Title

LockOutRealm must not be removed from Apache Tomcat. (Cat II impact)

Discussion

LockOutRealm prevents brute force attacks against user passwords. Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.

Check Content

Log in to the ISEC7 EMM Suite server. Navigate to <Drive>:\Program Files\Isec7 EMM Suite\Tomcat\Config Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Confirm the following line is in the server.xml file: <Realm className="org.apache.catalina.realm.LockOutRealm"> If it is not found or has been commented out, this is a finding. If the LockOutRealm has been removed and can't be used, this is a finding.

Fix Text

Login to the ISEC7 EMM Suite server. Navigate to <Drive>:\Program Files\Isec7 EMM Suite\Tomcat\Config Open the server.xml file with Notepad. Select Edit >> Find and search for LockOutRealm. Add the following line is in the server.xml file: <Realm className="org.apache.catalina.realm.LockOutRealm"> Restart the ISEC7 EMM Suite Web service in the services.msc

Additional Identifiers

Rule ID: SV-224782r505933_rule

Vulnerability ID: V-224782

Group Title: SRG-APP-000383

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.