Check: TCAT-AS-001700
Apache Tomcat Application Server 9 STIG:
TCAT-AS-001700
(in versions v2 r7 through v1 r1)
Title
Tomcat users in a management role must be approved by the ISSO. (Cat II impact)
Discussion
Deploying applications to Tomcat through the Manager web application requires a Tomcat user account in the "manager-script" role. Any user account in a Tomcat management role must be approved by the ISSO.
Check Content
Review the Tomcat server's System Security Plan/server documentation. Ensure that user accounts and roles with access to Tomcat management features, such as the "manager-script" role, are documented and approved by the ISSO. If the ISSO has not approved the documented roles and users that have management rights to the Tomcat server, this is a finding.
Fix Text
Document the users and the roles that have been defined for use with the Tomcat server. Ensure that all users and roles with access to Tomcat management features and capabilities are approved by the ISSO.
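The check and fix above ask for an inventory of users holding Tomcat management roles so it can be compared with what the ISSO approved. The following script is an added example, not part of the STIG text, that produces that inventory from a tomcat-users.xml file (the store behind Tomcat's UserDatabaseRealm) and reports any management-role user missing from an approved list. The sample XML and the approved list are constructed for the example; the role names are the ones Tomcat's Manager and Host Manager applications define. It does not cover installations that authenticate through other realms (JNDI, DataSource, etc.), which must be inventoried from that realm's backing store instead.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to Tomcat's Manager and Host Manager applications.
MANAGEMENT_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Constructed sample tomcat-users.xml (not taken from the original page).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <role rolename="appuser"/>
  <user username="deploy" password="x" roles="manager-script"/>
  <user username="alice" password="x" roles="manager-gui, manager-status"/>
  <user username="bob" password="x" roles="appuser"/>
</tomcat-users>
"""


def _local(tag):
    """Strip the XML namespace so namespaced and bare tomcat-users.xml both parse."""
    return tag.rsplit("}", 1)[-1]


def management_users(xml_text):
    """Return {username: sorted management roles} for every user holding at least one.

    Tomcat's MemoryUserDatabase accepts either 'username' or 'name' on <user>,
    so both attributes are checked.
    """
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        mgmt = sorted(roles & MANAGEMENT_ROLES)
        if name and mgmt:
            found[name] = mgmt
    return found


def unapproved_users(xml_text, approved):
    """Management-role users that are absent from the ISSO-approved list (a finding)."""
    return sorted(set(management_users(xml_text)) - set(approved))


if __name__ == "__main__":
    # Hypothetical approved list; in practice it comes from the SSP/server documentation.
    approved = ["deploy"]
    for user, roles in management_users(SAMPLE_TOMCAT_USERS).items():
        print(f"{user}: {', '.join(roles)}")
    missing = unapproved_users(SAMPLE_TOMCAT_USERS, approved)
    print("unapproved management users:", missing or "none")
```

Run it against the real file with `management_users(open("/path/to/conf/tomcat-users.xml").read())`; any name in the result of `unapproved_users` is a management account the ISSO has not signed off on.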
Additional Identifiers
Rule ID: SV-223006r879887_rule
Vulnerability ID: V-223006
Group Title: SRG-APP-000516-AS-000237
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings