The WebSphere Application Server process must not be started from the command line with the -password option.

An XCCDF Rule

Description

The use of the -password option to launch a WebSphere process from the command line can result in a security exposure. Password information may become visible to any user with the ability to view system processes. For example, on a Linux system the "ps" command will display all running processes, which would include all of the command line flags used to start a WebSphere process.

ID: SV-95983r1_rule
Version: WBSP-AS-000910
Severity: Medium
References: CCI-000381
Updated: 4 days ago

Remediation Templates

When starting WebSphere commands, such as wsadmin, stopManager, stopNode, stopServer, or syncNode; do not use the "-password <password>" option.

Use the interactive mode instead; you will be prompted for user id and password.

For scripts, you may configure user id and password in the "connector properties" files. These files are under "Profile_Root/Properties" folder.
- soap.client.props: for default SOAP
- sas.client.props : for RMI and JSR160RMI connectors
- ipc.client.props: for IPC connector

The WebSphere Application Server process must not be started from the command line with the -password option.

Description

Remediation Templates

A Manual Procedure