Title

The Tomcat server must enforce access restrictions associated with changes to server configuration. (Cat II impact)

Discussion

When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software, and/or application server configuration can potentially have significant effects on the overall security of the system. Access restrictions for changes also include application software libraries. If the application server provides automatic code deployment capability, (where updates to applications hosted on the application server are automatically performed, usually by the developers' IDE tool), it must also provide a capability to restrict the use of automatic application deployment. Automatic code deployments are allowable in a development environment, but not in production.

Check Content

The Tomcat server configuration files must have permissions set to 640 or less permissive. Check the permissions on the following configuration files: conf/server.xml conf/catalina.properties If the permissions are more permissive than 640, this is a finding.

Fix Text

Configure the application server to enforce access restrictions associated with changes to the application server configuration to include code deployment, library updates, and changes to application server configuration settings.

Additional Identifiers

Rule ID: SV-71767r2_rule

Vulnerability ID: V-57491

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.