Title

A manager role must be assigned to the Apache Tomcat Web apps (Manager, Host-Manager). (Cat II impact)

Discussion

If a manager role is not assigned to the Apache Tomcat web apps, the system administrator will not be able to manage and configure the web apps and security setting may not be configured correctly, with could leave the Apache Tomcat susceptible to attack by an intruder.

Check Content

Verify a manager role has been assigned to the Apache Tomcat Web apps (Manager, Host-Manager). Log in to the ISEC7 SPHERE server. Navigate to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\. Confirm a user with the manager role to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\tomcat-users.xml exists. example: <user username="admin" roles="manager-gui,manager-script" ..../> If a manager role has not been assigned to the Apache Tomcat Web apps, this is a finding.

Fix Text

To add a manager role to the Apache Tomcat Web apps (Manager, Host-Manager), run the ISEC7 integrated installer or use the following manual procedure: By default there are no users with the manager role assigned. To make use of the manager webapp, add a new role and user into the <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\tomcat-users.xml file. Log in to the ISEC7 SPHERE server. Navigate to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\. Add a user with the manager role to <Drive>:\Program Files\ISEC7 SPHERE\Tomcat\conf\tomcat-users.xml. example: <user username="admin" roles="manager-gui,manager-script" ..../> Save the file.

Additional Identifiers

Rule ID: SV-224791r1013882_rule

Vulnerability ID: V-224791

Group Title: SRG-APP-000090

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.