Check: TCAT-AS-000050
Apache Tomcat Application Server 9 STIG:
TCAT-AS-000050
(in versions v2 r7 through v1 r1)
Title
AccessLogValve must be configured for each application context. (Cat II impact)
Discussion
Tomcat has the ability to host multiple contexts (applications) on one physical server by using the <Host><Context> attribute. This allows the admin to specify audit log settings on a per application basis. Satisfies: SRG-APP-000016-AS-000013, SRG-APP-000080-AS-000045, SRG-APP-000089-AS-000050, SRG-APP-000091-AS-000052, SRG-APP-000095-AS-000056, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062
Check Content
As an elevated user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Review for all <Context> elements. If a <Valve className="org.apache.catalina.valves.AccessLogValve" .../> element is not defined within each <Context> element, this is a finding. EXAMPLE: <Context ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="application_name_log" suffix=".txt" pattern=""%h %l %t %u "%r" %s %b" /> ... />
Fix Text
As a privileged user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Create a <Valve> element that is nested within the <Context> element containing an AccessLogValve. EXAMPLE: <Context ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="application_name_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... /> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
Additional Identifiers
Rule ID: SV-222930r879521_rule
Vulnerability ID: V-222930
Group Title: SRG-APP-000016-AS-000013
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000067 |
The information system monitors remote access methods. |
CCI-000130 |
The information system generates audit records containing information that establishes what type of event occurred. |
CCI-000133 |
The information system generates audit records containing information that establishes the source of the event. |
CCI-000134 |
The information system generates audit records containing information that establishes the outcome of the event. |
CCI-000166 |
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
CCI-000169 |
The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. |
CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |