SV-222926r615938_rule
V-222926
SRG-APP-000001-AS-000001
TCAT-AS-000010
CAT III
10
Determine the number of authorized admins requiring simultaneous access and increase the number of allowed simultaneous sessions by a small percentage in order to address potential lockout scenarios. Document that value in the System Security Plan.
Review the maxActiveSessions setting in the $CATALINA_BASE/webapps/manager/META-INF/context.xml configuration file.
Configure the maxActiveSessions setting according to the admin access requirements defined in the SSP.
EXAMPLE:
<Manager … maxActiveSessions="10" />
If the manager application is not in use or has been deleted from the system, this is not a finding.
From the Tomcat server, as an elevated user, run the following command:
sudo grep -i maxactivesessions $CATALINA_BASE/webapps/manager/META-INF/context.xml
If the maxActiveSessions setting is not configured according to the number of connections defined in the SSP, this is a finding.
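Added example, not part of the STIG text: a shell function that automates the check above by extracting maxActiveSessions from the manager context.xml and comparing it with the SSP value, skipping commented-out elements that a plain grep would also match. The function name, the output strings, the sample file and the SSP value of 10 are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not STIG text): evaluate maxActiveSessions against the SSP value.
# Usage: check_max_sessions <path to manager context.xml> <SSP session limit>
check_max_sessions() {
    ctx="$1"
    ssp_limit="$2"

    # Manager application deleted or not deployed: the check says not a finding.
    if [ ! -f "$ctx" ]; then
        echo "NOT_A_FINDING: $ctx not present (manager application not deployed)"
        return 0
    fi

    # Drop XML comments first so a commented-out <Manager> element is not
    # counted (line-oriented approximation), then extract the attribute value.
    value=$(sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$ctx" \
        | grep -io "maxActiveSessions[[:space:]]*=[[:space:]]*[\"'][^\"']*[\"']" \
        | head -n 1 \
        | sed -e "s/^[^\"']*[\"']//" -e "s/[\"']\$//")

    case "$value" in
        "")
            # Tomcat's default is -1, which places no limit on sessions.
            echo "FINDING: maxActiveSessions not set (default is unlimited)" ;;
        "$ssp_limit")
            echo "NOT_A_FINDING: maxActiveSessions=$value matches SSP value" ;;
        *)
            echo "FINDING: maxActiveSessions=$value, SSP value is $ssp_limit" ;;
    esac
}

# Constructed sample input: the live element sets 25, a stale comment shows 10.
demo_dir=$(mktemp -d)
cat > "$demo_dir/context.xml" <<'EOF'
<Context antiResourceLocking="false" privileged="true">
  <!-- <Manager maxActiveSessions="10" /> -->
  <Manager maxActiveSessions="25" />
</Context>
EOF
check_max_sessions "$demo_dir/context.xml" 10
rm -rf "$demo_dir"
```

The function always returns 0 and reports the result on stdout, so a wrapper can match on the leading FINDING or NOT_A_FINDING token.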
V-222926
False
TCAT-AS-000010
M
4094