Check: TCAT-AS-001710
Apache Tomcat 9 STIG:
TCAT-AS-001710
(in version v1 r0.1)
Title
Hosted applications must be documented in the system security plan. (Cat III impact)
Discussion
The system administrator must be cognizant of all applications operating on the Tomcat server, and must address any security implications associated with the operation of the applications.
Check Content
Review the Tomcat servers System Security Plan/server documentation. Access the Tomcat server and review the $CATALINA_HOME/webapps folder and the $CATALINA_BASE/webapps folder (if they exist). Ensure that all webapps are documented in the SSP. If the applications that are hosted on the Tomcat server are not documented in the SSP, this is a finding.
Fix Text
Document the applications that have an ATO on the Tomcat server. Retain the information in the SSP and present to the auditor in the event of a CCRI.
Additional Identifiers
Rule ID: TCAT-AS-001710_rule
Vulnerability ID: TCAT-AS-001710
Group Title: SRG-APP-000516-AS-000237
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |