U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Checklist Program

National Checklist Program

NCP

  1. Checklist Repository

Red Hat Jboss Enterprise Application Platform (EAP) 6.3 STIG Ver 2, Rel 3 Checklist Details (Checklist Revisions)

Supporting Resources:

Target:

Target CPE Name
Red Hat JBoss Enterprise Application Platform 6.3.0 cpe:/a:redhat:jboss_enterprise_application_platform:6.3.0 (View CVEs)

Checklist Highlights

Checklist Name:
Red Hat Jboss Enterprise Application Platform (EAP) 6.3 STIG
Checklist ID:
764
Version:
Ver 2, Rel 3
Type:
Compliance
Review Status:
Final
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
04/28/2017

Checklist Summary:

The JBoss Enterprise Application Platform 6.3 (EAP) Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. This document is meant for use in conjunction with the Enclave, Network Infrastructure, Web Server, Application Security and Development, and appropriate operating system (OS) STIGs. This document is intended to be applied to Red Hat JBoss EAP version 6.3 for both Windows and UNIX platforms. Scope for the guidance is limited to the management of the JBoss EAP server and does not extend to applications that are hosted on the server or underlying OS or web server components. There have been numerous reported security vulnerabilities related to the JBoss EAP product. The security issues have been largely attributed to misconfiguration of the product and a lack of timely patching of the product. In the 6.3 version, the management interfaces used to manage the EAP server are secured by default. This prevents remote access to the system until access is specifically configured, which helps to assure a more secure initial deployment. While integrated patch management capability is offered in the form of email notifications and manual application of downloaded patches, an automated patch management solution is not included with EAP. To ensure the EAP servers are kept up to date in regard to patching, patch management tasks must be performed directly by system administrators via the use of underlying OS tools and/or third-party configuration management solutions. Automatically applying patches to any application server without prior testing increases the risk of adversely impacting the hosted applications.

Checklist Role:

  • Application Server

Known Issues:

Not provided.

Target Audience:

These requirements are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), Information Assurance Officers (IAOs), and System Administrators (SAs) with configuring and maintaining security controls.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoD Instruction (DoDI) 8500.01 requires that “all IT that receives, processes, stores, displays, or transmits DoD information will be […] configured […] consistent with applicable DoD cybersecurity policies, standards, and architectures” and tasks that Defense Information Systems Agency (DISA) “develops and maintains control correlation identifiers (CCIs), security requirements guides (SRGs), security technical implementation guides (STIGs), and mobile code risk categories and usage guides that implement and are consistent with DoD cybersecurity policies, standards, architectures, security controls, and validation procedures, with the support of the NSA/CSS, using input from stakeholders, and using automation whenever possible.” This document is provided under the authority of DoDI 8500.01.

Comments/Warnings/Miscellaneous:

Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

Disclaimer:

Not provided.

Product Support:

Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History: 

Updated to FINAL - 05/30/2017
Updated URL to reflect change to the DISA website - http --> https
updated to v1,r3 - 1/22/19
Updated to FINAL - 2/19/19
Updated URLs - 6/13/19
updated URLs - 11/1/19
Changed URLs - 8/4/2020
Updated resource per DISA - 1/26/21
Updated resource per DISA - 7/29/21
updated URLs - 1/26/2022

Dependency/Requirements:

URL Description

References:

Reference URL Description

NIST checklist record last modified on 01/26/2022