Title

The Tomcat server must allow only the Tomcat system user to select which logable events are to be logged. (Cat II impact)

Discussion

Log records can be generated from various components within the application server, (e.g., httpd, beans, etc.) From an application perspective, certain specific application functionalities may be logged, as well. The list of logged events is the set of events for which logs are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating log records (e.g., logable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked). Application servers utilize role-based access controls in order to specify the individuals who are allowed to configure application component logable events. The application server must be configured to select which personnel are assigned the role of selecting which logable events are to be logged. The personnel or roles that can select logable events are only the ISSM (or individuals or roles appointed by the ISSM).

Check Content

Check the owner and group on the logging.properties files and veryfiy it is owned by the tomcat user and the tomcat group (Solaris install instructions say create a user named tomcat and a group tomcat). If the logging.properties file is not owned by the tomcat user, this is a finding. If the logging.properties file is not group owned by the tomcat group, this is a finding.

Fix Text

Configure the application server to only allow the ISSM (or individuals or roles appointed by the ISSM) to change logable events.

Additional Identifiers

Rule ID: SV-46429r3_rule

Vulnerability ID: V-35142

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.