
JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide

Version: V2R6

Benchmark ID: JBoss_EAP_6-3_STIG

Total Checks: 67

Tags: application

Severity breakdown: CAT I: 10, CAT II: 56, CAT III: 1

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (67)

  • V-213494 [MEDIUM] HTTP management session traffic must be encrypted.
  • V-213495 [MEDIUM] HTTPS must be enabled for JBoss web interfaces.
  • V-213496 [HIGH] Java permissions must be set for hosted applications.
  • V-213497 [HIGH] The Java Security Manager must be enabled for the JBoss application server.
  • V-213498 [HIGH] The JBoss server must be configured with Role Based Access Controls.
  • V-213499 [MEDIUM] Users in JBoss Management Security Realms must be in the appropriate role.
  • V-213500 [HIGH] Silent Authentication must be removed from the Default Application Security Realm.
  • V-213501 [HIGH] Silent Authentication must be removed from the Default Management Security Realm.
  • V-213502 [HIGH] JBoss management interfaces must be secured.
  • V-213503 [MEDIUM] The JBoss server must generate log records for access and authentication events to the management interface.
  • V-213504 [MEDIUM] JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.
  • V-213505 [MEDIUM] JBoss must be configured to initiate session logging upon startup.
  • V-213506 [MEDIUM] JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.
  • V-213507 [MEDIUM] JBoss must be configured to produce log records containing information to establish what type of events occurred.
  • V-213508 [MEDIUM] JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.
  • V-213509 [MEDIUM] JBoss must be configured to produce log records that establish which hosted application triggered the events.
  • V-213510 [MEDIUM] JBoss must be configured to record the IP address and port information used by management interface network traffic.
  • V-213511 [MEDIUM] The application server must produce log records that contain sufficient information to establish the outcome of events.
  • V-213512 [MEDIUM] JBoss ROOT logger must be configured to utilize the appropriate logging level.
  • V-213513 [MEDIUM] File permissions must be configured to protect log information from any type of unauthorized read access.
  • V-213514 [MEDIUM] File permissions must be configured to protect log information from unauthorized modification.
  • V-213515 [MEDIUM] File permissions must be configured to protect log information from unauthorized deletion.
  • V-213516 [MEDIUM] JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.
  • V-213517 [MEDIUM] mgmt-users.properties file permissions must be set to allow access to authorized users only.
  • V-213518 [HIGH] JBoss process owner interactive access must be restricted.
  • V-213519 [MEDIUM] Google Analytics must be disabled in EAP Console.
  • V-213520 [HIGH] JBoss process owner execution permissions must be limited.
  • V-213521 [MEDIUM] JBoss QuickStarts must be removed.
  • V-213522 [MEDIUM] Remote access to JMX subsystem must be disabled.
  • V-213523 [LOW] Welcome Web Application must be disabled.
  • V-213524 [MEDIUM] Any unapproved applications must be removed.
  • V-213525 [MEDIUM] JBoss application and management ports must be approved by the PPSM CAL.
  • V-213526 [MEDIUM] The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.
  • V-213527 [MEDIUM] The JBoss Server must be configured to use certificates to authenticate admins.
  • V-213528 [MEDIUM] The JBoss server must be configured to use individual accounts and not generic or shared accounts.
  • V-213529 [MEDIUM] JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.
  • V-213530 [MEDIUM] The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.
  • V-213531 [MEDIUM] JBoss KeyStore and Truststore passwords must not be stored in clear text.
  • V-213532 [MEDIUM] LDAP enabled security realm value allow-empty-passwords must be set to false.
  • V-213533 [MEDIUM] JBoss must utilize encryption when using LDAP for authentication.
  • V-213534 [MEDIUM] The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators.
  • V-213535 [MEDIUM] The JBoss server must separate hosted application functionality from application server management functionality.
  • V-213536 [MEDIUM] JBoss file permissions must be configured to protect the confidentiality and integrity of application files.
  • V-213537 [MEDIUM] Access to JBoss log files must be restricted to authorized users.
  • V-213538 [MEDIUM] Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller.
  • V-213539 [MEDIUM] The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
  • V-213540 [MEDIUM] The JBoss server must be configured to log all admin activity.
  • V-213541 [MEDIUM] The JBoss server must be configured to utilize syslog logging.
  • V-213542 [MEDIUM] Production JBoss servers must not allow automatic application deployment.
  • V-213543 [MEDIUM] Production JBoss servers must log when failed application deployments occur.
  • V-213544 [MEDIUM] Production JBoss servers must log when successful application deployments occur.
  • V-213545 [MEDIUM] JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
  • V-213546 [MEDIUM] The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.
  • V-213547 [MEDIUM] JBoss must be configured to use an approved TLS version.
  • V-213548 [MEDIUM] JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.
  • V-213549 [HIGH] Production JBoss servers must be supported by the vendor.
  • V-213550 [HIGH] The JRE installed on the JBoss server must be kept up to date.
  • V-213551 [MEDIUM] JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur.
  • V-213552 [MEDIUM] JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur.
  • V-213553 [MEDIUM] JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur.
  • V-213554 [MEDIUM] JBoss must be configured to generate log records for privileged activities.
  • V-213555 [MEDIUM] JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface.
  • V-213556 [MEDIUM] JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface.
  • V-213557 [MEDIUM] JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events.
  • V-213558 [MEDIUM] The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.
  • V-213559 [MEDIUM] JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis.
  • V-217099 [MEDIUM] The JBoss server must be configured to bind the management interfaces to only management networks.