III - Administrative Sensitive
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000015-AS-000010
Group -
HTTPS must be enabled for JBoss web interfaces.
Encryption is critical for protection of web-based traffic. If encryption is not being used to protect the application server's web connectors, malicious users may gain the ability to read or modif...Rule Medium Severity -
SRG-APP-000033-AS-000024
Group -
Java permissions must be set for hosted applications.
The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources out...Rule High Severity -
SRG-APP-000033-AS-000024
Group -
The Java Security Manager must be enabled for the JBoss application server.
The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources out...Rule High Severity -
SRG-APP-000033-AS-000024
Group -
The JBoss server must be configured with Role Based Access Controls.
By default, the JBoss server is not configured to utilize role based access controls (RBAC). RBAC provides the capability to restrict user access to their designated management role, thereby limit...Rule High Severity -
SRG-APP-000033-AS-000024
Group -
Users in JBoss Management Security Realms must be in the appropriate role.
Security realms are a series of mappings between users and passwords and users and roles. There are 2 JBoss security realms provided by default; they are "management realm" and "application realm"...Rule Medium Severity -
SRG-APP-000033-AS-000024
Group -
Silent Authentication must be removed from the Default Application Security Realm.
Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis...Rule High Severity -
SRG-APP-000033-AS-000024
Group -
Silent Authentication must be removed from the Default Management Security Realm.
Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis...Rule High Severity -
SRG-APP-000033-AS-000024
Group -
JBoss management interfaces must be secured.
JBoss utilizes the concept of security realms to secure the management interfaces used for JBoss server administration. If the security realm attribute is omitted or removed from the management in...Rule High Severity -
SRG-APP-000089-AS-000050
Group -
The JBoss server must generate log records for access and authentication events to the management interface.
Log records can be generated from various components within the JBoss application server. The minimum list of logged events should be those pertaining to access and authentication events to the ma...Rule Medium Severity -
SRG-APP-000090-AS-000051
Group -
JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.
The JBoss server must be configured to select which personnel are assigned the role of selecting which loggable events are to be logged. In JBoss, the role designated for selecting auditable events...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.