Check: TCAT-AS-001720
Apache Tomcat Application Server 9 STIG:
TCAT-AS-001720
(in versions v2 r7 through v1 r1)
Title
Connectors must be approved by the ISSO. (Cat III impact)
Discussion
Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP and then sends back the results to the requestor. A port and a protocol are tied to each connector. Only connectors approved by the ISSO must be installed. ISSO review will consist of validating connector protocol as being secure and required in order for the hosted application to operate. The ISSO will ensure that unnecessary or insecure connector protocols are not enabled. The ISSO will provide documented approval for each connector that will be maintained in the System Security Plan (SSP).
Check Content
Review the Tomcat servers System Security Plan/server documentation. Access the Tomcat server and review the server.xml file. grep -i "connector port" $CATALINA_BASE/conf/server.xml Compare the active Connectors and their associated IP ports with the Connectors documented and approved in the SSP. If the Connectors that are configured on the Tomcat server are not approved by the ISSO and documented in the SSP, this is a finding.
Fix Text
Document and obtain ISSO approval for the Connectors that are configured on the Tomcat server. Retain the information in the SSP and present to the auditor in the event of a CCRI.
Additional Identifiers
Rule ID: SV-223008r879887_rule
Vulnerability ID: V-223008
Group Title: SRG-APP-000516-AS-000237
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |