Check: TCAT-AS-000110
Apache Tomcat 9 STIG:
TCAT-AS-000110
(in version v1 r0.1)
Title
The Java Security Manager must be enabled. (Cat II impact)
Discussion
The Java SecurityManager is what allows a web browser to run an applet in its own sandbox to prevent untrusted code from accessing files on the local file system, connecting to a host other than the one the applet was loaded from, and so on. In the same way the SecurityManager protects the user from an untrusted applet running in the browser, use of a SecurityManager while running Tomcat can protect the server from trojan servlets, JSPs, JSP beans, tag libraries, or even inadvertent mistakes.
Check Content
Identify the Tomcat systemd startup file, usually called "tomcat.service", which can be viewed as a link in the /etc/systemd/system/ folder.

sudo cat /etc/systemd/system/tomcat.service | grep -i security

If the ExecStart parameter does not include the -security flag, this is a finding.
Fix Text
As an admin user on the Tomcat server, modify the /etc/systemd/system/tomcat.service file and set the "ExecStart" parameter to read:

ExecStart=/opt/tomcat/bin/startup.sh -security

Restart the Tomcat server:

sudo systemctl restart tomcat
sudo systemctl daemon-reload
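The check above uses `grep -i security`, which also matches comment lines or any other key containing the word. The following added example (not part of the STIG text) instead parses only the ExecStart line and requires -security as a separate argument; the unit files it inspects are constructed inline, and the path /opt/tomcat/bin/startup.sh is taken from the fix text.

```shell
#!/bin/sh
# Added example: stricter version of the TCAT-AS-000110 check.
# Returns 0 (compliant) if the ExecStart= line passes -security as its own
# argument, 1 (finding) otherwise. Comment lines are ignored so a remark
# such as "# SecurityManager disabled" cannot mask a missing flag.
check_tomcat_security_flag() {
    unit_file="$1"
    # Keep the last non-comment ExecStart= line (systemd uses the last one).
    exec_line=$(grep -v '^[[:space:]]*#' "$unit_file" \
        | grep '^[[:space:]]*ExecStart=' | tail -n 1)
    [ -n "$exec_line" ] || return 1
    # Drop the key and test each whitespace-separated argument exactly,
    # so "-securityx" or "security" in a path does not count as a match.
    args=${exec_line#*=}
    for a in $args; do
        [ "$a" = "-security" ] && return 0
    done
    return 1
}

# Report in STIG terms for one unit file.
report_unit() {
    if check_tomcat_security_flag "$1"; then
        echo "$1: ExecStart includes -security (not a finding)"
    else
        echo "$1: ExecStart lacks -security (finding)"
    fi
}

# Constructed sample unit files standing in for /etc/systemd/system/tomcat.service.
compliant_unit=$(mktemp)
finding_unit=$(mktemp)
cat >"$compliant_unit" <<'EOF'
[Service]
ExecStart=/opt/tomcat/bin/startup.sh -security
EOF
cat >"$finding_unit" <<'EOF'
[Service]
# SecurityManager not enabled yet
ExecStart=/opt/tomcat/bin/startup.sh
EOF

report_unit "$compliant_unit"
report_unit "$finding_unit"
rm -f "$compliant_unit" "$finding_unit"
```

systemd reads an edited unit file only after `systemctl daemon-reload`, so running the reload before the restart is what makes the new ExecStart line take effect.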
Additional Identifiers
Rule ID: TCAT-AS-000110_rule
Vulnerability ID: TCAT-AS-000110
Group Title: SRG-APP-000033-AS-000024
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 | Access Enforcement |