STIGQter STIGQter: STIG Summary: ISEC7 EMM Suite v6.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 23 Aug 2019:

The Apache Tomcat Manager Web app password must be cryptographically hashed with a DoD approved algorithm.

DISA Rule

SV-106381r1_rule

Vulnerability Number

V-97275

Group Title

SRG-APP-000171

Rule Version

ISEC-06-550150

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To encrypt the Tomcat Manager Web app password, run the ISEC7 integrated installer or use the following manual procedure.

Note: The ISEC7 integrated installer will configure SHA-512 as the hash algorithm, which is not available with the manual procedure. The manual procedure will configure SHA-256. Both are DoD approved.

Login to the ISEC7 EMM Suite server.
Browse to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf and open Tomcat-Users.xml
Open the Command Prompt and CD to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\bin
Execute the following command:

digest -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler *

*where password is the 15 character password designated for the account

Copy the output, which is the SHA-256 hashed digest password.
In Tomcat-Users.xml, add in the password for the user with the obfuscated output.

ex: <user password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e" roles="manager-gui,manager-script" username="admin"/>

Save the file.

Open <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\server.xml with Notepad.exe
Select Edit >> Find and search for CredentialHandler.
Replace the text with: <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" />
Save the file.
Restart the ISEC7 EMM Suite Web service using the services.msc

Check Contents

Verify the Apache Tomcat Manager Web app password is hashed using SHA-256 (or SHA-512).

Login to the ISEC7 EMM Suite server.
Navigate to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\
Open tomcat-users.xml and verify the user password has been hashed with an obfuscated password.

ex: <user password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e" roles="manager-gui,manager-script" username="admin"/>

Open <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\server.xml with Notepad.exe

Select Edit >> Find and search for CredentialHandler.

Confirm the text: <CredentialHandler algorithm="PBKDF2WithHmacSHA512" keyLength="256" />

Close the file.

If the Apache Tomcat Manager Web app password is not hashed using SHA-256 (or SHA-512), this is a finding.

Vulnerability Number

V-97275

Documentable

False

Rule Version

ISEC-06-550150

Severity Override Guidance

Verify the Apache Tomcat Manager Web app password is hashed using SHA-256 (or SHA-512).

Login to the ISEC7 EMM Suite server.
Navigate to <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\
Open tomcat-users.xml and verify the user password has been hashed with an obfuscated password.

ex: <user password="310c55aa3d5b42217e7f0e80ce30467d$100000$529cceb1fbc80f4f461fc1bd56219d79d9c94d4a8fc46abad0646f27e753ff9e" roles="manager-gui,manager-script" username="admin"/>

Open <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\conf\server.xml with Notepad.exe

Select Edit >> Find and search for CredentialHandler.

Confirm the text: <CredentialHandler algorithm="PBKDF2WithHmacSHA512" keyLength="256" />

Close the file.

If the Apache Tomcat Manager Web app password is not hashed using SHA-256 (or SHA-512), this is a finding.

Check Content Reference

M

Target Key

3503

Comments