The WebSphere Application Server process must not be started from the command line with the -password option.
An XCCDF Rule
Description
<VulnDiscussion>The use of the -password option to launch a WebSphere process from the command line can result in a security exposure. Password information may become visible to any user with the ability to view system processes. For example, on a Linux system the "ps" command will display all running processes, which would include all of the command line flags used to start a WebSphere process.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID: SV-95983r1_rule
- Severity: Medium
- References
- Updated
Remediation - Manual Procedure
When starting WebSphere commands, such as wsadmin, stopManager, stopNode, stopServer, or syncNode, do not use the "-password <password>" option.
Use the interactive mode instead; you will be prompted for user id and password.
For scripts, you may configure user id and password in the "connector properties" files. These files are under "Profile_Root/Properties" folder.
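The discussion above says the exposure is visible through "ps", which also makes the finding easy to audit. The following is an added example, not part of the STIG rule text or IBM's tooling: a POSIX shell check that reads a `ps -eo pid,args` listing, reports WebSphere command lines (the tool names are the ones the remediation lists) that carry a "-password" flag, and masks the password value in its own report so the audit does not repeat the leak. The sample process listing is constructed for the demonstration; the paths and credentials in it are fictitious.

```shell
#!/bin/sh
# Added example: detect WebSphere tools started with "-password <value>".
# Assumptions (not from the rule): Linux/UNIX "ps" supporting "-eo pid,args",
# and WebSphere tools invoked by their .sh wrappers under .../bin.

# Tool names taken from the rule's remediation; extend the list as needed.
WAS_TOOLS='wsadmin|stopManager|stopNode|stopServer|syncNode'

# find_password_flags: read "pid args" lines on stdin and print only those
# that invoke one of the WebSphere tools AND contain a bare "-password" flag.
# "-password-file" style options are not matched. The value following
# "-password" is replaced with asterisks before the line is printed.
find_password_flags() {
    grep -E "(^|[/ ])(${WAS_TOOLS})(\.sh|\.bat)?( |$)" |
    grep -E -e '(^| )-password( |$)' |
    sed -E 's/-password +[^ ]+/-password ********/g'
}

# count_password_flags: number of offending processes in the listing on stdin.
count_password_flags() {
    find_password_flags | grep -c .
}

# audit_live: run the check against the real process table.
audit_live() {
    ps -eo pid,args | find_password_flags
}

# Constructed sample listing (fictitious paths, users and passwords).
# Lines 101 and 102 violate the rule; 103-105 do not.
SAMPLE_PS='  101 /opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -conntype SOAP -user wasadmin -password Sup3rSecret -f deploy.py
  102 /opt/IBM/WebSphere/AppServer/bin/stopServer.sh server1 -username wasadmin -password Sup3rSecret
  103 /opt/IBM/WebSphere/AppServer/bin/startServer.sh server1
  104 /usr/bin/python3 /home/ops/rotate.py -password-file /etc/secrets/was.txt
  105 /opt/IBM/WebSphere/AppServer/bin/syncNode.sh dmgrhost 8879 -username wasadmin'

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    echo "Processes started with -password (values masked):"
    printf '%s\n' "$SAMPLE_PS" | find_password_flags
fi
```

Run with `--live` to audit the real process table; without arguments it runs against the constructed sample and reports processes 101 and 102. Because the value after "-password" is masked, the audit output can be stored or attached to a finding without itself becoming a credential exposure. Note that the exposure the rule describes is not limited to the wrapper script: the Java process the wrapper spawns inherits the same arguments, so an audit should match on the flag wherever it appears in a WebSphere-related command line, not only on the wrapper's name.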