The WebSphere Application Server files must be owned by the non-root WebSphere user ID.

From IBM WebSphere Traditional V9.x Security Technical Implementation Guide

Part of SRG-APP-000141-AS-000095

Associated with: CCI-000381

SV-95985r1_rule The WebSphere Application Server files must be owned by the non-root WebSphere user ID.

Vulnerability discussion

Having files owned by the root or administrator user is an indication that the WebSphere processes are being run with escalated privileges. Running as the root/admin user gives attackers elevated privileges that can be used to compromise the system more easily compared to operating the WebSphere processes with regular user privileges. Specifying a regular OS user when installing and managing WebSphere is best practice. By doing so, the WebSphere files will be owned by the user ID specified rather than being owned by the admin user. Use the underlying OS file permissions to ensure that access to the WebSphere files is restricted to only those users who require access.

Check content

Review System Security Plan documentation. Interview the system administrator. Determine the OS user and group information associated with the WebSphere processes.

Identify the paths, files, and folders associated with the WebSphere installation. These include (the names in angle brackets are placeholders for the site-specific locations):

- <WAS_HOME>: where you installed WebSphere. Default location: for UNIX, /opt/IBM/WebSphere/AppServer; for Windows, C:\Program Files\IBM\WebSphere\AppServer.
- <PROFILE_HOME>: where the appserver instance resides. The default location is under "<WAS_HOME>/profiles".
- <OTHER>: any additional files that may reside outside of <WAS_HOME>. Examples include:
  - shared library .jar files
  - Resource Adapter .rar files
  - key and trust store files (.jks and .p12)
  - other files such as JDBC drivers

For Linux, use the command "find -user root" from each of the directories above to find files owned by the root user (GNU find searches the current directory when no path is given). On Windows, use the "dir /Q /S" command from the root directories to show the owners of all files. Examine the output for files owned by the administrator or root account.

If any WebSphere file or additional files as described above are owned by root or the administrator, this is a finding.

Fix text

Note: executing this fix without proper planning regarding file ownership can render your installation inoperable. See the vulnerability discussion before executing this fix.

Ensure all WebSphere related files and folders are owned by the WebSphere OS user. Ensure OS group membership is restricted. In the commands below, <was_user> and <was_group> are placeholders for the WebSphere OS user and group, and <WAS_HOME>, <PROFILE_HOME>, and <OTHER> are the directories identified in the check content.

File ownership changes for UNIX systems:
- chown -R <was_user> <WAS_HOME>
- chown -R <was_user> <PROFILE_HOME>
- chown -R <was_user> <OTHER>, where <OTHER> may be zero or more directories for other files

Group ownership changes for UNIX systems:
- chgrp -R <was_group> <WAS_HOME>
- chgrp -R <was_group> <PROFILE_HOME>
- chgrp -R <was_group> <OTHER>, where <OTHER> may be zero or more root directories for other files

File ownership changes for Windows systems:
- "takeown /r /u <was_user> /f <folder>", where the <folder> is <WAS_HOME>, <PROFILE_HOME>, or <OTHER>
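The check and fix above can be scripted for the UNIX case. The following is an added example, not part of the STIG or of IBM's own tooling: it lists every entry under the WebSphere directories whose owner is not the expected non-root WebSphere user, returns a count that should be zero for a compliant system, and wraps the recursive chown from the fix text. The directory list and the WAS_USER/WAS_GROUP values are placeholders the administrator supplies.

```shell
#!/bin/sh
# Added example (not STIG or IBM code): audit and repair ownership of
# WebSphere files. <WAS_HOME>, <PROFILE_HOME>, <OTHER>, WAS_USER and
# WAS_GROUP are placeholders for site-specific values.

# List every filesystem entry under the given roots whose owner is not
# the expected user. Missing roots are reported on stderr and skipped.
# Usage: was_list_wrong_owner <expected_user> <dir>...
was_list_wrong_owner() {
    user="$1"; shift
    for root in "$@"; do
        if [ ! -e "$root" ]; then
            echo "skipping missing path: $root" >&2
            continue
        fi
        # Equivalent of the STIG's "find -user root" from each directory,
        # but inverted: anything NOT owned by the WebSphere user is suspect.
        find "$root" ! -user "$user" -print
    done
}

# Number of mis-owned entries; 0 means the check passes (no finding).
# Usage: was_count_wrong_owner <expected_user> <dir>...
was_count_wrong_owner() {
    was_list_wrong_owner "$@" | wc -l | tr -d ' '
}

# Fix: recursively reassign user and group ownership, as in the fix text
# (chown -R and chgrp -R collapsed into one chown user:group).
# Usage: was_fix_owner <user> <group> <dir>...
was_fix_owner() {
    user="$1"; group="$2"; shift 2
    for root in "$@"; do
        chown -R "$user:$group" "$root"
    done
}

# Example invocation (placeholders; run as root after planning the change):
#   WAS_USER=wasadmin; WAS_GROUP=wasgrp
#   was_count_wrong_owner "$WAS_USER" /opt/IBM/WebSphere/AppServer
#   was_fix_owner "$WAS_USER" "$WAS_GROUP" /opt/IBM/WebSphere/AppServer
```

Run the count first and review the listed paths: a non-zero result is the finding, and the list is what must be reassigned before the chown is executed.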
