Users in JBoss Management Security Realms must be in the appropriate role.
An XCCDF Rule
Description
<VulnDiscussion>Security realms are a series of mappings between users and passwords and users and roles. There are 2 JBoss security realms provided by default; they are "management realm" and "application realm". Management realm stores authentication information for the management API, which provides functionality for the web-based management console and the management command line interface (CLI). mgmt-groups.properties stores user to group mapping for the ManagementRealm but only when role-based access controls (RBAC) is enabled. If management users are not in the appropriate role, unauthorized access to JBoss resources can occur.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-213499r615939_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Document approved management users and their roles. Configure the application server to use RBAC and ensure users are placed into the appropriate roles.