Check: TCAT-AS-000240
Apache Tomcat 9 STIG:
TCAT-AS-000240
(in version v1 r0.1)
Title
Date and time of events must be logged. (Cat II impact)
Discussion
The access log file format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/server.xml configuration file. The %t pattern code is included in the pattern element and logs the date and time of the event. Including the date pattern in the log configuration provides useful information about the time of the event, which is critical for troubleshooting and forensic investigations.
Check Content
As an elevated user on the Tomcat server:
Edit the $CATALINA_HOME/conf/server.xml file.
Review all <Valve> elements.
EXAMPLE:
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
    ...
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %t %u &quot;%r&quot; %s %b" />
    ...
    </Host>
If the pattern= statement does not include %t, this is a finding.
Fix Text
As a privileged user on the Tomcat server:
Edit the $CATALINA_HOME/conf/server.xml file.
Modify the <Valve> element(s) nested within the <Host> element(s).
Change the AccessLogValve setting to include %t in the pattern= statement.
EXAMPLE:
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
    ...
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log" suffix=".txt"
           pattern="%h %l %t %u &quot;%r&quot; %s %b" />
    ...
    </Host>
Restart the Tomcat server:
    sudo systemctl restart tomcat
    sudo systemctl daemon-reload
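The check above is a manual review of server.xml. The following script is an added example, not part of the STIG or of Tomcat itself, that automates the same review: it parses a server.xml, finds every AccessLogValve nested under a <Host>, and reports each Host whose pattern= does not contain %t. The embedded server.xml is a constructed sample with one compliant Host, one whose pattern omits %t, and one that uses Tomcat's "combined" shortcut name (which expands to a format that does contain %t, although the STIG text only names the literal %t code). The script name audit_accesslog.py and the sample host names are assumptions.

```python
"""Audit a Tomcat server.xml for AccessLogValve patterns that log the event time (%t)."""
import sys
import xml.etree.ElementTree as ET

ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"

# Tomcat shortcut names: "common" expands to '%h %l %u %t "%r" %s %b' and
# "combined" adds the Referer and User-Agent headers, so both record %t.
NAMED_PATTERNS_WITH_TIME = {"common", "combined"}

# Constructed sample server.xml (not from a real system): only the first Host
# is compliant when the check is read literally.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %t %u &quot;%r&quot; %s %b" />
      </Host>
      <Host name="intranet.example" appBase="intranet" unpackWARs="true" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="intranet_access_log" suffix=".txt"
               pattern="%h %l %u &quot;%r&quot; %s %b" />
      </Host>
      <Host name="api.example" appBase="api" unpackWARs="true" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="api_access_log" suffix=".txt" pattern="combined" />
      </Host>
    </Engine>
  </Service>
</Server>
"""


def audit_access_log_valves(server_xml_text, accept_named_patterns=False):
    """Return one (host name, pattern attribute or None, compliant) tuple per valve.

    A valve is compliant when its pattern contains %t. With
    accept_named_patterns=True the shortcut names "common" and "combined" are
    also accepted (an absent pattern attribute is treated as "common", which
    is Tomcat's default). A Host with no AccessLogValve at all is reported as
    non-compliant because nothing records when its requests occurred.
    """
    root = ET.fromstring(server_xml_text)
    results = []
    for host in root.iter("Host"):
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == ACCESS_LOG_VALVE]
        if not valves:
            results.append((host.get("name"), None, False))
            continue
        for valve in valves:
            pattern = valve.get("pattern")
            effective = pattern if pattern is not None else "common"
            compliant = "%t" in effective or (
                accept_named_patterns and effective in NAMED_PATTERNS_WITH_TIME)
            results.append((host.get("name"), pattern, compliant))
    return results


def findings(server_xml_text, accept_named_patterns=False):
    """Host names that would be a finding under TCAT-AS-000240."""
    return [host for host, _, ok in
            audit_access_log_valves(server_xml_text, accept_named_patterns) if not ok]


if __name__ == "__main__":
    # Usage: python audit_accesslog.py $CATALINA_HOME/conf/server.xml
    # With no argument the constructed sample above is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SERVER_XML
    for host, pattern, ok in audit_access_log_valves(text):
        print(f"{'PASS' if ok else 'FAIL'}  Host={host!r:<22} pattern={pattern!r}")
```

Run it against the live file as the same elevated user the check calls for; any FAIL line names a Host whose <Valve> needs the Fix Text applied. The default (strict) mode matches the STIG wording, so a Host using pattern="combined" is flagged even though Tomcat will write the timestamp; pass accept_named_patterns=True if your assessment treats the shortcut names as equivalent.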
Additional Identifiers
Rule ID: TCAT-AS-000240_rule
Vulnerability ID: TCAT-AS-000240
Group Title: SRG-APP-000096-AS-000059
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000131 | The information system generates audit records containing information that establishes when an event occurred. |
Controls
Number | Title |
---|---|
AU-3 | Content Of Audit Records |