HTTP access for EJBs and the JNDI \
Naming service. By default older JBoss versions ship with a default set of \
<http-method> that allow attackers to bypass the security policy for JMX \
Invoker.</p> <p>Removing the default <http-method> security constraints allows \
JBoss to apply configured security settings to all HTTP verbs instead of only those \
specified. This is a well-known attack vector and failing to remove these constraints \
may allow attackers to gain authenticated or unauthorized access to the \
JMXInvokerServlet.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Within the \
JBOSS_HOME/server/[PROFILE]/deploy/httpha-invoker.sar/invoker.war/WEB-INF/web.xml \
file, the following lines must be removed from the \
web-app/security-constraint/web-resource-collection node:</p> <p>
<pre class="code">
<code><http-method>GET</http-method>
<http-method>POST</http-method></code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52103392">
<h3>Result for The JMXInvokerServlet servlet must be configured to \
prevent unprivileged access using authentication</h3>
<p class="result-fail">Result: <strong class="strong">fail</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2030</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The jmx-invoker-service.xml is \
a service that exposes the JMX MBeanServer interface via an RMI compatible interface \
using the RMI/JRMP detached invoker service. This interface must be made unavailable \
to unprivileged users which can be done by using the \
org.jboss.jmx.connector.invoker.AuthenticationInterceptor interceptor for performing \
identification and authentication using JAAS. </p> <p>The JMXInvokerServlet should \
require authentication. Failure to require authentication may allow unauthenticated \
users to invoke commands on the JBoss server. This access can be leveraged to do \
many things, including loading additional code from a malicious source.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Open JBOSS_HOME/server/[PROFILE]/deploy/jmx-invoker-service.xml, and \
ensure the <operation> element with child element \
<name>invoke</name> also contains the following <interceptor>:</p> \
<p> <pre class="code">
<code><interceptors>
<interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" \
securityDomain="java:/jaas/jmx-console"/> </interceptors></code>
</pre>
</p>
<p>Next, ensure a valid authentication module is enabled for the \
security domain. For example, the following elements exist within logon-config.xml \
and implement authentication using the UsersRolesLoginModule:</p> <p>
<pre class="code">
<code><application-policy name="jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" \
flag="required"> <module-option \
name="usersProperties">props/jmx-console-users.properties</module-option> \
<module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
</login-module>
</authentication>
</application-policy></code>
</pre>
</p>
<p>NOTE: By default, this forces the invoker to authenticate against \
the jmx-console-users.properties file, located here: \
JBOSS_HOME/server/PROFILE/conf/prop/
<br />NOTE: The securityDomain does not have to be called jmx-console.</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52106720">
<h3>Result for The JMXInvokerServlet servlet must be configured to \
prevent unprivileged access using authorization</h3>
<p class="result-fail">Result: <strong class="strong">fail</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2031</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The jmx-invoker-service.xml is \
a service that exposes the JMX MBeanServer interface via an RMI compatible interface \
using the RMI/JRMP detached invoker service. Access control for authenticated users \
must be configured using the interceptors of either \
org.jboss.jmx.connector.invoker.RolesAuthorization or \
org.jboss.jmx.connector.invoker.ExternalizableRolesAuthorization. </p> <p>The \
JMXInvokerServlet should require authorization. Failure to require authorization may \
allow unauthenticated users to invoke commands on the JBoss server. This access can \
be leveraged to do many things, including loading additional code from a malicious \
source.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Open JBOSS_HOME/server/[PROFILE]/deploy/jmx-invoker-service.xml, and \
ensure the <operation> element with child element \
<name>invoke</name> also contains the following <interceptor>:</p> \
<p> <pre class="code">
<code><interceptors>
<interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor" \
authorizingClass="org.jboss.jmx.connector.invoker.RolesAuthorization"/> \
</interceptors></code> </pre>
</p>
<p>Next, ensure a valid authorization module is enabled for the \
security domain. For example, the following elements exist within logon-config.xml \
and implement authorization using the UsersRolesLoginModule:</p> <p>
<pre class="code">
<code><application-policy name="jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" \
flag="required"> <module-option \
name="usersProperties">props/jmx-console-users.properties</module-option> \
<module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
</login-module>
</authentication>
</application-policy></code>
</pre>
</p>
<p>NOTE: By default, this forces the invoker to authenticate against \
the jmx-console-users.properties file, located here: \
JBOSS_HOME/server/PROFILE/conf/prop/<br />NOTE: The securityDomain does not have to \
be called jmx-console. </p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52116704">
<h3>Result for Password hashing must be enabled within the appropriate \
login module</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2015</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>A Security Domain is a set of \
authentication, authorization, and mapping policies defined in XML and are available \
to applications at runtime using Java Naming and Directory Interface \
(JNDI).</p>
<p>Failure to enable password hashing within a login module can result in \
plain-text exposure client passwords used for authentication.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Add the following child element to any \
<application-policy><login-module> in use:</p> <p>
<pre class="code">
<code><module-option \
name="hashUserPassword">true</module-option></code> </pre>
</p>
<p>An <application-policy> can be defined in the server profile \
conf directory, in an application deployment descriptor, or directly deployed as an \
MBean.</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/conf/login-config.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/[APPLICATION]/META-INF/*-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/[APPLICATION]/WEB-INF/*-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/*-jboss-beans.xml</p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52120768">
<h3>Result for A password hashing algorithm must be defined within the \
appropriate login module</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2017</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>A Security Domain is a set of \
authentication, authorization, and mapping policies defined in XML and are available \
to applications at runtime using Java Naming and Directory Interface (JNDI). An \
<application-policy> can be defined in the server profile or in an application \
deployment descriptor.</p> <p>By default, a hashing algorithm is not identified for \
hashing clear-text passwords. DoD organizations should use the SHA algorithm or \
higher whenever possible to prevent collision attacks against captured password \
