STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Tomcat servers behind a proxy or load balancer must log client IP.

DISA Rule

SV-222937r615938_rule

Vulnerability Number

V-222937

Group Title

SRG-APP-000089-AS-000050

Rule Version

TCAT-AS-000170

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the Tomcat server as a privileged user:

Edit the $CATALINA_BASE/conf/server.xml file.

Add or edit the RemoteIpValve and set internalProxies to a regular expression that matches the addresses of the proxy or load balancer (escape literal dots). This step is only strictly required when the proxy address is not already covered by the valve's default internalProxies pattern (in Tomcat 9 the default covers the RFC 1918 private ranges and loopback, so a routable proxy address always needs it); listing the proxies explicitly is still the safer choice, because RemoteIpValve honours X-Forwarded-For only from addresses matching the pattern, and an over-broad pattern lets a client forge the address that ends up in the log.

Modify the AccessLogValve and set requestAttributesEnabled="true" so the access log records the client address that RemoteIpValve places in the request attributes instead of the proxy's own address.

EXAMPLE:

<!-- internalProxies is a java.util.regex pattern matched against the whole remote address, so literal dots are escaped -->
<Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="172\.16\.0\.10|172\.16\.0\.11" />

<!-- requestAttributesEnabled defaults to false on this valve; it must be set explicitly -->
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs"
       prefix="access"
       suffix=".log"
       pattern="combined"
       renameOnRotate="true"
       requestAttributesEnabled="true"
/>

Restart Tomcat:
sudo systemctl restart tomcat

(Run sudo systemctl daemon-reload before the restart only if the systemd unit file itself was changed; editing server.xml does not require it.)

Check Contents

Review the System Security Plan and determine if the Tomcat server resides behind a proxy server or load balancer. If the Tomcat server is not behind a proxy server or load balancer, this requirement is NA.

From the Tomcat server run the following command:

sudo grep -i RemoteIpValve $CATALINA_BASE/conf/server.xml

If the results are empty, or if the RemoteIpValve has requestAttributesEnabled set to anything other than "true" (the attribute defaults to true when it is omitted), this is a finding.

sudo grep -i AccessLogValve $CATALINA_BASE/conf/server.xml

If the AccessLogValve does not have requestAttributesEnabled set to "true" (the attribute defaults to false when it is omitted), this is a finding. Note that each grep prints only the line containing the class name; when a Valve element spans several lines, as in the example above, inspect the whole element (for example with grep -i -A8) before deciding.
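To apply the fix and check above against a copy of server.xml, here is an added example script written for this page (it is not DISA's or Tomcat's code). It parses server.xml as XML instead of grepping, so it sees attributes on any line of a multi-line Valve element, and it also tests whether the configured internalProxies pattern actually matches the proxy addresses you expect, which the grep check cannot tell you. It assumes Tomcat 9's documented defaults (RemoteIpValve requestAttributesEnabled=true, AccessLogValve requestAttributesEnabled=false, case-insensitive boolean attributes, and the default internalProxies pattern quoted in the block); the two server.xml fragments are constructed samples, the first being the STIG's own example with the regex dots escaped.

```python
"""Audit a Tomcat 9 server.xml for TCAT-AS-000170 (client IP logging behind a proxy).

Added example for this page; not DISA or Tomcat code. Assumptions (not stated
in the STIG text): Tomcat 9 defaults RemoteIpValve requestAttributesEnabled to
true and AccessLogValve requestAttributesEnabled to false, parses boolean
attributes case-insensitively, and matches internalProxies against the whole
remote address as a java.util.regex pattern.
"""
import re
import xml.etree.ElementTree as ET

REMOTE_IP_VALVE = "org.apache.catalina.valves.RemoteIpValve"
ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"

# Tomcat 9's documented default for internalProxies (assumption: taken from the
# RemoteIpValve reference; verify it against the version you actually run).
DEFAULT_INTERNAL_PROXIES = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|"
    r"172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|"
    r"172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1|::1"
)


def _bool_attr(elem, name, default):
    """Read a Tomcat boolean attribute; Tomcat accepts true/True/TRUE alike."""
    value = elem.get(name)
    if value is None:
        return default
    return value.strip().lower() == "true"


def audit_server_xml(xml_text):
    """Return the list of findings for this rule; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    valves = list(root.iter("Valve"))
    remote_ip = [v for v in valves if v.get("className") == REMOTE_IP_VALVE]
    access_log = [v for v in valves if v.get("className") == ACCESS_LOG_VALVE]
    findings = []

    if not remote_ip:
        findings.append("no RemoteIpValve configured")
    for v in remote_ip:
        # Absent attribute means the Tomcat default (true), which is acceptable.
        if not _bool_attr(v, "requestAttributesEnabled", default=True):
            findings.append('RemoteIpValve sets requestAttributesEnabled="false"')

    if not access_log:
        findings.append("no AccessLogValve configured")
    for v in access_log:
        # Absent attribute means the Tomcat default (false), which is a finding.
        if not _bool_attr(v, "requestAttributesEnabled", default=False):
            findings.append('AccessLogValve is missing requestAttributesEnabled="true"')
    return findings


def proxies_trusted(xml_text, proxy_addresses):
    """Map each proxy address to whether the (configured or default) internalProxies pattern matches it.

    RemoteIpValve only honours X-Forwarded-For from addresses matching this
    pattern, so an unmatched proxy leaves the proxy's own IP in the access log.
    """
    root = ET.fromstring(xml_text)
    patterns = [v.get("internalProxies") or DEFAULT_INTERNAL_PROXIES
                for v in root.iter("Valve") if v.get("className") == REMOTE_IP_VALVE]
    pattern = patterns[0] if patterns else DEFAULT_INTERNAL_PROXIES
    # Tomcat uses Matcher.matches(), i.e. the whole address must match.
    return {addr: re.fullmatch(pattern, addr) is not None for addr in proxy_addresses}


# Constructed sample: the STIG's own example with the regex dots escaped.
COMPLIANT_SERVER_XML = """<Server><Service><Engine><Host>
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="172\\.16\\.0\\.10|172\\.16\\.0\\.11" />
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="access" suffix=".log" pattern="combined"
         renameOnRotate="true" requestAttributesEnabled="true" />
</Host></Engine></Service></Server>"""

# Constructed sample: a stock-style server.xml that only has the access log valve.
NONCOMPLIANT_SERVER_XML = """<Server><Service><Engine><Host>
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="localhost_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host></Engine></Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("compliant", COMPLIANT_SERVER_XML), ("noncompliant", NONCOMPLIANT_SERVER_XML)):
        print(name, audit_server_xml(xml) or "no findings")
    print(proxies_trusted(COMPLIANT_SERVER_XML, ["172.16.0.10", "203.0.113.7"]))
```

Run it with python3 to see the findings for each sample; to check a real server, pass the contents of $CATALINA_BASE/conf/server.xml to audit_server_xml and your proxy addresses to proxies_trusted. A proxy that proxies_trusted reports as False is one whose X-Forwarded-For header RemoteIpValve will ignore, so the access log would still show that proxy's address rather than the client's.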

Documentable

False

Severity Override Guidance

See Check Contents above.

Check Content Reference

M

Target Key

4094

Comments