Check: TCAT-AS-000810
Apache Tomcat 9 STIG:
TCAT-AS-000810
(in version v1 r0.1)
Title
Idle timeout for management application must be set to 10 minutes. (Cat III impact)
Discussion
Tomcat can set idle session timeouts on a per application basis. The management application is provided with the Tomcat installation and is used to manage the applications that are installed on the Tomcat Server. Setting the idle timeout for the management application will kill the admin user's session after 10 minutes of inactivity. This will limit the opportunity for unauthorized persons to hijack the admin session. This setting will also affect the default timeout behavior of all hosted web applications. To adjust the individual hosted application settings that are not related to management of the system, modify the individual application web.xml file if application timeout requirements differ from the STIG.
Check Content
If the manager application has been deleted from the system, this is not a finding. From the Tomcat server as a privileged user, run the following commands: sudo grep -i session-timeout $CATALINA_HOME/webapps/manager/META-INF/web.xml sudo grep -i session-timeout $CATALINA_HOME/conf/web.xml If the session-timeout setting is not configured to be 10 minutes in at least one of these files, this is a finding.
Fix Text
If the manager application has been deleted from the system, this is not a finding. From the Tomcat server as a privileged user: To affect session timeout for all applications including the management application, edit the $CATALINA_HOME/conf/web.xml file. To affect session timeout for the management application only, edit the $CATALINA_HOME/webapps/manager/META-INF/web.xml file. Locate the session-timeout setting located within the session-config element. Modify the session-timeout setting to be 10 minutes. Save the file. sudo systemctl restart tomcat sudo systemctl daemon-reload
Additional Identifiers
Rule ID: TCAT-AS-000810_rule
Vulnerability ID: TCAT-AS-000810
Group Title: SRG-APP-000220-AS-000148
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001185 |
The information system invalidates session identifiers upon user logout or other session termination. |
Controls
Number | Title |
---|---|
SC-23 (1) |
Invalidate Session Identifiers At Logout |