Title

The Tomcat server must provide a clustering capability. (Cat II impact)

Discussion

This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. When application failure is encountered, preserving application state facilitates application restart and return to the operational mode of the organization with less disruption of mission/business processes. Clustering of multiple application servers is a common approach to providing fail-safe application availability when system MAC and confidentiality levels require redundancy.

Check Content

Ask the SA, if clustering is needed or required. If clustering is not needed or required this check is N/A. Check the server.xml file for the following line: <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/> If the line does not exist or is commented out, this is a finding.

Fix Text

This requirement is dependent upon system MAC and confidentiality. If the system MAC and confidentiality levels do not specify redundancy requirements, this requirement is NA. Configure the application server to provide application failover or participate in an application cluster which provides failover.

Additional Identifiers

Rule ID: SV-46711r3_rule

Vulnerability ID: V-35424

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.