Check: TCAT-AS-001460
Apache Tomcat Application Server 9 STIG:
TCAT-AS-001460
(in versions v2 r7 through v1 r1)
Title
The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster. (Cat II impact)
Discussion
A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the application server, the hosted application and data are given a platform that is load-balanced and provided high-availability.
Check Content
This requirement only applies to a system that is categorized as high within the Risk Management Framework (RMF). Review the System Security Plan (SSP) or other system documentation that specifies the operational uptime requirements and RMF system categorization. If the system is categorized as high, from the Tomcat server as a privileged user, run the following command: sudo grep -i -A10 -B2 "Cluster" $CATALINA_BASE/conf/server.xml If the <Cluster/> element is commented out, or no results returned, then the system is not clustered and this is a finding.
Fix Text
From the Tomcat server as a privileged user, modify the $CATALINA_BASE/conf/server.xml file. Uncomment the "<Cluster/> object and configure the system into a cluster as per the Tomcat clustering documentation provided at the Tomcat website. https://tomcat.apache.org/tomcat-9.0-doc/config/cluster.html
Additional Identifiers
Rule ID: SV-222995r879806_rule
Vulnerability ID: V-222995
Group Title: SRG-APP-000435-AS-000069
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
Number | Title |
---|---|
SC-5 |
Denial Of Service Protection |