Details
The use of the -password option to launch a WebSphere process from the command line can result in a security exposure. Password information may become visible to any user with the ability to view system processes. For example, on a Linux system the ‘ps’ command will display all running processes, which would include all of the command line flags used to start a WebSphere process.
Solution
When starting WebSphere commands such as wsadmin, stopManager, stopNode, stopServer, or syncNode, do not use the ‘-password’ option.
Use the interactive mode instead; you will be prompted for user id and password.
For scripts, you may configure user id and password in the ‘connector properties’ files. These files are in the ‘Profile_Root/Properties’ folder.
– soap.client.props: for default SOAP
– sas.client.props: for RMI and JSR160RMI connectors
– ipc.client.props: for IPC connector
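To check a Linux host for the exposure described under Details, the following added example (not part of the original control or of any IBM tooling) reads process argument vectors from /proc and reports WebSphere commands started with -password, redacting the value. The substring matching on command names and the sample paths, user and password are assumptions made for illustration.

```python
import os

# Commands named in the control; substring matching on argv is an assumption.
WAS_COMMANDS = ("wsadmin", "stopManager", "stopNode", "stopServer", "syncNode")


def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob (NUL-separated argv) into strings."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def audit_argv(argv):
    """Return a redacted finding if a WebSphere command carries -password."""
    command = next((c for c in WAS_COMMANDS if any(c in a for a in argv)), None)
    if command is None:
        return None
    redacted, exposed, hide_next = [], False, False
    for arg in argv:
        if hide_next:  # value following -password: never echo it
            redacted.append("********")
            hide_next = False
            continue
        redacted.append(arg)
        if arg.lower() == "-password":
            exposed = hide_next = True
    return {"command": command, "argv": redacted} if exposed else None


def scan_proc(proc_root="/proc"):
    """Audit every process visible under /proc (Linux only)."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                finding = audit_argv(parse_cmdline(fh.read()))
        except OSError:  # process exited or is not readable
            continue
        if finding:
            findings.append(dict(finding, pid=int(pid)))
    return findings

# Constructed sample cmdline blobs (paths, user and password are made up).
SAMPLE_CMDLINES = [
    b"/bin/sh\0/opt/was/bin/wsadmin.sh\0-user\0wasadmin\0-password\0Secret123\0",
    b"/bin/sh\0/opt/was/bin/stopServer.sh\0server1\0",
]

if __name__ == "__main__":
    print([audit_argv(parse_cmdline(r)) for r in SAMPLE_CMDLINES])
```

Call scan_proc() on the host itself to audit live processes; a finding means the launch script should move its credentials into the connector properties file or use the interactive prompt.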
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.
References
- 800-53|CM-7a.
- CAT|II
- CCI|CCI-000381
- Rule-ID|SV-95983r1_rule
- STIG-ID|WBSP-AS-000910
- Vuln-ID|V-81269