Skip to content

Users in JBoss Management Security Realms must be in the appropriate role.

An XCCDF Rule

Description

<VulnDiscussion>Security realms are a series of mappings between users and passwords and users and roles. There are 2 JBoss security realms provided by default; they are "management realm" and "application realm". Management realm stores authentication information for the management API, which provides functionality for the web-based management console and the management command line interface (CLI). mgmt-groups.properties stores user to group mapping for the ManagementRealm but only when role-based access controls (RBAC) is enabled. If management users are not in the appropriate role, unauthorized access to JBoss resources can occur.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-213499r615939_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Document approved management users and their roles.  Configure the application server to use RBAC and ensure users are placed into the appropriate roles.