STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 22 Jan 2021

Hosted applications must be documented in the system security plan.

DISA Rule

SV-223007r615938_rule

Vulnerability Number

V-223007

Group Title

SRG-APP-000516-AS-000237

Rule Version

TCAT-AS-001710

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Document the applications that have an ATO on the Tomcat server.

Retain the information in the SSP and present to the auditor in the event of a CCRI.

Check Contents

Review the Tomcat server's System Security Plan/server documentation.

Access the Tomcat server and review the $CATALINA_BASE/webapps folder.

Ensure that all webapps are documented in the SSP.

If the applications that are hosted on the Tomcat server are not documented in the SSP, this is a finding.
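
The check above, as an added shell example (not part of the STIG or of STIGQter): it lists what is deployed under a webapps folder and reports every application missing from an SSP inventory. The inventory file format (one name per line, `#` for comments), the file names and the function names are assumptions.

```shell
#!/bin/sh
# Added example: compare deployed Tomcat webapps with an SSP inventory list.
# Assumption: the SSP inventory is exported as a plain-text file, one
# application name per line, '#' starting a comment (hypothetical format).

# Print the name of every application in a webapps folder, one per line.
# Exploded directories (app/) and archives (app.war) both count; a WAR and
# its exploded directory collapse to a single name.
deployed_webapps() {
    webapps_dir=$1
    for entry in "$webapps_dir"/*; do
        [ -e "$entry" ] || continue      # empty folder: the glob did not match
        name=${entry##*/}
        if [ -d "$entry" ]; then
            printf '%s\n' "$name"
        elif [ -f "$entry" ]; then
            case $name in
                *.war) printf '%s\n' "${name%.war}" ;;
            esac
        fi
    done | sort -u
}

# Print the application names listed in the SSP inventory file,
# with comments, surrounding whitespace and blank lines removed.
documented_webapps() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v '^$' | sort -u
}

# Print deployed applications that are missing from the SSP inventory.
# Returns 0 when everything is documented, 1 when at least one is missing.
undocumented_webapps() {
    deployed=$(deployed_webapps "$1")
    documented=$(documented_webapps "$2")
    # -x -F: whole-line, literal comparison; each inventory line is a pattern.
    missing=$(printf '%s\n' "$deployed" | grep -v -x -F -e "$documented" || true)
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# Usage: sh check_webapps.sh "$CATALINA_BASE/webapps" ssp_webapps.txt
if [ "$#" -eq 2 ]; then
    undocumented_webapps "$1" "$2"
fi
```

A non-empty result corresponds to the finding condition in the check. Applications deployed from outside this folder (a non-default `appBase`, or context descriptors pointing elsewhere) are not covered by this listing.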

Documentable

False

Severity Override Guidance

Review the Tomcat server's System Security Plan/server documentation.

Access the Tomcat server and review the $CATALINA_BASE/webapps folder.

Ensure that all webapps are documented in the SSP.

If the applications that are hosted on the Tomcat server are not documented in the SSP, this is a finding.

Check Content Reference

M

Target Key

4094
