The JBoss server must be configured with Role Based Access Controls.
An XCCDF Rule
Description
<VulnDiscussion>By default, the JBoss server is not configured to use role based access controls (RBAC). RBAC restricts each user to their designated management role, so a user can reach only the JBoss functionality that role is supposed to have. Without RBAC, the JBoss server cannot enforce authorized access according to role.</VulnDiscussion>
- ID: SV-213498r1028281_rule
- Severity: High
- References
- Updated
Remediation - Manual Procedure
Run the following commands in order (each arrow in the original listing separates one CLI step from the next):
<JBOSS_HOME>/bin/jboss-cli.sh -c
connect
cd /core-service=management/access=authorization
:write-attribute(name=provider, value=rbac)
Restart JBoss.
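An added compliance check for the step above; it is not part of the STIG rule text. It parses the output that jboss-cli prints for a read-attribute call on the access=authorization resource and reports whether the provider is rbac. The JBOSS_HOME variable, the --command invocation in check_live_server, and the two sample outputs are assumptions constructed here to match the CLI's usual output format:

```shell
#!/bin/sh
# Added example: verify that the management access provider is set to rbac.
# Assumes JBOSS_HOME points at the JBoss installation (assumption, not from the rule).

# Extract the provider name from jboss-cli read-attribute output.
# The CLI prints a line of the form:  "result" => "rbac"
rbac_provider_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*"result" => "\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when the provider is rbac, 1 for anything else
# (the default "simple" provider, or no result line at all).
is_rbac_enabled() {
    [ "$(rbac_provider_from_output "$1")" = "rbac" ]
}

# Live check against a running server; requires a reachable jboss-cli.sh.
check_live_server() {
    out=$("${JBOSS_HOME:?set JBOSS_HOME to the JBoss install directory}/bin/jboss-cli.sh" -c \
        --command='/core-service=management/access=authorization:read-attribute(name=provider)')
    is_rbac_enabled "$out"
}

# Constructed sample outputs in the format jboss-cli prints for read-attribute.
SAMPLE_COMPLIANT='{
    "outcome" => "success",
    "result" => "rbac"
}'
SAMPLE_NONCOMPLIANT='{
    "outcome" => "success",
    "result" => "simple"
}'

# Run with --demo to exercise the parser on the constructed samples;
# run with --live to query the server named by JBOSS_HOME.
case "${1:-}" in
    --demo)
        is_rbac_enabled "$SAMPLE_COMPLIANT" && echo "compliant sample: provider is rbac"
        is_rbac_enabled "$SAMPLE_NONCOMPLIANT" \
            || echo "non-compliant sample: provider is $(rbac_provider_from_output "$SAMPLE_NONCOMPLIANT")"
        ;;
    --live)
        check_live_server && echo "RBAC provider active" || echo "RBAC provider NOT active"
        ;;
esac
```

The parser deliberately keys on the "result" line only, so a failed outcome (no result line) is treated as non-compliant rather than silently passing.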
Map users to roles by running the following command. Uppercase words are variables.