Check: TCAT-AS-000100
Apache Tomcat 9 STIG:
TCAT-AS-000100
(in version v1 r0.1)
Title
Connectors must be secured. (Cat II impact)
Discussion
The unencrypted HTTP protocol does not protect data from interception or alteration, which exposes users to eavesdropping, tracking, and modification of the data they receive. To secure an HTTP connector, both the secure and scheme attributes must be set on the <Connector/> element. Note what these attributes do: secure="true" makes request.isSecure() return true and scheme="https" makes request.getScheme() return "https" for requests arriving on that connector, so hosted applications treat the traffic as HTTPS (for example when building redirect URLs or setting the Secure cookie flag). They do not by themselves enable TLS. The connector must either terminate TLS itself (SSLEnabled="true" with a configured certificate) or sit behind a proxy or appliance that terminates TLS for it; setting the flags on a connector that actually receives plaintext causes Tomcat to misreport that traffic as secure.
Check Content
From the Tomcat server console, display the server configuration:

sudo cat $CATALINA_HOME/conf/server.xml

Examine each <Connector/> element. A connector with no protocol attribute is an HTTP/1.1 connector (that is the Tomcat default), so it must be examined as well. For each connector, verify that the secure attribute is set to "true" and the scheme attribute is set to "https".

If the secure attribute is not set to "true" and/or the scheme attribute is not set to "https" on any HTTP connector element, this is a finding.
Fix Text
From the Tomcat server as a privileged user, edit the server.xml file:

sudo nano $CATALINA_HOME/conf/server.xml

Locate each <Connector/> element that lacks the secure and scheme settings. EXAMPLE Connector:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />

Set or add scheme="https" and secure="true" on each HTTP connector element. EXAMPLE:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true".../>

The remediated example is a TLS-enabled connector (SSLEnabled="true"), which also requires a certificate configuration on the connector. If a plaintext connector such as the port 8080 example is retained, for instance behind a reverse proxy that terminates TLS, it must still carry both attributes; if nothing in front of it terminates TLS, remove or disable the plaintext connector rather than labeling plaintext traffic as secure.

Save the server.xml file and restart Tomcat (the unit name varies by installation; "tomcat" is shown):

sudo systemctl restart tomcat

A systemctl daemon-reload is not needed for this change; it only re-reads systemd unit files, which editing server.xml does not touch.
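The following script automates the Check Content and shows the Fix Text's before/after connector shapes as test input. It is an added example, not part of the STIG and not a DISA or Apache Tomcat tool. The two embedded server.xml documents are constructed samples modeled on the EXAMPLE connectors above, the keystore path in the compliant sample is a placeholder, and the function names (check_connectors, tls_advisories) are this example's own. A connector that passes the check but has no SSLEnabled="true" is reported separately as an advisory, since such a connector is only correct behind a TLS-terminating proxy.

```python
"""Audit <Connector/> elements in a Tomcat server.xml for TCAT-AS-000100.

Added example (not STIG or Tomcat code): flags every Connector missing
secure="true" or scheme="https", and separately warns about connectors that
carry both flags but do not terminate TLS themselves.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the non-compliant connector from the Fix Text EXAMPLE.
NONCOMPLIANT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the remediated shape (TLS-enabled, both flags set).
# The keystore path is a placeholder, not a real file.
COMPLIANT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def check_connectors(server_xml):
    """Return one finding string per non-compliant <Connector/>, [] if clean."""
    findings = []
    # iter() walks the whole tree, so connectors are found wherever they sit.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        # Tomcat treats a Connector with no protocol attribute as HTTP/1.1.
        protocol = conn.get("protocol", "HTTP/1.1")
        problems = []
        if conn.get("secure") != "true":
            problems.append('secure is not "true"')
        if conn.get("scheme") != "https":
            problems.append('scheme is not "https"')
        if problems:
            findings.append(f"port {port} ({protocol}): " + "; ".join(problems))
    return findings


def tls_advisories(server_xml):
    """Connectors that pass the check but do not terminate TLS themselves.

    secure/scheme only make Tomcat report the request as HTTPS; a connector
    without SSLEnabled="true" is acceptable only behind a TLS-terminating proxy.
    """
    notes = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if (conn.get("secure") == "true" and conn.get("scheme") == "https"
                and conn.get("SSLEnabled") != "true"):
            notes.append(f"port {conn.get('port', '?')}: flags set but SSLEnabled "
                         "is not true; verify a TLS-terminating proxy fronts it")
    return notes


def main(path):
    """Audit a real server.xml; exit 1 when the check is a finding."""
    with open(path, "rb") as fh:  # bytes, so the file's XML declaration is honored
        xml = fh.read()
    findings = check_connectors(xml)
    for line in findings:
        print("FINDING:", line)
    for line in tls_advisories(xml):
        print("ADVISORY:", line)
    print("TCAT-AS-000100:", "open" if findings else "not a finding")
    return 1 if findings else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1]))  # e.g. $CATALINA_HOME/conf/server.xml
    print("non-compliant sample:", check_connectors(NONCOMPLIANT_SERVER_XML))
    print("compliant sample:", check_connectors(COMPLIANT_SERVER_XML))
```

Run it as python3 audit_connectors.py $CATALINA_HOME/conf/server.xml on the Tomcat host; a non-zero exit status means the check is a finding. Findings are reported per connector so the port and protocol can be matched against the server.xml being remediated.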
Additional Identifiers
Rule ID: TCAT-AS-000100_rule
Vulnerability ID: TCAT-AS-000100
Group Title: SRG-APP-000033-AS-000024
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 | Access Enforcement |