Check: TCAT-AS-000690
Apache Tomcat 9 STIG: TCAT-AS-000690 (in version v1 r0.1)
Title
LDAP authentication must be secured. (Cat I impact)
Discussion
LDAP does not provide encryption by default. This can lead to authentication credentials being transmitted across network connections in clear text. To address this risk, Tomcat must be configured to use secure LDAP (LDAPS).
Check Content
From the Tomcat server as a privileged user, run the following command:

sudo grep -i -A8 JNDIRealm $CATALINA_HOME/conf/server.xml

If the JNDIRealm connectionURL setting is not configured to use LDAPS, if it does not exist, or if it is commented out, this is a finding.

EXAMPLE: This is an example. Replace localhost with the LDAP server IP and configure the other LDAP-related settings as well.

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://localhost:686"
       ... />
Fix Text
Identify the server IP that is providing LDAP services and configure the Tomcat user roles schema within LDAP. Refer to the manager and host-manager web.xml files for application-specific role information that can be used for setting up the roles for those applications. The default location for these files is:

$CATALINA_HOME/webapps/<AppName>/WEB-INF/web.xml

From the Tomcat server console as a privileged user, edit the $CATALINA_HOME/conf/server.xml file. Locate the <Realm> element in the server.xml file, add a nested <Realm> element using the JNDIRealm className, and configure the associated LDAP settings as per the LDAP server connection requirements.

EXAMPLE: This is for illustration purposes only. The user must modify the LDAP settings on a case-by-case basis as per the individual LDAP server and schema.

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://localhost:686"
       userPattern="uid={0},ou=people,dc=myunit,dc=mil"
       roleBase="ou=groups,dc=myunit,dc=mil"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />
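The grep in the Check Content shows the Realm block but leaves the three finding conditions (no JNDIRealm, a commented-out JNDIRealm, or a connectionURL that is not ldaps://) to the reviewer's eye. The script below is an added example, not part of the STIG, that evaluates those conditions mechanically: it strips XML comments before looking for the realm, so a commented-out JNDIRealm is reported as a finding rather than passing, and it requires every active JNDIRealm connectionURL to use the ldaps:// scheme. The three server.xml files it creates are constructed samples (the compliant one reuses the Fix Text example realm); on a real server, point the function at $CATALINA_HOME/conf/server.xml instead.

```shell
#!/bin/sh
# Added example (not STIG text): a scripted form of the TCAT-AS-000690 check.
# Comments are stripped first so a commented-out JNDIRealm counts as a finding,
# then every active JNDIRealm connectionURL must start with ldaps://.

# check_jndirealm_ldaps FILE
# Returns 0 (not a finding) when at least one active JNDIRealm exists and every
# active JNDIRealm connectionURL uses ldaps://; returns 1 (finding) otherwise.
check_jndirealm_ldaps() {
    file="$1"
    [ -r "$file" ] || { echo "FINDING: cannot read $file"; return 1; }

    # Flatten to one line so multi-line <Realm .../> elements and multi-line
    # <!-- ... --> comments can be handled with plain sed/grep. The regex
    # relies on XML forbidding "--" inside a comment body.
    active=$(tr '\n' ' ' < "$file" | sed -E 's/<!--([^-]|-[^-])*-->//g')

    # Keep only <Realm ...> elements whose className is the JNDIRealm
    # (attribute order does not matter), then extract their connectionURL.
    urls=$(printf '%s\n' "$active" \
        | grep -o '<Realm[^>]*>' \
        | grep 'className="org\.apache\.catalina\.realm\.JNDIRealm"' \
        | sed -n 's/.*connectionURL="\([^"]*\)".*/\1/p')

    if [ -z "$urls" ]; then
        echo "FINDING: no active JNDIRealm with a connectionURL in $file"
        return 1
    fi

    status=0
    for url in $urls; do
        # URL schemes are case-insensitive, so compare in lower case.
        scheme=$(printf '%s' "$url" | tr 'A-Z' 'a-z')
        case "$scheme" in
            ldaps://*) echo "OK: $url" ;;
            *) echo "FINDING: $url does not use ldaps://"; status=1 ;;
        esac
    done
    return $status
}

# --- Constructed sample server.xml files for demonstration (not real configs) ---
SAMPLE_DIR=$(mktemp -d)

# Compliant: the JNDIRealm from the STIG's Fix Text example.
cat > "$SAMPLE_DIR/server-ldaps.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldaps://localhost:686"
               userPattern="uid={0},ou=people,dc=myunit,dc=mil"
               roleBase="ou=groups,dc=myunit,dc=mil"
               roleName="cn"
               roleSearch="(uniqueMember={0})" />
      </Realm>
    </Engine>
  </Service>
</Server>
EOF

# Finding: plain ldap://, so bind credentials would cross the network in clear text.
cat > "$SAMPLE_DIR/server-plain.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm connectionURL="ldap://localhost:389"
             className="org.apache.catalina.realm.JNDIRealm"
             userPattern="uid={0},ou=people,dc=myunit,dc=mil" />
    </Engine>
  </Service>
</Server>
EOF

# Finding: the only JNDIRealm is commented out, so no LDAP realm is active.
cat > "$SAMPLE_DIR/server-commented.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <!--
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldaps://localhost:686"
             userPattern="uid={0},ou=people,dc=myunit,dc=mil" />
      -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase" />
    </Engine>
  </Service>
</Server>
EOF

# Run the check against each sample; only server-ldaps.xml should pass.
for f in server-ldaps.xml server-plain.xml server-commented.xml; do
    echo "== $f"
    check_jndirealm_ldaps "$SAMPLE_DIR/$f" || true
done
```

The script deliberately checks only connectionURL, which is what the STIG names; a JNDIRealm can also carry an alternateURL fallback attribute, and if one is configured it should be held to the same ldaps:// requirement by the reviewer.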
Additional Identifiers
Rule ID: TCAT-AS-000690_rule
Vulnerability ID: TCAT-AS-000690
Group Title: SRG-APP-000172-AS-000121
Expert Comments
CCIs
Number | Definition
---|---
CCI-000197 | The information system, for password-based authentication, transmits only cryptographically-protected passwords.
Controls
Number | Title
---|---
IA-5 (1) | Password-Based Authentication