hashes.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Add the following child element to any \
<application-policy><login-module> in use:</p> <p>
<pre class="code">
<code><module-option \
name="hashAlgorithm">SHA</module-option></code> </pre>
</p>
<p>An <application-policy> can be defined in the server profile \
conf directory, in an application deployment descriptor, or directly deployed as an \
MBean.</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/conf/login-config.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/[APPLICATION]/META-INF/*-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/[APPLICATION]/WEB-INF/*-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/*-jboss-beans.xml</p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52124832">
<h3>Result for Enterprise JavaBeans Specification v2.1 must be strictly \
followed</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2068</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The programming restrictions \
mandated by the Enterprise JavaBeans Specification v2.1 must be strictly followed. \
For more information, refer to JSR-000153 Enterprise JavaBeans 2.1 specification. \
(Section 25.2, pages 562-564).</p> <p>Deployed applications should follow identified \
standards, procedures, and best practices. Compliance has many benefits, including \
helping applications stay interoperable with other programs and containers, \
implementing strong security and code standards, and improving performance and \
efficiency.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Developers must follow Enterprise JavaBeans Specification v2.1.</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52128896">
<h3>Result for Ensure adequate physical protections are in place</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2062</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>The hardware and software \
executing JBoss Enterprise Application Platform, as well as the software critical to \
security policy enforcement must be protected from unauthorized modification \
including unauthorized modifications by potentially hostile outsiders. Reasonable \
physical security measures to ensure that unauthorized personnel do not have physical \
access to the hardware running the JBoss Enterprise Application Platform software \
must be implemented.</p>
<p>Many software security precautions can easily be bypassed by personnel \
with physical access to hardware storing data or executing an application.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Implement reasonable physical access controls to protect the \
hardware running and storing information for JBoss Enterprise Application Platform. \
Typically, these sorts of protections will include locked doors, locked server \
cabinets, security alarms, cameras, door guards, etc. What is considered 'reasonable' \
will scale with the importance of the JBoss server and the sensitivity of the \
information it processes.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52132960">
<h3>Result for Assign a JBoss administrator</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2063</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>There must be one or more \
competent individuals who are assigned to manage JBoss Enterprise Application \
Platform, its environment and the security of the information it contains.</p> \
<p>Incompetent, careless, or negligent JBoss administrators can completely invalidate \
a secure JBoss configuration and create numberless problems for JBoss.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Ensure a minimum level of competency / expertise has been \
established for JBoss administrators before granting them access to production \
systems.</p>
<p>Ensure documentation and procedures exist (and are followed) for \
routine administrative tasks.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52137024">
<h3>Result for Document incident response procedures</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1129</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Ensure well developed \
procedures exist for incident handling. Incidents include any events that are \
anomalous to the environment, which typically include: </p>
<ul class="itemizedlist">
<li>
<p>Intrusions (possibly including attempts)</p>
</li>
<li>
<p>Application failures</p>
</li>
<li>
<p>Unexpected platform activity such as restarts or configuration \
changes</p> </li>
<li>
<p>Unusual network traffic to or from the server</p>
</li>
</ul>
<p>Planning for incidents prior to real-life scenarios increases incident \
response time and mitigates damages. Failure to adequately prepare, plan, and \
exercise for these scenarios can result in extensive losses.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Draft formal incident response policies and procedures. Utilize \
national and international standards such as ISO/IEC TR 18044 or NIST Special \
Publication 800-61.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52141088">
<h3>Result for Perform periodic incident response exercises</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1133</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Production environments should \
exercise incident response procedures at least annually. Environments requiring \
higher assurances of security should test incident response procedures more often, \
possibly quarterly or even monthly. Incident response procedures should cover all \
anomalous events.</p> <p>Planning for incidents and practicing procedures to be \
followed prior to real-life scenario improves response time and mitigates \
damages/losses that occur with incidents.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Draft a schedule to ensure that documented procedures are exercised \
at least annually. More frequent exercises may be needed for some environments.</p> \
</div> <p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52145152">
<h3>Result for Document disaster recovery procedures</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1132</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Robust disaster recovery \
documentation and procedures should exist. This documentation should include \
provisions for the JBoss platform, deployed applications, required source code, and \
supporting applications (such as authentication stores or database servers).</p> \
<p>Planning for disasters and extended outages prior to a real-life scenario helps \
mitigate losses associated with identified disasters. Failure to adequately prepare, \
plan, and exercise for these scenarios can result in extensive losses.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Draft formal disaster response policies and procedures. Utilize \
national and international standards such as ISO 17799 or NIST Special Publication \
800-34.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52149248">
<h3>Result for Perform periodic disaster recovery exercises</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1134</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Production environments should \
exercise disaster recovery procedures that include provisions for the JBoss platform, \
deployed applications, and any required source code at least annually. Environments \
requiring higher assurances of disaster recovery ability should test procedures more \
often, possibly quarterly or even monthly.</p> <p>Planning for disasters and \
extended outages prior to a real-life scenario helps mitigate losses associated with \
