STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Connectors must be secured.

DISA Rule

SV-222935r615938_rule

Vulnerability Number

V-222935

Group Title

SRG-APP-000033-AS-000024

Rule Version

TCAT-AS-000100

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the Tomcat server as a privileged user, edit the server.xml file:

sudo nano $CATALINA_BASE/conf/server.xml

Locate each <Connector/> element that lacks scheme="https" and secure="true". Both attributes are absent in the default configuration, and Tomcat defaults them to scheme="http" and secure="false".

EXAMPLE Connector:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />

Set or add scheme="https" and secure="true" on each HTTP connector element. Be clear about what these attributes do: they make Tomcat report requests on that connector as secure (request.isSecure() returns true and request.getScheme() returns "https"); they do not enable TLS by themselves. A connector that terminates TLS in Tomcat must also have SSLEnabled="true" and a certificate configured, as in the example below. If the attributes are set on a plain-HTTP connector, that connector must be reachable only from a TLS-terminating proxy; otherwise applications will treat cleartext requests as protected.

EXAMPLE:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true".../>

Save the server.xml file and restart Tomcat:
sudo systemctl restart tomcat

A systemctl daemon-reload is not required here: it only re-reads systemd unit files and does nothing for a server.xml change.

Check Contents

From the Tomcat server console, run the following command:

sudo cat $CATALINA_BASE/conf/server.xml

Examine each active <Connector/> element. Connectors enclosed in <!-- --> comments are never loaded by Tomcat and do not count, so do not rely on a plain grep for "Connector".

For each connector, verify that secure="true" and scheme="https" are set. Because Tomcat defaults to scheme="http" and secure="false", a connector on which either attribute is absent fails the check.

If any HTTP connector element does not have secure="true" and scheme="https", this is a finding.
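As an added worked example (not part of the STIG or of STIGQter), the following Python script performs the check above against a server.xml: it parses every active <Connector/> element, applies Tomcat's defaults (scheme="http", secure="false") when an attribute is absent, and reports each connector as a finding or as compliant. It goes slightly beyond the rule text by also noting whether the connector itself terminates TLS (SSLEnabled="true"), since a connector marked secure="true" without TLS relies on an upstream terminator. The sample server.xml, the ConnectorFinding record and the function names are constructed for this example.

```python
"""Audit the <Connector/> elements of a Tomcat server.xml for TCAT-AS-000100.

Added example, not part of the STIG or STIGQter. The sample server.xml, the
ConnectorFinding record and the function names are constructed here.
"""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed sample server.xml. Contains a commented-out connector (inactive,
# must be ignored), a bare HTTP connector (finding), a TLS connector (compliant)
# and an AJP connector marked secure without terminating TLS itself.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- inactive connector, must not be counted:
    <Connector port="8081" protocol="HTTP/1.1" />
    -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8009" protocol="AJP/1.3" secretRequired="true"
               scheme="https" secure="true" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""


@dataclass
class ConnectorFinding:
    port: str
    protocol: str
    scheme: str        # effective value, Tomcat default "http" when absent
    secure: str        # effective value, Tomcat default "false" when absent
    ssl_enabled: bool  # True only if Tomcat terminates TLS on this connector
    compliant: bool    # scheme="https" and secure="true", as the rule requires
    note: str


def audit_connectors(server_xml: str) -> List[ConnectorFinding]:
    """Return one record per active <Connector/>, in document order.

    ElementTree drops XML comments, so connectors that are commented out in
    server.xml (and therefore never started by Tomcat) are not reported.
    """
    root = ET.fromstring(server_xml)
    findings: List[ConnectorFinding] = []
    for conn in root.iter("Connector"):
        scheme = conn.get("scheme", "http").lower()
        secure = conn.get("secure", "false").lower()
        ssl_enabled = conn.get("SSLEnabled", "false").lower() == "true"
        compliant = scheme == "https" and secure == "true"
        if not compliant:
            note = 'finding: set scheme="https" and secure="true"'
        elif ssl_enabled:
            note = "compliant: TLS terminated by Tomcat"
        else:
            # The attributes only make Tomcat *report* requests as secure;
            # without SSLEnabled the connector itself speaks cleartext.
            note = ("compliant by rule text, but TLS is not terminated here: "
                    "expose this connector only to a TLS-terminating proxy")
        findings.append(ConnectorFinding(
            port=conn.get("port", ""),
            protocol=conn.get("protocol", "HTTP/1.1"),
            scheme=scheme, secure=secure, ssl_enabled=ssl_enabled,
            compliant=compliant, note=note))
    return findings


def is_finding(server_xml: str) -> bool:
    """True if any active connector fails the rule (CAT II finding)."""
    return any(not f.compliant for f in audit_connectors(server_xml))


if __name__ == "__main__":
    # Usage: python audit_connectors.py [/path/to/server.xml]
    # Without an argument the constructed sample above is audited.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for f in audit_connectors(xml_text):
        status = "FINDING" if not f.compliant else "ok"
        print(f"port={f.port:<5} protocol={f.protocol:<45} scheme={f.scheme} "
              f"secure={f.secure} SSLEnabled={f.ssl_enabled} [{status}] {f.note}")
    sys.exit(1 if is_finding(xml_text) else 0)
```

Run it as sudo python3 audit_connectors.py $CATALINA_BASE/conf/server.xml; a non-zero exit code means at least one active connector is a finding. Parsing the XML rather than grepping it is what keeps commented-out connectors out of the result.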

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

4094

Comments