STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 22 Jan 2021

Tomcat servers must mutually authenticate proxy or load balancer connections.

DISA Rule

SV-222971r615938_rule

Vulnerability Number

V-222971

Group Title

SRG-APP-000219-AS-000147

Rule Version

TCAT-AS-000800

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

Modify each <Connector> element where the IP address is behind a proxy or load balancer.

Set clientAuth="true", then identify the applications associated with that connector and edit their web.xml files. Ensure the <auth-method> is set to CLIENT-CERT.

Check Contents

Review system security plan and/or system architecture documentation and interview the system admin. Identify any proxy servers or load balancers that provide services for the Tomcat server. If there are no load balancers or proxies in use, this is not a finding.

If there is a documented risk acceptance for not mutually authenticating proxy or load balancer connections, due to operational issues or RMF system categorization, this is not a finding.

Using the aforementioned documentation, identify each Tomcat IP address that is served by a load balancer or proxy.

From the Tomcat server as a privileged user, review the $CATALINA_BASE/conf/server.xml file. Review each <Connector> element for the address setting and the clientAuth setting.

sudo grep -i -B1 -A5 connector $CATALINA_BASE/conf/server.xml

If a connector has a configured IP address that is proxied or load balanced and the clientAuth setting is not "true", this is a finding.
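The check above is written as a manual grep; the script below is an added example (not part of the STIG or of STIGQter) that performs the same check by parsing server.xml as XML, so that multi-line <Connector> elements and attribute order do not matter, and that also reports the <auth-method> values of a web.xml. The sample server.xml, web.xml and the PROXIED_ADDRESSES set are constructed for this example; in practice the address list comes from the system security plan or architecture documentation. It goes slightly beyond the STIG text in one respect: a <Connector> with no address attribute binds all interfaces, including any proxied address, so it is reported too.

```python
"""Compliance check for TCAT-AS-000800 (added example, not DISA or STIGQter code).

Reports <Connector> elements that serve a proxied/load-balanced address without
clientAuth="true", and lists the <auth-method> values found in a web.xml.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml: 10.0.0.10 and 10.0.0.11 sit behind a load
# balancer; 127.0.0.1 is local only; the last connector has no address
# attribute and therefore listens on every interface.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" address="10.0.0.10"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="true" />
    <Connector port="8444" address="10.0.0.11"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false" />
    <Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1" />
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="want" />
  </Service>
</Server>
"""

# Constructed sample web.xml for an application behind one of the connectors.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>
"""

# Assumed to be taken from the architecture documentation (constructed here).
PROXIED_ADDRESSES = {"10.0.0.10", "10.0.0.11"}


def _local_name(tag):
    """Strip an XML namespace prefix such as {http://...}auth-method."""
    return tag.rsplit("}", 1)[-1]


def find_noncompliant_connectors(server_xml, proxied_addresses):
    """Return connectors on a proxied address (or on all interfaces) whose
    clientAuth is anything other than "true". Each finding is a dict."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        address = conn.get("address")          # None means "all interfaces"
        if address is not None and address not in proxied_addresses:
            continue
        client_auth = conn.get("clientAuth")   # Tomcat accepts true/want/false
        if (client_auth or "").lower() != "true":
            findings.append({"address": address,
                             "port": conn.get("port"),
                             "clientAuth": client_auth})
    return findings


def web_xml_auth_methods(web_xml):
    """Return every <auth-method> value in a web.xml, namespace-agnostic."""
    root = ET.fromstring(web_xml)
    return [e.text.strip() for e in root.iter()
            if _local_name(e.tag) == "auth-method" and e.text]


def web_xml_uses_client_cert(web_xml):
    """True only if a login-config exists and every auth-method is CLIENT-CERT."""
    methods = web_xml_auth_methods(web_xml)
    return bool(methods) and all(m.upper() == "CLIENT-CERT" for m in methods)


if __name__ == "__main__":
    # Usage: python check_tcat_800.py [server.xml [web.xml ...]]
    # Without arguments the constructed samples are checked.
    server_xml = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for f in find_noncompliant_connectors(server_xml, PROXIED_ADDRESSES):
        print("FINDING: connector port=%s address=%s clientAuth=%s"
              % (f["port"], f["address"] or "(all interfaces)", f["clientAuth"]))
    web_xmls = [open(p).read() for p in sys.argv[2:]] or [SAMPLE_WEB_XML]
    for w in web_xmls:
        print("web.xml auth-method:", web_xml_auth_methods(w),
              "CLIENT-CERT:", web_xml_uses_client_cert(w))
```

Run against the samples, the script reports the 10.0.0.11 connector (clientAuth="false") and the address-less port 8445 connector (clientAuth="want"), while the compliant 10.0.0.10 connector and the loopback-only connector are silent; the sample web.xml is reported as using BASIC rather than CLIENT-CERT.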

Vulnerability Number

V-222971

Documentable

False

Rule Version

TCAT-AS-000800

Severity Override Guidance

Check Content Reference

M

Target Key

4094

Comments