STIGQter: STIG Summary: ISEC7 Sphere Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

Tomcat SSL must be restricted except for ISEC7 EMM Suite tasks.

DISA Rule

SV-224793r505933_rule

Vulnerability Number

V-224793

Group Title

SRG-APP-000439

Rule Version

ISEC-06-551700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To restrict Tomcat SSL to only ISEC7 EMM Suite tasks, run the ISEC7 integrated installer or use the following manual procedure:

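To restrict SSL for all users except for agent tasks, add the security constraints below to <Drive>:\ProgramFiles\ISEC7 EMM Suite\Tomcat\conf\web.xml. The Secure constraint requires an encrypted transport (CONFIDENTIAL) for every URL; the Unsecure constraint, which carries no user-data-constraint, exempts the listed agent, client, remote control and traffic push paths from that requirement.

Log in to the ISEC7 EMM Suite server.
Navigate to <Drive>:\ProgramFiles\ISEC7 EMM Suite\Tomcat\conf\
Edit the web.xml file with Notepad.exe
Add the following entries: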

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Unsecure</web-resource-name>
    <!-- Agent -->
    <url-pattern>/BNator/agent/*</url-pattern>
    <url-pattern>/app/agent/*</url-pattern>
    <url-pattern>/app/admin/agentinstaller.jnlp</url-pattern>
    <!-- Client -->
    <url-pattern>/app/clients/*</url-pattern>
    <url-pattern>/app/data/*</url-pattern>
    <!-- Remote Control -->
    <url-pattern>/rc/*</url-pattern>
    <!-- Traffic Push -->
    <url-pattern>/BNator/uss/trafficinfo/*</url-pattern>
    <url-pattern>/BNator/data/mds/trafficpush</url-pattern>
    <url-pattern>/BNator/favorites/*</url-pattern>
    <url-pattern>/app/resource/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Check Contents

Verify Tomcat SSL is restricted to only ISEC7 EMM Suite tasks.

Log in to the ISEC7 EMM Suite server.
Navigate to <Drive>:\ProgramFiles\ISEC7 EMM Suite\Tomcat\conf\
Edit the web.xml file with Notepad.exe
Verify the following entries are present:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Unsecure</web-resource-name>
    <!-- Agent -->
    <url-pattern>/BNator/agent/*</url-pattern>
    <url-pattern>/app/agent/*</url-pattern>
    <url-pattern>/app/admin/agentinstaller.jnlp</url-pattern>
    <!-- Client -->
    <url-pattern>/app/clients/*</url-pattern>
    <url-pattern>/app/data/*</url-pattern>
    <!-- Remote Control -->
    <url-pattern>/rc/*</url-pattern>
    <!-- Traffic Push -->
    <url-pattern>/BNator/uss/trafficinfo/*</url-pattern>
    <url-pattern>/BNator/data/mds/trafficpush</url-pattern>
    <url-pattern>/BNator/favorites/*</url-pattern>
    <url-pattern>/app/resource/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

If Tomcat SSL is not restricted to only ISEC7 EMM Suite tasks, this is a finding.
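
The manual check above can be scripted. The following Python script is an added example, not part of the STIG or of ISEC7's tooling: it parses web.xml, confirms that /* carries CONFIDENTIAL, and compares the paths left without a transport guarantee against the STIG's list, also reporting any extra exempted path, which goes beyond the literal check text. The function and constant names and the sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Paths the STIG's "Unsecure" constraint exempts from the TLS requirement.
ALLOWED_EXEMPT = {
    "/BNator/agent/*", "/app/agent/*", "/app/admin/agentinstaller.jnlp",
    "/app/clients/*", "/app/data/*", "/rc/*",
    "/BNator/uss/trafficinfo/*", "/BNator/data/mds/trafficpush",
    "/BNator/favorites/*", "/app/resource/*",
}

def _local(tag):
    """Drop a namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]

def check_web_xml(xml_text):
    """Return a list of findings; an empty list means the check passes."""
    root = ET.fromstring(xml_text)
    exempt, catch_all = set(), False
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter()
                    if _local(e.tag) == "url-pattern" and e.text}
        guarantee = next((e.text.strip().upper() for e in sc.iter()
                          if _local(e.tag) == "transport-guarantee" and e.text), "NONE")
        # The container applies the best-matching url-pattern, so a more
        # specific pattern with no guarantee is not covered by /*.
        if guarantee == "NONE":
            exempt |= patterns
        elif guarantee == "CONFIDENTIAL" and "/*" in patterns:
            catch_all = True
    findings = [] if catch_all else ["no CONFIDENTIAL constraint on /*"]
    findings += [f"missing exemption: {p}" for p in sorted(ALLOWED_EXEMPT - exempt)]
    findings += [f"unexpected exemption: {p}" for p in sorted(exempt - ALLOWED_EXEMPT)]
    return findings

# Constructed sample: catch-all present, one STIG path, one extra exemption.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint><web-resource-collection>
    <web-resource-name>Unsecure</web-resource-name>
    <url-pattern>/rc/*</url-pattern><url-pattern>/debug/*</url-pattern>
  </web-resource-collection></security-constraint>
  <security-constraint><web-resource-collection>
    <web-resource-name>Secure</web-resource-name><url-pattern>/*</url-pattern>
  </web-resource-collection><user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint></security-constraint></web-app>"""

if __name__ == "__main__":
    print("\n".join(check_web_xml(SAMPLE)))
```

Any line the script reports corresponds to a deviation from the entries listed in the check; an "unexpected exemption" means a path other than the ISEC7 EMM Suite task paths is reachable without TLS being enforced.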

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4200

Comments