Check: ISEC-06-550200
ISEC7 Sphere STIG: ISEC-06-550200 (in version v2 r1)
Title
All Web applications included with Apache Tomcat that are not required must be removed. (Cat II impact)
Discussion
Removal of unneeded or non-secure functions, ports, protocols, and services mitigates the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.
Check Content
Verify that the CATALINA_HOME/webapps directory of the Tomcat administrative tool has been configured so that all Web applications that are not required have been removed. Log in to the ISEC7 EMM Suite server. Browse to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\webapps\. Confirm that all folders in the directory, with the exception of Manager and Host-Manager, have been removed. If the CATALINA_HOME/webapps directory has not been configured to remove all Web applications that are not required, this is a finding.
Fix Text
To configure the CATALINA_HOME/webapps directory of the Tomcat administrative tool so that all Web applications that are not required are removed, run the ISEC7 integrated installer or use the following manual procedure: Log in to the ISEC7 EMM Suite server. Browse to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\webapps\. Remove all folders in the directory with the exception of Manager and Host-Manager.
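The check and fix above can be scripted so the audit is repeatable and the removal can be previewed before anything is deleted. The following PowerShell script is an added example and is not part of the STIG or of ISEC7's installer. It assumes the webapps path named in the check with C: as the drive, and it treats Manager and Host-Manager as the only permitted applications, exactly as the STIG states; the comparison is case-insensitive because Tomcat itself ships these folders as "manager" and "host-manager" while the STIG text capitalizes them. Leftover .war archives are reported too, because Tomcat re-expands a .war on startup and the removed folder would otherwise reappear.

```powershell
# Added example: audit (and optionally remediate) CATALINA_HOME\webapps for ISEC-06-550200.
# Assumptions: the path below is the one named in the STIG check with C: as the drive;
# the allowed list is the STIG's own (Manager, Host-Manager); comparisons are
# case-insensitive because Tomcat ships the folders as "manager"/"host-manager".
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$WebappsPath = 'C:\Program Files\ISEC7 EMM Suite\Tomcat\webapps',
    [string[]]$Allowed   = @('Manager', 'Host-Manager'),
    [switch]$Remediate
)

if (-not (Test-Path -LiteralPath $WebappsPath -PathType Container)) {
    Write-Error "webapps directory not found: $WebappsPath"
    exit 2
}

# Deployed applications are the sub-directories (exploded WARs). A .war file still
# sitting in webapps would be re-expanded by Tomcat on startup, so it counts as well.
# PowerShell's -notcontains is case-insensitive, which matches Windows file naming.
$extra = @(
    Get-ChildItem -LiteralPath $WebappsPath -Force |
        Where-Object {
            ($_.PSIsContainer -or $_.Extension -ieq '.war') -and
            ($Allowed -notcontains $_.BaseName)
        }
)

if ($extra.Count -eq 0) {
    Write-Output "ISEC-06-550200: not a finding (only $($Allowed -join ', ') present in $WebappsPath)"
    exit 0
}

Write-Output "ISEC-06-550200: FINDING - web applications not required in $WebappsPath"
$extra | ForEach-Object { Write-Output ("  " + $_.Name) }

if ($Remediate) {
    foreach ($item in $extra) {
        # ShouldProcess makes -WhatIf and -Confirm work for the removal step.
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Remove web application')) {
            Remove-Item -LiteralPath $item.FullName -Recurse -Force
        }
    }
}

exit 1
```

Run the script with no parameters to audit only; it exits 0 when the directory is compliant and 1 when it lists a finding, so it can be wired into a scheduled compliance job. Add `-Remediate -WhatIf` to see what would be deleted, and `-Remediate` to perform the fix. Stop the Tomcat service before removing folders, since a running instance keeps file handles open on deployed applications and the removal may otherwise fail part way.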
Additional Identifiers
Rule ID: SV-224781r505933_rule
Vulnerability ID: V-224781
Group Title: SRG-APP-000383
CCIs
Number | Definition
---|---
CCI-001762 | The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
Controls
Number | Title
---|---
CM-7 (1) | Periodic Review