STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.

DISA Rule

SV-222993r615938_rule

Vulnerability Number

V-222993

Group Title

SRG-APP-000391-AS-000239

Rule Version

TCAT-AS-001320

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the Tomcat server as a privileged user, edit the $CATALINA_BASE/webapps/manager/WEB-INF/web.xml file and modify the auth-method for the manager application security constraint.

sudo nano $CATALINA_BASE/webapps/manager/WEB-INF/web.xml

Locate the <auth-method> element within the <login-config> section and change its value to CLIENT-CERT.

EXAMPLE:
<auth-method>CLIENT-CERT</auth-method>

In addition, the connector used for accessing the manager application must be configured to require client authentication by setting clientAuth="true", and the manager application roles must be configured in the LDAP server.

Restart the Tomcat server:
sudo systemctl restart tomcat

Check Contents

If the manager application has been deleted from the Tomcat server, this is not a finding. From the Tomcat server as a privileged user, issue the following command:

sudo grep -i auth-method $CATALINA_BASE/webapps/manager/WEB-INF/web.xml

If the <Auth-Method> for the web manager application is not set to CLIENT-CERT, this is a finding.
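The following script is an added example, not part of the STIG text or of STIGQter. It automates the check above (a case-insensitive grep for auth-method in the manager application's web.xml, treating an absent manager application as not a finding) and also inspects a server.xml for TLS connectors that lack the clientAuth="true" setting the fix calls for. The sample web.xml and server.xml files are constructed for the example; it assumes each Connector element sits on one line and uses $CATALINA_BASE only in the usage note.

```shell
#!/bin/sh
# Added example: automated version of the TCAT-AS-001320 check.
# Sample files below are constructed for this demonstration.

# check_auth_method WEBXML
# Return codes: 0 = CLIENT-CERT configured, 1 = finding, 2 = manager app absent (not a finding)
check_auth_method() {
    webxml="$1"
    if [ ! -f "$webxml" ]; then
        echo "NOT A FINDING: manager application not present ($webxml)"
        return 2
    fi
    # Same pattern as the STIG check: case-insensitive match on <auth-method>,
    # keeping only the element's text content.
    method=$(sed -n 's/.*<[Aa][Uu][Tt][Hh]-[Mm][Ee][Tt][Hh][Oo][Dd]>[[:space:]]*\([^<]*\).*/\1/p' "$webxml" \
             | head -n 1 | tr -d '[:space:]')
    if [ "$method" = "CLIENT-CERT" ]; then
        echo "COMPLIANT: auth-method is CLIENT-CERT ($webxml)"
        return 0
    fi
    echo "FINDING: auth-method is '${method:-<missing>}', expected CLIENT-CERT ($webxml)"
    return 1
}

# count_connectors_without_client_auth SERVERXML
# Prints the number of SSLEnabled connectors that do not set clientAuth="true".
# Assumption (constructed sample): one <Connector .../> per line.
count_connectors_without_client_auth() {
    serverxml="$1"
    grep -i '<Connector' "$serverxml" \
        | grep -i 'SSLEnabled="true"' \
        | grep -vic 'clientAuth="true"'
}

# --- constructed sample input ---------------------------------------------
demo_dir=$(mktemp -d)

cat > "$demo_dir/web-bad.xml" <<'EOF'
<web-app>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>
</web-app>
EOF

cat > "$demo_dir/web-good.xml" <<'EOF'
<web-app>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>
</web-app>
EOF

cat > "$demo_dir/server.xml" <<'EOF'
<Server>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true" />
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true" clientAuth="true" />
</Server>
EOF

# Run the checks on the constructed samples; each call's exit code is the verdict.
check_auth_method "$demo_dir/web-good.xml" || true
check_auth_method "$demo_dir/web-bad.xml"  || true
check_auth_method "$demo_dir/web-missing.xml" || true
echo "TLS connectors missing clientAuth=\"true\": $(count_connectors_without_client_auth "$demo_dir/server.xml")"
```

On a real server the same function is pointed at the deployed file, e.g. check_auth_method "$CATALINA_BASE/webapps/manager/WEB-INF/web.xml", and a non-zero count from the connector check means the "in addition" part of the fix has not been applied to that connector.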

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4094

Comments