Check: ISEC-06-551400
ISEC7 Sphere STIG: ISEC-06-551400 (in version v2 r1)
Title
A manager role must be assigned to the Apache Tomcat Web apps (Manager, Host-Manager). (Cat II impact)
Discussion
If a manager role is not assigned to the Apache Tomcat web apps, the system administrator will not be able to manage and configure the web apps, and security settings may not be configured correctly, which could leave Apache Tomcat susceptible to attack by an intruder.
Check Content
Verify a manager role has been assigned to the Apache Tomcat Web apps (Manager, Host-Manager).
Log in to the ISEC7 EMM Suite server.
Navigate to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\
Confirm a user with the manager role exists in <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\tomcat-users.xml.
Example: <user username="admin" roles="manager-gui,manager-script" ..../>
If a manager role has not been assigned to the Apache Tomcat Web apps, this is a finding.
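The check above can be scripted; the following PowerShell is an added example, not part of the STIG or of ISEC7's tooling. The function name `Get-TomcatManagerUser`, the constructed sample file, and the rule that any role beginning with `manager-` counts as a manager role (generalized from the page's `manager-gui,manager-script` example) are assumptions.

```powershell
# Added example (hypothetical helper): lists users in tomcat-users.xml that hold a manager role.
function Get-TomcatManagerUser {
    param(
        # Full path to tomcat-users.xml, with <Drive> replaced by the real drive letter.
        [Parameter(Mandatory)][string]$Path
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "tomcat-users.xml not found: $Path"
    }
    # Parse as XML rather than text-matching, so commented-out <user> entries are ignored.
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    # local-name() matches <user> whether or not the root declares a default namespace.
    foreach ($user in $doc.DocumentElement.SelectNodes("*[local-name()='user']")) {
        $roles = @($user.GetAttribute('roles') -split ',' | ForEach-Object { $_.Trim() })
        # Assumption: a "manager role" is any role whose name starts with "manager-".
        $managerRoles = @($roles | Where-Object { $_ -like 'manager-*' })
        if ($managerRoles.Count -gt 0) {
            [pscustomobject]@{
                Username     = $user.GetAttribute('username')
                ManagerRoles = $managerRoles -join ','
            }
        }
    }
}

# Constructed sample file (not from a real server): one commented-out entry,
# one user with manager roles, one user without.
$sample = @'
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <!-- <user username="disabled" password="CONSTRUCTED" roles="manager-gui"/> -->
  <user username="admin" password="CONSTRUCTED" roles="manager-gui,manager-script"/>
  <user username="viewer" password="CONSTRUCTED" roles="reader"/>
</tomcat-users>
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'tomcat-users-sample.xml'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8

$found = @(Get-TomcatManagerUser -Path $tmp)
if ($found.Count -eq 0) {
    'FINDING: no user with a manager role in tomcat-users.xml'
} else {
    $found | Format-Table -AutoSize
}
Remove-Item -LiteralPath $tmp
```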
Fix Text
To add a manager role to the Apache Tomcat Web apps (Manager, Host-Manager), run the ISEC7 integrated installer or use the following manual procedure:
By default there are no users with the manager role assigned. To make use of the manager webapp, you need to add a new role and user to the <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\tomcat-users.xml file.
Log in to the ISEC7 EMM Suite server.
Navigate to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\
Add a user with the manager role to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\tomcat-users.xml
Example: <user username="admin" roles="manager-gui,manager-script" ..../>
Save the file.
Additional Identifiers
Rule ID: SV-224791r505933_rule
Vulnerability ID: V-224791
Group Title: SRG-APP-000090
CCIs
Number | Definition |
---|---|
CCI-000171 | The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. |
Controls
Number | Title |
---|---|
AU-12 | Audit Generation |