Check: TCAT-AS-000260
Apache Tomcat Application Server 9 STIG:
TCAT-AS-000260
(in versions v2 r7 through v1 r1)
Title
HTTP status code must be logged. (Cat III impact)
Discussion
The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/server.xml configuration file. The %s pattern code is included in the pattern element and logs the server response code associated with the event, e.g. 200 OK or 400 Bad Request. Including the status pattern in the log configuration provides useful server response information about the event, which is critical for troubleshooting and forensic investigations.
Check Content
As an elevated user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file. Review all "Valve" elements. If the pattern= statement does not include %s, this is a finding.

EXAMPLE:

```xml
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
...
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log" suffix=".txt"
       pattern="%h %l %t %u &quot;%r&quot; %s %b" />
...
</Host>
```
Fix Text
As a privileged user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file. Modify the <Valve> element(s) nested within the <Host> element(s). Change the AccessLogValve setting to include %s in the pattern= statement.

EXAMPLE:

```xml
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
...
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log" suffix=".txt"
       pattern="%h %l %t %u &quot;%r&quot; %s %b" />
...
</Host>
```

Restart the Tomcat server:

```shell
sudo systemctl restart tomcat
sudo systemctl daemon-reload
```
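The check and fix above are manual. The following script is an added example (not part of the STIG or of Tomcat) that automates the check over a server.xml file: it locates every AccessLogValve, tokenises its pattern and reports each valve whose pattern does not emit %s. Tokenising matters because Tomcat's pattern language also has a `%{name}s` code (session attribute), which a plain substring search for `%s` would wrongly accept; the named patterns `common` and `combined` are treated as compliant because Tomcat expands both to a format containing %s. A valve with no pattern= attribute at all is reported as well, so that the status code is logged explicitly rather than by default. The embedded server.xml is constructed for the example; the function names are my own.

```python
"""Automated check for TCAT-AS-000260: each AccessLogValve must log the HTTP status (%s)."""
import re
import sys
import xml.etree.ElementTree as ET

ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"

# Tomcat's named shorthand patterns (per the AccessLogValve documentation);
# both expand to a format that already contains %s.
NAMED_PATTERNS = {
    "common": '%h %l %u %t "%r" %s %b',
    "combined": '%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"',
}

# One pattern token: '%' + optional '{argument}' + one letter. Tokenising keeps
# '%{JSESSIONID}s' (session attribute) from being mistaken for '%s' (status code).
TOKEN_RE = re.compile(r"%(?:\{[^}]*\})?[A-Za-z]")

# Constructed sample server.xml: one compliant host, two non-compliant valves on
# a second host, and a third host using the 'combined' alias plus a valve with
# no pattern= attribute.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %t %u &quot;%r&quot; %s %b" />
      </Host>
      <Host name="intranet.example" appBase="webapps-intranet">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="intranet_access_log" suffix=".txt"
               pattern="%h %l %t %u &quot;%r&quot; %b" />
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="session_access_log" suffix=".txt"
               pattern="%t %{JSESSIONID}s %U" />
      </Host>
      <Host name="api.example" appBase="webapps-api">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="api_access_log" suffix=".txt" pattern="combined" />
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="legacy_access_log" suffix=".txt" />
      </Host>
    </Engine>
  </Service>
</Server>
"""


def pattern_logs_status(pattern: str) -> bool:
    """True if the access log pattern emits the HTTP status code token %s."""
    expanded = NAMED_PATTERNS.get(pattern.strip(), pattern)
    return "%s" in TOKEN_RE.findall(expanded)


def check_server_xml(xml_text: str) -> list:
    """Return (container, log prefix, reason) for every non-compliant AccessLogValve."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for valve in root.iter("Valve"):
        if valve.get("className") != ACCESS_LOG_VALVE:
            continue  # other valves (e.g. RemoteAddrValve) have no log pattern
        parent = parent_of.get(valve)
        where = (f"{parent.tag} {parent.get('name', '')}".strip()
                 if parent is not None else root.tag)
        prefix = valve.get("prefix", "access_log")
        pattern = valve.get("pattern")
        if pattern is None:
            findings.append((where, prefix,
                             "no pattern= attribute; set it explicitly so %s is logged"))
        elif not pattern_logs_status(pattern):
            findings.append((where, prefix, f"pattern {pattern!r} does not include %s"))
    return findings


if __name__ == "__main__":
    # Usage: python check_tcat_as_000260.py [/path/to/server.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    results = check_server_xml(text)
    for where, prefix, reason in results:
        print(f"FINDING: {where} valve '{prefix}': {reason}")
    print("Compliant" if not results else f"{len(results)} finding(s)")
```

Point the script at $CATALINA_BASE/conf/server.xml to run it against a live configuration. It checks only org.apache.catalina.valves.AccessLogValve; the ExtendedAccessLogValve subclass uses a different (W3C-style) pattern syntax and is not covered.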
Additional Identifiers
Rule ID: SV-222941r879565_rule
Vulnerability ID: V-222941
Group Title: SRG-APP-000097-AS-000060
Expert Comments
CCIs
Number | Definition
---|---
CCI-000132 | The information system generates audit records containing information that establishes where the event occurred.
Controls
Number | Title
---|---
AU-3 | Content Of Audit Records