STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

AccessLogValve must be configured for each application context.

DISA Rule

SV-222930r615938_rule

Vulnerability Number

V-222930

Group Title

SRG-APP-000016-AS-000013

Rule Version

TCAT-AS-000050

Severity

CAT II

CCI(s)

• CCI-000067 - The information system monitors remote access methods.
• CCI-000130 - The information system generates audit records containing information that establishes what type of event occurred.
• CCI-000133 - The information system generates audit records containing information that establishes the source of the event.
• CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.
• CCI-000166 - The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
• CCI-000169 - The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components.
• CCI-000172 - The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Weight

10

Fix Recommendation

As a privileged user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file.

Create a <Valve> element that is nested within the <Context> element containing an AccessLogValve.

EXAMPLE:

<Context
...
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="application_name_log" suffix=".txt"
pattern="%h %l %t %u &quot;%r&quot; %s %b" />
...
/>

Restart the Tomcat server:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

Check Contents

As an elevated user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file.

Review for all <Context> elements.

If a <Valve className="org.apache.catalina.valves.AccessLogValve" .../> element is not defined within each <Context> element, this is a finding.

EXAMPLE:

<Context
...
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="application_name_log" suffix=".txt"
pattern=""%h %l %t %u &quot;%r&quot; %s %b" />
...
/>

Vulnerability Number

V-222930

Documentable

False

Rule Version

TCAT-AS-000050

Severity Override Guidance

As an elevated user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file.

Review for all <Context> elements.

If a <Valve className="org.apache.catalina.valves.AccessLogValve" .../> element is not defined within each <Context> element, this is a finding.

EXAMPLE:

<Context
...
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="application_name_log" suffix=".txt"
pattern=""%h %l %t %u &quot;%r&quot; %s %b" />
...
/>

Check Content Reference

M

Target Key

4094

Comments