identified disasters. Failure to adequately prepare, plan, and exercise for these \
scenarios can result in extensive losses. </p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Draft a schedule to ensure that documented procedures are exercised \
at least annually. More frequent exercises may be needed for some environments.</p> \
</div> <p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52153312">
<h3>Result for Identify and document application data flows</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1135</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>It is recommended to identify \
and document application data flows. This will allow insight into what paths \
sensitive information takes through the application environment and what data source \
connections need to be encrypted.</p> <p>Failure to document an application's data \
flows reduces security, increases the chance for architectural and configuration \
errors, and can impede performance. Many applications use network services that are \
not immediately apparent. </p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Work with JBoss administrators and application developers to \
document data flows for deployed applications. Information documented should \
include:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>Relevant protocol information (for instance, TCP traffic should \
record port information)</p> </li>
<li>
<p>Traffic destination</p>
</li>
<li>
<p>Purpose</p>
</li>
<li>
<p>Sensitivity of traffic</p>
</li>
<li>
<p>Applicable security information, such as encryption types, \
specific vulnerabilities in transport or application protocols, etc.</p> </li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52157376">
<h3>Result for Java permissions for deployed applications should be \
documented and reviewed prior to deployment</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1159</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Java permissions for \
applications should be documented and carefully reviewed prior to deployment. \
Developers and administrators should strive to balance application permissions and \
application functionality.</p> <p>Java permissions for deployed applications should \
be carefully restricted to enforce the least privilege principle. Careful \
documentation, along with a thorough review will help prevent needlessly insecure \
permission assignments for applications. An overabundance of Java permissions can \
allow applications to circumvent one of Java's strongest security features - the Java \
Security Manager sandbox.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>The JBoss administrator must assign the most restrictive permissions \
possible (in accordance with the least privilege principle) for applications. This \
should be done in cooperation with application developers or application \
documentation.</p>
<p>Further, documentation should exist for all applications that have \
been granted specific permissions.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52161440">
<h3>Result for Regular backups should be performed</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1146</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>JBoss applications and configuration files should be backed up at \
least weekly, possibly more if needed by the environment.</p> <p>Failure to \
regularly backup JBoss configuration files and deployed applications can result in \
extensive downtime or information losses in the event of a disaster or other system \
outage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Ensure backups are conducted regularly (at least once a week) in \
accordance with the organization backup-policy. All JBoss configuration files and \
deployed applications should be backed up.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52165504">
<h3>Result for Auditing policy should exist</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1153</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>In order to effectively audit and review system logs, an audit policy \
should be written to identify data and trends of interest.</p> <p>Without a \
comprehensive audit policy and review procedures, organizations risk missing critical \
events or event trends within their environment. These missed events may indicate \
system anomalies ranging from malicious attacks, system instabilities, system misuse, \
etc.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>JBoss system administrators should work security team members to \
draft a comprehensive audit policy. Along with this auditing policy, a set of written \
procedures should be created that details what events or trends must be monitored, \
reactions, etc.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52169568">
<h3>Result for Access control policy and procedures</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1164</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>JBoss administrators must have access to guidance regarding account \
creation, permissions assignments, role assignments, etc.</p> <p>A consistent, \
cohesive access control policy is impossible to attain without a well-documented \
access control policy and related procedures. Failure to do so typically results in \
over-assignment of access permissions for users and applications, stale access for \
users and applications, and other access control misconfigurations that reduce the \
effectiveness of the security policy.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Draft an access control policy to address purpose, scope, roles, \
responsibilities, management commitment, coordination among organizational entities, \
and compliance. There should be an associated set of procedures with implementation \
details for specific tasks such as assigning user roles, creating user accounts, or \
assigning Java Security Manager permissions.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52173632">
<h3>Result for Define an appropriate minimum and maximum password length \
requirement</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_3003</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Organizations should create an \
authenticator management policy that defines minimum and maximum password sizes for \
user accounts accessing JBoss and its deployed applications.</p>
<p>In brute force scenarios, passwords of extended lengths increase \
password security and the length of time required to decrypt the password.</p> \
<p>However, there are risks associated with requiring passwords of great lengths, as \
users may take steps to circumvent policy; such as using repetitive passwords, \
writing password reminders, or writing down their passwords.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>JBoss system administrators should work security team members to \
draft a comprehensive password policy. Minimum and maximum password lengths should be \
defined. Further, accounts may be categorized in order to define varying length \
requirements for particular types of accounts.</p> <p>
For example:
</p>
<p></p>
<ul class="itemizedlist">
<li>
<p>User accounts shall require password lengths of between 8 and 24 \
characters</p> </li>
<li>
<p>Administrator shall require password lengths of 24 \
characters</p> </li>
<li>
<p>Web service accounts shall require password lengths of 24 \
characters</p> </li>
</ul>
<p>
Password storage software and password generation software are recommended for \
organizations to assist in managing a secure password policy.
