Check: TCAT-AS-000250
Apache Tomcat 9 STIG:
TCAT-AS-000250
(in version v1 r0.1)
Title
Remote hostname must be logged. (Cat II impact)
Discussion
The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/server.xml configuration file: The %h pattern code is included in the pattern element and logs the remote hostname. Including the hostname pattern in the log configuration provides useful information about the connecting host that is critical for troubleshooting and forensic investigations.
Check Content
As an elevated user on the Tomcat server: Edit the $CATALINA_HOME/conf/server.xml file. Review all <Valve> elements. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... </Host> If the pattern= statement does notinclude %h, this is a finding.
Fix Text
As a privileged user on the Tomcat server: Edit the $CATALINA_HOME/conf/server.xml file. Modify the <Valve> element(s) nested within the <Host> element(s). Change the AccessLogValve setting to include %h in the pattern= statement. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... </Host> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
Additional Identifiers
Rule ID: TCAT-AS-000250_rule
Vulnerability ID: TCAT-AS-000250
Group Title: SRG-APP-000097-AS-000060
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000132 |
The information system generates audit records containing information that establishes where the event occurred. |
Controls
Number | Title |
---|---|
AU-3 |
Content Of Audit Records |