Check: TCAT-AS-000480
Apache Tomcat 9 STIG:
TCAT-AS-000480
(in version v1 r0.1)
Title
Diagnostic tracing must be disabled. (Cat III impact)
Discussion
HTTP TRACE provides debugging and diagnostic information for a given request. Diagnostic information, such as that found in the response to a TRACE request, often contains sensitive information that may be useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced. HTTP TRACE is configured via the connector elements in the server.xml file. Each connector element represents an endpoint on the Tomcat server which receives and responds to client requests, so each connector on the server must be evaluated for the HTTP TRACE setting.
Check Content
From the Tomcat server run the following OS command:

sudo cat $CATALINA_HOME/conf/server.xml | grep -i connector

Review each connector element and ensure that it either has no "allowTrace" setting or that the "allowTrace" setting is set to false:

<Connector ... allowTrace="false" />

Do the same for each application by checking every $CATALINA_HOME/webapps/<APP_NAME>/WEB-INF/web.xml file on the system:

sudo cat $CATALINA_HOME/webapps/<APP_NAME>/WEB-INF/web.xml | grep -i connector

If a connector element in the server.xml file or in any of the <APP_NAME>/WEB-INF/web.xml files contains an allowTrace="true" setting, this is a finding.
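The grep-based check above also matches connectors that are commented out and cannot tell "allowTrace" apart from the attribute value. As an added example (not part of the STIG), the following script parses a server.xml with the standard library XML parser and applies this rule's pass/fail logic to each Connector element; the server.xml content is a constructed sample, not a file from any real host.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real host): one connector with the
# attribute absent, one explicitly "false", and one AJP connector enabling TRACE.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" allowTrace="false"/>
    <!-- <Connector port="8081" allowTrace="true"/> commented out: not live -->
    <Connector port="8009" protocol="AJP/1.3" allowTrace="true" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def audit_connectors(server_xml: str) -> list:
    """Return one record per live Connector element with its TCAT-AS-000480 verdict.

    Per the check content, a connector passes when allowTrace is absent
    (Tomcat's documented default is false) or explicitly "false"; any other
    value is reported as a finding. XML comments are skipped by the parser, so
    a commented-out connector does not produce a false positive as grep would.
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        value = conn.get("allowTrace")
        if value is None:
            status = "compliant (attribute absent, default false)"
        elif value.strip().lower() == "false":
            status = 'compliant (allowTrace="false")'
        else:
            status = f'FINDING (allowTrace="{value}")'
        results.append({
            "port": conn.get("port", "?"),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "status": status,
        })
    return results


def has_finding(server_xml: str) -> bool:
    """True if any connector in the document enables HTTP TRACE."""
    return any(r["status"].startswith("FINDING") for r in audit_connectors(server_xml))


if __name__ == "__main__":
    for r in audit_connectors(SAMPLE_SERVER_XML):
        print(f'port {r["port"]:>5}  {r["protocol"]:<45} {r["status"]}')
```

To run it against a real host, replace SAMPLE_SERVER_XML with the contents of $CATALINA_HOME/conf/server.xml; a non-empty finding list means the rule fails.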
Fix Text
From the Tomcat server as a privileged user, edit the XML files containing the allowTrace="true" setting. Remove the allowTrace="true" setting from the affected XML configuration files and restart the Tomcat server:

sudo systemctl restart tomcat
sudo systemctl daemon-reload
Additional Identifiers
Rule ID: TCAT-AS-000480_rule
Vulnerability ID: TCAT-AS-000480
Group Title: SRG-APP-000141-AS-000095
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000381 | The organization configures the information system to provide only essential capabilities. |
Controls
| Number | Title |
|---|---|
| CM-7 | Least Functionality |