Check: TCAT-AS-000180
Apache Tomcat 9 STIG:
TCAT-AS-000180
(in version v1 r0.1)
Title
Role based access controls must be configured for logging. (Cat II impact)
Discussion
Application servers utilize role-based access controls in order to specify the individuals who are allowed to configure application component logable events. The application server must be configured to select which personnel are assigned the role of selecting which logable events are to be logged.
Check Content
As an elevated user on the Tomcat server: Edit the $CATALINA_HOME\conf\server.xml file. Review for all <Host> elements. If a <Valve className="org.apache.catalina.valves.AccessLogValve" .../> element is not defined for each <Host> element, this is a finding. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... </Host>
Fix Text
As a privileged user on the Tomcat server: Edit the $CATALINA_HOME\conf\server.xml file. Create a <Valve> element that is nested beneath the <Host> element containing an AccessLogValve. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... </Host> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
Additional Identifiers
Rule ID: TCAT-AS-000180_rule
Vulnerability ID: TCAT-AS-000180
Group Title: SRG-APP-000090-AS-000051
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000171 |
The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. |
Controls
Number | Title |
---|---|
AU-12 |
Audit Generation |