Remote access to JMX subsystem must be disabled.

An XCCDF Rule

Description

<VulnDiscussion>The JMX subsystem allows you to trigger JDK and application management operations remotely. In a managed domain configuration, the JMX subsystem is removed by default. For a standalone configuration, it is enabled by default and must be removed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-213522r960963_rule
Severity: Medium
References: CCI-000381
Updated: 17 days ago

Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
Using the relevant OS commands and syntax, cd to the <JBOSS_HOME>/bin/ folder.
Run the jboss-cli script to start the Command Line Interface (CLI).
Connect to the server and authenticate.

For a Managed Domain configuration you must check each profile name:
For each PROFILE NAME, run the command:
"/profile=<PROFILE NAME>/subsystem=jmx/remoting-connector=jmx:remove"

For a Standalone configuration:
"/subsystem=jmx/remoting-connector=jmx:remove"

Remote access to JMX subsystem must be disabled.

Description

Remediation - Manual Procedure