STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

LockOutRealms failureCount attribute must be set to 5 failed logins for admin users.

DISA Rule

SV-222981r615938_rule

Vulnerability Number

V-222981

Group Title

SRG-APP-000316-AS-000199

Rule Version

TCAT-AS-001030

Severity

CAT II

CCI(s)

• CCI-002322 - The organization provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period.

Weight

10

Fix Recommendation

From the Tomcat server console as a privileged user edit the $CATALINA_BASE/conf/server.xml file.

sudo nano $CATALINA_BASE/conf/server.xml file

Locate or add the LockOutRealm element. Set LockOutRealm failureCount="5"

EXAMPLE:
<Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="600">
...
</Realm>

Check Contents

From the Tomcat server console, run the following command:

sudo grep -i LockOutRealm $CATALINA_BASE/conf/server.xml.

If there are no results or if the LockOutRealm failureCount setting is not configured to 5, this is a finding.

Vulnerability Number

V-222981

Documentable

False

Rule Version

TCAT-AS-001030

Severity Override Guidance

From the Tomcat server console, run the following command:

sudo grep -i LockOutRealm $CATALINA_BASE/conf/server.xml.

If there are no results or if the LockOutRealm failureCount setting is not configured to 5, this is a finding.

Check Content Reference

M

Target Key

4094

Comments