STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

AccessLogValve must be configured per each virtual host.

DISA Rule

SV-222938r615938_rule

Vulnerability Number

V-222938

Group Title

SRG-APP-000090-AS-000051

Rule Version

TCAT-AS-000180

Severity

CAT II

CCI(s)

• CCI-000130 - The information system generates audit records containing information that establishes what type of event occurred.
• CCI-000135 - The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records.
• CCI-000171 - The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system.
• CCI-000172 - The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
• CCI-001487 - The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.

Weight

10

Fix Recommendation

As a privileged user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file.

Create a <Valve> element that is nested beneath the <Host> element containing an AccessLogValve.

EXAMPLE:
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="false">
...
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %t %u &quot;%r&quot; %s %b" />
...
</Host>

Restart the Tomcat server:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

Check Contents

As an elevated user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file.

Review for all <Host> elements.

If a <Valve className="org.apache.catalina.valves.AccessLogValve" .../> element is not nested within each <Host> element, this is a finding.

EXAMPLE:
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="false">
...
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %t %u &quot;%r&quot; %s %b" />
...
</Host>

Vulnerability Number

V-222938

Documentable

False

Rule Version

TCAT-AS-000180

Severity Override Guidance

As an elevated user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file.

Review for all <Host> elements.

If a <Valve className="org.apache.catalina.valves.AccessLogValve" .../> element is not nested within each <Host> element, this is a finding.

EXAMPLE:
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="false">
...
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %t %u &quot;%r&quot; %s %b" />
...
</Host>

Check Content Reference

M

Target Key

4094

Comments