STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021

TLS must be enabled on JMX.

DISA Rule

SV-222964r615938_rule

Vulnerability Number

V-222964

Group Title

SRG-APP-000153-AS-000104

Rule Version

TCAT-AS-000630

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

If using JMX for management of the Tomcat server, start the Tomcat server by adding the following command line flags to the systemd startup scripts in /etc/systemd/system/tomcat.service.

Environment='CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true'

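# Reload unit files first so the edited tomcat.service is picked up
sudo systemctl daemon-reload
# Restart so a running Tomcat is relaunched with the new flags
sudo systemctl restart tomcat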

Check Contents

JMX management is configured via the Tomcat CATALINA_OPTS environment variable, which is maintained in the /etc/systemd/system/tomcat.service file on Ubuntu systems that use systemd. For other flavors of Linux, this location may vary.

As a privileged user on the Tomcat server, run the following command:

grep -i jmxremote /etc/systemd/system/tomcat.service

Review the output. If no results are displayed, the jmxremote management extensions are not used, and this requirement is NA.

If the JMXremote setting is configured and jmxremote.ssl="false", this is a finding.

EXAMPLE:
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote.ssl=false
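
The check above can be scripted. The following is an added example, not part of the STIG or of STIGQter: a shell function that applies the same NA / finding decision to a unit file, skipping commented-out lines and matching quoted or mixed-case values. The function name jmx_tls_status, the UNREADABLE result and the sample unit files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: jmx_tls_status is a hypothetical helper, not part of the STIG.
# Prints NA, FINDING, NOT_A_FINDING or UNREADABLE for the unit file in $1.
jmx_tls_status() {
    # The unit file location varies by distribution; do not report NA
    # for a file that simply is not there.
    [ -r "$1" ] || { echo "UNREADABLE"; return 0; }
    # Ignore comment lines (# or ;), then keep lines naming jmxremote,
    # case-insensitively, as the check's "grep -i jmxremote" does.
    active=$(grep -v '^[[:space:]]*[#;]' "$1" | grep -i 'jmxremote' || true)
    if [ -z "$active" ]; then
        echo "NA"                # JMX remote management is not configured
    elif printf '%s\n' "$active" |
        grep -Eiq "jmxremote\.ssl=[\"']?false([\"'[:space:]]|\$)"; then
        echo "FINDING"           # TLS explicitly disabled on JMX
    else
        echo "NOT_A_FINDING"
    fi
}

# Constructed sample unit files; contents are illustrative only.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
jmx='-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=true'
printf '%s\n' '[Service]' 'Type=forking' > "$tmp/no_jmx.service"
printf '%s\n' '[Service]' \
    "Environment='CATALINA_OPTS=$jmx -Dcom.sun.management.jmxremote.ssl=false'" \
    > "$tmp/weak.service"
printf '%s\n' '[Service]' \
    "Environment='CATALINA_OPTS=$jmx -Dcom.sun.management.jmxremote.ssl=true'" \
    > "$tmp/hardened.service"
printf '%s\n' '[Service]' \
    "#Environment='CATALINA_OPTS=$jmx -Dcom.sun.management.jmxremote.ssl=false'" \
    > "$tmp/commented.service"

# Report the status of each sample, one per line.
for name in no_jmx weak hardened commented; do
    printf '%-10s %s\n' "$name" "$(jmx_tls_status "$tmp/$name.service")"
done
```

A plain grep would report the commented-out sample as a match; the function treats it as NA because the setting is not active.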

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4094

Comments