Apache Tomcat Application Server STIG - Xylok Custom
Apache Tomcat Application Server STIG. Version v1 r1.1, released June 20, 2019.
TOMCAT-000220-AS-000148: The Tomcat server must invalidate session identifiers upon user logout or other session termination.
Check the web.xml configuration file for the following lines:
<session-config>
  <session-timeout>1</session-timeout>
</session-config>
The session-timeout setting should be set to an organization-defined timeout. If the session-timeout is not set to the organization-defined timeout or is set to an unreasonably high value (e.g., 600000 minutes), this is a finding.
Discussion
If communications sessions remain open for extended periods of time even when unused, there is the potential for an adversary to hijack the session and use it to gain access to the device or networks to which it is attached. Terminating sessions after a logout event or after a certain period of inactivity is a method for mitigating the risk of this vulnerability. When a user management session becomes idle, or when a user logs out of the management interface, the application server must terminate the session.
Fix
Configure the application server to terminate administrative sessions upon logout or any other organization- or policy-defined session termination events.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000440-AS-000167: The Tomcat server must employ approved cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
The Tomcat server must use SSL in order to maintain the confidentiality and integrity of information during preparation for transmission. Review the server.xml configuration file and check whether the "SSL HTTP/1.1 Connector" entry is uncommented. If the "SSL HTTP/1.1 Connector" entry is commented out or does not exist, this is a finding.
Discussion
Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec tunnel. If data in transit is unencrypted, it is vulnerable to disclosure and modification. If approved cryptographic algorithms are not used, encryption strength cannot be assured. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. TLS must be enabled and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies the preferred configurations for government systems.
Fix
Configure the application server to use AES 128 or AES 256 encryption for data in transit.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000098-AS-000061: The application server must produce log records containing sufficient information to establish the sources of the events.
Review the server.xml configuration file for the Tomcat server and verify that logging has been set up with at least the following entry: %h. In the server.xml file, look for the following section (the quotes around %r are written as &quot; inside the XML attribute):
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" />
If the pattern attribute does not contain "common" or at least "%h", this is a finding.
Discussion
Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the loggable event. By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise. Without sufficient information establishing the source of the logged event, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked.
Fix
Configure the application server to record the source of each loggable event.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000100-AS-000063: The Tomcat server must generate log records containing information that establishes the identity of any individual or process associated with the event.
Review the server.xml configuration file for an entry for the AccessLogValve. An example looks like:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t %r %s %b"/>
If neither %u nor "common" is included in the pattern, this is a finding. If the AccessLogValve line does not exist in server.xml, this is a finding.
Discussion
Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Application servers have differing levels of logging capabilities that can be specified by setting a verbosity level. The application server must, at a minimum, be capable of establishing the identity of any user or process that is associated with any particular event.
Fix
Configure the Tomcat server logging system to log the identity of the user or process related to the events.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000095-AS-000056: The Tomcat server must produce log records containing information to establish what type of events occurred.
Review the server.xml configuration file for an entry for the AccessLogValve. An example looks like:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t %r %s %b"/>
If neither %r nor "common" is included in the pattern, this is a finding. If the AccessLogValve line does not exist in server.xml, this is a finding.
Discussion
Information system logging capability is critical for accurate forensic analysis. Without being able to establish what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible. Log record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Application servers must log all relevant log data that pertains to the application server. Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD/Web server activity, and application server-related system process activity.
Fix
Configure the application server to include the event type in the log data.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000141-AS-000095: The Tomcat server must adhere to the principles of least functionality by providing only essential capabilities.
Ask the SA whether any unnecessary modules are installed in the Tomcat server. If any modules are present but not documented, this is a finding.
Discussion
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed unnecessary or too insecure to run on a production DoD system. Application servers must provide the capability to disable or deactivate functionality and services that are deemed non-essential to the server mission or that can adversely impact server performance; for example, disabling dynamic JSP reloading on production application servers is a best practice.
Fix
Configure the application server to use only essential features and capabilities.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000223-AS-000150: The Tomcat server must generate a unique session identifier for each session.
Review the Tomcat server.xml configuration: Determine if the randomClass attribute is not commented out and has a value. If the randomClass attribute is commented out or missing, this is a finding. Determine if the sessionIdLength attribute is 16 (the default) or higher. If sessionIdLength is commented out, missing, or not 16 or greater, this is a finding.
Discussion
Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of session identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. Application servers must generate a unique session identifier for each application session so as to prevent session hijacking.
Fix
Configure the application server to generate a unique session identifier for each session.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000267-AS-00A170: The Tomcat server must restrict error messages only to authorized users.
Review the conf/server.xml file to determine if the error report valve has the attributes showReport and showServerInfo set to false. If the showReport and showServerInfo attributes are not set to false, this is a finding.
Discussion
If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.
Fix
Configure the application server to restrict access to error messages so only authorized users may view or otherwise access them.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000225-AS-000154: The Tomcat server must provide a clustering capability.
Ask the SA whether clustering is needed or required. If clustering is not needed or required, this check is N/A. Check the server.xml file for the following line:
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
If the line does not exist or is commented out, this is a finding.
Discussion
This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When application failure is encountered, preserving application state facilitates application restart and return to the operational mode of the organization with less disruption of mission/business processes. Clustering of multiple application servers is a common approach to providing fail-safe application availability when system MAC and confidentiality levels require redundancy.
Fix
This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Configure the application server to provide application failover or participate in an application cluster which provides failover.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000356-AS-000202: The Tomcat server must provide centralized management and configuration of the content to be captured in log records generated by all application components.
Review the server.xml configuration file for the Tomcat server and verify that logging has been set up with at least the following entries: %h %l %u %t %r %s %b. In the server.xml file, look for the following section (the quotes around %r are written as &quot; inside the XML attribute):
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" />
If the pattern attribute does not contain "common" or at least "%h %l %u %t %r %s %b", this is a finding.
Discussion
A clustered application server is made up of several servers working together to provide the user failover and increased computing capability. To facilitate uniform logging in the event of an incident and later forensic investigation, the record format and loggable events need to be uniform. This can be managed best from a centralized server. Without the ability to centrally manage the content captured in the log records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.
Fix
Configure the application server to allow centralized management and configuration of the content to be captured in log records.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000380-AS-000088: The Tomcat server must enforce access restrictions associated with changes to server configuration.
The Tomcat server configuration files must have permissions set to 640 or less permissive. Check the permissions on the following configuration files:
conf/server.xml
conf/catalina.properties
If the permissions are more permissive than 640, this is a finding.
Discussion
When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software, and/or application server configuration can potentially have significant effects on the overall security of the system. Access restrictions for changes also include application software libraries. If the application server provides automatic code deployment capability, (where updates to applications hosted on the application server are automatically performed, usually by the developers' IDE tool), it must also provide a capability to restrict the use of automatic application deployment. Automatic code deployments are allowable in a development environment, but not in production.
Fix
Configure the application server to enforce access restrictions associated with changes to the application server configuration to include code deployment, library updates, and changes to application server configuration settings.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000442-AS-000259: The Tomcat server must maintain the confidentiality and integrity of information during reception.
The Tomcat server must use SSL in order to maintain the confidentiality and integrity of information during reception. Review the server.xml configuration file and check whether the "SSL HTTP/1.1 Connector" entry is uncommented. If the "SSL HTTP/1.1 Connector" entry is commented out or does not exist, this is a finding.
Discussion
Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Protecting the confidentiality and integrity of received information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. The application server must utilize approved encryption when receiving transmitted data.
Fix
Configure the application server to utilize a transmission method that maintains the confidentiality and integrity of information during reception.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000456-AS-000266: The Tomcat server must have security-relevant software updates installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).
Ask the SA if the Tomcat server is updated with security-relevant software updates within a timeframe directed by an authoritative source. If Tomcat is not updated with security-relevant software updates, this is a finding.
Discussion
Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes) to production systems after thorough testing of the patches within a lab environment. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
Fix
Configure the application server to use a patch management system to ensure security-relevant updates are installed within the time period directed by the authoritative source.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000435-AS-000069: The Tomcat server, when a MAC I system, must be in a high-availability (HA) cluster.
If the Tomcat server is not a MAC I system, this requirement is NA. Ask the SA if the Tomcat server is part of an HA cluster. If the Tomcat server is not part of an HA cluster, this is a finding.
Discussion
A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the application server, the hosted application and data are given a platform that is load-balanced and provided high-availability.
Fix
If the application server is not a MAC I system, this requirement is NA. Configure the application server to be part of an HA cluster.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000096-AS-000059: The Tomcat server must produce log records containing sufficient information to establish when (date and time) the events occurred.
Review the server.xml configuration file for an entry for the AccessLogValve. An example looks like (the quotes around %r are written as &quot; inside the XML attribute):
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
If %t is not included in the pattern, this is a finding. If the AccessLogValve line does not exist in server.xml, this is a finding.
Discussion
Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety. Without sufficient information establishing when the log event occurred, investigation into the cause of the event is severely hindered. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, file names involved, access control, or flow control rules invoked. In addition to logging event information, application servers must also log the corresponding dates and times of these events. Examples of event data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity, and application server-related system process activity.
Fix
Configure the application server logging system to log date and time with the event.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000099-AS-000062: The Tomcat server must produce log records that contain sufficient information to establish the outcome of events.
The handlers for the following loggers need to be defined in the logging.properties file:
catalina
localhost
manager
host-manager
If all four handlers are not defined, this is a finding. For each handler, the level property should be set to at least 'FINE'. If the level property is not at least 'FINE', this is a finding.
Discussion
Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control or flow control rules invoked. Success and failure indicators ascertain the outcome of a particular application server event or function. As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response. Event outcome may also include event-specific results (e.g., the security state of the information system after the event occurred).
Fix
Configure the application server logging system to log the event outcome.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000092-AS-000053: The Tomcat server must initiate session logging upon startup.
Review the logging.properties file for session logging to determine if the server generates log records at startup. The following lines are an example of session logging enabled (note: these are example lines):
1catalina.org.apache.juli.FileHandler.level = FINE
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.FileHandler.prefix = catalina
1catalina.org.apache.juli.FileHandler.rotatable = false
2localhost.org.apache.juli.FileHandler.level = FINE
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.FileHandler.prefix = localhost
2localhost.org.apache.juli.FileHandler.rotatable = false
If these lines do not exist or are commented out, this is a finding.
Discussion
Session logging activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
Fix
Configure the application server to initiate session logging on application server startup.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000441-AS-000258: The Tomcat server must maintain the confidentiality and integrity of information during preparation for transmission.
The Tomcat server must use SSL in order to maintain the confidentiality and integrity of information during preparation for transmission. Review the server.xml configuration file and check whether the "SSL HTTP/1.1 Connector" entry is uncommented. If the "SSL HTTP/1.1 Connector" entry is commented out or does not exist, this is a finding.
Discussion
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. An example of this would be an SMTP queue. This queue may be part of the application server so error messages from the server can be sent to system administrators, or SMTP functionality can be added to hosted applications by developers. Any modules used by the application server that queue data before transmission must maintain the confidentiality and integrity of the information before the data is transmitted.
Fix
Configure the application server to maintain the confidentiality and integrity of information during preparation for transmission.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000122-AS-000082: The Tomcat server must protect log tools from unauthorized modification.
Check the permissions on all log files in CATALINA_HOME/logs: the permissions should be 640 or less permissive. If they are more permissive, this is a finding.
Discussion
Protecting log data also includes identifying and protecting the tools used to view and manipulate log data. Depending upon the log format and application, system and application log tools may provide the only means to manipulate and manage application and system log data. It is, therefore, imperative that access to log tools be controlled and protected from unauthorized modification. If an attacker were to modify log tools, he could also manipulate logs to hide evidence of malicious activity. Application servers provide a web- and/or a command line-based management functionality for managing the application server log capabilities. In addition, subsets of log tool components may be stored on the file system as jar or xml configuration files. The application server must ensure that in addition to protecting any web-based log tools, any file system-based tools are protected as well.
Fix
Configure the application server or the OS to protect log tools from unauthorized modification.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000156-AS-000106: The application server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
If SOAP services are not used, this check is NA. The Tomcat server must use SSL in order to provide security for the SOAP service. Review the server.xml configuration file and check whether the "SSL HTTP/1.1 Connector" entry is uncommented. If the "SSL HTTP/1.1 Connector" entry is commented out or does not exist, this is a finding.
Discussion
Application servers may provide a web services capability that could be leveraged to allow remote access to sensitive application data. A web service, which is a repeatable process used to make data available to remote clients, should not be confused with a web server. Many web services utilize SOAP, which in turn utilizes XML and HTTP as a transport. Natively, SOAP does not provide security protections. As such, the application server must provide security extensions to enhance SOAP capabilities to ensure that secure authentication mechanisms are employed to protect sensitive data. The WS-Security suite is a widely used and acceptable SOAP security extension.
Fix
Configure the application server to utilize secure authentication when SOAP web services are used to access sensitive data.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000091-AS-000052: Tomcat must generate log records when successful/unsuccessful attempts to access subject privileges occur.
Review the logging.properties file for manager logging to determine if the server generates log records when successful/unsuccessful attempts are made to access privileges. The following lines are an example of manager logging enabled:
3manager.org.apache.juli.FileHandler.level = FINE
3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
3manager.org.apache.juli.FileHandler.prefix = manager
3manager.org.apache.juli.FileHandler.rotatable = false
If these lines do not exist or are commented out, this is a finding.
Discussion
Accessing a subject's privileges can be used to elevate a lower-privileged subject's privileges temporarily in order to cause harm to the application server or to gain privileges to operate temporarily for a designed purpose. When these actions take place, the event needs to be logged. Application servers either provide a local user store, or they integrate with enterprise user stores like LDAP. When the application server provides the user store and enforces authentication, the application server must generate a log record when modification of privileges is successfully or unsuccessfully performed.
Fix
Configure the Tomcat server to generate log records when privileges are successfully/unsuccessfully accessed.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000097-AS-000060: The Tomcat server must produce log records containing sufficient information to establish where the events occurred.
Review the server.xml configuration file for the Tomcat server and verify that logging has been set up with at least the following entries: %h %l %u %t %r %s %b. In the server.xml file, look for the following section (the quotes around %r are written as &quot; inside the XML attribute):
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" />
If the pattern attribute does not contain "common" or at least "%h %l %u %t %r %s %b", this is a finding.
Discussion
Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the application server where the events occurred is important during forensic analysis. To determine where an event occurred, the log data must contain information that identifies the source and destination of the events, such as application components, modules, filenames, host names, servlets, containers, APIs, and other functionality.
Fix
Configure the application server logging system to log where the event took place.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
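The six AccessLogValve items above (TOMCAT-000098, -000100, -000095, -000356, -000096 and -000097) all reduce to "does the pattern attribute carry these %-tokens, or the alias common". The following checker is an added example, not part of the STIG or of the Xylok page; it parses a server.xml, expands Tomcat's named patterns common and combined (combined is a superset of common per the Tomcat AccessLogValve documentation), treats a missing pattern attribute as empty, and reports the missing tokens per STIG id. The sample server.xml fragments are constructed; the rule that every active valve must satisfy the tokens is an assumption, since the check text does not say how to treat multiple valves.

```python
# Added example (not STIG or Xylok content): evaluate AccessLogValve patterns
# in a Tomcat server.xml against the access-log STIG items on this page.
import xml.etree.ElementTree as ET

# Tomcat's named patterns, as documented for AccessLogValve.
NAMED_PATTERNS = {
    "common": '%h %l %u %t "%r" %s %b',
    "combined": '%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"',
}

# STIG id -> tokens its check text requires in the pattern.
REQUIRED_TOKENS = {
    "TOMCAT-000098-AS-000061": {"%h"},                   # source (client host)
    "TOMCAT-000100-AS-000063": {"%u"},                   # identity (remote user)
    "TOMCAT-000095-AS-000056": {"%r"},                   # event type (request line)
    "TOMCAT-000096-AS-000059": {"%t"},                   # when (timestamp)
    "TOMCAT-000097-AS-000060": {"%h", "%l", "%u", "%t", "%r", "%s", "%b"},
    "TOMCAT-000356-AS-000202": {"%h", "%l", "%u", "%t", "%r", "%s", "%b"},
}


def pattern_tokens(pattern):
    """Expand a named pattern, then return the set of %-tokens it contains.
    Quotes around %r (written &quot;%r&quot; in server.xml) are stripped."""
    pattern = NAMED_PATTERNS.get(pattern.strip(), pattern)
    return {tok.strip('"') for tok in pattern.split() if tok.strip('"').startswith("%")}


def access_log_valves(server_xml):
    """Return the pattern of every active AccessLogValve in the document.
    A valve inside <!-- --> is dropped by the XML parser, so a commented-out
    valve correctly counts as absent.  A missing pattern attribute is treated
    as empty (assumption: it cannot satisfy any required token)."""
    root = ET.fromstring(server_xml)
    return [v.get("pattern", "")
            for v in root.iter("Valve")
            if v.get("className", "").endswith(".AccessLogValve")]


def evaluate(server_xml):
    """Map each STIG id to the set of tokens still missing (empty = compliant).
    No active valve at all fails every item, as each check text states."""
    valves = access_log_valves(server_xml)
    findings = {}
    for stig_id, required in REQUIRED_TOKENS.items():
        if not valves:
            findings[stig_id] = set(required)
            continue
        missing = set()
        for pattern in valves:           # assumption: every valve must comply
            missing |= required - pattern_tokens(pattern)
        findings[stig_id] = missing
    return findings


# Constructed sample: the stock Tomcat valve, compliant for all six items.
GOOD_SERVER_XML = """<Server><Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="localhost_access_log" suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    </Host></Engine></Service></Server>"""

# Constructed sample: compliant valve commented out, remaining valve too weak.
BAD_SERVER_XML = """<Server><Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">
      <!-- <Valve className="org.apache.catalina.valves.AccessLogValve" pattern="common" /> -->
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="localhost_access_log" suffix=".txt" pattern="%t %s %b" />
    </Host></Engine></Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("good", GOOD_SERVER_XML), ("bad", BAD_SERVER_XML)):
        for stig_id, missing in evaluate(xml).items():
            status = "finding, missing " + " ".join(sorted(missing)) if missing else "ok"
            print(f"{name}: {stig_id}: {status}")
```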
TOMCAT-000118-AS-000078: The Tomcat server must protect log information from any type of unauthorized read access.
Check the permissions on all log files in CATALINA_HOME/logs: the permissions should be 640 or less permissive. If they are more permissive, this is a finding.
Discussion
If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to his or her advantage. Application servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records. Application servers also write log data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access. Log information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized read access.
Fix
Configure the application server to protect log information from unauthorized read access.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000001-AS-000001: Tomcat must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
Review the Tomcat server.xml configuration to determine if the maxConnections attribute on the Connector node is set to the organization-defined number of sessions. If a feature to limit the number of concurrent sessions is not set or is set to unlimited, this is a finding.
Discussion
Application management includes the ability to control the number of sessions that utilize an application by all accounts and/or account types. Limiting the number of allowed sessions is helpful in limiting risks related to Denial of Service attacks. Application servers host and expose business logic and application processes. The application server must possess the capability to limit the maximum number of concurrent sessions in a manner that affects the entire application server or on an individual application basis. Although there is some latitude concerning the settings themselves, the settings should follow DoD-recommended values, but the settings should be configurable to allow for future DoD direction. While the DoD will specify recommended values, the values can be adjusted to accommodate the operational requirement of a given system.
Fix
Configure the application server to limit the number of concurrent sessions for all accounts and/or account types to the organization-defined number.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000295-AS-000263: The Tomcat server must automatically terminate a user session after an organization-defined time period.
Review the Tomcat server web.xml file and determine if an organization-defined timeout has been implemented. The <session-timeout> tag should exist and contain a number of minutes defined by the organization. The following is an example: <session-config> <session-timeout>30</session-timeout> <!-- 30 minutes --> </session-config> If the <session-timeout> tag does not exist or does not match the organization-defined timeout, this is a finding.
Discussion
An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.
Fix
Configure the application server to terminate user sessions on defined conditions or trigger events.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000091: The Tomcat server must allow only the Tomcat system user to select which loggable events are to be logged.
Check the owner and group on the logging.properties file and verify it is owned by the tomcat user and the tomcat group (the Solaris install instructions say to create a user named tomcat and a group named tomcat). If the logging.properties file is not owned by the tomcat user, this is a finding. If the logging.properties file is not group-owned by the tomcat group, this is a finding.
Discussion
Log records can be generated from various components within the application server (e.g., httpd, beans, etc.). From an application perspective, certain specific application functionalities may be logged as well. The list of logged events is the set of events for which logs are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating log records (e.g., loggable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). Application servers utilize role-based access controls in order to specify the individuals who are allowed to configure application component loggable events. The application server must be configured to select which personnel are assigned the role of selecting which loggable events are to be logged. The personnel or roles that can select loggable events are only the ISSM (or individuals or roles appointed by the ISSM).
Fix
Configure the application server to only allow the ISSM (or individuals or roles appointed by the ISSM) to change loggable events.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000014-AS-000009: The Tomcat server must use encryption during remote access management sessions.
By default, there are no users with the manager role. Check if there are any users with the manager role in the CATALINA_HOME/conf/tomcat-users.xml file. If no users have the manager role, this check is N/A. <role rolename="manager"/> <user username="darren" password="ReallyComplexPassword" roles="manager"/> Check that Tomcat is configured to use an SSL Connector in server.xml. Check that CATALINA_HOME/webapps/manager/WEB-INF/web.xml contains the following lines inside the <security-constraint></security-constraint> tags: <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> If these tags do not exist or are commented out, this is a finding.
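The two web.xml checks above (the organization-defined <session-timeout> in TOMCAT-000295 and the CONFIDENTIAL <transport-guarantee> on the manager application's security constraints) can be automated with a short parser. This is an added example, not part of the STIG or of Tomcat; the two web.xml documents are constructed samples, and the organization-defined timeout (30 minutes) is an assumed value.

```python
import xml.etree.ElementTree as ET

# Constructed samples. web.xml carries a default namespace, so every path step uses the {*} wildcard.
GOOD_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config><session-timeout>30</session-timeout></session-config>
  <security-constraint>
    <web-resource-collection><url-pattern>/html/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""
BAD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <session-config><session-timeout>600000</session-timeout></session-config>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def session_timeout_finding(web_xml_text, org_minutes):
    """None when <session-timeout> exists and equals the organization-defined value, else the finding text."""
    node = ET.fromstring(web_xml_text).find("./{*}session-config/{*}session-timeout")
    text = (node.text or "").strip() if node is not None else ""
    if not text:
        return "session-timeout not set"
    try:
        minutes = int(text)
    except ValueError:
        return f"session-timeout is not an integer: {text!r}"
    if minutes <= 0:                      # servlet semantics: zero or negative means sessions never expire
        return "session-timeout <= 0 means sessions never expire"
    if minutes != org_minutes:
        return f"session-timeout is {minutes}, organization requires {org_minutes}"
    return None

def transport_guarantee_findings(web_xml_text):
    """One finding per <security-constraint> not requiring CONFIDENTIAL transport; none defined is itself a finding."""
    constraints = ET.fromstring(web_xml_text).findall("./{*}security-constraint")
    if not constraints:
        return ["no security-constraint defined"]
    findings = []
    for i, sc in enumerate(constraints):
        tg = sc.find("./{*}user-data-constraint/{*}transport-guarantee")
        value = (tg.text or "").strip() if tg is not None else "(absent)"
        if value != "CONFIDENTIAL":
            findings.append(f"security-constraint #{i}: transport-guarantee {value}")
    return findings
```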
Discussion
Remote management access is accomplished by leveraging common communication protocols and establishing a remote connection to the application server via a network for the purposes of managing the application server. If cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised. Types of management interfaces utilized by an application server include web-based HTTPS interfaces as well as command line-based management interfaces.
Fix
Configure the application server to use encryption strength in accordance with the categorization of the management data during remote access management sessions.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000375-AS-000211: The Tomcat server must record time stamps for log records that meet a granularity of one second for a minimum degree of precision.
Review the server.xml configuration file for the Tomcat server and verify that access logging has been set up with at least the following entry: %t. In the server.xml file, look for the following section: <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t &quot;%r&quot; %s %b" /> If the pattern attribute does not contain “common” or at least the following: “%t”, this is a finding.
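The server.xml checks in TOMCAT-000375 and TOMCAT-000001 above (the AccessLogValve pattern must be “common” or carry %h %l %u %t %r %s %b, which includes the %t time stamp, and every Connector must cap maxConnections) reduce to attribute inspection. Added example, not part of the STIG or of Tomcat: the server.xml below is a constructed sample with one compliant Host, one Host whose pattern drops required tokens, and one Connector without maxConnections. It accepts the “combined” shorthand as well, since Tomcat defines it as “common” plus the Referer and User-Agent headers.

```python
import re
import xml.etree.ElementTree as ET

ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"
REQUIRED_TOKENS = {"%h", "%l", "%u", "%t", "%r", "%s", "%b"}   # the "common" format; %t is the time stamp
ALIASES = {"common", "combined"}        # Tomcat shorthands; "combined" is "common" plus Referer/User-Agent

# Constructed sample server.xml (not a real deployment).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxConnections="2000"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      </Host>
      <Host name="dev.example.test" appBase="webapps-dev">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="dev_access_log." suffix=".txt" pattern="%h %t %s"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

def pattern_tokens(pattern):
    """Extract %x and %{name}x tokens; the quotes around %r are literal text and are ignored."""
    return set(re.findall(r"%\{[^}]*\}[A-Za-z]|%[A-Za-z]", pattern))

def audit_access_log_valves(server_xml_text):
    """Return (scope, sorted missing tokens) per non-compliant AccessLogValve; no valve at all = everything missing."""
    root = ET.fromstring(server_xml_text)
    findings, seen = [], 0
    for parent in root.iter():                      # valves may sit under Engine, Host or Context
        for valve in parent.findall("Valve"):
            if valve.get("className") != ACCESS_LOG_VALVE:
                continue
            seen += 1
            pattern = valve.get("pattern", "").strip()
            missing = set() if pattern in ALIASES else REQUIRED_TOKENS - pattern_tokens(pattern)
            if missing:
                findings.append((parent.get("name", parent.tag), sorted(missing)))
    if seen == 0:
        findings.append((root.tag, sorted(REQUIRED_TOKENS)))
    return findings

def audit_connector_limits(server_xml_text):
    """Return ports of Connectors with no maxConnections attribute or a negative (unlimited) value."""
    root = ET.fromstring(server_xml_text)
    return [c.get("port") for c in root.iter("Connector")
            if c.get("maxConnections") is None or int(c.get("maxConnections")) < 0]
```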
Discussion
To investigate an incident, the log records should be easily put into chronological order. Without sufficient granularity of time stamps, the chronological order cannot be determined. Time stamps generated by the application server include date and time. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks.
Fix
Configure the application server to use time stamps for log records that can meet a granularity of one second.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000120-AS-000080: The Tomcat server must protect log information from unauthorized deletion.
Check the permissions on all log files in CATALINA_HOME/logs. The permissions should be 640 or less permissive. If they are more permissive, this is a finding.
Discussion
If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. Application servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow for unfettered access to those records. Application servers also write log data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access. Log information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized deletion.
Fix
Configure the application server to protect log information from unauthorized deletion.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000119-AS-000079: The Tomcat server must protect log information from unauthorized modification.
Check the permissions on all log files in CATALINA_HOME/logs. The permissions should be 640 or less permissive. If they are more permissive, this is a finding.
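TOMCAT-000118, -000119 and -000120 share one check (every file under CATALINA_HOME/logs at mode 640 or tighter), and TOMCAT-000091 adds an ownership check on logging.properties. The audit below is an added example, not from the STIG or from Tomcat; it treats “640 or less permissive” as “no mode bit set outside rw-r-----”, builds a constructed stand-in for the logs directory in a temporary location, and compares ownership against the uid/gid the caller supplies for the tomcat user and group.

```python
import os
import stat
import tempfile

def check_owner(path, expected_uid, expected_gid):
    """Return a finding string when uid/gid differ from the expected tomcat user/group, else None."""
    st = os.stat(path)
    if st.st_uid != expected_uid or st.st_gid != expected_gid:
        return f"{os.path.basename(path)}: owned by {st.st_uid}:{st.st_gid}, expected {expected_uid}:{expected_gid}"
    return None

def audit_log_dir(log_dir, expected_uid, expected_gid, max_mode=0o640):
    """Flag regular files whose mode grants any bit beyond max_mode, and files not owned by tomcat:tomcat."""
    result = {"too_permissive": [], "wrong_owner": []}
    for entry in sorted(os.scandir(log_dir), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue
        mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
        if mode & ~max_mode:                       # any bit outside rw-r----- is "more permissive than 640"
            result["too_permissive"].append(entry.name)
        if check_owner(entry.path, expected_uid, expected_gid):
            result["wrong_owner"].append(entry.name)
    return result

def build_sample_logs():
    """Constructed fixture: a CATALINA_HOME/logs stand-in mixing compliant and over-permissive files."""
    log_dir = tempfile.mkdtemp(prefix="tomcat-logs-")
    for name, mode in {"catalina.out": 0o644, "localhost_access_log.txt": 0o664,
                       "localhost.log": 0o640, "host-manager.log": 0o600}.items():
        path = os.path.join(log_dir, name)
        with open(path, "w") as fh:
            fh.write("constructed log line\n")
        os.chmod(path, mode)
    return log_dir

def run_demo():
    """Audit the fixture once with the owning uid/gid and once with a mismatched uid (assumed tomcat uid)."""
    log_dir = build_sample_logs()
    uid, gid = os.getuid(), os.getgid()
    return audit_log_dir(log_dir, uid, gid), audit_log_dir(log_dir, uid + 1, gid)
```

In a real audit, resolve the tomcat user and group with the pwd and grp modules and point audit_log_dir at CATALINA_HOME/logs; check_owner applied to conf/logging.properties covers the TOMCAT-000091 check.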
Discussion
If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to log records provides information an attacker could potentially use to his or her advantage. Application servers contain admin interfaces that allow reading and manipulation of log records. Therefore, these interfaces should not allow unfettered access to those records. Application servers also write log data to log files which are stored on the OS, so appropriate file permissions must also be used to restrict access. Log information includes all information (e.g., log records, log settings, transaction logs and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized modification.
Fix
Configure the application server to protect log information from unauthorized modification.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
TOMCAT-000219-AS-000147: The Tomcat server must ensure authentication of both client and server during the entire session.
The Tomcat server must use SSL in order to maintain the confidentiality and integrity of information during preparation for transmission. Review the server.xml configuration file and check if the “SSL HTTP/1.1 Connector” entry is uncommented. If the “SSL HTTP/1.1 Connector” entry is commented out or does not exist, this is a finding.
Discussion
This control focuses on communications protection at the session, versus packet level. At the application layer, session IDs are tokens generated by web applications to uniquely identify an application user's session. Web applications utilize session tokens or session IDs in order to establish application user identity. Proper use of session IDs addresses man-in-the-middle attacks, including session hijacking or insertion of false information into a session. Application servers must provide the capability to perform mutual authentication. Mutual authentication is when both the client and the server authenticate each other.
Fix
Configure the application server to mutually authenticate during the entire session as required by application design and policy.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None