JBoss process owner execution permissions must be limited.

From JBoss EAP 6.3 Security Technical Implementation Guide

Associated with: CCI-000381

SV-76755r1_rule JBoss process owner execution permissions must be limited.

Vulnerability discussion

JBoss EAP application server can be run as the OS admin, which is not advised. Running the application server with admin privileges increases the attack surface by granting the application server more rights than it requires in order to operate. If the server is compromised, the attacker will have the same rights as the application server, which in that case would be admin rights. The JBoss EAP server must not be run as the admin user.

Check content

The script that is used to start JBoss determines the mode in which JBoss will operate, which will be in either in standalone mode or domain mode. Both scripts are installed by default in the /bin/ folder. In addition to running the JBoss server as an interactive script launched from the command line, JBoss can also be started as a service. The scripts used to start JBoss are: Red Hat: standalone.sh domain.sh Windows: standalone.bat domain.bat Use the relevant OS commands to determine JBoss ownership. When running as a process: Red Hat: "ps -ef|grep -i jboss". Windows: "services.msc". Search for the JBoss process, which by default is named "JBOSSEAP6". If the user account used to launch the JBoss script or start the JBoss process has admin rights on the system, this is a finding.

Fix text

Run the JBoss server with non-admin rights.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.