Red Hat Jboss Enterprise Application Platform (EAP) 6.3 STIG Ver 2, Rel 5 Checklist Details (Checklist Revisions)
Supporting Resources:
-
Download Standalone XCCDF 1.1.4 - JBoss Enterprise Application Platform (EAP) 6.3 STIG - Ver 2, Rel 5
- Defense Information Systems Agency
Target:
Target | CPE Name |
---|---|
Red Hat JBoss Enterprise Application Platform 6.3.0 | cpe:/a:redhat:jboss_enterprise_application_platform:6.3.0 (View CVEs) |
Checklist Highlights
- Checklist Name:
- Red Hat Jboss Enterprise Application Platform (EAP) 6.3 STIG
- Checklist ID:
- 764
- Version:
- Ver 2, Rel 5
- Type:
- Compliance
- Review Status:
- Final
- Authority:
- Governmental Authority: Defense Information Systems Agency
- Original Publication Date:
- 04/28/2017
Checklist Summary:
The JBoss Enterprise Application Platform 6.3 (EAP) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. This document is meant for use in conjunction with the Enclave, Network Infrastructure, Web Server, Application Security and Development, and appropriate operating system (OS) STIGs. This document is intended to be applied to Red Hat JBoss EAP version 6.3 for both Windows and UNIX platforms. Scope for the guidance is limited to the management of the JBoss EAP server and does not extend to applications that are hosted on the server or underlying OS or web server components. There have been numerous reported security vulnerabilities related to the JBoss EAP product. The security issues have been largely attributed to misconfiguration of the product and a lack of timely patching of the product. In the 6.3 version, the management interfaces used to manage the EAP server are secured by default. This prevents remote access to the system until access is specifically configured, which helps to assure a more secure initial deployment. While integrated patch management capability is offered in the form of email notifications and manual application of downloaded patches, an automated patch management solution is not included with EAP. To ensure the EAP servers are kept up to date in regard to patching, patch management tasks must be performed directly by system administrators via the use of underlying OS tools and/or third-party configuration management solutions. Automatically applying patches to any application server without prior testing increases the risk of adversely impacting the hosted applications.
Checklist Role:
- Application Server
Known Issues:
Not provided.
Target Audience:
These requirements are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), Information Assurance Officers (IAOs), and System Administrators (SAs) with configuring and maintaining security controls.
Target Operational Environment:
- Managed
- Specialized Security-Limited Functionality (SSLF)
Testing Information:
Not provided.
Regulatory Compliance:
DoD Instruction (DoDI) 8500.01 requires that “all IT that receives, processes, stores, displays, or transmits DoD information will be […] configured […] consistent with applicable DoD cybersecurity policies, standards, and architectures” and tasks that Defense Information Systems Agency (DISA) “develops and maintains control correlation identifiers (CCIs), security requirements guides (SRGs), security technical implementation guides (STIGs), and mobile code risk categories and usage guides that implement and are consistent with DoD cybersecurity policies, standards, architectures, security controls, and validation procedures, with the support of the NSA/CSS, using input from stakeholders, and using automation whenever possible.” This document is provided under the authority of DoDI 8500.01.
Comments/Warnings/Miscellaneous:
Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.
Disclaimer:
Not provided.
Product Support:
Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.
Point of Contact:
disa.stig_spt@mail.mil
Sponsor:
Not provided.
Licensing:
Not provided.
Change History:
Updated to FINAL - 05/30/2017 Updated URL to reflect change to the DISA website - http --> https updated to v1,r3 - 1/22/19 Updated to FINAL - 2/19/19 Updated URLs - 6/13/19 updated URLs - 11/1/19 Changed URLs - 8/4/2020 Updated resource per DISA - 1/26/21 Updated resource per DISA - 7/29/21 updated URLs - 1/26/2022 Update Version and Resources - 06/10/2024 Resource and Title Updated - 11/08/2024 Resource Title Updated - 11/14/2024
Dependency/Requirements:
URL | Description |
---|
References:
Reference URL | Description |
---|