STIGhub

V-213537

CAT II (Medium)

Access to JBoss log files must be restricted to authorized users.

Rule ID

SV-213537r961170_rule

STIG

JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide

Version

V2R6

CCIs

CCI-001314

Discussion

If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.

Check Content

If the JBoss log folder is installed in the default location and 213514 (JBOS-AS-000170) is not a finding, the log folders are protected and this requirement is not a finding.

By default, JBoss installs its log files into a sub-folder of the "jboss-eap-6.3" home folder.

Using a UNIX-like OS as the example, the default locations for log files are:
JBOSS_HOME/standalone/log
JBOSS_HOME/domain/log

For a standalone configuration:
JBOSS_HOME/standalone/log/server.log
Contains all server log messages, including server startup messages.

For a domain configuration:
JBOSS_HOME/domain/log/hostcontroller.log
Host Controller boot log. Contains log messages related to the startup of the host controller.

JBOSS_HOME/domain/log/processcontroller.log
Process controller boot log. Contains log messages related to the startup of the process controller.

JBOSS_HOME/domain/servers/SERVERNAME/log/server.log
The server log for the named server. Contains all log messages for that server, including server startup messages.

Log on with an OS user account with JBoss access and permissions.

Navigate to the "jboss-eap-6.3" folder using the relevant OS commands for either a UNIX-like OS or a Windows OS.

Examine the permissions of the JBoss logs folders.

Owner can be full access.
Group can be full access.
All others must be restricted.

If the JBoss log folder is world readable or world writeable, this is a finding.
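The permission test in the check above, as an added shell example that is not part of the STIG text or of STIGhub. It assumes a Linux host with GNU coreutils (stat -c) and that the jboss-eap-6.3 folder is passed as the first argument or set in JBOSS_HOME; it applies the check's own rule (owner and group may have full access, others must have neither read nor write).

```shell
#!/bin/sh
# Added example, not part of the STIG text: scripts the log-folder permission
# check. Assumes a Linux host with GNU coreutils (stat -c); the JBoss home is
# the first argument or, failing that, the JBOSS_HOME environment variable.

# Returns 0 if the directory is not world readable or world writeable, i.e. the
# "other" octal digit has neither the read (4) nor the write (2) bit set.
# Returns 1 for a finding, 2 if the path is not a directory.
log_dir_is_restricted() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    mode=$(stat -c '%a' "$dir")     # e.g. 750, or 2750 when setgid is set
    other=${mode#"${mode%?}"}       # last octal digit = permission bits for "others"
    case $other in
        0|1) return 0 ;;            # execute-only for others is neither read nor write
        *)   return 1 ;;
    esac
}

# Walks the default standalone and domain log folders listed in the check and
# reports each one; the return value is the number of findings.
check_jboss_log_dirs() {
    home=${1:-${JBOSS_HOME:?set JBOSS_HOME or pass the jboss-eap-6.3 folder}}
    findings=0
    for d in "$home/standalone/log" "$home/domain/log" "$home"/domain/servers/*/log; do
        [ -d "$d" ] || continue     # a host normally runs only one of the two modes
        owner_mode=$(stat -c '%U:%G %a' "$d")
        if log_dir_is_restricted "$d"; then
            echo "OK       $d ($owner_mode)"
        else
            echo "FINDING  $d ($owner_mode) is world readable or writeable"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage: sh check_jboss_logs.sh /opt/jboss-eap-6.3 (skipped when no home is known)
[ -n "${1:-${JBOSS_HOME:-}}" ] && check_jboss_log_dirs "$@"
```

A non-zero exit status is the count of log folders that would be a finding, so the script can be dropped into a compliance job as-is.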

Fix Text

Configure file permissions on the JBoss log folder to protect from unauthorized access.