NIST Special Publication 800-118 (Draft) and NIST Special Publication 800-53 \
both contain extensive guidance on creating a password policy document.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52177696">
<h3>Result for Define an appropriate minimum password complexity \
requirement</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_3004</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Organizations should create an \
authenticator management policy that defines a minimum level of complexity for user \
accounts accessing JBoss and its deployed applications. These requirements should \
also restrict passwords from containing dictionary words and reusing previous \
passwords.</p> <p>Complex passwords increase password security and the length of \
time required to decrypt the password. Additionally, complex passwords are less \
likely to be found in password dictionaries.</p> <p>However, there are risks \
associated with requiring overly complex passwords, as users may take steps to \
circumvent policy; such as using repetitive passwords, writing password reminders, or \
writing down their passwords.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>JBoss system administrators should work security team members to \
draft a comprehensive password policy. Password complexity requirements should be \
defined. The policy should not allow passwords to be reused or contain dictionary \
words. Further, accounts may be categorized in order to define varying complexity \
requirements for particular types of accounts.</p> <p>
For example:
</p>
<p></p>
<ul class="itemizedlist">
<li>
<p>User accounts shall require passwords containing at least 1 \
lowercase alphanumeric character, 1 uppercase alphanumeric character, and 1 \
number</p> </li>
<li>
<p>Administrator accounts shall require passwords containing at \
least 2 lowercase alphanumeric characters, 2 uppercase alphanumeric characters, 2 \
numbers, and 2 special characters. Special characters include: !@#$%^&*()</p> \
</li> <li>
<p>Web service accounts shall require passwords containing at least \
3 lowercase alphanumeric characters, 3 uppercase alphanumeric characters, 3 numbers, \
and 3 special characters. Special characters include: !@#$%^&*()</p> </li>
</ul>
<p>
Password storage software and password generation software are recommended for \
organizations to assist in managing a secure password policy.
NIST Special Publication 800-118 (Draft) and NIST Special Publication 800-53 \
both contain extensive guidance on creating a password policy document.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52181760">
<h3>Result for Define an appropriate minimum password expiration \
interval</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_3005</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Organizations should create an \
authenticator management policy that defines a maximum password age for user accounts \
accessing JBoss and its deployed applications.</p> <p>In combination with password \
length and complexity, regularly changing passwords can defeat many attacks. If a \
password or password hash is intercepted by a malicious party, changing the password \
can remove access or render invalid a cracking attempt on the hash.</p> <p>
However, there are risks associated with frequently changing passwords. Users may \
take steps to circumvent policy such as using repetitive passwords or using password \
derivatives. Additionally, changing passwords for system or application accounts \
introduces an element of configuration risk. Poorly coordinated or documented changes \
can result in system outages or create other problems.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>JBoss system administrators should work security team members to \
draft a comprehensive password policy. Password expiration requirements should be \
defined. Further, accounts may be categorized in order to define varying length \
requirements for particular types of accounts.</p> <p>
For example:
</p>
<p></p>
<ul class="itemizedlist">
<li>
<p>Passwords for user accounts must expire every 90 days</p>
</li>
<li>
<p>Passwords for administrator accounts must expire every 30 \
days</p> </li>
<li>
<p>Passwords for web service accounts must expire every 180 \
days</p> </li>
</ul>
<p>
Password storage software and password generation software are recommended for \
organizations to assist in managing a secure password policy.
NIST Special Publication 800-118 (Draft) and NIST Special Publication 800-53 \
both contain extensive guidance on creating a password policy document.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52185824">
<h3>Result for Production JBoss EAP installations should reside on a \
dedicated platform</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4001</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Production JBoss servers in \
production environments should be hosted on dedicated operating systems and not \
sharing a host operating system with other service applications.</p> <p>Co-locating \
JBoss EAP with other critical infrastructure components in an organization can have \
multiple negative impacts on an organization's security posture. Applications sharing \
host operating systems cumulatively increase the surface area of attack for the other \
(including indirectly), increase the likelihood of resource contention, and increase \
the severity of any problems that do occur on the platform at a business process \
level.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Installations of JBoss should reside on a dedicated operating \
system. If not, ensure the configuration, rationale, and risk assessment is well \
documented. </p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52189888">
<h3>Result for Avoid multiple JBoss instances per server</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1124</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Multiple instances of JBoss \
deployed onto a single server should be avoided whenever possible to reduce \
environmental complexity and administrative burdens. However, occasionally \
circumstances require that multiple JBoss instances are deployed to the same server. \
In this scenario, the configurations and justifications should be documented along \
with the rest of the system's documentation. </p> <p>Multiple JBoss instances on a \
single server may occasionally become necessary due to resource or design \
constraints. However, this practice increases the complexity and administrative \
burden for the application servers - potentially leading to unforeseen problems and \
increasing chance of misconfigurations.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Limit JBoss Enterprise Applications Platform instances to one per \
server if possible. If not, ensure the configuration, rationale, and risk assessment \
is well documented. </p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52193952">
<h3>Result for Bind multiple JBoss instances per server to different \
IPs</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1131</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>If multiple JBoss instances are \
installed, the servers should be set to bind to different IP addresses on the server \
rather than changing the default port configuration.</p> <p>Binding to different IP \
addresses eases administrative and maintenance burdens by reducing the number of \
variables between instances. In turn, this increases reliability and reduces the \
chances for configuration errors.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>If multiple JBoss Enterprise Application Platforms are deployed to a \
single server, the binding IP address can be specified at server startup using the -b \
argument to specify the binding IP. Example:</p> <p>
<pre class="code">
<code>run.sh -c public -b 10.10.10.75</code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52198016">
<h3>Result for Packet filtering should be emplaced around JBoss \
Enterprise Application Platform</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2064</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>JBoss Enterprise Application \
Platform must operate in a network segment that is logically separated from any other \
network segment using a packet filtering mechanism. This packet filter must only \
allow incoming communication that is TCP with destination ports of 8080 or 8443. This \
packet filter can be resident on the host operating system or a completely separate \
system entirely. When JBoss Enterprise Application Platforms are clustered, all \
outgoing communication from the JBoss Enterprise Application Platform instance must \
be allowed.</p>
<p>Packet filtering is a basic security technique for securing TCP/IP and \
UDP/IP communications.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Install and/or configure a TCP/IP and UDP/IP packet filtering device \
to logically separate the JBoss Enterprise Application Server from other networks. \
</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52202080">
<h3>Result for Do not transmit sensitive information over unsecured HTTP \
connections</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1094</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Sensitive information should \
not be transferred over insecure means. This includes plaintext credential \
information, application information deemed sensitive, or other information that may \
be valuable to a malicious entity. The <auth-method> child element specifies \
the authentication mechanism for the web application. Using the BASIC authentication \
method causes the exchange of credentials in clear-text.</p>
<p>Sensitive information being transmitted without strong encryption \
creates possible exposure for the deployed application and users connecting to it. \
Plain text transmission of authentication credentials over insecure channels (such as \
HTTP) exposes credential information to any entity capable of intercepting packets \
from the connection.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Applications passing sensitive data should use a secure channel such \
as SSL or TLS. There are several ways to secure traffic with SSL, the method below \
uses the underlying Apache Tomcat technology to handle the connection.</p> <p>To \
setup SSL or TLS, proceed as follows:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>Ensure a valid keystore is being loaded by JSM</p>
</li>
<li>
<p>Load the JBoss server's public/private key pair into the \
keystore</p> </li>
<li>
<p> Add a secure connector to \
JBOSS_HOME/server/[PROFILE]/deploy/jbossweb.sar/server.xml <pre \
class="code"><code><Service name="jboss.web"> <Connector \
protocol="HTTP/1.1" SSLEnabled="true" port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/bp.keystore"
keystorePass="KEYSTORE_PASSWORD" sslProtocol = "TLS" />
</Service></code></pre></p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52206144">
<h3>Result for Use a version control repository</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1104</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>All configuration files (such a \
data sources, custom connectors, etc) and any scripts used for modifications and \
deployments should be stored in the version control repository. Typical repositories \
include applications such as SVN or Git. Additionally, a hash-validated 'Gold' \
version of the JBoss installation package should also be stored in the version \
control system.</p> <p>Configuration management is an essential part long-term \
success for any software application - especially for complex software or \
collaborative environments. Using a versioning system allows for tighter control and \
accountability of application server changes.</p> <p>Maintaining a 'Gold' version of \
JBoss is useful for environments that may need to periodically or dynamically deploy \
JBoss instances. This can also be useful for static environments that simply desire \
to have a known baseline to deploy from.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Initiate a version control repository such as Git or SVN for JBoss \
maintenance and deployments. This will likely be a multi-stage process requiring \
planning and implementation.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52210208">
<h3>Result for Automate JBoss Deployments</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1125</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Scripts or other software tools should be used to automatically \
configure and deploy JBoss applications in environments.</p> <p>As much as possible \
new application deployments to JBoss should be scripted. This increases \
standardization in deployments and reduces the possibility of errors and \
misconfigurations. Smaller environments may see less benefit from implementing an \
automated process.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Utilize custom scripts and/or software to automate application \
deployments to JBoss. Popular applications in this field include Cargo, ANT, JBoss \
Tools, and Hudson. Software in this category is quickly evolving and adding new \
features. </p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52214272">
<h3>Result for Application performance testing</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1127</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Ensure routine performance testing is completed before applications \
are deployed to production. Establish and document performance \
profiles.</p>
<p>Without adequate performance testing, production applications may fail \
to perform to expectations - resulting in a denial of service.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>Ensure routine performance testing is completed before applications \
are deployed to production. Establish and document performance profiles. Attempt to \
test against anticipated peak demands as well as load averages. Individual tests will \
vary, but commonly consist of testing message throughputs (various message types), \
application inputs, connections open/closed/expired, data transactions completed, \
method calls, objects persisted, etc.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52218336">
<h3>Result for Monitor JBoss servers</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1128</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>JBoss Enterprise Application \
Platform servers in production environments should be monitored real-time. \
Information monitored and alarm thresholds will vary. Common monitoring tools \
include: </p>
<ul class="itemizedlist">
<li>
<p>JBoss Operations Network (JON)</p>
</li>
<li>
<p>Foglight</p>
</li>
<li>
<p>HP Openview</p>
</li>
<li>
<p>Nagios</p>
</li>
</ul>
<p>Production environments should be carefully monitored to ensure the \
any problems on the server are detected as quickly as possible. Identifying and \
isolating a problem when it is small may prevent downtime or other problems on the \
network.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>Research and implement an appropriate monitoring solution for the \
production environment. Different environments will have different requirements owing \
to sensitivity to downtime, regulatory requirements, service agreements, and other \
