STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Access to Tomcat manager application must be restricted.

DISA Rule

SV-222970r615938_rule

Vulnerability Number

V-222970

Group Title

SRG-APP-000211-AS-000146

Rule Version

TCAT-AS-000790

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Update system documentation (SSP) and identify the documented management networks as well as the documented client networks.

As a privileged user, edit the $CATALINA_BASE/webapps/manager/META-INF/context.xml file.

Configure the RemoteAddrValve or RemoteCIDRValve to restrict access to the management application. This can be a restriction to the localhost or to specific management networks or hosts on the management network. Choice of address or CIDR block usage is based on operational requirements.

Order is allow from, deny from. See Tomcat Valve component documentation at the Tomcat website for specific details and additional configuration options.

Test the access restrictions once configured to assure compliance.

EXAMPLES:

- RemoteAddrValve Localhost only IPV4 and IPV6
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>

- Localhost and Management network CIDR block IPV4 and IPV6
<Valve className="org.apache.catalina.valves.RemoteCIDRValve"
allow="127.0.0.1, ::1, 192.168.1.0/24"/>

Check Contents

Review system documentation (SSP) and identify the documented management networks as well as the documented client networks. If the manager application has been deleted from the system, this is not a finding.

Run the following command as a privileged user:

sudo grep -i -A1 "RemoteAddrValve\|RemoteCIDRValve" $CATALINA_BASE/webapps/manager/META-INF/context.xml

If there are no results, then no address valves exist and this is a finding.

If the Remote Address Valve settings are commented out or not configured to restrict access to localhost or the management network, this is a finding.

EXAMPLES:

- RemoteAddrValve Localhost only IPV4 and IPV6 example
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>

- Localhost and Management network CIDR block IPV4 and IPV6 example
<Valve className="org.apache.catalina.valves.RemoteCIDRValve"
allow="127.0.0.1, ::1, 192.168.1.0/24"/>
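The grep in the check above lists valve lines but cannot tell an active valve from one inside an XML comment, which the check also treats as a finding. The following POSIX sh script is an added example, not part of the STIG or of Tomcat; it strips XML comments (including multi-line ones) before looking for a RemoteAddrValve or RemoteCIDRValve with an allow attribute, and joins lines so a Valve element split across two lines, as in the STIG examples, is still matched. The three context.xml contents it creates under a temporary directory are constructed for the demonstration; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not STIG or Tomcat code): an "active address valve" check for
# $CATALINA_BASE/webapps/manager/META-INF/context.xml. A valve that is only
# present inside <!-- ... --> is reported as a finding, as the STIG check requires.

# Remove <!-- ... --> spans (also multi-line ones) from XML read on stdin.
strip_xml_comments() {
    awk '
    {
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }       # comment continues on the next line
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); incomment = 1
            }
        }
        print out
    }'
}

# Print each active RemoteAddrValve/RemoteCIDRValve element that carries an
# allow attribute, one per line. Prints nothing when no such valve is active.
active_remote_valves() {
    strip_xml_comments < "$1" | tr '\n' ' ' | grep -Eo '<Valve[^>]*>' \
        | grep -Ei 'className="org\.apache\.catalina\.valves\.Remote(Addr|CIDR)Valve"' \
        | grep -Ei 'allow=' || true
}

# Usage: check_manager_valve /path/to/manager/META-INF/context.xml
# Prints PASS or FINDING; returns 0 (pass), 1 (finding) or 2 (file unreadable).
check_manager_valve() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "UNREADABLE: $file"
        return 2
    fi
    valves=$(active_remote_valves "$file")
    if [ -z "$valves" ]; then
        echo "FINDING: no active RemoteAddrValve/RemoteCIDRValve with an allow list in $file"
        return 1
    fi
    echo "PASS: $valves"
    return 0
}

# --- constructed sample files (hypothetical content, for demonstration only) ---
SAMPLE_DIR=$(mktemp -d)

# Compliant: valve attribute split across two lines, as in the STIG example.
cat > "$SAMPLE_DIR/good.xml" <<'EOF'
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteCIDRValve"
         allow="127.0.0.1, ::1, 192.168.1.0/24"/>
</Context>
EOF

# Finding: the only valve sits inside a multi-line XML comment.
cat > "$SAMPLE_DIR/commented.xml" <<'EOF'
<Context antiResourceLocking="false" privileged="true">
  <!--
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
  -->
</Context>
EOF

# Finding: no address valve at all.
cat > "$SAMPLE_DIR/none.xml" <<'EOF'
<Context antiResourceLocking="false" privileged="true">
</Context>
EOF

# Stand-alone run: report each sample file.
for f in good commented none; do
    check_manager_valve "$SAMPLE_DIR/$f.xml" || true
done
```

On a real host, point check_manager_valve at the manager application's context.xml (as a privileged user, since the file is usually not world-readable) and then confirm the allow list matches the management networks documented in the SSP; the script only establishes that an active, uncommented valve with an allow list exists.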

Vulnerability Number

V-222970

Documentable

False

Rule Version

TCAT-AS-000790

Severity Override Guidance

Review system documentation (SSP) and identify the documented management networks as well as the documented client networks. If the manager application has been deleted from the system, this is not a finding.

Run the following command as a privileged user:

sudo grep -i -A1 "RemoteAddrValve\|RemoteCIDRValve" $CATALINA_BASE/webapps/manager/META-INF/context.xml

If there are no results, then no address valves exist and this is a finding.

If the Remote Address Valve settings are commented out or not configured to restrict access to localhost or the management network, this is a finding.

EXAMPLES:

- RemoteAddrValve Localhost only IPV4 and IPV6 example
<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>

- Localhost and Management network CIDR block IPV4 and IPV6 example
<Valve className="org.apache.catalina.valves.RemoteCIDRValve"
allow="127.0.0.1, ::1, 192.168.1.0/24"/>

Check Content Reference

M

Target Key

4094

Comments