Check: TCAT-AS-000180
Apache Tomcat Application Server 9 STIG:
TCAT-AS-000180
(in versions v2 r7 through v1 r1)
Title
AccessLogValve must be configured per each virtual host. (Cat II impact)
Discussion
Application servers utilize role-based access controls in order to specify the individuals who are allowed to configure application component loggable events. The application server must be configured to select which personnel are assigned the role of selecting which loggable events are to be logged. Satisfies: SRG-APP-000090-AS-000051, SRG-APP-000095-AS-000056, SRG-APP-000100-AS-000063, SRG-APP-000101-AS-000072, SRG-APP-000503-AS-000228, SRG-APP-000505-AS-000230, SRG-APP-000506-AS-000231
Check Content
As an elevated user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Review for all <Host> elements. If a <Valve className="org.apache.catalina.valves.AccessLogValve" .../> element is not nested within each <Host> element, this is a finding. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... </Host>
Fix Text
As a privileged user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Create a <Valve> element that is nested beneath the <Host> element containing an AccessLogValve. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... </Host> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
Additional Identifiers
Rule ID: SV-222938r879560_rule
Vulnerability ID: V-222938
Group Title: SRG-APP-000090-AS-000051
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000130 |
The information system generates audit records containing information that establishes what type of event occurred. |
CCI-000135 |
The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
CCI-000171 |
The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. |
CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
CCI-001487 |
The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event. |