Users in a reader-role must be authorized.

An XCCDF Rule

Description

The reader role is a management role that allows read-only access to select administrative REST APIs as well as the Admin Center UI (adminCenter-1.0). Preventing non-privileged users from viewing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Users granted reader role access must be authorized.

ID: SV-250342r961353_rule
Version: IBMW-LS-000790
Severity: Medium
References: CCI-002235
Updated: 26 days ago

Remediation Templates

Edit the ${server.config.dir}/server.xml file. If unauthorized users have been added to the reader-role, remove those users. 

Otherwise, document the users who are granted the reader-role access.

To allow read-only access to select administrative REST APIs, the ${server.config.dir}/server.xml must be configured as follows. Additionally, the users and groups they are a part of must be defined within LDAP.
EXAMPLE:
<featureManager>
<feature>appSecurity-2.0</feature>
</featureManager>

<reader-role>
<group>group</group><group-access-id> group:realmName/groupUniqueId</group-access-id><user>user</user><user-access-id>user:realmName/userUniqueId</user-access-id>
</reader-role>

<ldapRegistry id="ldap" realm="SampleLdapRealm" host="${ldap.server.name}" port="${ldap.server.port}" ignoreCase="true"
baseDN="${ldap.server.base.dn}"
ldapType="${ldap.vendor.type}"
searchTimeout="8m">
</ldapRegistry>

Users in a reader-role must be authorized.

Description

Remediation Templates

A Manual Procedure