STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-250342

CAT II (Medium)

Users in a reader-role must be authorized.

Rule ID

SV-250342r961353_rule

STIG

IBM WebSphere Liberty Server Security Technical Implementation Guide

Version

V2R4

CCIs

CCI-002235

Discussion

The reader role is a management role that allows read-only access to select administrative REST APIs as well as the Admin Center UI (adminCenter-1.0). Preventing non-privileged users from viewing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Users granted reader role access must be authorized.

Check Content

As a user with access to the ${server.config.dir}/server.xml file, review its contents and identify whether any users or groups have been granted the reader-role:

grep -i reader-role ${server.config.dir}/server.xml

Note that Liberty builds its effective configuration from server.xml together with any files pulled in by <include location="..."/> elements and the ${server.config.dir}/configDropins/defaults and configDropins/overrides directories, so a reader-role defined in one of those files grants the same access as one in server.xml; review those files as well when they are present.

If the reader-role has been created, the users and groups in that role must be documented and approved.

If users in the reader-role are not approved, this is a finding.

EXAMPLE:

<featureManager>
  <feature>appSecurity-2.0</feature>
</featureManager>

<reader-role>
  <group>group</group>
  <group-access-id>group:realmName/groupUniqueId</group-access-id>
  <user>user</user>
  <user-access-id>user:realmName/userUniqueId</user-access-id>
</reader-role>
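The grep only shows whether a reader-role exists; deciding whether the rule is a finding means extracting every principal in every reader-role element and comparing it with the documented, approved list. The script below is an added example written for this page, not part of the STIG or of Liberty itself. It parses a constructed server.xml (with a constructed included file and made-up principals alice, bob, mallory and LibertyReaders, all assumptions), follows <include> elements so that members defined outside server.xml are not missed, and reports any member that is not on the approved list together with any included file it could not read. Replacing the inline dictionary with reads from ${server.config.dir} and the configDropins directories is the only change needed to run it against a real server.

```python
"""Audit Liberty <reader-role> membership against an approved list."""
import xml.etree.ElementTree as ET

# Child elements of <reader-role> that name a principal (see the STIG example).
ROLE_CHILDREN = ("user", "group", "user-access-id", "group-access-id")

# Constructed sample configuration (not taken from a real server). server.xml
# pulls in a second file through <include>, mirroring how Liberty merges
# included files and configDropins into the effective configuration, so an
# auditor who greps only server.xml would miss the extra reader-role entry.
CONSTRUCTED_FILES = {
    "server.xml": """<server description="constructed sample">
  <featureManager>
    <feature>appSecurity-2.0</feature>
  </featureManager>
  <reader-role>
    <group>LibertyReaders</group>
    <group-access-id>group:SampleLdapRealm/cn=auditors,ou=groups,dc=example,dc=org</group-access-id>
    <user>alice</user>
    <user-access-id>user:SampleLdapRealm/uid=bob,ou=people,dc=example,dc=org</user-access-id>
  </reader-role>
  <include location="extra-roles.xml"/>
</server>
""",
    "extra-roles.xml": """<server>
  <reader-role>
    <user>mallory</user>
  </reader-role>
</server>
""",
}

# The documented and approved reader-role membership (constructed for the example).
APPROVED = {
    ("group", "LibertyReaders"),
    ("group-access-id", "group:SampleLdapRealm/cn=auditors,ou=groups,dc=example,dc=org"),
    ("user", "alice"),
    ("user-access-id", "user:SampleLdapRealm/uid=bob,ou=people,dc=example,dc=org"),
}


def reader_role_members(files, start="server.xml"):
    """Collect every (element, principal) pair granted the reader role.

    `files` maps a location to its XML text, standing in for reads from
    ${server.config.dir}. <include location="..."/> elements are followed once
    each. Locations that cannot be resolved are returned separately so that a
    missing include shows up as an incomplete review rather than a clean one.
    """
    members, unresolved, seen, pending = set(), [], set(), [start]
    while pending:
        location = pending.pop()
        if location in seen:
            continue
        seen.add(location)
        text = files.get(location)
        if text is None:
            unresolved.append(location)
            continue
        root = ET.fromstring(text)
        for role in root.iter("reader-role"):
            for child in role:
                if child.tag in ROLE_CHILDREN:
                    members.add((child.tag, (child.text or "").strip()))
        for inc in root.iter("include"):
            if inc.get("location"):
                pending.append(inc.get("location"))
    return members, sorted(unresolved)


def audit(files=CONSTRUCTED_FILES, approved=APPROVED):
    """Return (finding, unapproved, unresolved).

    `finding` is True when any reader-role principal is not on the approved
    list or when an included file could not be reviewed.
    """
    members, unresolved = reader_role_members(files)
    unapproved = sorted(members - set(approved))
    return bool(unapproved or unresolved), unapproved, unresolved


if __name__ == "__main__":
    finding, unapproved, unresolved = audit()
    for tag, principal in unapproved:
        print(f"reader-role member not on the approved list: <{tag}>{principal}")
    for location in unresolved:
        print(f"could not review included file: {location}")
    print("FINDING" if finding else "no finding")
```

On the constructed input the audit reports mallory, who is granted the role only in the included file, as the single unapproved member; the same output lists exactly the entries the Fix Text says to remove. The script treats an include it cannot read as a finding on purpose: a review that silently skips part of the configuration is not a review.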

Fix Text

Edit the ${server.config.dir}/server.xml file. If unauthorized users have been added to the reader-role, remove those users. 

Otherwise, document the users who are granted the reader-role access.

To allow read-only access to select administrative REST APIs, the ${server.config.dir}/server.xml must be configured as follows. Additionally, the users, and the groups they belong to, must be defined in the LDAP registry that server.xml references.

EXAMPLE:
<featureManager>
<feature>appSecurity-2.0</feature>
</featureManager>

<reader-role>
  <group>group</group>
  <group-access-id>group:realmName/groupUniqueId</group-access-id>
  <user>user</user>
  <user-access-id>user:realmName/userUniqueId</user-access-id>
</reader-role>

<ldapRegistry id="ldap" realm="SampleLdapRealm"
  host="${ldap.server.name}" port="${ldap.server.port}" ignoreCase="true"
  baseDN="${ldap.server.base.dn}"
  ldapType="${ldap.vendor.type}"
  searchTimeout="8m">
</ldapRegistry>