factors. Be careful when implementing a monitoring solution to minimize performance \
impact on the servers where possible. Common monitoring tools include:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBoss Operations Network (JON)</p>
</li>
<li>
<p>Foglight</p>
</li>
<li>
<p>HP Openview</p>
</li>
<li>
<p>Nagios</p>
</li>
</ul>
<p>Common metrics include:</p>
<p></p>
<ul class="itemizedlist">
<li>
<p>Active threads on the application server</p>
</li>
<li>
<p>Threads on the front-end http/ajp web connector</p>
</li>
<li>
<p>Database connection pools</p>
</li>
<li>
<p>JVM metrics such as memory usage and GCs</p>
</li>
<li>
<p>Typical host platform metrics such as available hard drive \
space, CPU usage, etc. </p> </li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52222400">
<h3>Result for Ensure all downloaded software is authentic</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_2057</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Software and packages should be downloaded from redhat.com, and hash \
validated.</p> <p>Without validating downloaded files are authentic, malicious users \
may compromise software before it has even been installed. Attackers may redirect \
traffic to alternate download locations and attempt to trick administrators into \
downloading modified software.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>When downloading software, first ensure it is coming from the site \
you expect it to. For instance, when downloading JBoss Enterprise Application \
Platform from Red Hat, JBoss administrators should review the X.509 certificate \
presented by the remote server to ensure the authenticity of the site.</p> <p>Next, \
JBoss administrators should hash validate files after completed downloads. Hash \
generation will vary depending on operating system. These hashes should be compared \
to one of the hashes available on the Red Hat website.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52226464">
<h3>Result for Ensure JBoss is configured in accordance with Common \
Criteria configuration guides</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_4010</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>JBoss deployments in government \
and DoD organizations require JBoss be deployed in a Common Criteria certified \
configuration. The Common Criteria configuration is a list of technical configuration \
items, policy requirements, and other configurations required to certify a JBoss \
installation at the EAL4+ protection level. Red Hat maintains configuration guidance \
available online to assist administrators during the installation and configuration \
of JBoss (http://docs.redhat.com/docs/en-US/index.html).</p> <p>By deviating from a \
Common Criteria configuration, JBoss will no longer be considered certified against \
any protection level - this may have legislative or regulatory consequences that must \
be identified and risk assessed dependent on your environment.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p></p>
<p>Configure JBoss in its Common Criteria certified configuration. The \
configuration guide can be found here on Red Hat's website.</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52230528">
<h3>Result for Unused features should be disabled or deleted: Java \
Universal Description, Discovery, Integration (JUDDI)</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1106</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Features and services not in \
use should be removed. JUDDI is an open source Java implementation of the Universal \
Description, Discovery, and Integration (UDDI v3) specification for (Web) \
Services.</p> <p>Removing unused features or services is a common security strategy \
that reduces the potential attack surface of an information system. Removing unused \
features or services also reduces resource usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable the this component, take the \
following actions: </p>
<p>Delete this directory:</p>
<p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/juddi-service.sar</p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52234592">
<h3>Result for Unused features should be disabled or deleted: Enterprise \
Java Beans (EJB) Services</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1107</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Features and services not in \
use should be removed.</p> <p>Removing unused features or services is a common \
security strategy that reduces the potential attack surface of an information system. \
Removing unused features or services also reduces resource usage.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>In order to completely disable the this component, Delete the \
following files and directories:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/ejb3-connectors-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/ejb3-container-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/ejb3-interceptors-aop.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/ejb3-timerservice-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/profile-service-secured.jar</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/ejb2-container-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/ejb2-timer-service.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deployers/jboss-ejb3-endpoint-deployer.jar</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deployers/ejb3-deployers-jboss-beans.xml \
</p> </li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52238656">
<h3>Result for Unused features should be disabled or deleted: Universal \
Unique Identifier (UUID) Generator</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1108</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Features and services not in use should be removed. UUID Generator \
allows for the generation of unique identifiers for hosted Java applications.</p> \
<p>Removing unused features or services is a common security strategy that reduces \
the potential attack surface of an information system. Removing unused features or \
services also reduces resource usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable the this component, Delete this \
directory:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/uuid-key-generator.sar</p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52242720">
<h3>Result for Unused features should be disabled or deleted: Java \
Message Service (JMS)</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1109</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Features and services not in \
use should be removed. Java Message Service is a component of Java Enterprise Edition \
that enables application to send and receive messages. It is a cornerstone service \
that many distributed applications are built on.</p> <p>Removing unused features or \
services is a common security strategy that reduces the potential attack surface of \
an information system. Removing unused features or services also reduces resource \
usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable this component, take the following \
actions:</p> <p>Delete these files and directories:</p>
<p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/conf/props/messaging-roles.properties</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/conf/props/messaging-users.properties</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/messaging</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/jms-ra.rar</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/quartz-ra.rar</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deployers/messaging-definitions-jboss-beans.xml</p>
</li>
</ul>
<p>Make the identified changes to the following files:</p>
<p></p>
<ul class="itemizedlist">
<li>
<p>Remove all elements with references to JMS from: \
JBOSS_HOME/server/[PROFILE]/conf/standardjboss.xml</p> </li>
<li>
<p>Remove the following <property> element from \
JBOSS_HOME/server/[PROFILE]/conf/jbossts-properties.xml
<pre class="code"><code><property \
name="com.arjuna.ats.jta.recovery.XAResourceRecovery.JBMESSAGING1" \
value="org.jboss.jms.server.recovery.MessagingXAResourceRecovery;java:/DefaultJMSProvider"/></code></pre></p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52246784">
<h3>Result for Unused features should be disabled or deleted: JBoss \
Mail</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1110</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Features and services not in \
use should be removed. JBoss Mail is a deployed package for Java Mail - a set of Java \
API's implementing an email server supporting the SMTP, POP3, and IMAP protocols.</p> \
<p>Removing unused features or services is a common security strategy that reduces \
the potential attack surface of an information system. Removing unused features or \
services also reduces resource usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable the this component, Delete the \
following files and directories:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/mail-ra.rar</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/mail-service.xml</p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52250848">
<h3>Result for Unused features should be disabled or deleted: JBoss \
Scheduling</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1111</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Features and services not in \
use should be removed. JBoss Scheduling implements a JBoss service that supports \
scheduling and running jobs for deployed Java applications.</p> <p>Removing unused \
features or services is a common security strategy that reduces the potential attack \
surface of an information system. Removing unused features or services also reduces \
resource usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable the this component, Delete the \
following files:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/schedule-manager-service.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/scheduler-service.xml </p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52254912">
<h3>Result for Unused features should be disabled or deleted: Hypersonic \
SQL Database (HSQLDB)</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1112</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Features and services not in \
use should be removed. HSQLDB is the default datasource configured to run with JBoss \
Enterprise Application Platform out of the box. It is not recommended for production \
usage.</p> <p>Removing unused features or services is a common security strategy \
that reduces the potential attack surface of an information system. Removing unused \
features or services also reduces resource usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable the this component, Delete the \
following files and directories:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/hsqldb-ds.xml</p>
</li>
<li>
<p>JBOSS_HOME/common/lib/hsqldb.jar</p>
</li>
<li>
<p>JBOSS_HOME/common/lib/hsqldb-plugin.jar</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/messaging/hsqldb-persistence-service.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/data/hypersonic/</p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52258976">
<h3>Result for Unused features should be disabled or deleted: BeanShell \
(BSH) Deployer</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1113</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Features and services not in use should be removed. The BSH Deployer \
allows for the hot deployment of one use execution scripts or services.</p> \
<p>Removing unused features or services is a common security strategy that reduces \
the potential attack surface of an information system. Removing unused features or \
services also reduces resource usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable the this component, Delete the \
following files and directories:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/deployers/bsh.deployer</p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52263040">
<h3>Result for Unused features should be disabled or deleted: \
JBossWS</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1114</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Features and services not in use should be removed. JBossWS is a web \
service framework for use with the JBoss Enterprise Application Platform.</p> \
<p>Removing unused features or services is a common security strategy that reduces \
the potential attack surface of an information system. Removing unused features or \
services also reduces resource usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable the this component, Delete the \
following files and directories:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/conf/jax-ws-catalog.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/conf/props/jbossws-roles.properties</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/conf/props/jbossws-users.properties</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/jbossws.sar</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/jbossws-console.war</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deployers/jbossws.deployer</p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52267104">
<h3>Result for Unused features should be disabled or deleted: Seam</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1115</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Features and services not in use should be removed. Seam is an \
application framework for Java designed to reduce application complexity.</p> \
<p>Removing unused features or services is a common security strategy that reduces \
the potential attack surface of an information system. Removing unused features or \
services also reduces resource usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable the this component, Delete the \
following files and directories:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/deployers/seam.deployer</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deployers/webbeans.deployer</p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52271168">
<h3>Result for Unused features should be disabled or deleted: JBoss \
Internet Inter-ORB Protocol (IIOP)</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1116</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Features and services not in use should be removed. JBoss IIOP \
implements a standards compliant CORBA server for JBoss.</p> <p>Removing unused \
features or services is a common security strategy that reduces the potential attack \
surface of an information system. Removing unused features or services also reduces \
resource usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable this component, Delete these files \
and directories:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/conf/jacorb.properties</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/iiop-service.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deployers/ejb3.deployer/META-INF/ejb3-iiop-deployers-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/lib/jacorb.jar</p>
</li>
</ul>
<p>Make the identified changes to the following files:</p>
<p>In JBOSS_HOME/server/[PROFILE]/conf/jndi.properties, Replace:</p>
<p>
<pre class="code">
<code>java.naming.factory.initial=org.jboss.iiop.naming.ORBInitialContextFactory</code>
</pre>
</p>
<p>with</p>
<p>
<pre class="code">
<code>java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory</code>
</pre>
</p>
<p>In JBOSS_HOME/server/[PROFILE]/conf/standardjboss.xml, Delete \
text:</p> <p>
<pre class="code">
<code>invoker-proxy-binding iiop</code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52275232">
<h3>Result for Unused features should be disabled or deleted: \
Miscellaneous</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1117</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p>
<p>Miscellaneous features and services not in use should be removed.</p>
<p>Removing unused features or services is a common security strategy \
that reduces the potential attack surface of an information system. Removing unused \
features or services also reduces resource usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable these components, Delete these files \
and directories:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]deployers/xnio.deployer</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]deployers/hibernate-deployer-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/jboss-xa-jdbc.rar</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/jmx-console.war</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/profileservice-jboss-beans.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/sqlexception-service.xml</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/xnio-provider.jar </p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/management/</p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52279296">
<h3>Result for Unused features should be disabled or deleted: HTTP \
Invokers</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1118</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Features and services not in \
use should be removed. HTTP invocation allows the JBoss server to receive and act on \
remote instructions. This can be useful for administrators - especially in large or \
distributed environments.</p> <p>Removing unused features or services is a common \
security strategy that reduces the potential attack surface of an information system. \
Removing unused features or services also reduces resource usage.</p> <div \
class="xccdf-fixtext"> <h4 class="short">Remediation instructions</h4>
<p>In order to completely disable HTTP Invoker for JNDI, EJB and JMX, \
Delete these files and directories:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/http-invoker.sar</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/httpha-invoker.sar</p>
</li>
</ul>
<p>In order to completely disable HTTP Invoker for JMS, Delete this \
directory:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/jms/jbossmq-httpil.sar</p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52283376">
<h3>Result for Unused features should be disabled or deleted: Java \
Management Extensions (JMX) Invoker</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1119</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Features and services not in \
use should be removed. The JMX Invoker exposes the JMX MBeanServer interface via \
Remote Method Invocation compatible interface. This can be useful for administrators \
- especially in large or distributed environments.</p> <p>Removing unused features \
or services is a common security strategy that reduces the potential attack surface \
of an information system. Removing unused features or services also reduces resource \
usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable this component, Delete these files \
and directories:</p> <p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/jmx-invoker-service.xml</p>
</li>
</ul>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52287440">
<h3>Result for Unused features should be disabled or deleted: Pooled \
Invoker</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1120</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Features and services not in \
use should be removed. The org.jboss.invocation.pooled.server.PooledInvoker provides \
RMI over a custom socket implementation of the Invoker interface.</p> <p>Removing \
unused features or services is a common security strategy that reduces the potential \
attack surface of an information system. Removing unused features or services also \
reduces resource usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable this component, take the following \
actions:</p> <p>In JBOSS_HOME/server/[PROFILE]/deploy/legacy-invokers-service.xml, \
Delete the <mbean> with name attribute of "jboss:service=invoker,type=pooled" \
</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52291504">
<h3>Result for Unused features should be disabled or deleted: Java Remote \
Method Protocol (JRMP) Invoker</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1121</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Features and services not in \
use should be removed. The org.jboss.invocation.jrmp.server.JRMPInvoker provides the \
RMI/JRMP implementation of the Invoker interface.</p> <p>Removing unused features or \
services is a common security strategy that reduces the potential attack surface of \
an information system. Removing unused features or services also reduces resource \
usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable this component, take the following \
actions:</p> <p>In JBOSS_HOME/server/[PROFILE]/deploy/legacy-invokers-service.xml, \
Delete the <mbean> with name attribute of "jboss:service=invoker,type=jmrp" \
</p> </div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
<div class="result-detail" id="ruleresult-idp52295568">
<h3>Result for Unused features should be disabled or deleted: \
Clustering</h3>
<p class="result-notchecked">Result: <strong \
class="strong">notchecked</strong></p>
<p>Rule ID: <strong \
class="strong">xccdf_com.redhat.eap5.scap_rule_1123</strong></p>
<p>Time: <strong class="strong"><abbr title="2014-04-23T02:56:12" \
class="date">2014-04-23 02:56</abbr></strong></p> <p>Features and services not in \
use should be removed. Clustering allows deployed applications to run distributed \
across multiple JBoss Enterprise Application Platform servers.</p> <p>Removing \
unused features or services is a common security strategy that reduces the potential \
attack surface of an information system. Removing unused features or services also \
reduces resource usage.</p> <div class="xccdf-fixtext">
<h4 class="short">Remediation instructions</h4>
<p>In order to completely disable this component, take the following \
actions:</p> <p>Delete these files and directories:</p>
<p></p>
<ul class="itemizedlist">
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy-hasingleton/</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/farm/</p>
</li>
<li>
<p>JBOSS_HOME/server/[PROFILE]/deploy/cluster/</p>
</li>
</ul>
<p>In JBOSS_HOME/server/[PROFILE]/conf/bootstrap/profile.xml, Delete \
the following from "BootstrapProfileFactory":</p> <p>
<pre class="code">
<code><property name="farmURIs">
<list elementClass="java.net.URI">
<value>${jboss.server.home.url}farm</value>
</list>
</property></code>
</pre>
</p>
</div>
<p class="link">
<a href="#results-overview">results overview</a>
</p>
</div>
</div>
</div>
<div id="footer">
<p> Generated by <a href="http://open-scap.org">OpenSCAP</a>
(1.0.8)
on <abbr title="2014-04-23T02:56:13+02:00" class="date">2014-04-23 \
02:56</abbr>.</p> </div>
</div>
</body>
</html>
[Attachment #7 (text/plain)]
_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic