Check: TOMCAT-000097-AS-000060
Apache Tomcat Application Server STIG - Xylok Custom: TOMCAT-000097-AS-000060 (in version v1 r1.1)
Title
The Tomcat server must produce log records containing sufficient information to establish where the events occurred. (Cat II impact)
Discussion
Application server logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the correct location or process within the application server where the events occurred is important during forensic analysis. To determine where an event occurred, the log data must contain information that identifies the source and destination of the events, such as application components, modules, filenames, host names, servlets, containers, APIs, and other functionality.
Check Content
Review the server.xml configuration file for the Tomcat server and verify that logging has been set up with at least the following entries: %h %l %u %t %r %s %b

In the server.xml file, look for the following section in the XML:

```xml
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs"
       prefix="localhost_access_log."
       suffix=".txt"
       pattern="%h %l %u %t &quot;%r&quot; %s %b" />
```

If the pattern attribute does not contain “common” or at least the following: “%h %l %u %t %r %s %b”, this is a finding.
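One way to automate this check, as an added example that is not part of the STIG text: it parses server.xml, evaluates every AccessLogValve, and reports which required fields each pattern lacks. The sample file and its host name are constructed; treating a missing `pattern` attribute or a missing valve as a finding, and accepting Tomcat's `combined` alias as a superset of `common`, are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED = {"%h", "%l", "%u", "%t", "%r", "%s", "%b"}
# Tomcat's built-in pattern aliases, expanded to the fields they stand for.
ALIASES = {
    "common": '%h %l %u %t "%r" %s %b',
    "combined": '%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"',
}
TOKEN = re.compile(r"%(?:\{[^}]*\})?[A-Za-z]")
ACCESS_LOG = "org.apache.catalina.valves.AccessLogValve"

# Constructed sample: one compliant valve, one that omits %h %l %u %b.
SAMPLE = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  </Host>
  <Host name="app.example.test" appBase="apps">
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="app_access_log." suffix=".txt" pattern="%t &quot;%r&quot; %s" />
  </Host>
</Engine></Service></Server>"""


def audit_access_log_valves(server_xml: str) -> list:
    """Return one result per AccessLogValve; an empty list means none is configured."""
    results = []
    for valve in ET.fromstring(server_xml).iter("Valve"):
        if valve.get("className") != ACCESS_LOG:
            continue
        pattern = valve.get("pattern")  # None when the attribute is absent
        expanded = ALIASES.get(pattern, pattern or "")
        missing = sorted(REQUIRED - set(TOKEN.findall(expanded)))
        results.append({"prefix": valve.get("prefix"), "pattern": pattern,
                        "missing": missing, "finding": bool(missing)})
    return results


def is_finding(server_xml: str) -> bool:
    """Finding if no AccessLogValve exists or any valve lacks a required field."""
    results = audit_access_log_valves(server_xml)
    return not results or any(r["finding"] for r in results)


if __name__ == "__main__":
    for r in audit_access_log_valves(SAMPLE):
        print(r["prefix"], "FINDING" if r["finding"] else "ok", r["missing"])
```

A server.xml whose pattern value carries unescaped inner double quotes is not well-formed XML, so `ET.fromstring` raises `ParseError` on it; the quotes around `%r` must be written as `&quot;`.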
Fix Text
Configure the application server logging system to log where the event took place.
Additional Identifiers
Rule ID: SV-46454r4_rule
Vulnerability ID: V-35167
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000132 | The information system generates audit records containing information that establishes where the event occurred. |
Controls
Number | Title |
---|---|
AU-3 | Content Of Audit Records |