JBoss

Security Benchmark JBoss Fuse 6.x


Status: draft Date: 2013-09-17


Notice

This content was developed by Red Hat, Inc. for use by JBoss Fuse 6.x Administrators and is released under the Public Domain License.

Table of Contents

Notice

Front Matter

Requirements

Steps to Run

Profiles

  1. JBoss A-MQ 6
  2. JBoss Fuse 6

Guidance

  1. JBoss Fuse Policy Guidelines
    1. Apache Karaf Configuration
      1. Ensure adequate physical protections are in place
      2. Assign a JBoss administrator
      3. Document incident response procedures
      4. Perform periodic incident response exercises
      5. Document disaster recovery procedures
      6. Perform periodic disaster recovery exercises
      7. Identify and document application data flows
      8. Java permissions for deployed applications should be documented and reviewed prior to deployment
      9. Regular backups should be performed
      10. Auditing policy should exist
      11. Access control policy and procedures
      12. Define an appropriate minimum and maximum password length requirement
      13. Define an appropriate minimum password complexity requirement
      14. Define an appropriate minimum password expiration interval
      15. JBoss Fuse should be a vendor supported version.
      16. Ensure Java Runtime Environment is a supported version.
      17. Ensure all downloaded software is authentic
      18. Hot deployment must be disabled in production.
      19. Remove, rename, or comment out default user accounts from production servers.
      20. Remove, rename, or comment out default roles from production servers.
      21. Configure Java Security Manager to use an environment specific policy.
      22. Ensure proper permissions are configured for deployed applications: java.io.FilePermission
      23. Ensure proper permissions are configured for deployed applications: java.net.NetPermission
      24. Ensure proper permissions are configured for deployed applications: java.lang.RuntimePermission
      25. Ensure proper permissions are configured for deployed applications: java.net.SocketPermission
      26. Ensure proper permissions are configured for deployed applications: java.security.AllPermission
      27. Ensure default system Java Authentication and Authorization Service configuration is in use.
      28. Ensure deployed applications requiring authentication utilize DoD PKI Class 3 or Class 4 certificates and a hardware security token or NSA-certified product
      29. Enable Federal Information Processing Standard 140-2 (FIPS 140-2) compliant cryptographic modules for use by the JBoss Java environment
      30. Eliminate clear-text passwords from production servers.
      31. Ensure JBoss process owner is executing with least privilege.
      32. Deny the JBoss process owner console access.
      33. Set JBoss file ownership.
      34. Set JBoss file permissions.
      35. Ensure remote access is either secured or disabled.
      36. Ensure Web Console is either secured or removed.
      37. Ensure JMX access is either secured or disabled.
      38. Password hashing must be enabled within the appropriate login module
      39. Only application and/or system administrators should be able to change security related configuration attributes.
      40. Only authorized users should be allowed to associate PKI information.
      41. SSL should be enabled on the Web Console.
      42. Remote Access should only be done via SSH or other secure means.
      43. Logging should be configured to reduce the likelihood of storage capacity being exceeded.
      44. Logging should be configured to maintain logs for an organization-defined continuous number of days.
      45. Server configuration changes should be restricted to JBoss Administrators only.
      46. All non-essential bundles and features should be removed from production servers.
      47. All non-essential ports, protocols, and services should be disabled.
      48. All passwords should be encrypted when other means are not being utilized.
      49. Encryption must be used when LDAP is enabled.
      50. FIPS 140-2 approved encryption modules must be used.
      51. DoD or CNS approved PKI Class 3 and Class 4 certificates should be used.
      52. LDAP should be configured to fail securely.
      53. Logging should be configured such that sensitive information is not revealed.
      54. Log files should be restricted so only authorized personnel may view them.
      55. Ensure Web Console is using PKI.
      56. All PKI Certificates should be valid DoD Certificates.
      57. Only administrators should be able to modify configuration files.
    2. Apache ActiveMQ Configuration
      1. Remove, rename, or comment out default user accounts from production servers.
      2. Remove, rename, or comment out default roles from production servers.
      3. Ensure default system Java Authentication and Authorization Service configuration is in use.
      4. Eliminate clear-text passwords from production servers.
      5. Only application and/or system administrators should be able to change security related configuration attributes.
      6. SSL should be enabled on the ActiveMQ Web Console.
      7. All passwords should be encrypted when other means are not being utilized.
      8. Ensure ActiveMQ Web Console is using PKI.
      9. All PKI Certificates should be valid DoD Certificates.
      10. Only administrators should be able to modify configuration files.
    3. Apache Camel Configuration
      1. Apache CXF Configuration

        Rear Matter

        Front Matter

        JBoss Fuse is an open source Enterprise Service Bus (ESB) with an elastic footprint that supports integration beyond the data center. The lack of license fees and the ability to deploy JBoss Fuse in several different configurations advances intelligent integration to all facets of your business – on premise or in the Cloud.

        JBoss Fuse combines Apache Camel, Apache CXF, Apache ActiveMQ, Apache Karaf and Fuse Fabric in a single integrated distribution. Core messaging is provided by Apache ActiveMQ, the services framework (SOAP, XML/HTTP, RESTful HTTP) is provided by Apache CXF and the integration framework is provided by Apache Camel. Apache Karaf provides a lightweight OSGi-based runtime container.

        This benchmark provides security guidance on JBoss Fuse 6 running on Red Hat Enterprise Linux. This document assumes that the reader is familiar with JBoss Fuse 6 and Red Hat Enterprise Linux administration. This document also assumes that the baseline configuration of the operating system and JBoss Fuse 6 are up-to-date in terms of installed patches. The content within this benchmark was tested for compatibility with multiple SCAP tools on Red Hat Enterprise Linux 6. The following compatibility matrix shows our results:

        Platform           XCCDFExec v1.1.4 Build 19        SPAWAR Compliance Checker v3.1.1   OpenSCAP v0.9.7
        RHEL 6 - i386      Additional Dependencies Needed   Fully Compatible                   Fully Compatible
        RHEL 6 - x86_64    Additional Dependencies Needed   Fully Compatible                   Fully Compatible

        The recommendations included in this benchmark have been derived from various government and industry sources. All rules include a rationale, validation instructions (for OCIL rules), remediation instructions, references, risk assessments, and NIST/DoD Control mappings.


        Platform(s):


        Requirements

        Before running the JBoss Fuse 6.x benchmark, the target machine must meet the following requirements.


        Steps to Run

        The JBoss Fuse 6.x SCAP Benchmark can be run using the XCCDFExec interpreter. Follow the steps below to run the benchmark using XCCDFExec.

        1. Ensure all requirements detailed here have been met.
        2. Download the XCCDF Interpreter from sourceforge: http://sourceforge.net/projects/xccdfexec/
        3. Unzip and install the XCCDF Interpreter, as directed by its README.txt.
          1. NOTE: The XCCDF Interpreter is packaged with a Win32 build of the OVAL Definition Interpreter. To run OVAL checks on your Linux system you can edit the oval.dir and oval.bin properties within the xccdf_interpreter.properties file to reference your local OVALDI installation.
          2. A Linux build of the OVAL Definition Interpreter may be obtained at: http://sourceforge.net/projects/ovaldi/
        4. Navigate to the XCCDF Interpreter directory. For example:
          cd /xccdf_interpreter_1.1.4_build_19-bin
        5. To run the interpreter, type the following replacing [PROFILE_NAME] with the name of the profile you want to run (as defined in the next section). The command assumes that the Fuse 6.x SCAP files are in the same directory as the xccdf interpreter:
          java -jar xccdfexec.jar fuse6-xccdf.xml -c fuse6-cpe-oval.xml -C fuse6-cpe-dictionary.xml -P [PROFILE_NAME]
        6. When prompted with the OCIL Interpreter, answer each questionnaire, save the results, and exit.
        7. The results of the tests will be displayed on the screen and in several output files under the results directory. The XML result files can be transformed to HTML using transforms available online.
        8. A result of PASS indicates that the test passed; a result of FAIL indicates that the test failed and a setting may need to be adjusted. You can review the remediation instructions available for each rule to adjust any settings. A result of "NOT APPLICABLE" means that the recommendation is not applicable to your deployment. A result of "NOT CHECKED" means that the recommendation's OCIL questionnaire was not answered.

        Alternative Tools

        There are several alternative tools that you can use to run the Fuse 6.x SCAP Benchmark. These tools include:

        Please see the included documentation for instructions on how to run these tools.


        Profiles

        1. JBoss A-MQ 6

        Profile for testing a secure deployment of JBoss A-MQ 6.x.

        Profile Name: pr_jboss_amq
        2. JBoss Fuse 6

        Profile for testing a secure deployment of JBoss Fuse 6.x.

        Profile Name: pr_jboss_fuse

        Guidance

        JBoss Fuse Policy Guidelines

        The rules in this group are used to manage JBoss servers in a secure manner. These rules are policy related.

        Apache Karaf Configuration

        The rules in this group validate Apache Karaf related items.

        2.1 - Ensure adequate physical protections are in place

        The hardware and software executing JBoss Fuse, as well as the software critical to security policy enforcement, must be protected from unauthorized modification, including modification by potentially hostile outsiders. Reasonable physical security measures must be implemented to ensure that unauthorized personnel do not have physical access to the hardware running the JBoss Fuse software.

        Rationale

        Many software security precautions can easily be bypassed by personnel with physical access to hardware storing data or executing an application.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: PE-1,PE-2,PE-3,PE-7,PE-18

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.2 - Assign a JBoss administrator

        There must be one or more competent individuals who are assigned to manage JBoss Fuse, its environment and the security of the information it contains.

        Rationale

        Incompetent, careless, or negligent JBoss administrators can completely invalidate a secure JBoss configuration and create countless problems for JBoss.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: AT-2,AT-3,AT-4

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.3 - Document incident response procedures

        Ensure well developed procedures exist for incident handling. Incidents include any events that are anomalous to the environment.

        Rationale

        Planning for incidents prior to real-life scenarios shortens incident response time and mitigates damages. Failure to adequately prepare, plan, and exercise for these scenarios can result in extensive losses.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: IR-1, IR-8

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.4 - Perform periodic incident response exercises

        Production environments should exercise incident response procedures at least annually. Environments requiring higher assurances of security should test incident response procedures more often, possibly quarterly or even monthly. Incident response procedures should cover all anomalous events.

        Rationale

        Planning for incidents and practicing procedures to be followed prior to real-life scenario improves response time and mitigates damages/losses that occur with incidents.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: IR-3

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.5 - Document disaster recovery procedures

        Robust disaster recovery documentation and procedures should exist. This documentation should include provisions for the JBoss platform, deployed applications, required source code, and supporting applications (such as authentication stores or database servers).

        Rationale

        Planning for disasters and extended outages prior to a real-life scenario helps mitigate losses associated with identified disasters. Failure to adequately prepare, plan, and exercise for these scenarios can result in extensive losses.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: CP-1,CP-2

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.6 - Perform periodic disaster recovery exercises

        Production environments should exercise disaster recovery procedures that include provisions for the JBoss platform, deployed applications, and any required source code at least annually. Environments requiring higher assurances of disaster recovery ability should test procedures more often, possibly quarterly or even monthly.

        Rationale

        Planning for disasters and extended outages prior to a real-life scenario helps mitigate losses associated with identified disasters. Failure to adequately prepare, plan, and exercise for these scenarios can result in extensive losses.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: CP-4

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.7 - Identify and document application data flows

        It is recommended to identify and document application data flows. This will allow insight into what paths sensitive information takes through the application environment and what data source connections need to be encrypted.

        Rationale

        Failure to document an application's data flows reduces security, increases the chance for architectural and configuration errors, and can impede performance. Many applications use network services that are not immediately apparent.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: SC-8,SC-9,SC-23

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.8 - Java permissions for deployed applications should be documented and reviewed prior to deployment

        Java permissions for applications should be documented and carefully reviewed prior to deployment. Developers and administrators should strive to balance application permissions and application functionality.

        Rationale

        Java permissions for deployed applications should be carefully restricted to enforce the least privilege principle. Careful documentation, along with a thorough review will help prevent needlessly insecure permission assignments for applications. An overabundance of Java permissions can allow applications to circumvent one of Java's strongest security features - the Java Security Manager sandbox.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: AC-1

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.9 - Regular backups should be performed

        JBoss applications and configuration files should be backed up at least weekly, possibly more if needed by the environment.

        Rationale

        Failure to regularly backup JBoss configuration files and deployed applications can result in extensive downtime or information losses in the event of a disaster or other system outage.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: CP-9

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.10 - Auditing policy should exist

        In order to effectively audit and review system logs, an audit policy should be written to identify data and trends of interest.

        Rationale

        Without a comprehensive audit policy and review procedures, organizations risk missing critical events or event trends within their environment. Such missed events may indicate anomalies ranging from malicious attacks to system instability and system misuse.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: AU-1,AU-2,AU-3,AU-5

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.11 - Access control policy and procedures

        JBoss administrators must have access to guidance regarding account creation, permissions assignments, role assignments, etc.

        Rationale

        Consistent, cohesive access control is impossible to attain without a well-documented access control policy and related procedures. Failure to document them typically results in over-assignment of access permissions for users and applications, stale access for users and applications, and other access control misconfigurations that reduce the effectiveness of the security policy.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: AC-1

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.12 - Define an appropriate minimum and maximum password length requirement

        Organizations should create an authenticator management policy that defines minimum and maximum password lengths for user accounts accessing JBoss and its deployed applications.

        Rationale

        In brute force scenarios, longer passwords increase password security and the time required to crack the password. However, there are risks associated with requiring very long passwords, as users may take steps to circumvent policy, such as using repetitive passwords, writing password reminders, or writing down their passwords.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: IA-5

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.13 - Define an appropriate minimum password complexity requirement

        Organizations should create an authenticator management policy that defines a minimum level of complexity for user accounts accessing JBoss and its deployed applications. These requirements should also restrict passwords from containing dictionary words and reusing previous passwords.

        Rationale

        Complex passwords increase password security and the time required to crack the password. Additionally, complex passwords are less likely to be found in password dictionaries. However, there are risks associated with requiring overly complex passwords, as users may take steps to circumvent policy, such as using repetitive passwords, writing password reminders, or writing down their passwords.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: IA-5

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.14 - Define an appropriate minimum password expiration interval

        Organizations should create an authenticator management policy that defines a maximum password age for user accounts accessing JBoss and its deployed applications.

        Rationale

        In combination with password length and complexity, regularly changing passwords can defeat many attacks. If a password or password hash is intercepted by a malicious party, changing the password removes that access and invalidates any cracking attempt on the hash. However, there are risks associated with frequently changing passwords. Users may take steps to circumvent policy such as reusing passwords or using password derivatives. Additionally, changing passwords for system or application accounts introduces an element of configuration risk: poorly coordinated or undocumented changes can result in system outages or create other problems.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: IA-5

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.15 - JBoss Fuse should be a vendor supported version.

        The evaluated JBoss installation must be a vendor supported version of JBoss Fuse 6. Organizations using JBoss Fuse must use a vendor supported version with an active support contract.

        Rationale

        Failure to utilize a supported version of JBoss in a production environment can lead to outages, unresolvable problems, no access to security or functional updates, etc.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: CM-6

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.16 - Ensure Java Runtime Environment is a supported version.

        The evaluated JBoss installation must use a vendor supported Java virtual machine, i.e., one that has not reached end-of-life. Migration strategies should be developed when end-of-life is impending.

        Rationale

        Java installations should be a vendor supported version. If the Java virtual machine in use by JBoss is not supported by the vendor, this may result in outages, unresolvable problems, no access to security or functional updates, etc.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: CM-6

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.17 - Ensure all downloaded software is authentic

        Software and packages should be downloaded from redhat.com and validated against the checksums the vendor publishes for each download before they are installed.

        Rationale

        Without validating downloaded files are authentic, malicious users may compromise software before it has even been installed. Attackers may redirect traffic to alternate download locations and attempt to trick administrators into downloading modified software.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: CM-6

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3
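The checksum step above, written out as a small shell check. This is an added example, not part of the benchmark or of Red Hat's tooling: `verify_sha256` compares a file's SHA-256 digest against the value copied from the download page, and the demonstration files it hashes are constructed in a temporary directory (there is no real archive or vendor checksum here). A matching hash only proves the file equals what the page listed; if the checksum was fetched over the same possibly redirected channel as the archive, it adds little, so prefer a checksum obtained over TLS from the vendor's portal or a detached signature where one is offered.

```shell
#!/bin/sh
# Added example (not from the benchmark): verify a downloaded archive against the
# SHA-256 checksum published for it before unpacking or installing anything.
# Assumes GNU coreutils sha256sum (RHEL), with shasum as a fallback.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when the digest matches (hex compared case-insensitively).
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $1"
        return 0
    fi
    echo "MISMATCH $1"
    echo "  expected: $expected"
    echo "  actual:   $actual"
    return 1
}

# Demonstration on constructed files standing in for the vendor archive and the
# checksum copied from its download page.
demo_dir=$(mktemp -d)
printf 'pretend this is the vendor archive\n' > "$demo_dir/jboss-fuse.zip"
published=$(sha256_of "$demo_dir/jboss-fuse.zip")   # value the download page would list

verify_sha256 "$demo_dir/jboss-fuse.zip" "$published"

# One appended byte (a trojaned or truncated download) must be rejected.
cp "$demo_dir/jboss-fuse.zip" "$demo_dir/tampered.zip"
printf 'x' >> "$demo_dir/tampered.zip"
verify_sha256 "$demo_dir/tampered.zip" "$published" || echo "refusing to install tampered.zip"
rm -rf "$demo_dir"
```

Run it as `verify_sha256 jboss-fuse-full-6.0.0.redhat-024.zip <published-hash> && unzip ...` so that unpacking is conditional on the match; the file name here is illustrative only.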

        2.18 - Hot deployment must be disabled in production.

        Hot deployment should be disabled on production servers. Hot deployment automatically installs and starts any artifact that is placed in the container's deploy directory, without an administrator explicitly deploying it.

        Rationale

        Hot deployment is not a recommended practice for production environments. With it enabled, anyone who can write to the deploy directory can execute code inside the container. Requiring an explicit deployment step (and a restart) makes application deployments deliberate, reviewable, and attributable.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT III

        NIST 800.53 Mapping: CM-7

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3
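Since the benchmark lists no validation or remediation step for this rule, here is one as an added example (not from the benchmark or from Red Hat). It assumes the Karaf 2.x layout that Fuse 6 uses, where hot deployment is driven by Felix FileInstall and configured in `etc/org.apache.felix.fileinstall-deploy.cfg` through the `felix.fileinstall.dir` property; the container directory it inspects is constructed in a temporary location for the demonstration.

```shell
#!/bin/sh
# Added example (not from the benchmark): detect and disable Karaf hot deployment.
# Assumption: Fuse 6 / Karaf 2.x, where etc/org.apache.felix.fileinstall-deploy.cfg
# holds the felix.fileinstall.dir property that names the polled deploy directory.
# Deleting that file, or commenting the property out, stops the polling.

CFG_REL='etc/org.apache.felix.fileinstall-deploy.cfg'

# hot_deploy_enabled KARAF_BASE: true if an active felix.fileinstall.dir line exists
hot_deploy_enabled() {
    cfg="$1/$CFG_REL"
    [ -f "$cfg" ] || return 1
    # Only uncommented lines count; leading whitespace is tolerated.
    grep -E -q '^[[:space:]]*felix\.fileinstall\.dir[[:space:]]*=' "$cfg"
}

# check_hot_deploy KARAF_BASE: report in the benchmark's PASS/FAIL terms
check_hot_deploy() {
    if hot_deploy_enabled "$1"; then
        echo "FAIL $1: hot deployment active (felix.fileinstall.dir is set in $CFG_REL)"
        return 1
    fi
    echo "PASS $1: hot deployment disabled"
}

# disable_hot_deploy KARAF_BASE: comment the property out, keeping a .bak copy.
# (Written portably instead of sed -i so it also works where -i differs.)
disable_hot_deploy() {
    cfg="$1/$CFG_REL"
    [ -f "$cfg" ] || return 0
    cp "$cfg" "$cfg.bak"
    sed 's/^\([[:space:]]*felix\.fileinstall\.dir[[:space:]]*=\)/#\1/' "$cfg.bak" > "$cfg"
}

# Demonstration on a constructed container directory.
base=$(mktemp -d)
mkdir -p "$base/etc" "$base/deploy"
cat > "$base/$CFG_REL" <<'EOF'
# constructed copy of the relevant lines of the stock file
felix.fileinstall.dir          = ${karaf.base}/deploy
felix.fileinstall.poll         = 1000
EOF
check_hot_deploy "$base" || true     # expected: FAIL
disable_hot_deploy "$base"
check_hot_deploy "$base"             # expected: PASS
rm -rf "$base"
```

After changing the file, restart the container and confirm that dropping a test bundle into `deploy/` no longer installs it (`osgi:list` in the console should not show it). Keeping the `deploy/` directory itself writable only by the JBoss process owner is a separate control under the file permission rules later in this group.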

        2.19 - Remove, rename, or comment out default user accounts from production servers.

        Remove, rename, or comment out the default user accounts defined in the container's .properties files (for Karaf, etc/users.properties).

        Rationale

        Default configurations are commonly leveraged by attackers to gain entry into closed systems. Removing, renaming, or commenting out default user accounts makes malicious exploitation more complex.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: IA-5

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.20 - Remove, rename, or comment out default roles from production servers.

        Remove, rename, or comment out the default roles defined in the container's .properties files (for Karaf, the role list on each entry in etc/users.properties).

        Rationale

        Default configurations are commonly leveraged by attackers to gain entry into closed systems. Removing, renaming, or commenting out default roles makes malicious exploitation more complex.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: IA-5

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3
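A check covering both 2.19 (default accounts) and 2.20 (default roles), added here as an example; it is not from the benchmark or from Red Hat. It reads a file in the format Karaf's PropertiesLoginModule uses (`user=password,role1,role2,...`, `#` comments, hashed passwords wrapped as `{CRYPT}...{CRYPT}`). The default user and role names in the two lists are an assumption based on the entries Fuse 6 ships commented out; adjust them for your release. Both sample files are constructed, and the hash values in them are placeholders, not real digests.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit a Karaf etc/users.properties
# file for default accounts, default credentials, clear-text passwords and
# default role names. Format assumed: user=password,role1,role2,...
# The name lists are assumptions to adjust per release.

DEFAULT_USERS='admin karaf smx'
DEFAULT_ROLES='admin manager viewer Operator Maintainer Deployer Auditor Administrator SuperUser'

# in_list WORD LIST: true if WORD is one of the space-separated words in LIST
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# audit_users FILE: one finding per line, for every live (uncommented) entry
audit_users() {
    grep -E -v '^[[:space:]]*(#|$)' "$1" | while IFS='=' read -r user rest; do
        user=$(printf '%s' "$user" | tr -d '[:space:]')
        password=${rest%%,*}            # text up to the first comma
        roles=${rest#*,}                # everything after it
        [ "$roles" = "$rest" ] && roles=''   # entry had no roles at all
        in_list "$user" "$DEFAULT_USERS" && echo "default account enabled: $user"
        [ "$password" = "$user" ] && echo "password equals user name: $user"
        case "$password" in
            '{CRYPT}'*) ;;                               # hashed, as 2.38 requires
            *) echo "clear-text password for: $user" ;;
        esac
        for r in $(printf '%s' "$roles" | tr ',' ' '); do
            in_list "$r" "$DEFAULT_ROLES" && echo "default role in use: $user -> $r"
        done
        :
    done
}

# count_findings FILE: number of findings, as a plain integer
count_findings() {
    audit_users "$1" | wc -l | tr -d ' '
}

# write_sample_users DIR: constructed before/after files for the demonstration
write_sample_users() {
    cat > "$1/users.properties.default" <<'EOF'
# constructed: stock commented-out entry, then the line an admin "just uncommented"
#admin=admin,admin,manager,viewer,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser
admin=admin,admin,manager,viewer
ops_deployer={CRYPT}6f1ed002ab5595859014ebf0951522d9{CRYPT},deployers
EOF
    cat > "$1/users.properties.hardened" <<'EOF'
# constructed: default entry left commented, site-specific user, hashed password, site-specific role
#admin=admin,admin,manager,viewer,Operator,Maintainer,Deployer,Auditor,Administrator,SuperUser
fuse_ops_a1={CRYPT}2a9d0c7e1b3f4a5d6e7f8091a2b3c4d5{CRYPT},fuse_operators
EOF
}

d=$(mktemp -d)
write_sample_users "$d"
for f in "$d/users.properties.default" "$d/users.properties.hardened"; do
    echo "== $f"
    audit_users "$f"
    echo "findings: $(count_findings "$f")"
done
rm -rf "$d"
```

Renaming a role in users.properties is only half the job: the role names are also referenced wherever authorization is configured (for example the console and JMX access lists), so grep the whole etc/ directory for the old name after renaming.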

        2.21 - Configure Java Security Manager to use an environment specific policy.

        The Java Security Manager is a crucial piece of the Java security infrastructure. JBoss Fuse should be configured to load a Java security policy that has been vetted for use in the environment.

        Rationale

        A weak, default, or incomplete Java Security Manager policy file can completely compromise the security of a Java installation by granting excessive permissions to applications running within the sandbox. These permissions can be leveraged (maliciously or not) to run code against the operating system.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: SA-13

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.22 - Ensure proper permissions are configured for deployed applications: java.io.FilePermission

        Deployed applications must not be granted file permissions except on files and directories dedicated to that application. These permissions are enforced by the Java Security Manager and the policies it loads at startup. They can be assigned or restricted in an application-specific, granular manner.

        Rationale

        Java permissions for deployed applications should be carefully restricted to enforce the least privilege principle. Granting unrestricted access to the host operating system creates a large attack vector for malicious users that have penetrated the JBoss server.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: AC-6

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.23 - Ensure proper permissions are configured for deployed applications: java.net.NetPermission

        Deployed applications must not be granted network permissions. These permissions are enforced by the Java Security Manager and the policies it loads at startup. These permissions can be assigned or restricted in an application-specific, granular manner.

        Rationale

        Java permissions for deployed applications should be carefully restricted to enforce the least privilege principle.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: AC-6

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.24 - Ensure proper permissions are configured for deployed applications: java.lang.RuntimePermission

        Deployed applications must not be granted runtime permissions. These permissions are enforced by the Java Security Manager and the policies it loads at startup. These permissions can be assigned or restricted in an application-specific, granular manner.

        Rationale

        Java permissions for deployed applications should be carefully restricted to enforce the least privilege principle. Granting RuntimePermission to applications allows these applications to modify classloaders or modify the running security manager. Either of these actions can be used to elevate permissions and increase the number of potential damaging actions that can be taken.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: AC-6

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.25 - Ensure proper permissions are configured for deployed applications: java.net.SocketPermission

        Deployed applications must not be granted any socket permissions. These permissions are enforced by the Java Security Manager and the policies it loads at startup. These permissions can be assigned or restricted in an application-specific, granular manner.

        Rationale

        Java permissions for deployed applications should be carefully restricted to enforce the least privilege principle. Most well-designed applications will not need to manipulate sockets directly for network access (access to backend data stores should be handled through datasources, which can themselves be assigned SocketPermission).

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: AC-6

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.26 - Ensure proper permissions are configured for deployed applications: java.security.AllPermission

        Deployed applications must not be granted all permissions. These permissions are enforced by the Java Security Manager and the policies it loads at startup. These permissions can be assigned or restricted in an application-specific, granular manner.

        Rationale

        Java permissions for deployed applications should be carefully restricted to enforce the least privilege principle. Granting AllPermission effectively disables the Java security sandbox and is inadvisable in nearly every scenario.
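        The grants that items 2.22 through 2.26 forbid can be found mechanically by reading the policy file the Security Manager loads. The auditor below is an added example, not part of this benchmark or of JBoss Fuse; the sample policy, its codeBase paths under ${karaf.home} and the db.example.internal host are constructed placeholders.

```python
"""Audit a Java Security Manager policy file for the grants that benchmark items
2.22-2.26 forbid.  Added example, not part of the benchmark or of JBoss Fuse.
The sample policy below is constructed; its codeBase paths and host are placeholders."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Permission classes the benchmark says deployed applications must not receive.
FORBIDDEN = {
    "java.security.AllPermission": "2.26",
    "java.net.NetPermission": "2.23",
    "java.lang.RuntimePermission": "2.24",
    "java.net.SocketPermission": "2.25",
}
# RuntimePermission targets named in the rationale of 2.24: they let code alter
# class loading or replace the running security manager.
ESCALATION_TARGETS = {"createClassLoader", "setSecurityManager", "setContextClassLoader"}
# FilePermission targets that span the whole host instead of an
# application-dedicated directory (2.22).
BROAD_FILE_TARGETS = {"<<ALL FILES>>", "/-", "${/}-"}


@dataclass
class Finding:
    item: str       # benchmark item the grant violates
    severity: str   # "high" or "medium"
    codebase: str   # codeBase the grant is scoped to; "" means every class
    permission: str
    target: str
    actions: str


# Quoted strings are matched first so a "//" inside a codeBase URL is not
# mistaken for a line comment.
_TOKEN = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
# Header and body treat quoted strings atomically, so ${karaf.home}-style
# property references inside a codeBase do not confuse the brace matching.
_GRANT = re.compile(r'grant\b((?:[^{"]|"[^"]*")*)\{((?:[^}"]|"[^"]*")*)\}\s*;', re.S)
_CODEBASE = re.compile(r'codeBase\s+"([^"]*)"', re.I)
_PERM = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')


def _strip_comments(text: str) -> str:
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def parse_policy(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (codebase, permission class, target, actions) for every grant entry."""
    for header, body in _GRANT.findall(_strip_comments(text)):
        cb = _CODEBASE.search(header)
        codebase = cb.group(1) if cb else ""
        for perm, target, actions in _PERM.findall(body):
            yield codebase, perm, target, actions


def audit_policy(text: str) -> List[Finding]:
    findings = []
    for codebase, perm, target, actions in parse_policy(text):
        # A grant with no codeBase applies to all code the JVM loads.
        severity = "high" if codebase == "" else "medium"
        if perm in FORBIDDEN:
            if perm == "java.security.AllPermission" or target in ESCALATION_TARGETS:
                severity = "high"
            findings.append(Finding(FORBIDDEN[perm], severity, codebase, perm, target, actions))
        elif perm == "java.io.FilePermission":
            acts = {a.strip() for a in actions.split(",")}
            if target in BROAD_FILE_TARGETS or "execute" in acts:
                findings.append(Finding("2.22", "high", codebase, perm, target, actions))
    return findings


SAMPLE_POLICY = r'''
// Constructed sample policy, not a real JBoss Fuse configuration.
grant codeBase "file:${karaf.home}/deploy/orders-app.jar" {
  permission java.io.FilePermission "${karaf.data}/orders/-", "read,write";
  permission java.net.SocketPermission "db.example.internal:5432", "connect,resolve";
  permission java.lang.RuntimePermission "createClassLoader";
};
grant codeBase "file:${karaf.home}/deploy/legacy.jar" {
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
  permission java.net.NetPermission "setDefaultAuthenticator";
};
grant {
  permission java.security.AllPermission;
};
'''

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        scope = f.codebase or "<all code>"
        print(f"[{f.severity:6}] item {f.item}: {f.permission} {f.target!r} {f.actions!r} in {scope}")
```

        The dedicated `${karaf.data}/orders/-` grant passes untouched, which is the shape item 2.22 allows; everything else in the sample is reported against the item it violates.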

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: AC-6

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.27 - Ensure default system Java Authentication and Authorization Service configuration is in use.

        Using the default system JAAS configuration ensures user identification and authentication are performed by JBoss Fuse.

        Rationale

        Using an administrator specified JAAS configuration enables a more rigorous security posture.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: CM-6

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.28 - Ensure deployed applications requiring authentication utilize DoD PKI Class 3 or Class 4 certificate and hardware security token or NSA-certified product

        JBoss applications implementing authentication should utilize the DoD Public Key Infrastructure. The DoD Public Key Infrastructure is designed to use hardware tokens such as the Common Access Card in conjunction with issued X.509 certificates. These tokens are typically protected with a PIN that unlocks access to the private certificate stored on the token.

        Rationale

        Leveraging the DoD Public Key Infrastructure increases the security of an application because the DoD PKI raises the bar for exploitation of user identities. Applications that require authentication and do not utilize PKI must then rely on a less secure form of authentication, such as username and password. Additionally, current DoD guidance requires the use of DoD PKI over username and password.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: IA-5

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.29 - Enable Federal Information Processing Standard (FIPS) 140-2 compliant cryptographic modules for use by the JBoss Java environment

        While JBoss itself has no need to load FIPS compliant modules, the underlying technologies such as Java do. Utilizing only FIPS compliant modules decreases compatibility with applications that are not FIPS enabled.

        Rationale

        Enabling FIPS compliant algorithms ensures that the underlying technologies that JBoss works through are using cryptographic modules that have been vetted by NIST for security, stability, and strength. Failure to utilize FIPS certified modules may cause the underlying technologies used by JBoss to utilize older, less secure algorithms. Failure to enable only FIPS compliant modules may also have regulatory consequences, as FIPS 140-2 requires the use of FIPS compliant modules by all federal agencies.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: SC-13

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.30 - Eliminate clear-text passwords from production servers.

        Eliminate clear-text passwords in JBoss configuration files. All passwords should be encrypted and all password files should have restricted file permissions.

        Rationale

        Clear-text passwords are an unnecessary security vulnerability. While risk of exposure can be mitigated through configured permissions and file ownership, these methods do not completely remediate the risk.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: SC-28

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.31 - Ensure JBoss process owner is executing with least privilege.

        Operating environment permissions assigned to the JBoss process owner should be in compliance with the principle of least privilege.

        Rationale

        In order to reduce the potential impact of exploitation against the JBoss application server (and the rest of the operating environment), the JBoss process owner should execute with as few permissions as possible in the environment (if the account is not local to the operating system or is distributed across multiple operating systems). Failure to limit permissions can dramatically increase the severity of exploits against the JBoss server, such as the execution of arbitrary code.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: AC-6

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.32 - Deny the JBoss process owner console access.

        The JBoss process owner should not have interactive console login access.

        Rationale

        In order to limit access in the event of an exploitation of JBoss or one of its deployed applications, the account owning the JBoss process should be limited in its ability to interact with the supporting operating system where possible. Thus, the JBoss process owner account should not have interactive console access.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: AC-6

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.33 - Set JBoss file ownership.

        All JBoss Fuse files within the installation directory should be owned by the JBoss process owner account.

        Rationale

        To prevent unauthorized modification or disclosure of JBoss configuration settings, all files within the installation directory should be owned by the JBoss process owner account.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: AC-3

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.34 - Set JBoss file permissions.

        All JBoss files within the installation directory should be readable by the JBoss process owner and JBoss administrators only.

        Rationale

        To prevent unauthorized modification or disclosure of JBoss configuration settings, access to all files within the installation directory should be restricted to the JBoss process owner account and JBoss administrators.
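        Items 2.33 and 2.34 together reduce to a check on every entry under the installation directory: owner equals the process owner, group equals the administrators' group, and no permission bit is set for "others". The script below is an added example, not part of this benchmark; the uid/gid are parameters because the benchmark names no accounts, and the demo builds a constructed mini-installation in a temporary directory rather than touching a real one.

```python
"""Verify that files under a JBoss Fuse installation directory are owned by the
process owner and are reachable only by that account and the administrators'
group (items 2.33 and 2.34).  Added example, not part of the benchmark; the
expected uid/gid are parameters because the benchmark does not name the accounts."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

WORLD_BITS = stat.S_IRWXO  # any r/w/x bit for "others" means access beyond owner and group


@dataclass
class Finding:
    item: str
    path: str
    detail: str
    world_access: bool = False  # True when a chmod alone fixes it


def audit_install_dir(root: str, owner_uid: int, admin_gid: int) -> List[Finding]:
    """Walk the installation and report ownership and world-access deviations."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # do not follow symlinks that may point outside the tree
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid != owner_uid:
                findings.append(Finding("2.33", path, f"owner uid {st.st_uid}, expected {owner_uid}"))
            if st.st_gid != admin_gid:
                findings.append(Finding("2.34", path, f"group gid {st.st_gid}, expected {admin_gid}"))
            if mode & WORLD_BITS:
                findings.append(Finding("2.34", path, f"mode {mode:04o} grants access to others", True))
    return findings


def strip_world_access(findings: List[Finding]) -> int:
    """Remediate world-access findings in place; ownership fixes need chown as root."""
    fixed = 0
    for f in findings:
        if f.world_access:
            os.chmod(f.path, stat.S_IMODE(os.lstat(f.path).st_mode) & ~WORLD_BITS)
            fixed += 1
    return fixed


def demo() -> Tuple[int, int, int]:
    """Constructed mini-installation: one world-readable users.properties among
    correctly restricted files.  Returns finding counts before and after remediation."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        os.chmod(etc, 0o750)
        for name, mode in (("users.properties", 0o644), ("system.properties", 0o640)):
            path = os.path.join(etc, name)
            with open(path, "w") as fh:
                fh.write("# constructed placeholder\n")
            os.chmod(path, mode)
        owner = os.stat(root)  # the creating account stands in for the process owner
        before = audit_install_dir(root, owner.st_uid, owner.st_gid)
        fixed = strip_world_access(before)
        after = audit_install_dir(root, owner.st_uid, owner.st_gid)
        return len(before), fixed, len(after)


if __name__ == "__main__":
    print("findings before, remediated, findings after:", demo())
```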

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: AC-3, AC-6

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.35 - Ensure remote access is either secured or disabled.

        Remote access must be secured so it is accessible by trusted administrators only. If this condition is not met, the access must be disabled from the deployment.

        Rationale

        Failure to secure against unauthorized access can quickly lead to system compromise. The default access included with JBoss is a well-known attack vector that can be leveraged to load malicious code to be executed on the server.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: AC-3

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.36 - Ensure Web Console is either secured or removed.

        The Web Console application must be secured so it is accessible by trusted administrators only. If this condition is not met, the application must be removed (deleted) from deployment.

        Rationale

        Failure to secure the default consoles against unauthorized access can quickly lead to system compromise. The default consoles included with JBoss are a well-known attack vector that can be leveraged to load malicious code to be executed on the server.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: AC-3

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.37 - Ensure JMX access is either secured or disabled.

        JMX access must be secured so it is accessible by trusted administrators only. If this condition is not met, the access must be disabled from the deployment.

        Rationale

        Failure to secure JMX against unauthorized access can quickly lead to system compromise. The default access included with JBoss is a well-known attack vector that can be leveraged to load malicious code to be executed on the server.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: AC-3

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.38 - Password hashing must be enabled within the appropriate login module

        Password hashing should be enabled in all security realms where plain-text passwords are currently in use.

        Rationale

        Failure to enable password hashing within a login module can result in plain-text exposure of client passwords used for authentication.
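        Items 2.30 and 2.38 can be verified from two configuration files. The auditor below is an added example, not part of this benchmark, and rests on assumptions taken from Apache Karaf 2.x (the container underneath JBoss Fuse 6) rather than from the benchmark text: user entries live in etc/users.properties as user=password,role,...; a hashed password is wrapped as {CRYPT}<digest>{CRYPT}; and hashing is governed by encryption.enabled and encryption.algorithm in etc/org.apache.karaf.jaas.cfg. It also flags still-enabled default accounts (items 2.19 and 3.1); the account names passed in, and both sample files, are constructed.

```python
"""Audit Karaf-style JAAS property files for the clear-text password and
password-hashing weaknesses of items 2.30 and 2.38, plus still-enabled default
accounts (items 2.19 and 3.1).  Added example, not part of the benchmark.
Assumptions taken from Apache Karaf 2.x (the container under JBoss Fuse 6), not
from the benchmark text: etc/users.properties holds  user=password,role,... ;
hashed passwords are wrapped as {CRYPT}<digest>{CRYPT}; hashing is controlled by
encryption.enabled / encryption.algorithm in etc/org.apache.karaf.jaas.cfg."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

CRYPT_MARK = "{CRYPT}"
# Digests a FIPS 140-2 deployment (item 2.50) can accept for encryption.algorithm.
FIPS_DIGESTS = {"SHA-256", "SHA-384", "SHA-512"}


@dataclass
class Finding:
    item: str
    subject: str   # account name, or "*" for a container-wide setting
    detail: str


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def is_hashed(password: str) -> bool:
    """True only for a non-empty digest wrapped in the {CRYPT} markers."""
    return (password.startswith(CRYPT_MARK) and password.endswith(CRYPT_MARK)
            and len(password) > 2 * len(CRYPT_MARK))


def audit_users(users_properties: str, default_accounts: FrozenSet[str]) -> List[Finding]:
    findings: List[Finding] = []
    for user, value in parse_properties(users_properties).items():
        if user.startswith("_g_:"):
            continue  # group entry: roles only, no password
        password = value.split(",")[0]
        if user in default_accounts:
            findings.append(Finding("3.1", user, "default account still enabled"))
        if not is_hashed(password):
            findings.append(Finding("2.30/2.38", user, "password stored in clear text"))
    return findings


def audit_jaas_cfg(jaas_cfg: str) -> List[Finding]:
    props = parse_properties(jaas_cfg)
    findings: List[Finding] = []
    if props.get("encryption.enabled", "").lower() != "true":
        findings.append(Finding("2.38", "*", "encryption.enabled is not true; new passwords are stored in clear text"))
    algorithm = props.get("encryption.algorithm", "")
    if algorithm.upper() not in FIPS_DIGESTS:
        findings.append(Finding("2.50", "*", f"encryption.algorithm={algorithm or '<unset>'} is not a FIPS 140-2 approved digest"))
    return findings


# Constructed samples, not taken from any deployment; the digest is a placeholder.
SAMPLE_USERS = """\
# etc/users.properties
admin=admin,admin
deploy={CRYPT}0123456789abcdef0123456789abcdef{CRYPT},deployer
_g_:admingroup=group,admin,manager
svc_orders=S3cret!,orders
"""
SAMPLE_JAAS_CFG = """\
# etc/org.apache.karaf.jaas.cfg
encryption.enabled = false
encryption.algorithm = MD5
"""

if __name__ == "__main__":
    for f in audit_users(SAMPLE_USERS, frozenset({"admin", "karaf"})) + audit_jaas_cfg(SAMPLE_JAAS_CFG):
        print(f"item {f.item:9} {f.subject:12} {f.detail}")
```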

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: SC-8, SC-9

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        2.39 - Only application and/or system administrators should be able to change security related configuration attributes.

        Security attributes are typically associated with internal data structures and configuration (e.g., application deployment, logging, monitoring) within the application server and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the organizational information security policy.

        Rationale

        If unauthorized entities were able to change security attributes, the integrity and/or confidentiality of the server could be compromised.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.40 - Only authorized users should be allowed to associate PKI information.

        Throughout the course of normal usage, authorized users of application servers will have the need to associate security attributes in the form of PKI credentials with information. The server utilizes a role based authentication model when managing server resources and limits access according to user role. 

        Rationale

        The server must ensure that only the users who are authorized to associate security attributes with information are allowed to do so.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.41 - SSL should be enabled on the Web Console.

        The server must utilize cryptography to protect the confidentiality of remote access management sessions.

        Rationale

        If cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.42 - Remote Access should only be done via SSH or other secure means.

        The server must utilize cryptography to protect the confidentiality of remote access management sessions.

        Rationale

        If cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.43 - Logging should be configured to reduce the likelihood of storage capacity being exceeded.

        The server must configure auditing to reduce the likelihood of storage capacity being exceeded.

        Rationale

        Server auditing capability is critical for accurate forensic analysis. Alerting administrators when audit log size thresholds are exceeded helps ensure that administrators can respond to heavy activity in a timely manner. Failure to alert increases the probability that an adversary's actions will go undetected. The server or the configured Network Attached Storage Device (SAN) must alert administrators when audit log usage reaches a defined percentage of overall capacity.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT III

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.44 - Logging should be configured to maintain logs for an organization-defined continuous number of days.

        Logging should be configured to maintain logs for an organization-defined continuous number of days.

        Rationale

        If adequate online audit storage capacity is not maintained, intrusion monitoring, security investigations, and forensic analysis can be negatively affected.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.45 - Server configuration changes should be restricted to JBoss administrators only.

        The server must enforce logical access restrictions associated with changes to application configuration. 

        Rationale

        When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to server components for the purposes of initiating changes, including upgrades and application modifications.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.46 - All non-essential bundles and features should be removed from production servers.

        All non-essential bundles and features should be removed from production servers.

        Rationale

        The server provides a myriad of differing processes, features and functionalities. Some of these processes may be deemed to be unnecessary or too insecure to run on a production DoD system. Servers must provide the capability to disable or deactivate functionality and services that are deemed to be non-essential to the server mission or can adversely impact server performance.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.47 - All non-essential ports, protocols, and services should be disabled.

        The server must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.

        Rationale

        The server provides numerous processes, features and functionalities that utilize TCP/IP ports. Some of these processes may be deemed to be unnecessary or too insecure to run on a production system. For a list of approved ports and protocols reference the DoD ports and protocols web site at https://powhatan.iiie.disa.mil/ports/cal.html

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.48 - All passwords should be encrypted when other means are not being utilized.

        Stored passwords must be encrypted.

        Rationale

        Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. 

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.49 - Encryption must be used when LDAP is enabled.

        The server must utilize encryption when using LDAP for authentication.

        Rationale

        Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.50 - FIPS 140-2 approved encryption modules must be used.

        The Application Server must utilize FIPS 140-2 approved encryption modules when authenticating users and processes. 

        Rationale

        Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified, and cannot be relied upon to provide confidentiality or integrity and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA certified hardware-based encryption modules.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.51 - DoD or CNS approved PKI Class 3 and Class 4 certificates should be used.

        The server must use DoD or CNS approved PKI Class 3 or Class 4 certificates.

        Rationale

        Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.52 - LDAP should be configured to fail securely.

        The server must fail securely in the event of an operational failure.

        Rationale

        Fail secure is a condition achieved by the server in order to ensure that in the event of an operational failure, the system does not enter into an unsecure state where intended security properties no longer hold.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.53 - Logging should be configured such that sensitive information is not revealed.

        Only error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages should be generated.

        Rationale

        Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered by the organization and development team. 

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.54 - Log files should be restricted so only authorized personnel may view them.

        Only authorized personnel may view log files.

        Rationale

        If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. 

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Server Security Requirements Guide V1R1

        2.55 - Ensure Web Console is using PKI.

        PKI should be enabled for the Web Console.

        Rationale

        All applications requiring user authentication to access sensitive data must be PK-enabled in compliance with DoDI 8520.2 PKI & PK Enabling and are required to use credentials approved under the DoD PKI program.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Security and Development Security Technical Implementation Guide V3R5

        2.56 - All PKI Certificates should be valid DoD Certificates.

        All PKI Certificates in use should be valid at the time of use.

        Rationale

        By using invalid certificates the server may allow unauthorized users access to the system.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Security and Development Security Technical Implementation Guide V3R5

        2.57 - Only administrators should be able to modify configuration files.

        Server should be protected with permission sets which allow only an application administrator to modify application resource configuration files.

        Rationale

        An access control flaw exists if users or processes can view or modify data to which they should not be permitted. This could result in situations ranging from information disclosure to system compromise and could potentially result in the compromise of other systems on the network.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        N/A

        Remediation instructions

        N/A

        References

        1. Application Security and Development Security Technical Implementation Guide V3R5

        Apache ActiveMQ Configuration

        The rules in this group validate Apache ActiveMQ related items.

        3.1 - Remove, rename, or comment out default user accounts from production servers.

        Remove, rename, or comment out the default user accounts defined in .properties files.

        Rationale

        Default configurations are commonly leveraged by attackers to gain entry into closed systems. Removing, renaming, or commenting out default user accounts makes malicious exploitation more complex.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: IA-5

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        3.2 - Remove, rename, or comment out default roles from production servers.

        Remove, rename, or comment out the default roles defined in .properties files.

        Rationale

        Default configurations are commonly leveraged by attackers to gain entry into closed systems. Removing, renaming, or commenting out default roles makes malicious exploitation more complex.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: IA-5

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        3.3 - Ensure default system Java Authentication and Authorization Service configuration is in use.

        Using the default system JAAS configuration ensures user identification and authentication are performed by JBoss Fuse.

        Rationale

        Using an administrator specified JAAS configuration enables a more rigorous security posture.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: CM-6

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3

        3.4 - Eliminate clear-text passwords from production servers.

        Eliminate clear-text passwords in JBoss configuration files. All passwords should be encrypted and all password files should have restricted file permissions.

        Rationale

        Clear-text passwords are an unnecessary security vulnerability. While risk of exposure can be mitigated through configured permissions and file ownership, these methods do not completely remediate the risk.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: SC-28

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Recommended Security Controls for Federal Information Systems and Organizations R3
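The following audit script is an added example illustrating rules 3.1 and 3.4 together; it is not part of the benchmark and not code shipped with JBoss Fuse or ActiveMQ. It assumes the Apache Karaf users.properties layout (one `username = password,role,...` entry per line, passwords encrypted by the Karaf JAAS module wrapped as `{CRYPT}...{CRYPT}`, `#` comment lines, `_g_` group definitions), and the list of default account names it flags is an assumption for this illustration that should be adjusted to the release in use. The sample file content is constructed.

```python
"""Audit a Karaf-style users.properties for default accounts (rule 3.1)
and clear-text passwords (rule 3.4).

Assumed format (Apache Karaf convention, not stated by the benchmark):
    username = password[,role1,role2,...]
Encrypted passwords are wrapped as {CRYPT}...{CRYPT}; anything else is
treated as clear text. Commented-out lines ('#' or '!') are ignored, so a
commented-out default account counts as remediated.
"""
import re

# Well-known default account names found in Karaf / ActiveMQ distributions.
# Assumption for this example: extend or trim the set for your release.
DEFAULT_ACCOUNTS = {"admin", "karaf", "smx", "system", "user", "guest"}

_LINE_RE = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*?)\s*$")
_CRYPT_RE = re.compile(r"^\{CRYPT\}.*\{CRYPT\}$")


def parse_users_properties(text):
    """Return (username, password, roles) tuples for active user entries.

    Group definitions (keys starting with _g_) carry no password and are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        user, rest = m.group(1), m.group(2)
        if user.startswith("_g_"):
            continue
        parts = [p.strip() for p in rest.split(",")]
        entries.append((user, parts[0], parts[1:]))
    return entries


def audit(text):
    """Return {'default_accounts': [...], 'clear_text': [...]} for the given file text."""
    findings = {"default_accounts": [], "clear_text": []}
    for user, password, _roles in parse_users_properties(text):
        if user.lower() in DEFAULT_ACCOUNTS:
            findings["default_accounts"].append(user)
        if not _CRYPT_RE.match(password):
            findings["clear_text"].append(user)
    return findings


# Constructed sample file: one commented-out default, one live default with a
# clear-text password, one group definition, one compliant service account.
SAMPLE = """\
# constructed sample, not a real deployment
#admin = admin,admin,manager,viewer
karaf = karaf,_g_:admingroup
_g_\\:admingroup = group,admin,manager,viewer
ops_svc = {CRYPT}0123456789abcdef0123456789abcdef{CRYPT},_g_:admingroup
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    result = audit(text)
    for user in result["default_accounts"]:
        print("default account still active:", user)
    for user in result["clear_text"]:
        print("clear-text password for:", user)
```

Run it against etc/users.properties (and the equivalent ActiveMQ users file) on each production broker; a clean result is an empty list in both categories. The script only parses the file, so it can also be run from a read-only audit account.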

        3.5 - Only application and/or system administrators should be able to change security related configuration attributes.

        Security attributes are typically associated with internal data structures and configuration (e.g., application deployment, logging, monitoring) within the application server and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the organizational information security policy.

        Rationale

        If unauthorized entities were able to change security attributes, the integrity and/or confidentiality of the server could be compromised.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Application Server Security Requirements Guide V1R1

        3.6 - SSL should be enabled on the ActiveMQ Web Console.

        The server must utilize cryptography to protect the confidentiality of remote access management sessions.

        Rationale

        If cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Application Server Security Requirements Guide V1R1

        3.7 - All passwords should be encrypted when other means are not being utilized.

        Stored passwords must be encrypted.

        Rationale

        Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Application Server Security Requirements Guide V1R1

        3.8 - Ensure ActiveMQ Web Console is using PKI.

        PKI should be enabled for the Web Console.

        Rationale

        All applications requiring user authentication to access sensitive data must be PK-enabled in compliance with DoDI 8520.2 PKI & PK Enabling and are required to use credentials approved under the DoD PKI program.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Application Security and Development Security Technical Implementation Guide V3R5

        3.9 - All PKI Certificates should be valid DoD Certificates.

        All PKI Certificates in use should be valid at the time of use.

        Rationale

        By using invalid certificates, the server may allow unauthorized users access to the system.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT I

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Application Security and Development Security Technical Implementation Guide V3R5

        3.10 - Only administrators should be able to modify configuration files.

        The server should be protected with permission sets which allow only an application administrator to modify application resource configuration files.

        Rationale

        An access control flaw exists if users or processes can view or modify data to which they should not be permitted. This could result in situations ranging from information disclosure to system compromise and could potentially result in the compromise of other systems on the network.

        Additional information

        CVSSv2 Risk Assessment: N/A / N/A - CVSSv2 Formula: N/A

        DoD Risk Category: CAT II

        NIST 800.53 Mapping: N/A

        DoD 8500.2 Mapping: N/A

        Validation instructions

        Remediation instructions

        References

        1. Application Security and Development Security Technical Implementation Guide V3R5
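The following permission check is an added example for rules 2.57 and 3.10 (administrator-only modification of configuration files); it is not part of the benchmark or of JBoss Fuse. It assumes a Karaf-style layout where configuration files live under the installation's etc directory with the suffixes listed in CONFIG_SUFFIXES, and that the application administrator is a single local account identified by uid. A file is reported when it is group- or world-writable, not owned by that uid, or a symbolic link. The demo() function builds a constructed temporary directory so the check can be exercised offline.

```python
"""Report configuration files that someone other than the application
administrator could modify (benchmark rules 2.57 / 3.10).

Assumptions: Karaf-style etc/ directory, config files identified by suffix,
administrator identified by a single uid. Not part of the benchmark.
"""
import os
import stat
import tempfile

# Assumed set of configuration file types to inspect.
CONFIG_SUFFIXES = (".properties", ".cfg", ".xml")


def evaluate_entry(mode, uid, expected_uid):
    """Pure check on lstat data; returns the list of problems (empty means compliant)."""
    problems = []
    if stat.S_ISLNK(mode):
        problems.append("symlink")          # edits could be redirected elsewhere
    if uid != expected_uid:
        problems.append("owner uid %d != %d" % (uid, expected_uid))
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def scan_config_dir(directory, expected_uid):
    """Walk the directory and return {path: [problems]} for non-compliant files only."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.endswith(CONFIG_SUFFIXES):
                continue
            path = os.path.join(root, name)
            st = os.lstat(path)             # lstat so symlinks are seen as such
            problems = evaluate_entry(st.st_mode, st.st_uid, expected_uid)
            if problems:
                findings[path] = problems
    return findings


def demo():
    """Constructed sample tree: one compliant file (0600) and one group-writable file (0664)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "users.properties")
        bad = os.path.join(tmp, "system.properties")
        for p in (good, bad):
            with open(p, "w") as fh:
                fh.write("# constructed sample\n")
        os.chmod(good, 0o600)
        os.chmod(bad, 0o664)
        findings = scan_config_dir(tmp, os.getuid())
        return {os.path.basename(p): v for p, v in findings.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:
        # usage: script.py <fuse-install>/etc <admin-uid>
        report = scan_config_dir(sys.argv[1], int(sys.argv[2]))
    else:
        report = demo()
    for path, problems in sorted(report.items()):
        print(path, "->", ", ".join(problems))
```

Run it as part of the periodic audit against the live etc directory, passing the uid of the designated JBoss administrator; an empty report means every configuration file is owned by that account and writable by no one else. The check deliberately looks at owner and mode bits only, so it stays valid regardless of which .properties or .cfg files a particular deployment adds.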

        Apache Camel Configuration

        The rules in this group validate Apache Camel related items.

        Apache CXF Configuration

        The rules in this group validate Apache CXF related items.


        Rear Matter

        For additional information regarding the JBoss Fuse 6.x SCAP benchmark, please visit https://fedorahosted.org/scap-security-guide/

        You may also contact the authors: