Skip to content

The JBoss server must be configured with Role Based Access Controls.

An XCCDF Rule

Description

<VulnDiscussion>By default, the JBoss server is not configured to utilize role based access controls (RBAC). RBAC provides the capability to restrict user access to their designated management role, thereby limiting access to only the JBoss functionality that they are supposed to have. Without RBAC, the JBoss server is not able to enforce authorized access according to role.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-213498r615939_rule
Severity
High
References
Updated



Remediation - Manual Procedure

Run the following command.
<JBOSS_HOME>/bin/jboss-cli.sh -c -> connect -> cd /core-service=management/access-authorization :write-attribute(name=provider, value=rbac)

Restart JBoss.

Map users to roles by running the following command.  Upper-case words  are variables.