Group
Guide to the Secure Configuration of Java Runtime Environment
Group contains 2 groups and 11 rules
Group
Java
Group contains 1 group and 11 rules

Java is a general-purpose computer programming language. It is intended to
let application developers "write once, run anywhere." Java applications are
typically compiled to bytecode that can run on any Java virtual machine (JVM)
regardless of computer architecture. As such, the Java runtime environment (JRE)
must be installed so that Java applications can run. This section provides
settings for configuring Java policies to meet compliance requirements for Java
running on Red Hat Enterprise Linux systems.
Group
Configure the deployment.config File
Group contains 3 rules

The deployment.config file is used for specifying the system-level
deployment.properties file. The system-level configuration for Java lives in
/etc/.java/deployment. By default, no deployment.config file exists. To ensure
that /etc/.java/deployment/deployment.config is configured correctly, both
deployment.system.config and deployment.system.config.mandatory need to be set
correctly.
Rule
Configure the deployment.properties File Path

To ensure that the Java properties file is set in
/etc/.java/deployment/deployment.config, add or modify
deployment.system.config to equal
file:///etc/.java/deployment/deployment.properties.

Rationale: Without a proper path for the properties file, deployment would not be possible.
If the path specified does not lead to a properties file, the value of the
'deployment.system.config.mandatory' key determines how to handle the situation.
If the value of this key is true, the JRE will not run if the path to the properties
file is invalid.

Severity: medium

References: DCBP-1, JRE-JRE0060-UX
Rule
The Java Configuration File Exists

If the Java configuration file does not exist, it can be added by running:
$ sudo mkdir -p -m 755 /etc/.java/deployment
$ sudo touch /etc/.java/deployment/deployment.config
$ sudo chmod 644 /etc/.java/deployment/deployment.config

Rationale: The deployment.config file is used for specifying the location and execution of
system-level properties for the Java Runtime Environment. By default no
deployment.config file exists; thus, no system-wide deployment.properties file exists.
Without the deployment.config file, setting particular options for the Java
control panel is impossible.

Severity: medium

References: DCBP-1, JRE-JRE0070-UX
Rule
Configure The Java Deployment Mandatory Setting

To configure the Java mandatory deployment setting, add or modify
deployment.system.config.mandatory to equal false
in /etc/.java/deployment/deployment.config.

Rationale: Without a proper path for the properties file, deployment would not be possible.
If the path specified does not lead to a properties file, the value of the
'deployment.system.config.mandatory' key determines how to handle the situation.
If the value of this key is true, the JRE will not run if the path to the properties
file is invalid.

Severity: medium

References: DCBP-1, JRE-JRE0060-UX
Rule
Disable User Access to Online Certificate Validation Settings

To ensure that users cannot change the online certificate verification settings,
add deployment.security.validation.ocsp.locked to
/etc/.java/deployment/deployment.properties.

Rationale: Online certificate validation provides a greater degree of validation of certificates
when running a signed Java applet. Permitting execution of an applet with an invalid
certificate may result in malware execution, system modification, invasion of privacy,
and denial of service. As such, ensuring users cannot change settings contributes to
a more consistent security profile.

Severity: medium

References: DCBP-1, JRE-JRE0050-UX
Rule
Disable User Access to Revocation Check Settings

To ensure that users cannot change certificate revocation check settings,
add deployment.security.validation.crl.locked to
/etc/.java/deployment/deployment.properties.

Rationale: Permitting execution of an applet published with a revoked certificate may
result in spoofing, malware, system modification, invasion of privacy,
and denial of service. As such, ensuring users cannot change settings
contributes to a more consistent security profile.

Severity: medium

References: DCBP-1, JRE-JRE0030-UX
Rule
The Java Properties File Exists

If the Java properties file does not exist, it can be added by running:
$ sudo mkdir -p -m 755 /etc/.java/deployment
$ sudo touch /etc/.java/deployment/deployment.properties
$ sudo chmod 644 /etc/.java/deployment/deployment.properties

Rationale: Each option in the Java control panel is represented by a property key.
These keys adjust the options in the Java control panel based on the value
assigned to that key. By default no deployment.properties file exists; thus,
no system-wide properties file exists. Without the deployment.properties file,
setting particular options for the Java control panel is impossible.

Severity: medium

References: DCBP-1, JRE-JRE0080-UX
Rule
Disable User Access to Untrusted Sources Settings

To ensure that users cannot change the untrusted sources settings,
add deployment.security.askgrantdialog.notinca.locked to
/etc/.java/deployment/deployment.properties.

Rationale: Permitting execution of signed Java applets from untrusted sources may
result in malware running on the system, and risks system modification,
invasion of privacy, or denial of service. As such, ensuring users cannot
change the permission settings which control the execution of signed Java
applets contributes to a more consistent security profile.

Severity: medium

References: DCBP-1, JRE-JRE0010-UX
Rule
Disable Java Execution From Untrusted Sources

To ensure that Java cannot execute from untrusted sources, set
deployment.security.askgrantdialog.notinca to equal false
in /etc/.java/deployment/deployment.properties.

Rationale: Permitting execution of signed Java applets from untrusted sources
may result in acquiring malware, and risks system modification, invasion of
privacy, or denial of service.

Severity: medium

References: DCBP-1, JRE-JRE0001-UX
Rule
Enable Revocation Checks for Publisher Certificates

To ensure that certificate revocation checks are enabled, set
deployment.security.validation.crl to equal true
in /etc/.java/deployment/deployment.properties.

Rationale: Certificates may be revoked due to improper issuance, compromise of the certificate,
or failure to adhere to policy. Therefore, any certificate found on a CRL
should not be trusted. Permitting execution of an applet published with a
revoked certificate may result in spoofing, malware, system modification,
invasion of privacy, and denial of service.

Severity: medium

References: DCBP-1, JRE-JRE0020-UX
Rule
Ensure Java Patches Installed

If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages)
can be manually downloaded and installed using rpm.

Rationale: Running an older version of the JRE can introduce security
vulnerabilities to the system.

Severity: medium

References: DCBP-1, JRE-JRE0090-UX
Rule
Enable Online Certificate Validation

To ensure that online certificate verification is enabled, set
deployment.security.validation.ocsp to equal true
in /etc/.java/deployment/deployment.properties.

Rationale: Online certificate validation provides a greater degree of validation of certificates
when running a signed Java applet. Permitting execution of an applet with an invalid
certificate may result in malware execution, system modification, invasion of privacy,
and denial of service.

Severity: medium

References: DCBP-1, JRE-JRE0040-UX
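The rules above describe the two files one key at a time. The script below, an added example that is not part of this guide or of the ComplianceAsCode project, applies all of them in one pass and audits the result: it creates deployment.config and deployment.properties with the guide's mkdir/touch/chmod sequence, then "adds or modifies" each key idempotently (re-running it never duplicates a line, and a value a user changed is put back). The keys, values and the /etc/.java/deployment path are the guide's; the JAVA_DEPLOY_DIR override, the function names and the PASS/FAIL audit format are this script's own assumptions, there so the logic can be exercised against a scratch directory before it touches /etc.

```shell
#!/bin/sh
# Added example, not part of the ComplianceAsCode guide: apply and audit the
# deployment.config and deployment.properties settings from the rules above.
# Keys, values and the /etc/.java/deployment path come from the guide; the
# JAVA_DEPLOY_DIR override is an assumption of this script so the functions
# can be exercised against a scratch directory first.

# escape_key KEY -- escape the dots in a property name for use in a regex.
escape_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_property FILE KEY VALUE -- "add or modify" KEY=VALUE; idempotent.
set_property() {
    sp_file=$1; sp_key=$2; sp_value=$3
    sp_re=$(escape_key "$sp_key")
    if grep -q "^${sp_re}=" "$sp_file" 2>/dev/null; then
        # Key already present: rewrite that line. Writing through a temp file and
        # cat-ing it back keeps the original inode, owner and 0644 mode, which
        # "sed -i" would not. '|' is the delimiter because values are file:/// URLs.
        sp_tmp=$(mktemp)
        sed "s|^${sp_re}=.*|${sp_key}=${sp_value}|" "$sp_file" > "$sp_tmp"
        cat "$sp_tmp" > "$sp_file"
        rm -f "$sp_tmp"
    else
        printf '%s=%s\n' "$sp_key" "$sp_value" >> "$sp_file"
    fi
}

# lock_property FILE KEY -- add the bare "KEY.locked" line the guide specifies,
# which stops a user-level deployment.properties from overriding KEY.
lock_property() {
    lp_file=$1; lp_line="$2.locked"
    grep -qxF "$lp_line" "$lp_file" 2>/dev/null || printf '%s\n' "$lp_line" >> "$lp_file"
}

# ensure_file DIR NAME -- the guide's mkdir/touch/chmod sequence.
ensure_file() {
    mkdir -p -m 755 "$1"
    touch "$1/$2"
    chmod 644 "$1/$2"
}

# apply_jre_policy DIR -- create both files and set every key the rules require.
apply_jre_policy() {
    ap_dir=$1
    ap_cfg="$ap_dir/deployment.config"
    ap_props="$ap_dir/deployment.properties"
    ensure_file "$ap_dir" deployment.config
    ensure_file "$ap_dir" deployment.properties
    # deployment.config: where the system properties file lives, and that a bad
    # path must not stop the JRE from running (mandatory=false).
    set_property "$ap_cfg" deployment.system.config "file://$ap_props"
    set_property "$ap_cfg" deployment.system.config.mandatory false
    # deployment.properties: OCSP and CRL checks on, untrusted sources off,
    # each one locked so users cannot relax it from the Java control panel.
    set_property  "$ap_props" deployment.security.validation.ocsp true
    lock_property "$ap_props" deployment.security.validation.ocsp
    set_property  "$ap_props" deployment.security.validation.crl true
    lock_property "$ap_props" deployment.security.validation.crl
    set_property  "$ap_props" deployment.security.askgrantdialog.notinca false
    lock_property "$ap_props" deployment.security.askgrantdialog.notinca
}

# audit_jre_policy DIR -- print PASS/FAIL per expected line; returns 1 on any FAIL.
audit_jre_policy() {
    au_dir=$1; au_cfg="$au_dir/deployment.config"; au_props="$au_dir/deployment.properties"
    au_rc=0
    for au_spec in \
        "$au_cfg|deployment.system.config=file://$au_props" \
        "$au_cfg|deployment.system.config.mandatory=false" \
        "$au_props|deployment.security.validation.ocsp=true" \
        "$au_props|deployment.security.validation.ocsp.locked" \
        "$au_props|deployment.security.validation.crl=true" \
        "$au_props|deployment.security.validation.crl.locked" \
        "$au_props|deployment.security.askgrantdialog.notinca=false" \
        "$au_props|deployment.security.askgrantdialog.notinca.locked"
    do
        au_file=${au_spec%%|*}; au_line=${au_spec#*|}
        if grep -qxF "$au_line" "$au_file" 2>/dev/null; then
            echo "PASS $au_line"
        else
            echo "FAIL $au_line  (expected in $au_file)"; au_rc=1
        fi
    done
    return $au_rc
}

case ${1:-} in
    apply) apply_jre_policy "${JAVA_DEPLOY_DIR:-/etc/.java/deployment}" ;;
    audit) audit_jre_policy "${JAVA_DEPLOY_DIR:-/etc/.java/deployment}" ;;
    *)     echo "usage: $0 apply|audit   (JAVA_DEPLOY_DIR overrides /etc/.java/deployment)" ;;
esac
```

Run `sudo sh jre-policy.sh apply` on the target and `sh jre-policy.sh audit` afterwards (or from a compliance cron job); a non-zero exit from the audit means at least one of the eleven rules' settings has drifted. The audit matches whole lines exactly, so a key that is present but set to a different value, or a `.locked` line that was removed, is reported as a FAIL rather than silently accepted.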