{
"stig": {
"date": "2021-12-27",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-222926": {
"checkid": "C-24598r426222_chk",
"checktext": "If the manager application is not in use or has been deleted from the system, this is not a finding.\n\nFrom the Tomcat server as an elevated user run the following command:\n\nsudo grep -i maxactivesessions $CATALINA_BASE/webapps/manager/META-INF/context.xml\n\nIf the maxActiveSessions setting is not configured according to the number of connections defined in the SSP, this is a finding.",
"description": "The manager application provides configuration access to the Tomcat server. Access to the manager application must be limited and that includes the number of sessions allowed to access the management application. A balance must be struck between the number of simultaneous connections allowed to the management application and the number of authorized admins requiring access at any given time.\n\nDetermine the number of authorized admins requiring simultaneous access and increase the number of allowed simultaneous sessions by a small percentage in order to help prevent potential lockouts.\n\nDocument that value in the System Security Plan (SSP).",
"fixid": "F-24587r426223_fix",
"fixtext": "Determine the number of authorized admins requiring simultaneous access and increase the number of allowed simultaneous sessions by a small percentage in order to address potential lockout scenarios. Document that value in the System Security Plan.\n\nReview the maxActiveSessions setting in the $CATALINA_BASE/webapps/manager/META-INF/context.xml configuration file.\n\nConfigure the maxActiveSessions setting according to the admin access requirements defined in the SSP.\n\nEXAMPLE:\n",
"iacontrols": null,
"id": "V-222926",
"ruleID": "SV-222926r615938_rule",
"severity": "low",
"title": "The number of allowed simultaneous sessions to the manager application must be limited.",
"version": "TCAT-AS-000010"
},
"V-222927": {
"checkid": "C-24599r426225_chk",
"checktext": "From the Tomcat server console, run the following command:\n\nsudo grep -i ciphers $CATALINA_BASE/conf/server.xml.\n\nExamine each element that is not a redirect to a secure port. Identify the ciphers that are configured on each connector and determine if any of the ciphers are not secure.\n\nFor a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1.\n\nIf insecure ciphers are configured for use, this is a finding.",
"description": "The Tomcat element controls the TLS protocol and the associated ciphers used. If a strong cipher is not selected, an attacker may be able to circumvent encryption protections that are configured for the connector. Strong ciphers must be employed when configuring a secured connector.\n\nThe configuration attribute and its values depend on what HTTPS implementation the user is utilizing. The user may be utilizing either Java-based implementation aka JSSE \u2014 with BIO and NIO connectors, or OpenSSL-based implementation \u2014 with APR connector.\n\nTLSv1.2 ciphers are configured via the server.xml file on a per connector basis. For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1.",
"fixid": "F-24588r426226_fix",
"fixtext": "As a privileged user on the Tomcat server, edit the $CATALINA_BASE/conf/server.xml and modify the element.\n\nAdd the SSLEnabledProtocols=\"TLSv1.2\" setting to the connector or modify the existing setting.\n\nSet SSLEnabledProtocols=\"TLSv1.2\". Save the server.xml file and restart Tomcat:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222927",
"ruleID": "SV-222927r615938_rule",
"severity": "medium",
"title": "Secured connectors must be configured to use strong encryption ciphers.",
"version": "TCAT-AS-000020"
},
"V-222928": {
"checkid": "C-48815r754862_chk",
"checktext": "From the Tomcat server console, run the following command:\n\nsudo grep -i -A5 -B8 hstsEnable $CATALINA_BASE/conf/web.xml file.\n\nIf the httpHeaderSecurity filter is commented out or if hstsEnable is not set to \"true\", this is a finding.",
"description": "HTTP Strict Transport Security (HSTS) instructs web browsers to only use secure connections for all future requests when communicating with a website. Doing so helps prevent SSL protocol attacks, SSL stripping, cookie hijacking, and other attempts to circumvent SSL protection.\n\nImplementing HSTS requires testing of your web applications to ensure SSL certificates align correctly with application requirements and sub-domains if sub-domains are used. Ensure certificates are installed and working correctly. If sub-domains are in use, all sub-domains must be covered in the SSL/TLS certificate and the includeSubDomains directive must be specified in order for HSTS to function properly.",
"fixid": "F-37850r754863_fix",
"fixtext": "From the Tomcat server as a privileged user, edit the web.xml file:\n\nsudo nano $CATALINA_BASE/conf/web.xml file.\n\nUncomment the existing httpHeaderSecurity filter section or create the filter section using the following code:\n\nNOTE: includeSubDomains param-value and url-pattern values may change and can vary according to local deployment requirements. \n\nhttpHeaderSecurity\norg.apache.catalina.filters.HttpHeaderSecurityFilter\n\n hstsEnabled\n true\n\n\n maxAgeSeconds\n 31536000\n \n \n includeSubDomains\n true\n \ntrue\n\n\nCreate or uncomment the httpHeaderSecurity filter mapping:\n\nhttpHeaderSecurity\n/*\nREQUEST\n",
"iacontrols": null,
"id": "V-222928",
"ruleID": "SV-222928r754865_rule",
"severity": "low",
"title": "HTTP Strict Transport Security (HSTS) must be enabled.",
"version": "TCAT-AS-000030"
},
"V-222929": {
"checkid": "C-24601r426231_chk",
"checktext": "From the Tomcat server console, run the following command:\n\nsudo cat $CATALINA_BASE/conf/server.xml.\n\nExamine each element.\n\nFor every HTTP protocol connector:\nVerify the SSLEnabledProtocols=\"TLSv1.2\" flag is set on each connector.\n\nIf the SSLEnabledProtocols setting is not set to TLSv1.2 or greater, this is a finding.",
"description": "Using older versions of TLS introduces security vulnerabilities that exist in the older versions of the protocol. Tomcat by default will use all available versions of the SSL/TLS protocols unless the version is explicitly defined in the SSL configuration attribute for the associated connector. This introduces the opportunity for the client to negotiate the use of an older protocol version and increases the risk of compromise of the Tomcat server.\n\nAll connectors must use TLS 1.2. While this check specifically verifies the use of TLSv1.2, it does not provide all of the steps required to successfully configure a secured TLS connection. That task involves multiple additional steps that are not included here. Refer to Tomcat documentation for all of the steps needed to create a TLS protected connector.\n\nSatisfies: SRG-APP-000015-AS-000010, SRG-APP-000172-AS-000120, SRG-APP-000439-AS-000155",
"fixid": "F-24590r426232_fix",
"fixtext": "As a privileged user on the Tomcat server, edit the $CATALINA_BASE/conf/server.xml and modify the element.\n\nAdd the \"SSLEnabledProtocols=\" flag to the connector or modify the existing flag.\n\nSet SSLEnabledProtocols=\"TLSv1.2\". Save the server.xml file and restart Tomcat:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222929",
"ruleID": "SV-222929r615938_rule",
"severity": "medium",
"title": "TLS 1.2 must be used on secured HTTP connectors.",
"version": "TCAT-AS-000040"
},
"V-222930": {
"checkid": "C-24602r426234_chk",
"checktext": "As an elevated user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nReview for all elements.\n\nIf a element is not defined within each element, this is a finding.\n\nEXAMPLE:\n\n\n ...\n/>",
"description": "Tomcat has the ability to host multiple contexts (applications) on one physical server by using the attribute. This allows the admin to specify audit log settings on a per application basis.\n\nSatisfies: SRG-APP-000016-AS-000013, SRG-APP-000080-AS-000045, SRG-APP-000089-AS-000050, SRG-APP-000091-AS-000052, SRG-APP-000095-AS-000056, SRG-APP-000098-AS-000061, SRG-APP-000099-AS-000062",
"fixid": "F-24591r426235_fix",
"fixtext": "As a privileged user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nCreate a element that is nested within the element containing an AccessLogValve.\n\nEXAMPLE:\n\n\n ...\n/>\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222930",
"ruleID": "SV-222930r615938_rule",
"severity": "medium",
"title": "AccessLogValve must be configured for each application context.",
"version": "TCAT-AS-000050"
},
"V-222931": {
"checkid": "C-24603r426237_chk",
"checktext": "From the Tomcat server console, run the following command to check the keystore:\n\nsudo keytool -list -v \n\nWhen prompted for the keystore password type \"changeit\" sans quotes.\n\nIf the contents of the keystore are displayed, this is a finding.",
"description": "Tomcat currently operates only on JKS, PKCS11, or PKCS12 format keystores. The JKS format is Java's standard \"Java KeyStore\" format, and is the format created by the keytool command-line utility which is included in the JDK. The PKCS12 format is an internet standard, and is managed using OpenSSL or Microsoft's Key-Manager. This requirement only applies to JKS keystores. When a new JKS keystore is created, if a password is not specified during creation the default password used by Tomcat is \"changeit\" (all lower case). If the default password is not changed, the keystore is at risk of compromise.\n\nSatisfies: SRG-APP-000033-AS-000023, SRG-APP-000176-AS-000125",
"fixid": "F-24592r426238_fix",
"fixtext": "From the Tomcat server as a privileged user, run the following command:\n\nsudo keytool -storepasswd \n\nWhen prompted for the keystore password, select a strong password, minimum 10 characters, mixed case alpha-numeric.\n\nDocument the password and store in a secured location that is only accessible to authorized personnel.",
"iacontrols": null,
"id": "V-222931",
"ruleID": "SV-222931r615938_rule",
"severity": "high",
"title": "Default password for keystore must be changed.",
"version": "TCAT-AS-000060"
},
"V-222932": {
"checkid": "C-24604r426240_chk",
"checktext": "From the Tomcat server console, run the following command:\n\nsudo grep -i -B10 -A1 \\/cookie-config $CATALINA_BASE/conf/web.xml\n\nIf the command returns no results or if the element is not set to true, this is a finding.\n\nEXAMPLE:\n\n 15\n \n true\n true\n \n",
"description": "It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header.\n\nThe $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the element.",
"fixid": "F-24593r426241_fix",
"fixtext": "From the Tomcat server console as a privileged user:\n\nedit the $CATALINA_BASE/conf/web.xml\n\nIf the cookie-config section does not exist it must be added. Add or modify the setting and set to true.\n\nEXAMPLE:\n\n 15\n \n true\n true\n \n",
"iacontrols": null,
"id": "V-222932",
"ruleID": "SV-222932r615938_rule",
"severity": "medium",
"title": "Cookies must have secure flag set.",
"version": "TCAT-AS-000070"
},
"V-222933": {
"checkid": "C-24605r426243_chk",
"checktext": "From the Tomcat server console, run the following command:\n\nsudo grep -i -B10 -A1 \\/cookie-config $CATALINA_BASE/conf/web.xml\n\nIf the command returns no results or if the element is not set to true, this is a finding.\n\nEXAMPLE:\n\n 15\n \n true\n true\n \n",
"description": "It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the setting into the response header.\n\nThe $CATALINA_BASE/conf/web.xml file controls how all applications handle cookies via the element.",
"fixid": "F-24594r426244_fix",
"fixtext": "From the Tomcat server console as a privileged user:\n\nedit the $CATALINA_BASE/conf/web.xml\n\nIf the cookie-config section does not exist it must be added. Add or modify the setting and set to true.\n\nEXAMPLE:\n\n 15\n \n true\n true\n \n",
"iacontrols": null,
"id": "V-222933",
"ruleID": "SV-222933r615938_rule",
"severity": "medium",
"title": "Cookies must have http-only flag set.",
"version": "TCAT-AS-000080"
},
"V-222934": {
"checkid": "C-24606r622485_chk",
"checktext": "From the Tomcat server run the following command:\n\nsudo cat $CATALINA_BASE/conf/web.xml |grep -i -A5 -B2 defaultservlet \n\nIf the \"readonly\" param-value for the \"DefaultServlet\" servlet class = \"false\" or does not exist, this is a finding.",
"description": "The DefaultServlet is a servlet provided with Tomcat. It is called when no other suitable page can be displayed to the client. The DefaultServlet serves static resources as well as directory listings and is declared globally in $CATALINA_BASE/conf/web.xml. By default, Tomcat behaves as if the DefaultServlet \"readonly\" parameter is set to \"true\" (HTTP commands like PUT and DELETE are rejected). However, the readonly parameter is not in the web.xml file by default, so to ensure proper configuration and system operation, the \"readonly\" parameter in web.xml must be created and set to \"true\". Creating the setting in web.xml provides assurance that the system is operating as required. Changing the readonly parameter to false could allow clients to delete or modify static resources on the server and upload new resources.",
"fixid": "F-24595r622486_fix",
"fixtext": "From the Tomcat server console as a privileged user:\n\nEdit the $CATALINA_BASE/conf/web.xml file. \n\nIf the \"readonly\" param-value does not exist, it must be created.\n\nEnsure the \"readonly\" param-value for the \"DefaultServlet\" servlet class = \"true\".",
"iacontrols": null,
"id": "V-222934",
"ruleID": "SV-222934r615938_rule",
"severity": "medium",
"title": "DefaultServlet must be set to readonly for PUT and DELETE.",
"version": "TCAT-AS-000090"
},
"V-222935": {
"checkid": "C-24607r426249_chk",
"checktext": "From the Tomcat server console, run the following command:\n\nsudo cat $CATALINA_BASE/conf/server.xml. \n\nExamine each element. \n\nFor each connector, verify the secure= flag is set to \"true\" and the scheme= flag is set to \"https\" on each connector.\n\nIf the secure flag is not set to \"true\" and/or the scheme flag is not set to \"https\" for each HTTP connector element, this is a finding.",
"description": "The unencrypted HTTP protocol does not protect data from interception or alteration which can subject users to eavesdropping, tracking, and the modification of received data. To secure an HTTP connector, both the secure and scheme flags must be set.",
"fixid": "F-24596r426250_fix",
"fixtext": "From the Tomcat server as a privileged user, edit the server.xml file.\n\nsudo nano $CATALINA_BASE/conf/server.xml\n\nLocate each element which is lacking a secure setting.\n\nEXAMPLE Connector:\n\n\nSet or add scheme=\"https\" and secure=\"true\" for each HTTP connector element.\n\nEXAMPLE:\n\n\nSave the server.xml file and restart Tomcat:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222935",
"ruleID": "SV-222935r615938_rule",
"severity": "medium",
"title": "Connectors must be secured.",
"version": "TCAT-AS-000100"
},
"V-222936": {
"checkid": "C-24608r426252_chk",
"checktext": "Review system documentation. Identify the tomcat systemd startup file which for STIG purposes is called \"tomcat.service\" and can be viewed as a link in the /etc/systemd/system/ folder.\n\nRun the following command:\nsudo cat /etc/systemd/system/tomcat.service |grep -i security\n\nIf there is a documented and approved risk acceptance for not operating the Security Manager, the finding can be reduced to a CAT III.\n \nIf the ExecStart parameter does not include the -security flag, this is a finding.",
"description": "The Java Security Manager (JSM) is what protects the Tomcat server from trojan servlets, JSPs, JSP beans, tag libraries, or even from inadvertent mistakes. The JSM works the same way a client's web browser isolates a running web application via a sandbox, the difference being the sandbox is running on the server rather than the client. To ensure application operability, JSM security policies must be set to allow the hosted application access to the underlying system based on individual application requirements. The JSM settings cannot be determined at the STIG level and will vary based on each hosted application.\n\nExamples include setting JSM policy to allow an application to write to folders on the server or to initiate network connections to other servers via TCP/IP.\n\nBecause the JSM isolates application code to prevent an application from adversely accessing resources on the underlying Tomcat server, care must be taken to ensure the JSM policies are configured properly. Allowing untrusted web applications to run on the Tomcat server without a JSM policy that limits access to server resources creates a risk of compromise to the server.\n\nIdeally, the JSM policy is implemented and tested during the application development phase. This is when the application resource requirements are best identified and documented so the correct JSM policy can be implemented in the production environment.\n\nCreating the correct JSM policy can be a challenge when installing commercial software that does not provide the policy as part of the installation process or via documentation. This is due to the fact that the critical application access requirements to the system will typically not be known to the system administrator. In these cases, running the JSM can result in failure for some application functionality (e.g., an application might not be able to write logs to a particular folder on the system or communicate with other systems as intended).\n\nWhen faced with application functionality failures, the typical troubleshooting approach for the system administrator to follow is to install the application in a test environment, set the $CATALINA_POLICY setting to debug, and identify failure events in the logs. This can aid in identifying what privileges the application requires. From there the JSM policies can be set, tested, documented, and transferred to production. If these actions do not address all of the issues, the Risk Management Framework processes come into effect and a risk acceptance for this requirement must be obtained from the ISSO.\n\nFor additional technical information on the security manager and available JSM policy settings, refer to the Security Manager How-To on the Apache Tomcat version 9 website.",
"fixid": "F-24597r426253_fix",
"fixtext": "Refer to the vulnerability discussion of this requirement for additional information. Install the application in a test environment and determine the application access requirements. Test and document the Java Security Manager policy and then transfer the JSM policy to the $CATALINA_BASE/conf/catalina.properties file. If operating multiple instances of Tomcat, use $CATALINA_BASE in place of $CATALINA_HOME as per standard Tomcat practice.\n\nAs an admin user on the Tomcat server, modify the /etc/systemd/system/tomcat.service file and set the \"ExecStart\" parameter to read:\n\"ExecStart=/opt/tomcat/bin/startup.sh -security\"\n\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222936",
"ruleID": "SV-222936r615938_rule",
"severity": "medium",
"title": "The Java Security Manager must be enabled.",
"version": "TCAT-AS-000110"
},
"V-222937": {
"checkid": "C-24609r426255_chk",
"checktext": "Review the System Security Plan and determine if the Tomcat server resides behind a proxy server or load balancer. If the Tomcat server is not behind a proxy server or load balancer, this requirement is NA. \n\nFrom the Tomcat server run the following command:\n\nsudo grep -i RemoteIpValve $CATALINA_BASE/conf/server.xml file.\n\nIf the results are empty or if the requestAttributesEnabled setting is not configured as \"True\", this is a finding.\n\nsudo grep -i AccessLogValve $CATALINA_BASE/conf/server.xml file.\n\nIf the requestAttributesEnabled setting is not configured as \"True\", this is a finding.",
"description": "When running Tomcat behind a load balancer or proxy, default behavior is for Tomcat to log the proxy or load balancer IP address as the client IP. Desired behavior is to log the actual client IP rather than the proxy IP address. The RemoteIpValve logging component instructs Tomcat to grab the HTTP header X-Forwarded-For and use that for access logging.\n\nTomcat will identify 127.0.0.1, class A and class C RFC1918 addresses as internal proxy addresses; however, if the proxy has a routable IP or a class B private network address space (172.16.0.0/12), the user must also verify the \"internalProxies\" setting is configured to reflect the proxy IP address.",
"fixid": "F-24598r426256_fix",
"fixtext": "From the Tomcat server as a privileged user:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nOnly execute this first step if the proxy server is using a routable IP address or an RFC 1918 Class B address space: Add or edit the RemoteIpValve and configure the internalProxies setting to reflect the proxy addresses.\n\nModify the AccessLogValve and configure the requestAttributesEnabled setting = \"True\".\n\nEXAMPLE:\n\n\n\n\n\nRestart Tomcat:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222937",
"ruleID": "SV-222937r615938_rule",
"severity": "medium",
"title": "Tomcat servers behind a proxy or load balancer must log client IP.",
"version": "TCAT-AS-000170"
},
"V-222938": {
"checkid": "C-24610r426258_chk",
"checktext": "As an elevated user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nReview for all elements.\n\nIf a element is not nested within each element, this is a finding.\n\nEXAMPLE:\n\n...\n\n ...\n",
"description": "Application servers utilize role-based access controls in order to specify the individuals who are allowed to configure application component loggable events. The application server must be configured to select which personnel are assigned the role of selecting which loggable events are to be logged.\n\nSatisfies: SRG-APP-000090-AS-000051, SRG-APP-000095-AS-000056, SRG-APP-000100-AS-000063, SRG-APP-000101-AS-000072, SRG-APP-000503-AS-000228, SRG-APP-000505-AS-000230, SRG-APP-000506-AS-000231",
"fixid": "F-24599r426259_fix",
"fixtext": "As a privileged user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nCreate a element that is nested beneath the element containing an AccessLogValve.\n\nEXAMPLE:\n\n...\n\n ...\n\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222938",
"ruleID": "SV-222938r615938_rule",
"severity": "medium",
"title": "AccessLogValve must be configured per each virtual host.",
"version": "TCAT-AS-000180"
},
"V-222939": {
"checkid": "C-24611r426261_chk",
"checktext": "As an elevated user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nReview all \"Valve\" elements.\n\nIf the pattern= statement does not include %t, this is a finding.\n\nEXAMPLE:\n\n...\n\n ...\n",
"description": "The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/server.xml configuration file: The %t pattern code is included in the pattern element and logs the date and time of the event. Including the date pattern in the log configuration provides useful information about the time of the event which is critical for troubleshooting and forensic investigations.",
"fixid": "F-24600r426262_fix",
"fixtext": "As a privileged user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nModify the element(s) nested within the element(s). \n\nChange the AccessLogValve setting to include %t in the pattern= statement. \n\nEXAMPLE:\n\n...\n\n ...\n\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222939",
"ruleID": "SV-222939r615938_rule",
"severity": "medium",
"title": "Date and time of events must be logged.",
"version": "TCAT-AS-000240"
},
"V-222940": {
"checkid": "C-24612r426264_chk",
"checktext": "As an elevated user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nReview all \"Valve\" elements.\n\nIf the pattern= statement does not include %h, this is a finding.\n\nEXAMPLE:\n\n...\n\n ...\n",
"description": "The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/server.xml configuration file: The %h pattern code is included in the pattern element and logs the remote hostname. Including the hostname pattern in the log configuration provides useful information about the connecting host that is critical for troubleshooting and forensic investigations.",
"fixid": "F-24601r426265_fix",
"fixtext": "As a privileged user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nModify the element(s) nested within the element(s).\n\nChange the AccessLogValve setting to include %h in the pattern= statement. \n\nEXAMPLE:\n\n...\n\n ...\n\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222940",
"ruleID": "SV-222940r615938_rule",
"severity": "medium",
"title": "Remote hostname must be logged.",
"version": "TCAT-AS-000250"
},
"V-222941": {
"checkid": "C-24613r426267_chk",
"checktext": "As an elevated user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nReview all \"Valve\" elements.\n\nIf the pattern= statement does not include %s, this is a finding.\n\nEXAMPLE:\n\n...\n\n ...\n",
"description": "The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/server.xml configuration file: The %s pattern code is included in the pattern element and logs the server response code associated with the event e.g. 200 OK or 400 Bad Request. Including the status pattern in the log configuration provides useful server response information about the event which is critical for troubleshooting and forensic investigations.",
"fixid": "F-24602r426268_fix",
"fixtext": "As a privileged user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nModify the element(s) nested within the element(s).\n\nChange the AccessLogValve setting to include %s in the pattern= statement. \n\nEXAMPLE:\n\n...\n\n ...\n\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222941",
"ruleID": "SV-222941r615938_rule",
"severity": "low",
"title": "HTTP status code must be logged.",
"version": "TCAT-AS-000260"
},
"V-222942": {
"checkid": "C-24614r426270_chk",
"checktext": "As an elevated user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nReview all \"Valve\" elements.\n\nIf the pattern= statement does not include \"%r\", this is a finding.\n\nEXAMPLE:\n\n...\n\n ...\n",
"description": "The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/server.xml configuration file: The \"%r\" pattern code is included in the pattern element and logs the first line associated with the event, namely the request method, URL path, query string, and protocol (\"&quot;\" simply specifies a literal double quote). Including the pattern in the log configuration provides useful information about the time of the event which is critical for troubleshooting and forensic investigations.",
"fixid": "F-24603r426271_fix",
"fixtext": "As a privileged user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nModify the element(s) nested within the element(s).\n\nChange the AccessLogValve setting to include \"%r\" in the pattern= statement.\n\nEXAMPLE:\n\n...\n\n ...\n\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222942",
"ruleID": "SV-222942r615938_rule",
"severity": "medium",
"title": "The first line of request must be logged.",
"version": "TCAT-AS-000270"
},
"V-222943": {
"checkid": "C-24615r426273_chk",
"checktext": "Access the Tomcat server from the command line and execute the following OS command:\n\nsudo find $CATALINA_BASE/logs -follow -maxdepth 0 -type d \\( \\! -perm 750 \\) -ls\n\nIf ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance.\n\nIf no folders are displayed, this is not a finding.\n\nIf results indicate the $CATALINA_BASE/logs folder permissions are not set to 750, this is a finding.",
"description": "Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions.",
"fixid": "F-24604r426274_fix",
"fixtext": "If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance.\n\nRun the following command on the Tomcat server:\n\nsudo find $CATALINA_BASE/logs -follow -maxdepth 0 -type d -print0 | sudo xargs -0 chmod 750",
"iacontrols": null,
"id": "V-222943",
"ruleID": "SV-222943r615938_rule",
"severity": "medium",
"title": "$CATALINA_BASE/logs folder permissions must be set to 750.",
"version": "TCAT-AS-000360"
},
"V-222944": {
"checkid": "C-24616r426276_chk",
"checktext": "Access the Tomcat server from the command line and execute the following OS command:\n\nsudo find $CATALINA_BASE/logs/* -follow -maxdepth 0 -type f \\( \\! -perm 640 \\) -ls\n\nIf ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance.\n\nIf no files are displayed, this is not a finding.\n\nIf results indicate any of the file permissions contained in the $CATALINA_BASE/logs folder are not set to 640, this is a finding.",
"description": "Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions.",
"fixid": "F-24605r426277_fix",
"fixtext": "If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance.\n\nRun the following command on the Tomcat server (xargs -0 matches the null-separated output of -print0):\n\nsudo find $CATALINA_BASE/logs/* -follow -maxdepth 0 -type f -print0 | sudo xargs -0 chmod 640",
"iacontrols": null,
"id": "V-222944",
"ruleID": "SV-222944r615938_rule",
"severity": "medium",
"title": "Files in the $CATALINA_BASE/logs/ folder must have their permissions set to 640.",
"version": "TCAT-AS-000361"
},
"V-222945": {
"checkid": "C-24617r426279_chk",
"checktext": "Access the Tomcat server from the command line and execute the following OS command:\n\nsudo find $CATALINA_BASE/conf/* -follow -maxdepth 0 -type f \\( \\! -perm 640 \\) -ls\n\nIf ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance.\n\nIf no files are displayed, this is not a finding.\n\nIf results indicate any of the file permissions contained in the $CATALINA_BASE/conf folder are not set to 640, this is a finding.",
"description": "Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions.\n\nIf the ISSM determines the operational need to allow application admins access to change the Tomcat configuration outweighs the risk of limiting that access, then they can change the group membership to accommodate. Ownership must not be changed. The ISSM should take the exposure of the system to high risk networks into account.\n\nSatisfies: SRG-APP-000119-AS-000079, SRG-APP-000380-AS-000088",
"fixid": "F-24606r426280_fix",
"fixtext": "If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance.\n\nRun the following command on the Tomcat server (xargs -0 matches the null-separated output of -print0):\n\nsudo find $CATALINA_BASE/conf/* -follow -maxdepth 0 -type f -print0 | sudo xargs -0 chmod 640",
"iacontrols": null,
"id": "V-222945",
"ruleID": "SV-222945r615938_rule",
"severity": "medium",
"title": "Files in the $CATALINA_BASE/conf/ folder must have their permissions set to 640.",
"version": "TCAT-AS-000370"
},
"V-222946": {
"checkid": "C-24618r426282_chk",
"checktext": "Access the Tomcat server from the command line and execute the following OS command:\n\nsudo find $CATALINA_BASE/conf -follow -maxdepth 0 -type d \\( \\! -perm 750 \\) -ls\n\nIf ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance.\n\nIf no folders are displayed, this is not a finding.\n\nIf results indicate the $CATALINA_BASE/conf folder permissions are not set to 750, this is a finding.",
"description": "Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions.\n\nIf the ISSM determines the operational need to allow application admins access to change the Tomcat configuration outweighs the risk of limiting that access, then they can change the group membership to accommodate. Ownership must not be changed. The ISSM should take the exposure of the system to high risk networks into account.\n\nSatisfies: SRG-APP-000119-AS-000079, SRG-APP-000380-AS-000088",
"fixid": "F-24607r426283_fix",
"fixtext": "If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance.\n\nRun the following command on the Tomcat server (xargs -0 matches the null-separated output of -print0):\n\nsudo find $CATALINA_BASE/conf -follow -maxdepth 0 -type d -print0 | sudo xargs -0 chmod 750",
"iacontrols": null,
"id": "V-222946",
"ruleID": "SV-222946r754839_rule",
"severity": "medium",
"title": "$CATALINA_BASE/conf folder permissions must be set to 750.",
"version": "TCAT-AS-000371"
},
"V-222947": {
"checkid": "C-24619r426285_chk",
"checktext": "Access the Tomcat server from the command line and execute the following OS command:\n\nsudo find $CATALINA_HOME/bin/*jar -follow -maxdepth 0 -type f \\( \\! -perm 640 \\) -ls\n\nIf there are no results, or if .sh extensions are found, this is not a finding.\n\nIf results indicate any of the jar file permissions contained in the $CATALINA_HOME/bin folder are not set to 640, this is a finding.",
"description": "Tomcat's file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with the group Tomcat. While root has read/write privileges, tomcat group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions.",
"fixid": "F-24608r426286_fix",
"fixtext": "Run the following command on the Tomcat server (xargs -0 matches the null-separated output of -print0):\n\nsudo find $CATALINA_HOME/bin/*jar -follow -maxdepth 0 -type f -print0 | sudo xargs -0 chmod 640",
"iacontrols": null,
"id": "V-222947",
"ruleID": "SV-222947r754840_rule",
"severity": "medium",
"title": "Jar files in the $CATALINA_HOME/bin/ folder must have their permissions set to 640.",
"version": "TCAT-AS-000380"
},
"V-222948": {
"checkid": "C-24620r426288_chk",
"checktext": "Access the Tomcat server from the command line and execute the following OS command:\n\nsudo find $CATALINA_HOME/bin -follow -maxdepth 0 -type d \\( \\! -perm 750 \\) -ls\n\nIf no folders are displayed, this is not a finding.\n\nIf results indicate the $CATALINA_HOME/bin folder permissions are not set to 750, this is a finding.",
"description": "Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions. Note that running Tomcat in a Docker environment can impact how file permissions and user ownership settings are applied. Due to associated Docker configuration complexities, the STIG is scoped for standalone rather than virtual Docker deployments.\n\nSatisfies: SRG-APP-000121-AS-000081, SRG-APP-000122-AS-000082, SRG-APP-000123-AS-000083, SRG-APP-000340-AS-000185",
"fixid": "F-24609r426289_fix",
"fixtext": "Run the following command on the Tomcat server (xargs -0 matches the null-separated output of -print0):\n\nsudo find $CATALINA_HOME/bin -follow -maxdepth 0 -type d -print0 | sudo xargs -0 chmod 750",
"iacontrols": null,
"id": "V-222948",
"ruleID": "SV-222948r754841_rule",
"severity": "medium",
"title": "$CATALINA_HOME/bin folder permissions must be set to 750.",
"version": "TCAT-AS-000390"
},
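The six permission findings above (TCAT-AS-000360 through TCAT-AS-000390) are checked one path at a time with separate find commands. The following script is an added example, not STIG text or Tomcat project code: it audits all of them in one pass and returns the deviations as data rather than only printing them. It assumes the layout the STIG describes ($CATALINA_BASE/logs and conf, $CATALINA_HOME/bin) and the STIG's expected modes (750 on the three directories, 640 on files in logs/ and conf/ and on *.jar in bin/; shell scripts in bin/ are exempt, as the V-222947 check text states). build_sample_tree() creates a constructed layout under a temp directory for a dry run; it is not a real installation.

```python
"""Added example (not STIG text): one pass over the Tomcat path modes
required by TCAT-AS-000360 through TCAT-AS-000390.

Assumes $CATALINA_BASE/{logs,conf} and $CATALINA_HOME/bin as the STIG
lays them out. build_sample_tree() is a constructed layout for testing.
"""
import os
import stat
import tempfile
from pathlib import Path


def mode_of(path: Path) -> int:
    """Permission bits incl. setuid/setgid/sticky, like find -perm MODE
    (exact match). os.stat follows symlinks, like the STIG's -follow."""
    return stat.S_IMODE(os.stat(path).st_mode)


def check(path: Path, expected: int, findings: list) -> None:
    """Append a finding when the path is absent or its mode differs."""
    if not path.exists():
        findings.append(f"missing: {path}")
    elif mode_of(path) != expected:
        findings.append(f"{path} is {mode_of(path):04o}, expected {expected:04o}")


def audit_tomcat_perms(catalina_base, catalina_home) -> list:
    """Return the list of deviations; an empty list means no finding."""
    base, home = Path(catalina_base), Path(catalina_home)
    findings = []
    for d in (base / "logs", base / "conf", home / "bin"):   # 000360/371/390
        check(d, 0o750, findings)
    for f in list((base / "logs").glob("*")) + list((base / "conf").glob("*")):
        if f.is_file():                        # -type f, as in the STIG check
            check(f, 0o640, findings)          # 000361/000370
    for jar in (home / "bin").glob("*.jar"):   # 000380; *.sh is out of scope
        check(jar, 0o640, findings)
    return findings


def build_sample_tree(conf_file_mode=0o640) -> Path:
    """Constructed layout under a temp dir (assumption, not a real host).
    conf_file_mode lets a caller plant one deviation, e.g. 0o644 on
    server.xml, and see it reported."""
    root = Path(tempfile.mkdtemp(prefix="tomcat-audit-"))
    files = {
        "base/logs/catalina.out": 0o640,
        "base/conf/server.xml": conf_file_mode,
        "home/bin/bootstrap.jar": 0o640,
        "home/bin/catalina.sh": 0o750,         # exempt: not a jar
    }
    for rel, mode in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()
        os.chmod(p, mode)
    for d in ("base/logs", "base/conf", "home/bin"):
        os.chmod(root / d, 0o750)
    return root


if __name__ == "__main__":
    demo = build_sample_tree(conf_file_mode=0o644)
    for line in audit_tomcat_perms(demo / "base", demo / "home"):
        print("FINDING:", line)
```

On a real host call audit_tomcat_perms(os.environ["CATALINA_BASE"], os.environ["CATALINA_HOME"]) as a user that can stat the files; a non-empty result is the list of paths that would fail the corresponding STIG check. The comparison is exact, so a setgid directory (2750) is reported just as find -perm 750 would report it.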
"V-222949": {
"checkid": "C-24621r426291_chk",
"checktext": "Reference the system documentation and make relevant changes to the following commands if the system differs:\n\nFrom the Tomcat server command line run the following command:\n\nsudo grep -i umask /etc/systemd/system/tomcat.service\n\nIf UMask is not set to 0027, this is a finding.",
"description": "For Unix-based systems, umask settings affect file creation permissions. If the permissions are too loose, newly created log files and applications could be accessible to unauthorized users via the file system. Ensure the Tomcat OS user account has the correct file creation permission settings by validating the OS umask settings for the Tomcat user. A umask of 0027 gives the owner full rights on newly created files and directories, gives the group read (and, for directories, execute) permission, and gives all others no access. Tomcat will most likely be running as a systemd service. Locate the systemd service file for Tomcat. The default location for the link to the service file is the /etc/systemd/system folder. The service file name should be indicative of the Tomcat process, so tomcat.service is the logical name for the service file and is the name referenced by the STIG.",
"fixid": "F-24610r426292_fix",
"fixtext": "From the Tomcat server as a privileged user:\n\nUse a file editor like nano or vi and edit the /etc/systemd/system/tomcat.service file.\n\nIn the [Service] section, set the \"UMask=\" directive to 0027 (no space around the equals sign):\n\nUMask=0027\n\nSave the file, reload the unit definition so systemd picks up the change, and restart Tomcat:\nsudo systemctl daemon-reload\nsudo systemctl restart tomcat",
"iacontrols": null,
"id": "V-222949",
"ruleID": "SV-222949r615938_rule",
"severity": "medium",
"title": "Tomcat user UMASK must be set to 0027.",
"version": "TCAT-AS-000450"
},
"V-222950": {
"checkid": "C-24622r426294_chk",
"checktext": "From the Tomcat server run the following OS command:\n\nsudo grep -i connector $CATALINA_BASE/conf/server.xml\n\nReview each Connector element and ensure it either has no \"allowTrace\" attribute or has \"allowTrace\" set to \"false\" (the attribute defaults to false when omitted).\n\nDo the same for each application by checking every $CATALINA_BASE/webapps//WEB-INF/web.xml file on the system.\n\nsudo grep -i connector $CATALINA_BASE/webapps//WEB-INF/web.xml\n\nIf a Connector element in the server.xml file or in any of the /WEB-INF/web.xml files contains allowTrace=\"true\", this is a finding.",
"description": "Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, Tomcat will provide this call stack information to the requestor, which could result in the loss of sensitive information or data that could be used to compromise the system. The Connector attribute checked by this requirement, \"allowTrace\", enables the HTTP TRACE method, which echoes the received request (including its headers and cookies) back to the client; it is false by default and must stay that way. As with all STIG settings, it is acceptable to temporarily enable it for troubleshooting and debugging purposes, but the setting must not be left enabled after troubleshooting tasks have been completed.",
"fixid": "F-24611r426295_fix",
"fixtext": "From the Tomcat server as a privileged user, edit the xml files containing the allowTrace=\"true\" statement.\n\nRemove the allowTrace=\"true\" attribute (or set it to \"false\") in the affected xml configuration files and restart the Tomcat server:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222950",
"ruleID": "SV-222950r615938_rule",
"severity": "medium",
"title": "Stack tracing must be disabled.",
"version": "TCAT-AS-000470"
},
"V-222951": {
"checkid": "C-24623r426297_chk",
"checktext": "From the Tomcat server run the following OS command:\n\n$ sudo grep -i shutdown $CATALINA_BASE/conf/server.xml\n\nEnsure the port attribute of the Server element in $CATALINA_BASE/conf/server.xml is set to -1.\n\nEXAMPLE:\n<Server port=\"-1\" shutdown=\"SHUTDOWN\">\n\nIf the Server element's port attribute is not \"-1\" (for example, <Server port=\"8005\" shutdown=\"SHUTDOWN\">), this is a finding.",
"description": "Tomcat listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface, but any local process that can reach it can stop the server. Setting the Server element's port attribute to -1 in $CATALINA_BASE/conf/server.xml disables the shutdown listener entirely. If operational needs require the listener to remain enabled, the shutdown command string must at least be changed from the well-known default.",
"fixid": "F-24612r426298_fix",
"fixtext": "From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file, set the Server element's port attribute to -1, and restart the Tomcat server.\n\n<Server port=\"-1\" shutdown=\"SHUTDOWN\">\n\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222951",
"ruleID": "SV-222951r615938_rule",
"severity": "medium",
"title": "The shutdown port must be disabled.",
"version": "TCAT-AS-000490"
},
"V-222952": {
"checkid": "C-24624r426300_chk",
"checktext": "Review the SSP for the list of approved connectors and associated TCP/IP ports. Ensure only approved connectors are present. Execute the following command on the Tomcat server to find configured Connectors:\n\n$ grep \"Connector\" $CATALINA_BASE/conf/server.xml\n\nReview the results and verify all connectors and their associated network ports are approved in the SSP. Connectors that appear only inside XML comments are not active and can be disregarded.\n\nIf connectors are found but are not approved in the SSP, this is a finding.",
"description": "Connectors are how Tomcat receives requests, passes them to hosted web applications, and then sends back the results to the requestor. Tomcat provides HTTP and Apache JServ Protocol (AJP) connectors and makes these protocols available via configured network ports. Unapproved connectors provide open network connections to either of these protocols and put the system at risk.",
"fixid": "F-24613r426301_fix",
"fixtext": "Obtain ISSO approvals for the configured connectors and document in the SSP.\n\nAlternatively, edit the $CATALINA_BASE/conf/server.xml file, remove any unapproved connectors, and restart Tomcat: \nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222952",
"ruleID": "SV-222952r615938_rule",
"severity": "medium",
"title": "Unapproved connectors must be disabled.",
"version": "TCAT-AS-000500"
},
"V-222953": {
"checkid": "C-24625r426303_chk",
"checktext": "From the Tomcat server run the following OS command:\n\nsudo cat $CATALINA_BASE/conf/web.xml |grep -i -A10 -B2 defaultservlet \n\nThe above command will include ten lines after and two lines before the occurrence of \"defaultservlet\". Some systems may require that the user increase the after number (A10) in order to determine the \"debug\" param-value. \n\nIf the \"debug\" param-value for the \"DefaultServlet\" servlet class does not = 0, this is a finding.",
"description": "The DefaultServlet serves static resources as well as serves the directory listings (if directory listings are enabled). It is declared globally in $CATALINA_BASE/conf/web.xml and by default is configured with the \"debug\" parameter set to 0, which is disabled. Changing this to a value of 1 or higher sets the servlet to print debug level information. DefaultServlet debug setting must be set to 0 (disabled).",
"fixid": "F-24614r426304_fix",
"fixtext": "From the Tomcat server as a privileged user:\n\nEdit the $CATALINA_BASE/conf/web.xml file.\n\nExamine the init-param elements within the DefaultServlet servlet element. If the \"debug\" param-value is not \"0\", change it to \"0\", then restart Tomcat:\n\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222953",
"ruleID": "SV-222953r615938_rule",
"severity": "low",
"title": "DefaultServlet debug parameter must be disabled.",
"version": "TCAT-AS-000510"
},
"V-222954": {
"checkid": "C-24626r426306_chk",
"checktext": "From the Tomcat server run the following OS command:\n\nsudo cat $CATALINA_BASE/conf/web.xml |grep -i -A10 -B2 defaultservlet \n\nThe above command will include ten lines after and two lines before the occurrence of \"defaultservlet\". Some systems may require that the user increase the after number (A10) in order to determine the \"listings\" param-value. \n\nIf the \"listings\" param-value for the \"DefaultServlet\" servlet class does not = \"false\", this is a finding.",
"description": "The DefaultServlet serves static resources as well as directory listings. It is declared globally in $CATALINA_BASE/conf/web.xml and by default is configured with the directory \"listings\" parameter set to disabled. If no welcome file is present and the \"listings\" setting is enabled, a directory listing is shown. Directory listings must be disabled.",
"fixid": "F-24615r426307_fix",
"fixtext": "From the Tomcat server as a privileged user:\n\nEdit the $CATALINA_BASE/conf/web.xml file.\n\nExamine the init-param elements within the DefaultServlet servlet element. If the \"listings\" param-value is \"true\", change it to \"false\", then restart Tomcat:\n\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222954",
"ruleID": "SV-222954r615938_rule",
"severity": "low",
"title": "DefaultServlet directory listings parameter must be disabled.",
"version": "TCAT-AS-000520"
},
"V-222955": {
"checkid": "C-24627r426309_chk",
"checktext": "If the SSP associated with the Host contains ISSM documented approvals for deployXML, this is not a finding.\n\nFrom the Tomcat server as a privileged user:\n\nsudo grep -i deployXML $CATALINA_BASE/conf/server.xml\n\nIf the deployXML setting is configured as true and there is no documented authorization to allow automatic deployment of applications, this is a finding.",
"description": "The Host element controls deployment. Automatic deployment allows for simpler management, but also makes it easier for an attacker to deploy a malicious application. Automatic deployment is controlled by the autoDeploy and deployOnStartup attributes. If both are false, only Contexts defined in server.xml will be deployed, and any changes will require a Tomcat restart.\n\nIn a hosted environment where web applications may not be trusted, set the deployXML attribute to false to ignore any context.xml packaged with the web application that may try to assign increased privileges to the web application. Note that if the security manager is enabled, the deployXML attribute defaults to false; otherwise it defaults to true when omitted.\n\nThis requirement is NA for test and development systems on non-production networks. For DevSecOps application environments, the ISSM may authorize autodeploy functions on a production Tomcat system if the mission need specifies it and an application security vulnerability testing and assurance regimen is included in the DevSecOps process.",
"fixid": "F-24616r426310_fix",
"fixtext": "Document authorization for application auto deployment in the System Security Plan (SSP).\n\nFrom the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.\n\nsudo nano $CATALINA_BASE/conf/server.xml\n\nLocate each Host element in the server.xml file.\n\nIf deployXML=\"true\" is set, ensure each host is authorized for application auto deployment and document the authorization in the system security plan.\n\nIf authorization is not provided, set deployXML=\"false\".",
"iacontrols": null,
"id": "V-222955",
"ruleID": "SV-222955r615938_rule",
"severity": "medium",
"title": "The deployXML attribute must be set to false in hosted environments.",
"version": "TCAT-AS-000530"
},
"V-222956": {
"checkid": "C-24628r426312_chk",
"checktext": "If the SSP associated with the Host contains ISSM documented approvals for AutoDeploy, this is not a finding.\n\nFrom the Tomcat server run the following OS command:\n\nsudo grep -i -C2 autodeploy $CATALINA_BASE/conf/server.xml\n\nIf the command returns no results, this is not a finding.\n\nReview the results for the autoDeploy parameter in each Host element.\n\nIf autoDeploy=\"true\", this is a finding.",
"description": "Tomcat allows auto-deployment of applications while Tomcat is running. This can allow untested or malicious applications to be automatically loaded into production. Autodeploy must be disabled in production. Note that the Host element's autoDeploy attribute defaults to true when it is omitted, so a Host with no autoDeploy attribute still has auto-deployment enabled; set autoDeploy=\"false\" explicitly.\n\nThis requirement is NA for test and development systems on non-production networks. For DevSecOps application environments, the ISSM may authorize autodeploy functions on a production Tomcat system if the mission need specifies it and an application security vulnerability testing and assurance regimen is included in the DevSecOps process.",
"fixid": "F-24617r426313_fix",
"fixtext": "From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.\n\nExamine each Host element. If the element contains autoDeploy=\"true\", change it to autoDeploy=\"false\", then restart Tomcat:\n\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222956",
"ruleID": "SV-222956r615938_rule",
"severity": "medium",
"title": "Autodeploy must be disabled.",
"version": "TCAT-AS-000540"
},
"V-222957": {
"checkid": "C-24629r426315_chk",
"checktext": "From the Tomcat server run the following OS command:\n\nsudo grep -i -C4 xpoweredby $CATALINA_BASE/conf/server.xml\n\nIf any Connector elements contain xpoweredBy=\"true\", this is a finding.",
"description": "Individual connectors can be configured to display the Tomcat server info to clients. This information can be used to identify Tomcat versions which can be useful to attackers for identifying vulnerable versions of Tomcat. Individual connectors must be checked for the xpoweredBy attribute to ensure they do not pass Tomcat server info to clients.",
"fixid": "F-24618r426316_fix",
"fixtext": "From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.\n\nExamine each Connector element. If the element contains xpoweredBy=\"true\", change it to xpoweredBy=\"false\", then restart Tomcat:\n\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222957",
"ruleID": "SV-222957r615938_rule",
"severity": "low",
"title": "xpoweredBy attribute must be disabled.",
"version": "TCAT-AS-000550"
},
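Findings V-222950 through V-222957 all come down to attribute values in $CATALINA_BASE/conf/server.xml, and the STIG checks each with a separate grep that cannot tell a commented-out element from a live one. The script below is an added example, not STIG text or Tomcat project code: it parses server.xml once and reports every deviation from those requirements. It assumes the stock element layout (Server, then Service with Connector and Engine/Host children); the approved_ports argument stands in for the SSP's list of approved connectors; SAMPLE_SERVER_XML is a constructed file, not a real deployment. It is deliberately stricter than the STIG grep in one place: Tomcat's defaults for autoDeploy and deployXML are true, so a Host that omits them is reported instead of being passed.

```python
"""Added example (not STIG text): audit server.xml for the attribute
checks in TCAT-AS-000470 through TCAT-AS-000550.

Assumes a stock Server > Service > Connector / Engine > Host layout.
SAMPLE_SERVER_XML is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one clean HTTPS connector, one AJP connector that
# fails several checks, and a Host that relies on Tomcat's defaults.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               allowTrace="false" xpoweredBy="false" />
    <Connector port="8009" protocol="AJP/1.3" allowTrace="TRUE"
               xpoweredBy="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def is_true(elem, attr, default=False):
    """Tomcat parses boolean attributes case-insensitively; the default
    argument models what Tomcat assumes when the attribute is absent."""
    return elem.get(attr, str(default)).strip().lower() == "true"


def audit_server_xml(xml_text, approved_ports):
    """Return a list of finding strings; an empty list means compliant.
    approved_ports: set of port strings the SSP lists as approved."""
    # Local configuration, not attacker-controlled input, so the stdlib
    # parser is adequate here; XML comments are skipped by the parser.
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "Server":
        return [f"root element is <{root.tag}>, expected <Server>"]
    shutdown_port = root.get("port", "8005")       # Tomcat default
    if shutdown_port != "-1":                      # V-222951
        findings.append(f"shutdown port is {shutdown_port}, expected -1")
    for c in root.iter("Connector"):
        port = c.get("port", "?")
        if is_true(c, "allowTrace"):               # V-222950
            findings.append(f"Connector {port}: allowTrace enabled")
        if is_true(c, "xpoweredBy"):               # V-222957
            findings.append(f"Connector {port}: xpoweredBy enabled")
        if port not in approved_ports:             # V-222952
            findings.append(f"Connector {port}: not in SSP approved list")
    for h in root.iter("Host"):
        name = h.get("name", "?")
        if is_true(h, "autoDeploy", default=True):   # V-222956
            findings.append(f"Host {name}: autoDeploy enabled (default is true)")
        if is_true(h, "deployXML", default=True):    # V-222955
            findings.append(f"Host {name}: deployXML enabled (default is true)")
    return findings


if __name__ == "__main__":
    for line in audit_server_xml(SAMPLE_SERVER_XML, approved_ports={"8443"}):
        print("FINDING:", line)
```

On a real host, pass the contents of $CATALINA_BASE/conf/server.xml and the port set from the SSP. Because the parser drops comments, a Connector that exists only inside a comment is not reported, which removes the false positives the grep-based checks produce.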
"V-222958": {
"checkid": "C-24630r426318_chk",
"checktext": "From the Tomcat server OS type the following command:\n\nsudo ls -l $CATALINA_BASE/webapps/examples\n\nIf the examples folder exists or contains any content, this is a finding.",
"description": "Tomcat provides example applications, documentation, and other directories in the default installation which do not serve a production use. These files must be deleted.",
"fixid": "F-24619r426319_fix",
"fixtext": "From the Tomcat server OS type the following command:\n\nsudo rm -rf $CATALINA_BASE/webapps/examples",
"iacontrols": null,
"id": "V-222958",
"ruleID": "SV-222958r615938_rule",
"severity": "low",
"title": "Example applications must be removed.",
"version": "TCAT-AS-000560"
},
"V-222959": {
"checkid": "C-24631r426321_chk",
"checktext": "From the Tomcat server OS type the following command:\n\nsudo ls -l $CATALINA_BASE/webapps/ROOT\n\nReview the index.jsp file. Also review the RELEASE-NOTES.txt file. Look for content that describes the application as being licensed by the Apache Software Foundation. Check the index.jsp for other verbiage that indicates the application is part of the Tomcat server. Alternatively, use a web browser and access the default web application and determine if the website application in the ROOT folder is provided with the Apache Tomcat server.\n\nIf the ROOT web application contains Tomcat default application content, this is a finding.",
"description": "The default ROOT web application includes the version of Tomcat that is being used, links to Tomcat documentation, examples, FAQs, and mailing lists. The default ROOT web application must be removed from a publicly accessible Tomcat instance and a more appropriate default page shown to users. It is acceptable to replace the contents of default ROOT with a new default web application.\n\nWARNING: Removing the ROOT folder without replacing the content with valid web based content will result in an error page being displayed to the browser when the browser lands on the default page.",
"fixid": "F-24620r426322_fix",
"fixtext": "WARNING: Removing the ROOT folder without replacing the content with valid web based content will result in an error page being displayed to the browser when the browser lands on the default page.\n\nFrom the Tomcat server OS:\n\nEither remove the files contained in $CATALINA_BASE/webapps/ROOT folder or replace the content of the folder with a new application that serves as the new default server application.",
"iacontrols": null,
"id": "V-222959",
"ruleID": "SV-222959r615938_rule",
"severity": "low",
"title": "Tomcat default ROOT web application must be removed.",
"version": "TCAT-AS-000570"
},
"V-222960": {
"checkid": "C-24632r426324_chk",
"checktext": "From the Tomcat server OS type the following command:\n\nsudo ls -l $CATALINA_BASE/webapps/docs\n\nIf the docs folder exists or contains any content, this is a finding.",
"description": "Tomcat provides documentation and other directories in the default installation which do not serve a production use. These files must be deleted.",
"fixid": "F-24621r426325_fix",
"fixtext": "From the Tomcat server OS type the following command:\n\nsudo rm -rf $CATALINA_BASE/webapps/docs",
"iacontrols": null,
"id": "V-222960",
"ruleID": "SV-222960r615938_rule",
"severity": "low",
"title": "Documentation must be removed.",
"version": "TCAT-AS-000580"
},
"V-222961": {
"checkid": "C-24633r426327_chk",
"checktext": "Individual Context elements may be explicitly defined in an individual file located at /META-INF/context.xml inside the application files or in the $CATALINA_BASE/conf/context.xml file. It is not recommended to store the context element in the server.xml file as changes will require a server restart.\n\nThe $CATALINA_BASE/conf/context element information will be loaded by all web applications, the META-INF/context.xml will only be loaded by that specific application.\n\nOn the Tomcat server as a privileged user run the following commands:\n\ngrep -i privileged $CATALINA_BASE/conf/context.xml\n\nRepeat the following command for each installed application:\n\ngrep -i privileged $CATALINA_BASE/webapps/META-INF/context.xml\n\nIf the privileged context attribute is set to true, confirm the application has been approved for privileged mode by the ISSO. If the application is not approved to run in privileged mode, this is a finding.",
"description": "The privileged attribute controls if a context (application) is allowed to use container provided servlets like the Manager servlet. It is false by default and should only be changed for trusted web applications.\n\nSet to true to allow the context (application) to use container servlets, like the manager servlet. Use of the privileged attribute will change the context's parent class loader to be the Server class loader rather than the Shared class loader. Note that in a default installation, the Common class loader is used for both the Server and the Shared class loaders.",
"fixid": "F-24622r426328_fix",
"fixtext": "On the Tomcat server as a privileged user, modify the relevant context.xml file and set the privileged attribute to false (privileged=\"false\").\nA restart should not be required if the context element is not maintained in the server.xml file.\n\nIf privileged mode is required for a particular application, verify trust of the application and obtain documented approval from the ISSO. Document the applications that are approved to run in privileged mode and retain approvals in the system security plan (SSP) for CCRI reviews.",
"iacontrols": null,
"id": "V-222961",
"ruleID": "SV-222961r615938_rule",
"severity": "medium",
"title": "Applications in privileged mode must be approved by the ISSO.",
"version": "TCAT-AS-000590"
},
"V-222962": {
"checkid": "C-24634r426330_chk",
"checktext": "If the manager and host-manager applications have been deleted from the system, this is not a finding.\n\nFrom the Tomcat server as a privileged user, run the following command:\n\nsudo grep -i -A8 JNDIRealm $CATALINA_BASE/conf/server.xml\n\nIf the JNDIRealm does not exist or if the JNDIRealm configuration is commented out, this is a finding.",
"description": "Using the local user store on a Tomcat installation does not meet a multitude of security control requirements related to user account management. To address this risk, Tomcat must be configured to utilize an LDAP or Active Directory installation that provides a centralized user account store that is configured to meet standard DoD user account management requirements. JNDIRealm is an implementation of the Tomcat Realm interface that looks up users in an LDAP directory server accessed by a JNDI provider (typically, the standard LDAP provider that is available with the JNDI API classes). The realm supports a variety of approaches to using a directory for authentication.",
"fixid": "F-24623r426331_fix",
"fixtext": "Identify the server IP that is providing LDAP services and configure the Tomcat user roles schema within LDAP. Refer to the manager and host-manager web.xml files for application specific role information that can be used for setting up the roles for those applications. The default location for these files is: $CATALINA_BASE/webapps//WEB-INF/web.xml\n\nFrom the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.\n\nLocate the Engine (or Host) element in the server.xml file, add a nested Realm element with className=\"org.apache.catalina.realm.JNDIRealm\", and configure the associated LDAP settings as per the LDAP server connection requirements.\n\nEXAMPLE:\nThis is for illustration purposes only. Modify the LDAP settings on a case-by-case basis as per the individual LDAP server and schema.\n\n",
"iacontrols": null,
"id": "V-222962",
"ruleID": "SV-222962r615938_rule",
"severity": "medium",
"title": "Tomcat management applications must use LDAP realm authentication.",
"version": "TCAT-AS-000600"
},
"V-222963": {
"checkid": "C-24635r426333_chk",
"checktext": "From the Tomcat server run the following commands:\n\nsudo grep -i jmxremote.authenticate /etc/systemd/system/tomcat.service\nsudo ps -ef | grep -i jmxremote\n\nIf the results are blank, this is not a finding.\n\nIf the results include:\n\n-Dcom.sun.management.jmxremote.authenticate=false, this is a finding.",
"description": "Java Management Extensions (JMX) provides the means to remotely manage the Java VM. When enabling the JMX agent for remote monitoring, the user must enable authentication.",
"fixid": "F-24624r426334_fix",
"fixtext": "If using JMX for management of the Tomcat server, start the Tomcat server with the following flags added to the JVM options in the systemd unit /etc/systemd/system/tomcat.service. The Environment directive must assign the variable, so the \"=\" after CATALINA_OPTS is required:\n\nEnvironment='CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true'\n\nReload the unit definition, then restart Tomcat:\nsudo systemctl daemon-reload\nsudo systemctl restart tomcat",
"iacontrols": null,
"id": "V-222963",
"ruleID": "SV-222963r615938_rule",
"severity": "medium",
"title": "JMX authentication must be secured.",
"version": "TCAT-AS-000610"
},
"V-222964": {
"checkid": "C-24636r426336_chk",
"checktext": "JMX management is configured via the Tomcat CATALINA_OPTS environment variable setting maintained in the /etc/systemd/system/tomcat.service file for Ubuntu systemd UNIX. For other flavors of Linux, this location may vary.\n\nAs a privileged user from the Tomcat server run the following command:\n\ngrep -i jmxremote /etc/systemd/system/tomcat.service\n\nReview the output. If there are no results displayed, jmxremote management extensions are not used, and this requirement is NA.\n\nIf the jmxremote settings are configured and jmxremote.ssl=false is present, this is a finding.\n\nEXAMPLE of a non-compliant configuration:\n-Dcom.sun.management.jmxremote\n-Dcom.sun.management.jmxremote.authenticate=false\n-Dcom.sun.management.jmxremote.ssl=false",
"description": "Java Management Extensions (JMX) provides the means for enterprises to remotely manage the Java VM and can be used in place of the local manager application that comes with Tomcat. \n\nJMX management is configured via the Tomcat CATALINA_OPTS setting maintained in the /etc/systemd/system/tomcat.service file for Ubuntu systemd UNIX. For Linux OS flavors other than Ubuntu, use the relevant OS commands.\n\nManagement tasks such as monitoring and control of applications is accomplished via the jmxremote servlet. If authentication is disabled, an attacker only needs to know the port number in order to manage and control hosted Java applications.",
"fixid": "F-24625r426337_fix",
"fixtext": "If using JMX for management of the Tomcat server, start the Tomcat server by adding the following command-line flags to the systemd startup scripts in /etc/systemd/system/tomcat.service.\n\nEnvironment='CATALINA_OPTS=-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true'\n\nsudo systemctl daemon-reload\nsudo systemctl start tomcat",
"iacontrols": null,
"id": "V-222964",
"ruleID": "SV-222964r615938_rule",
"severity": "high",
"title": "TLS must be enabled on JMX.",
"version": "TCAT-AS-000630"
},
"V-222965": {
"checkid": "C-24637r426339_chk",
"checktext": "From the Tomcat server as a privileged user, run the following commands:\n\nsudo grep -i -A8 JNDIRealm $CATALINA_BASE/conf/server.xml\n\nIf the JNDIRealm connectionURL setting is not configured to use LDAPS, if it does not exist, or is commented out, this is a finding.\n\nEXAMPLE:\nThis is an example. Substitute localhost for the LDAP server IP and configure other LDAP-related settings as well.\n\n",
"description": "JNDIRealm is an implementation of the Tomcat Realm interface. Tomcat uses the JNDIRealm to look up users in an LDAP directory server. The realm's connection to the directory is defined by the 'connectionURL' configuration attribute. This attribute is usually an LDAP URL that specifies the domain name of the directory server to connect to.\n\nThe LDAP URL does not provide encryption by default. This can lead to authentication credentials being transmitted across network connections in clear text.\n\nTo address this risk, Tomcat must be configured to use secure LDAP (LDAPS).",
"fixid": "F-24626r426340_fix",
"fixtext": "Identify the server IP that is providing LDAP services and configure the Tomcat user roles schema within LDAP. Refer to the manager and host-manager web.xml files for application specific role information that can be used for setting up the roles for those applications. The default location for these files is: $CATALINA_BASE/webapps//WEB-INF/web.xml\n\nFrom the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.\n\nLocate the element in the server.xml file, add a nested element using the JNDIRealm className and configure the associated LDAP settings as per the LDAP server connection requirements.\n\nEXAMPLE:\nThis is for illustration purposes only. The user must modify the LDAP settings on a case by case basis as per your individual LDAP server and schema.\n\n",
"iacontrols": null,
"id": "V-222965",
"ruleID": "SV-222965r615938_rule",
"severity": "high",
"title": "LDAP authentication must be secured.",
"version": "TCAT-AS-000690"
},
"V-222966": {
"checkid": "C-24638r587942_chk",
"checktext": "This is a mutual authentication requirement where both the Tomcat server and the client are required to authenticate themselves via mutual TLS. Review system security plan and other system documentation. If the system has no connections requiring mutual authentication (e.g., proxy servers or other hosts specified in the system documentation), this requirement is NA.\n\nFor the systemd Ubuntu OS, check the tomcat.service file to read the content of the JAVA_OPTS environment variable setting.\n\nsudo cat /etc/systemd/system/tomcat.service |grep -i truststore\n\nEXAMPLE output:\nset JAVA_OPTS=\"-Djavax.net.ssl.trustStore=/path/to/truststore\" \"-Djavax.net.ssl.trustStorePassword=************\"\n\nIf the variable is not set, use the default location command below. If the variable is set, use the alternate location command below and include the path and truststore file. \n\n-Default location:\nkeytool -list -cacerts -v | grep -i issuer\n\n-Alternate location:\nkeytool -list -keystore -v |grep -i issuer\n\nIf there are no CA certificates issued by a Certificate Authority (CA) that is part of the DoD PKI/PKE, this is a finding.",
"description": "Tomcat truststores are used to validate client certificates. On the Ubuntu OS, by default Tomcat uses the \"cacerts\" file as the CA trust store. The file is located in the /etc/ssl/certs/java/ folder with a link to the file in $JAVA_HOME/lib/security/cacerts. However, this location can be modified by setting the value of the javax.net.ssl.trustStore system property. Setting this property within an OS environment variable will change the location to point to a different trust store. \n\nThe Java OS environment variables in the systemd Tomcat startup file must be checked in order to identify the location of the trust store on the file system. (The STIG uses the name tomcat.service as a reference, but technically this file can be called anything).\n\nIf the property is not set, then the default location is used for the truststore.",
"fixid": "F-24627r426343_fix",
"fixtext": "Obtain and install the DoD PKI CA certificate bundles by accessing the DoD PKI office website at cyber.mil/pki-pke.\n\nImport the DoD CA certificates.",
"iacontrols": null,
"id": "V-222966",
"ruleID": "SV-222966r616155_rule",
"severity": "medium",
"title": "DoD root CA certificates must be installed in Tomcat trust store.",
"version": "TCAT-AS-000700"
},
"V-222967": {
"checkid": "C-24639r426345_chk",
"checktext": "Identify the location of the .keystore file. Refer to system documentation or review the server.xml file for a specified .keystore file location.\n\nFrom the Tomcat server console run the following command to check the server.xml file:\n\nsudo grep -i keystorefile $CATALINA_BASE/conf/server.xml\n\nExtract the location of the file from the output. \n\nExample:\n[keystorefile=/opt/tomcat/conf/]\n\nsudo ls -la [keystorefile location]\n\nIf the file permissions are not set to 640 USER:root GROUP:tomcat, this is a finding.\n\nIf the keystore file is not stored within the tomcat folder path, i.e. [/opt/tomcat/], this is a finding.",
"description": "The keystore file contains authentication information used to access application data and data resources. Access to the file must be protected.\n\nThe default location is the .keystore file stored in the home folder of the user account used to run Tomcat, although some administrators may choose to locate the file elsewhere. The location will also be specified in the server.xml file.",
"fixid": "F-24628r426346_fix",
"fixtext": "Run the following commands on the Tomcat server:\n\nsudo chmod 640 [keystorefile]\nsudo chown root [keystorefile]\nsudo chgrp tomcat [keystorefile]\n\nStore the keystore file in a secured folder within the Tomcat folder path.",
"iacontrols": null,
"id": "V-222967",
"ruleID": "SV-222967r615938_rule",
"severity": "medium",
"title": "Keystore file must be protected.",
"version": "TCAT-AS-000710"
},
"V-222968": {
"checkid": "C-24640r426348_chk",
"checktext": "From the Tomcat server console, run the following two commands to verify Tomcat server is configured to use FIPS:\n\nsudo grep -i fipsmode $CATALINA_BASE/conf/server.xml\n\nsudo grep -i fipsmode $CATALINA_BASE/logs/catalina.out\n\nIf server.xml does not contain FIPSMode=\"on\", or if catalina.out contains the error \"failed to set property[FIPSMODE] to [on]\", this is a finding.",
"description": "Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP, and then sends the results back to the requestor. Cryptographic ciphers are associated with the connector to create a secured connector. To ensure encryption strength is adequately maintained, the ciphers used must be FIPS 140-2-validated.\n\nThe FIPS-validated crypto libraries are not provided by Tomcat; they are included as part of the Java instance and the underlying Operating System. The STIG checks to ensure the FIPSMode setting is enabled for the connector and also checks the logs for FIPS errors, which indicates FIPS non-compliance at the OS or Java layers. The administrator is responsible for ensuring the OS and Java instance selected for the Tomcat installation provide and enable these FIPS modules so Tomcat can be configured to use them.\n\nSatisfies: SRG-APP-000224-AS-000152, SRG-APP-000428-AS-000265, SRG-APP-000429-AS-000157, SRG-APP-000439-AS-000274, SRG-APP-000440-AS-000167",
"fixid": "F-24629r426349_fix",
"fixtext": "In addition to configuring Tomcat, the admin must also configure the underlying OS and Java engine to use FIPS-validated encryption modules. This fix describes how to enable FIPSMode within Tomcat; the OS and Java engine must be configured to use the FIPS-validated modules according to the chosen OS and Java engine.\n\nFrom the Tomcat server as a privileged user:\n\nsudo nano $CATALINA_BASE/conf/server.xml\n\nIn the element, locate the AprLifecycleListener. Either add or modify the FIPSMode setting and set it to FIPSMode=\"on\".\n\nEXAMPLE:\n\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222968",
"ruleID": "SV-222968r615938_rule",
"severity": "high",
"title": "Tomcat must use FIPS-validated ciphers on secured connectors.",
"version": "TCAT-AS-000750"
},
"V-222969": {
"checkid": "C-24641r426351_chk",
"checktext": "Review the system security plan and network documentation. Identify the management networks that are used for system management. \n\nFrom the Tomcat server as a privileged user, run the following command:\n\nsudo grep -i jmxremote /etc/systemd/system/tomcat.service\nsudo ps -ef |grep -i jmxremote\n\nIf there are no results, the JMX process is not being used, and this is not a finding.\n\nIf output includes jmxremote information, review the -Dcom.sun.management.jmxremote.host setting. \n\nCompare the IP address associated with the JMX process with the network information in the SSP. Ensure the IP address space is dedicated for system management purposes.\n\nIf the IP address that is associated with the JMX process is not dedicated to system management usage, this is a finding.\n\nIf jmxremote is in use but the host IP address is not specified, this is a finding.",
"description": "Java Management Extensions (JMX) is used to provide programmatic access to Tomcat for management purposes. This includes monitoring and control of java applications running on Tomcat. If network access to the JMX port is not restricted, attackers can gain access to the application used to manage the system.",
"fixid": "F-24630r426352_fix",
"fixtext": "Make an operational determination regarding the use of JMX. If JMX management is decided upon, identify the management networks that are used for system management. Update the system security plan and network documentation with the information. \n\nEdit the /etc/systemd/system/tomcat.service file.\n\nAdd or modify the existing CATALINA_OPTS -Dcom.sun.management.jmxremote.host setting. Set the host parameter to an IP address that is only available on a management network.\n\nEXAMPLE:\nCATALINA_OPTS='-Dcom.sun.management.jmxremote.host=192.168.0.150'\n\nRestart Tomcat:\nsudo systemctl daemon-reload\nsudo systemctl restart tomcat\n\nVerify JMX management access is restricted to the management network IP address range.",
"iacontrols": null,
"id": "V-222969",
"ruleID": "SV-222969r615938_rule",
"severity": "medium",
"title": "Access to JMX management interface must be restricted.",
"version": "TCAT-AS-000780"
},
"V-222970": {
"checkid": "C-24642r426354_chk",
"checktext": "Review system documentation (SSP) and identify the documented management networks as well as the documented client networks. If the manager application has been deleted from the system, this is not a finding. \n\nRun the following command as a privileged user:\n\nsudo grep -i -A1 \"RemoteAddrValve\\|RemoteCIDRValve\" $CATALINA_BASE/webapps/manager/META-INF/context.xml \n\nIf there are no results, then no address valves exist and this is a finding.\n\nIf the Remote Address Valve settings are commented out or not configured to restrict access to localhost or the management network, this is a finding.\n\nEXAMPLES:\n\n- RemoteAddrValve Localhost only IPV4 and IPV6 example\n\n\n- Localhost and Management network CIDR block IPV4 and IPV6 example\n",
"description": "The Tomcat manager application is used to manage the Tomcat server and the applications that run on Tomcat. By default, the manager application is only accessible via the localhost. Exposing the management application to any network interface that is available to non-administrative personnel leaves the Tomcat server vulnerable to attempts to access the management application. To mitigate this risk, the management application should only be run on the localhost or on network interfaces tied to a dedicated management network.\n\nThis setting is managed in the $CATALINA_BASE/conf/server.xml file.",
"fixid": "F-24631r426355_fix",
"fixtext": "Update system documentation (SSP) and identify the documented management networks as well as the documented client networks.\n\nAs a privileged user, edit the $CATALINA_BASE/webapps/manager/META-INF/context.xml file.\n\nConfigure the RemoteAddrValve or RemoteCIDRValve to restrict access to the management application. This can be a restriction to the localhost or to specific management networks or hosts on the management network. Choice of address or CIDR block usage is based on operational requirements.\n\nOrder is allow from, deny from. See Tomcat Valve component documentation at the Tomcat website for specific details and additional configuration options.\n\nTest the access restrictions once configured to assure compliance.\n\nEXAMPLES:\n\n- RemoteAddrValve Localhost only IPV4 and IPV6\n\n\n- Localhost and Management network CIDR block IPV4 and IPV6\n",
"iacontrols": null,
"id": "V-222970",
"ruleID": "SV-222970r615938_rule",
"severity": "medium",
"title": "Access to Tomcat manager application must be restricted.",
"version": "TCAT-AS-000790"
},
"V-222971": {
"checkid": "C-24643r426357_chk",
"checktext": "Review system security plan and/or system architecture documentation and interview the system admin. Identify any proxy servers or load balancers that provide services for the Tomcat server. If there are no load balancers or proxies in use, this is not a finding.\n\nIf there is a documented risk acceptance for not mutually authenticating proxy or load balancer connections due to operational issues or RMF system categorization, this is not a finding.\n\nUsing the aforementioned documentation, identify each Tomcat IP address that is served by a load balancer or proxy. \n\nFrom the Tomcat server as a privileged user, review the $CATALINA_BASE/conf/server.xml file. Review each element for the address setting and the clientAuth setting.\n\nsudo grep -i -B1 -A5 connector $CATALINA_BASE/conf/server.xml\n\nIf a connector has a configured IP address that is proxied or load balanced and the clientAuth setting is not \"true\", this is a finding.",
"description": "Tomcat servers are often placed behind a proxy when exposed to both trusted and untrusted networks. This is done for security and performance reasons. Tomcat does provide an HTTP server that can be configured to make hosted applications available to clients directly. However, this HTTP server has performance limitations and is not intended to be used on an enterprise scale. Exposing this service to untrusted networks also violates the layered security model and creates elevated risk of attack. To address these issues, a proxy or load balancer can be placed in front of the Tomcat server. To ensure the proxied connection is not spoofed, SSL mutual authentication must be employed between Tomcat and the proxy.\n\nNot all Tomcat systems will have an RMF system categorization that warrants mutual authentication protections. The site must determine if mutual authentication is warranted based on their system RMF categorization and data protection requirements. If the site determines that MA is not a requirement, they can document a risk acceptance for not mutually authenticating proxy or load balancer connections due to operational issues, or when the RMF system categorization does not warrant the added level of protection.",
"fixid": "F-24632r426358_fix",
"fixtext": "From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. \n\nModify each element where the IP address is behind a proxy or load balancer.\n\nSet clientAuth=\"true\" then identify the applications that are associated with the connector and edit the associated web.xml files. Assure the is set to CLIENT-CERT.",
"iacontrols": null,
"id": "V-222971",
"ruleID": "SV-222971r615938_rule",
"severity": "medium",
"title": "Tomcat servers must mutually authenticate proxy or load balancer connections.",
"version": "TCAT-AS-000800"
},
"V-222973": {
"checkid": "C-24645r426363_chk",
"checktext": "From the Tomcat server as a privileged user, run the following command:\n\nsudo grep -i recycle_facades /etc/systemd/system/tomcat.service\n\nIf there are no results, or if org.apache.catalina.connector.RECYCLE_FACADES is not set to \"true\", this is a finding.",
"description": "If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a bug in an application might expose data from one request to another. This setting is configured using environment variable settings. For Linux OS flavors other than Ubuntu, use the relevant OS commands. For Ubuntu, this setting can be managed in the /etc/systemd/system/tomcat.service file via the CATALINA_OPTS variable. This setting is defined in the file and referenced during tomcat startup in order to load tomcat environment variables.\n\nTechnically, the tomcat.service referenced in the check and fix could be called a different name; but for STIG purposes and to provide a standard setting that can be referred to and obviously is used for Tomcat, tomcat.service was chosen.",
"fixid": "F-24634r426364_fix",
"fixtext": "From the Tomcat server as a privileged user:\n\nEdit the /etc/systemd/system/tomcat.service file and either add or edit the org.apache.catalina.connector.RECYCLE_FACADES setting.\n\nSet org.apache.catalina.connector.RECYCLE_FACADES=true.\n\nEXAMPLE:\nEnvironment='CATALINA_OPTS=-Dorg.apache.catalina.connector.RECYCLE_FACADES=true'\n\nRestart the Tomcat server:\nsudo systemctl daemon-reload\nsudo systemctl restart tomcat",
"iacontrols": null,
"id": "V-222973",
"ruleID": "SV-222973r615938_rule",
"severity": "low",
"title": "Tomcat must be configured to limit data exposure between applications.",
"version": "TCAT-AS-000820"
},
"V-222974": {
"checkid": "C-24646r426366_chk",
"checktext": "Review System Security Plan (SSP) documentation to determine if the Tomcat server is part of an application server cluster. Also identify Tomcat network interfaces and the proxy/load balancer that front-ends the cluster.\n\nFrom the Tomcat server as a privileged user, run the following command:\n\nsudo grep -i -A2 -B2 \"Cluster\" $CATALINA_BASE/conf/server.xml\n\nIf the element is commented out, or there are no results returned, this requirement is NA.\n\nIf a cluster is in use, run the following command as a privileged user:\n\ngrep -i EncryptInterceptor $CATALINA_BASE/conf/server.xml\n\nIf the Tomcat server is clustered and the EncryptInterceptor is not in use, or if the cluster traffic is not on a private network or VLAN, this is a finding.",
"description": "Operating a Tomcat cluster on an untrusted network creates potential for unauthorized persons to view or manipulate cluster session traffic. When operating a Tomcat cluster, care must be taken to isolate the cluster traffic from untrusted sources. Options include using a private VLAN, VPN, or IPSEC tunnel or by encrypting cluster traffic by using the EncryptInterceptor. The EncryptInterceptor adds encryption to the channel messages carrying session data between Tomcat cluster nodes.\n\nPlace the element inside either the container or the container.\n\nPlacing it in the engine means supporting clustering in all virtual hosts of Tomcat and sharing the messaging component. When the user places the inside the element, the cluster will append the host name of each session manager to the manager's name so that two contexts with the same name (but sitting inside two different hosts) will be distinguishable.",
"fixid": "F-24635r426367_fix",
"fixtext": "Update the System Security Plan (SSP) and document the network interfaces, their related IP addresses, and which interfaces transport Tomcat cluster traffic. Also document which interface is multicast enabled if using the McastService membership class versus Static. \n\nTo obtain the information needed for the SSP:\nsudo grep -i -A3 \"\" value.\n\nReview the OS routing tables. Identify and document which interface is configured to route the Tomcat class D IP multicast traffic. \n\nsudo netstat -r \n\nEND of Documentation instructions.\n\nFrom the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.\n\nsudo nano $CATALINA_BASE/conf/server.xml\n\nLocate the element nested within the element.\n\nAdd the to the server.xml and save the file.\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat\n\nNOTE:\nThe EncryptInterceptor adds encryption to the channel messages carrying session data between nodes. This feature was added in Tomcat 9.0.13. If using the TcpFailureDetector interceptor, the EncryptInterceptor must be inserted into the interceptor chain BEFORE the TcpFailureDetector. When validating cluster members, TcpFailureDetector writes channel data directly to the other members without using the remainder of the interceptor chain, but on the receiving side, the message still goes through the chain (in reverse). Because of this asymmetry, the EncryptInterceptor must execute before the TcpFailureDetector on the sender and after it on the receiver; otherwise, message corruption will occur.",
"iacontrols": null,
"id": "V-222974",
"ruleID": "SV-222974r615938_rule",
"severity": "medium",
"title": "Clusters must operate on a trusted network.",
"version": "TCAT-AS-000860"
},
"V-222975": {
"checkid": "C-24647r426369_chk",
"checktext": "As an elevated user on the Tomcat server run the following command:\n\nsudo grep -i ErrorReportValve $CATALINA_BASE/conf/server.xml\n\nIf the ErrorReportValve element is not defined, or showServerInfo is not set to \"false\", this is a finding.\n\nEXAMPLE:\n\n ...\n \n ...\n",
"description": "The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return pre-defined static HTML pages for specific status codes and/or exception types. Disabling showServerInfo will only return the HTTP status code and remove all CSS from the default non-error related HTTP responses.",
"fixid": "F-24636r426370_fix",
"fixtext": "As a privileged user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nCreate or modify an ErrorReportValve element nested beneath each element.\n\nEXAMPLE:\n\n...\n\n...\n\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222975",
"ruleID": "SV-222975r615938_rule",
"severity": "medium",
"title": "ErrorReportValve showServerInfo must be set to false.",
"version": "TCAT-AS-000920"
},
"V-222976": {
"checkid": "C-24648r426372_chk",
"checktext": "From the Tomcat server console, run the following command:\n\nsudo cat $CATALINA_BASE/webapps/manager/WEB-INF/jsp/401.jsp\n\nRepeat for the 402.jsp and 403.jsp files.\n\nThe default error files contain sample passwords and user accounts.\n\nIf the error files contained in this folder have not been customized and the sample information has not been removed, this is a finding.",
"description": "Default error pages that accompany the manager application provide educational information on how to configure user accounts and groups for accessing the manager application. These error pages provide responses to 401 (Unauthorized), 403 (Forbidden), and 404 (Not Found) JSP error codes and should not exist on production systems.",
"fixid": "F-24637r426373_fix",
"fixtext": "From the Tomcat server as a privileged user:\n\ncd $CATALINA_BASE/webapps/manager/WEB-INF/jsp/\n\nUse a file editor like nano or vi and edit the 401, 402, and 403 jsp files. Remove account information and make the files reflect generic error information that assists users but does not provide sample data to users.\n\nSave the files and restart Tomcat:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222976",
"ruleID": "SV-222976r615938_rule",
"severity": "low",
"title": "Default error pages for manager application must be customized.",
"version": "TCAT-AS-000930"
},
"V-222977": {
"checkid": "C-24649r426375_chk",
"checktext": "As an elevated user on the Tomcat server run the following command:\n\nsudo grep -i ErrorReportValve $CATALINA_BASE/conf/server.xml\n\nIf the ErrorReportValve element is not defined, or showReport is not set to \"false\", this is a finding.\n\nEXAMPLE:\n\n ...\n \n ...\n",
"description": "The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return pre-defined static HTML pages for specific status codes and/or exception types. Disabling showReport will result in no error message or stack trace being sent to the client. This setting can be tailored on a per-application basis within each application-specific web.xml.",
"fixid": "F-24638r426376_fix",
"fixtext": "As a privileged user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nCreate or modify an ErrorReportValve element nested beneath each element.\n\nEXAMPLE:\n\n...\n\n\n\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222977",
"ruleID": "SV-222977r615938_rule",
"severity": "medium",
"title": "ErrorReportValve showReport must be set to false.",
"version": "TCAT-AS-000940"
},
"V-222978": {
"checkid": "C-24650r426378_chk",
"checktext": "From the Tomcat server, cd to the $CATALINA_HOME/bin folder. Run the version.sh command and identify the following information that is provided:\nServer version:\nServer built:\nServer number:\n\nEXAMPLE:\nServer version: Apache Tomcat\nServer built: July 4 2019 14:20:06 UTC\nServer number: 9.0.22.0\n\nIf additional version information is required, refer to the Apache Tomcat version 9 change log on the Apache Tomcat website for historical version information. Google \"Apache Tomcat 9 changelog\".\n\nIf server.info=\"Apache Tomcat\" or server.number=the valid Tomcat version, this is a finding.",
"description": "A first order of attack is to identify vulnerable servers and services. Removing version information that would otherwise be provided when a client requests version data or receives an error message can limit automated attack attempts. Remove or replace the version string from HTTP error messages by repacking $CATALINA_HOME/server/lib/catalina.jar with an updated ServerInfo.properties file. This will modify the server information that is provided in error and warning responses.",
"fixid": "F-24639r426379_fix",
"fixtext": "From the Tomcat server, cd to the $CATALINA_HOME/lib folder. As a privileged user run the following case sensitive command:\n\nsudo jar -xf catalina.jar org/apache/catalina/util/ServerInfo.properties\n\nEdit the ServerInfo.properties file.\nsudo nano org/apache/catalina/util/ServerInfo.properties\n\nChange server.info and server.number to read:\nserver.info=\nserver.number=\n\nEXAMPLE:\nserver.info=\"Standard Server\"\nserver.number=1.0.2.11\n\nSave the ServerInfo.properties file.\n\nRun the following command to update the catalina.jar file:\nsudo jar -uf catalina.jar org/apache/catalina/util/ServerInfo.properties\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat\nsudo rm -rf $CATALINA_HOME/lib/org",
"iacontrols": null,
"id": "V-222978",
"ruleID": "SV-222978r615938_rule",
"severity": "low",
"title": "Tomcat server version must not be sent with warnings and errors.",
"version": "TCAT-AS-000950"
},
"V-222979": {
"checkid": "C-24651r426381_chk",
"checktext": "If the manager application has been deleted from the system, this is not a finding. \n\nFrom the Tomcat server as a privileged user, run the following commands:\n\nsudo grep -i session-timeout $CATALINA_BASE/webapps/manager/META-INF/web.xml\n\nsudo grep -i session-timeout $CATALINA_BASE/conf/web.xml\n\nIf the session-timeout setting is not configured to be 10 minutes in at least one of these files, this is a finding.",
"description": "Tomcat can set idle session timeouts on a per application basis. The management application is provided with the Tomcat installation and is used to manage the applications that are installed on the Tomcat Server. Setting the idle timeout for the management application will kill the admin user's session after 10 minutes of inactivity. This will limit the opportunity for unauthorized persons to hijack the admin session. This setting will also affect the default timeout behavior of all hosted web applications. To adjust the individual hosted application settings that are not related to management of the system, modify the individual application web.xml file if application timeout requirements differ from the STIG.\n\nSatisfies: SRG-APP-000389, SRG-APP-000220",
"fixid": "F-24640r622488_fix",
"fixtext": "From the Tomcat server as a privileged user:\n\nTo affect session timeout for all applications including the management application, edit the:\n$CATALINA_BASE/conf/web.xml file.\n\nTo affect session timeout for the management application only, edit the:\n$CATALINA_BASE/webapps/manager/META-INF/web.xml file. \n\nLocate the session-timeout setting located within the session-config element.\n\nModify the session-timeout setting to be 10 minutes.\n\nSave the file.\n\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222979",
"ruleID": "SV-222979r615938_rule",
"severity": "medium",
"title": "Idle timeout for management application must be set to 10 minutes.",
"version": "TCAT-AS-000970"
},
"V-222980": {
"checkid": "C-24652r426384_chk",
"checktext": "From the Tomcat server console, run the following command:\n\nsudo grep -i LockOutRealm $CATALINA_BASE/conf/server.xml\n\nIf there are no results or if the LockOutRealm is not used for the Tomcat management application context, this is a finding.",
"description": "A LockOutRealm adds the ability to lock a user out after multiple failed logins. LockOutRealm is an implementation of the Tomcat Realm interface that extends the CombinedRealm to provide user lock out functionality if there are too many failed authentication attempts in a given period of time. A LockOutRealm is created by wrapping around a standard realm such as a JNDI Directory Realm which connects Tomcat to an LDAP Directory. \n\nA Catalina container (Engine, Host, or Context) may contain no more than one Realm element (although this one Realm may itself contain multiple nested Realms). In addition, the Realm associated with an Engine or a Host is automatically inherited by lower-level containers unless the lower level container explicitly defines its own Realm. If no Realm is configured for the Engine, an instance of the Null Realm will be configured for the Engine automatically.",
"fixid": "F-24641r426385_fix",
"fixtext": "From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.\n\nsudo nano $CATALINA_BASE/conf/server.xml\n\nLocate or add the LockOutRealm element. Make sure the LockOutRealm element is applied to the management application at a minimum (if the management application is in use on the system). This is done by ensuring the LockOutRealm is nested under the Engine, Host, or directly within the management application Context container.\n\nEXAMPLE:\n\n \n...\n",
"iacontrols": null,
"id": "V-222980",
"ruleID": "SV-222980r615938_rule",
"severity": "medium",
"title": "LockOutRealms must be used for management of Tomcat.",
"version": "TCAT-AS-001020"
},
"V-222981": {
"checkid": "C-24653r426387_chk",
"checktext": "From the Tomcat server console, run the following command:\n\nsudo grep -i LockOutRealm $CATALINA_BASE/conf/server.xml\n\nIf there are no results or if the LockOutRealm failureCount setting is not configured to 5, this is a finding.",
"description": "A LockOutRealm adds the ability to lock a user out after multiple failed logins. Setting the failureCount attribute to 5 will lock out a user account after 5 failed attempts. \n\nLockOutRealm is an implementation of the Tomcat Realm interface that extends the CombinedRealm to provide user lock out functionality if there are too many failed authentication attempts in a given period of time. A LockOutRealm is created by wrapping around a standard realm such as a JNDI Directory Realm which connects Tomcat to an LDAP Directory.\n\nA Catalina container (Engine, Host, or Context) may contain no more than one Realm element (although this one Realm may itself contain multiple nested Realms). In addition, the Realm associated with an Engine or a Host is automatically inherited by lower-level containers unless the lower level container explicitly defines its own Realm. If no Realm is configured for the Engine, an instance of the Null Realm will be configured for the Engine automatically.",
"fixid": "F-24642r426388_fix",
"fixtext": "From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.\n\nsudo nano $CATALINA_BASE/conf/server.xml\n\nLocate or add the LockOutRealm element. Set LockOutRealm failureCount=\"5\".\n\nEXAMPLE:\n \n...\n",
"iacontrols": null,
"id": "V-222981",
"ruleID": "SV-222981r615938_rule",
"severity": "medium",
"title": "LockOutRealms failureCount attribute must be set to 5 failed logins for admin users.",
"version": "TCAT-AS-001030"
},
"V-222982": {
"checkid": "C-24654r426390_chk",
"checktext": "From the Tomcat server console, run the following command:\n\nsudo grep -i LockOutRealm $CATALINA_BASE/conf/server.xml\n\nIf there are no results or if the LockOutRealm lockOutTime setting is not configured to 600 (10 minutes), this is a finding.",
"description": "A LockOutRealm adds the ability to specify a lockout time that prevents further attempts after multiple failed logins. Setting the lockOutTime attribute to 600 will lock out a user account for 10 minutes. Further authentication failures during the lock out time will cause the lock out timer to reset to zero, effectively extending the lockout time. Valid authentication attempts during the lockout period will not succeed but will also not reset the lockout time.\n\nLockOutRealm is an implementation of the Tomcat Realm interface that extends the CombinedRealm to provide user lock out functionality if there are too many failed authentication attempts in a given period of time. A LockOutRealm is created by wrapping around a standard realm such as a JNDI Directory Realm which connects Tomcat to an LDAP Directory. \n\nA Catalina container (Engine, Host, or Context) may contain no more than one Realm element (although this one Realm may itself contain multiple nested Realms). In addition, the Realm associated with an Engine or a Host is automatically inherited by lower-level containers unless the lower level container explicitly defines its own Realm. If no Realm is configured for the Engine, an instance of the Null Realm will be configured for the Engine automatically.",
"fixid": "F-24643r426391_fix",
"fixtext": "From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.\n\nsudo nano $CATALINA_BASE/conf/server.xml\n\nLocate or add the LockOutRealm element. Set lockOutTime=\"600\".\n\nEXAMPLE:\n \n...\n",
"iacontrols": null,
"id": "V-222982",
"ruleID": "SV-222982r615938_rule",
"severity": "low",
"title": "LockOutRealms lockOutTime attribute must be set to 600 seconds (10 minutes) for admin users.",
"version": "TCAT-AS-001040"
},
"V-222983": {
"checkid": "C-24655r426393_chk",
"checktext": "From the command line of the Tomcat server type the following command:\n\nsudo cat /etc/passwd|grep -i tomcat\n\nIf the command/shell field of the passwd file is not set to \"/usr/sbin/nologin\", this is a finding.",
"description": "When installing Tomcat, a user account is created on the OS. This account is used in order for Tomcat to be able to operate on the OS but does not require the ability to actually log in to the system. Therefore, when the account is created, the account must not be provided access to a login shell or other program on the system. This is done by specifying the \"nologin\" parameter in the command/shell field of the passwd file.",
"fixid": "F-24644r426394_fix",
"fixtext": "From the Tomcat command line type the following command:\n\nsudo usermod -s /usr/sbin/nologin tomcat",
"iacontrols": null,
"id": "V-222983",
"ruleID": "SV-222983r615938_rule",
"severity": "medium",
"title": "Tomcat user account must be set to nologin.",
"version": "TCAT-AS-001050"
},
"V-222984": {
"checkid": "C-24656r426396_chk",
"checktext": "Run the following command to identify the Tomcat process UID:\nps -ef | { head -1; grep catalina; } | cut -f1 -d\" \"\n\nRun the following command to obtain the OS user ID tied to the Tomcat process:\ncat /etc/passwd|grep -i |cut -f3 -d:\n\nIf the user ID field of the passwd file is set to < 1000 or = 0, this is a finding.",
"description": "Use a distinct non-privileged user account for running Tomcat. If Tomcat processes are compromised and a privileged user account is used to operate the Tomcat server processes, the entire system becomes compromised.\n\nSample passwd file:\ntomcat:x:1001:1001::/opt/tomcat:/usr/sbin/nologin\n\nThe user ID is stored in field 3 of the passwd file.",
"fixid": "F-24645r426397_fix",
"fixtext": "From the Tomcat server, create a tomcat user by adding a new non-privileged user OS account with the following command:\n \nsudo useradd tomcat\n\nEdit the systemd tomcat.service file or create one if it does not exist. Use the new \"tomcat\" user account by setting: User=tomcat\n\nLocation of the file should be /etc/systemd/system/tomcat.service.\n\nEnable the Tomcat service:\nsudo restorecon /etc/systemd/system/tomcat.service\nsudo chmod 644 /etc/systemd/system/tomcat.service\nsudo systemctl enable tomcat.service\n\nStart Tomcat:\nsudo systemctl start tomcat",
"iacontrols": null,
"id": "V-222984",
"ruleID": "SV-222984r615938_rule",
"severity": "medium",
"title": "Tomcat user account must be a non-privileged user.",
"version": "TCAT-AS-001060"
},
"V-222985": {
"checkid": "C-24657r426399_chk",
"checktext": "As an elevated user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nReview all \"Valve\" elements.\n\nIf the pattern= statement does not include %u, this is a finding.\n\nEXAMPLE:\n\n...\n\n ...\n",
"description": "The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/server.xml configuration file: The %u pattern code is included in the pattern element and logs the username used to authenticate to an application. Including the username pattern in the log configuration provides useful information about the application user who is logging in, which is critical for troubleshooting and forensic investigations.",
"fixid": "F-24646r426400_fix",
"fixtext": "As a privileged user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nModify the element that is nested beneath the element. Change the AccessLogValve setting to include %u in the pattern= statement.\n\nEXAMPLE:\n\n...\n\n ...\n\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222985",
"ruleID": "SV-222985r615938_rule",
"severity": "low",
"title": "Application user name must be logged.",
"version": "TCAT-AS-001080"
},
"V-222986": {
"checkid": "C-24658r426402_chk",
"checktext": "Access the Tomcat server from the command line and execute the following OS command:\n\nsudo find $CATALINA_HOME -follow -maxdepth 0 \\( ! -user root -o ! -group tomcat \\) -ls\n\nIf no folders are displayed, this is not a finding.\n\nIf results indicate the $CATALINA_HOME folder ownership and group membership is not set to root:tomcat, this is a finding.",
"description": "Tomcat file permissions must be restricted. The standard configuration is to have the folder where Tomcat is installed owned by the root user with the group set to tomcat. The $CATALINA_HOME environment variable should be set to the location of the root directory of the \"binary\" distribution of Tomcat.",
"fixid": "F-24647r426403_fix",
"fixtext": "Run the following commands on the Tomcat server:\n\nsudo find $CATALINA_HOME -maxdepth 0 \\( ! -user root \\) | sudo xargs chown root\n\nsudo find $CATALINA_HOME -maxdepth 0 \\( ! -group tomcat \\) | sudo xargs chgrp tomcat",
"iacontrols": null,
"id": "V-222986",
"ruleID": "SV-222986r615938_rule",
"severity": "medium",
"title": "$CATALINA_HOME folder must be owned by the root user, group tomcat.",
"version": "TCAT-AS-001200"
},
"V-222987": {
"checkid": "C-24659r426405_chk",
"checktext": "Access the Tomcat server from the command line and execute the following OS command:\n\nsudo find $CATALINA_BASE/conf -follow -maxdepth 0 \\( ! -user root -o ! -group tomcat \\) -ls\n\nIf ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the group permissions are set in accordance with the risk acceptance. Ownership must not be changed.\n\nIf no folders are displayed, this is not a finding.\n\nIf results indicate the $CATALINA_BASE/conf folder ownership and group membership is not set to root:tomcat, this is a finding.",
"description": "Tomcat file permissions must be restricted. The standard configuration is to have Tomcat files contained in the conf/ folder as members of the \"tomcat\" group. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions. Note that running Tomcat in a Docker environment can impact how file permissions and user ownership settings are applied. Due to associated Docker configuration complexities, the STIG is scoped for standalone rather than virtual Docker deployments.\n\nIf the ISSM determines the operational need to allow application admins access to change the Tomcat configuration outweighs the risk of limiting that access, then they can change the group membership to accommodate. Ownership must not be changed. The ISSM should take the exposure of the system to high risk networks into account.",
"fixid": "F-24648r426406_fix",
"fixtext": "If operational/application requirements specify different group file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance. Ownership must not be changed. \n\nRun the following commands on the Tomcat server:\n\nsudo find $CATALINA_BASE/conf -maxdepth 0 \\( ! -user root \\) | sudo xargs chown root\n\nsudo find $CATALINA_BASE/conf -maxdepth 0 \\( ! -group tomcat \\) | sudo xargs chgrp tomcat",
"iacontrols": null,
"id": "V-222987",
"ruleID": "SV-222987r754842_rule",
"severity": "medium",
"title": "$CATALINA_BASE/conf/ folder must be owned by root, group tomcat.",
"version": "TCAT-AS-001220"
},
"V-222988": {
"checkid": "C-24660r426408_chk",
"checktext": "Access the Tomcat server from the command line and execute the following OS command:\n\nsudo find $CATALINA_BASE/logs -follow -maxdepth 0 \\( ! -user tomcat -o ! -group tomcat \\) -ls\n\nIf ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance.\n\nIf no folders are displayed, this is not a finding.\n\nIf results indicate the $CATALINA_BASE/logs folder ownership and group membership is not set to tomcat:tomcat, this is a finding.",
"description": "Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions.",
"fixid": "F-24649r426409_fix",
"fixtext": "If operational/application requirements specify different group file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance.\n\nRun the following commands on the Tomcat server:\n\nsudo find $CATALINA_BASE/logs -maxdepth 0 \\( ! -user tomcat \\) | sudo xargs chown tomcat\n\nsudo find $CATALINA_BASE/logs -maxdepth 0 \\( ! -group tomcat \\) | sudo xargs chgrp tomcat",
"iacontrols": null,
"id": "V-222988",
"ruleID": "SV-222988r754843_rule",
"severity": "medium",
"title": "$CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat.",
"version": "TCAT-AS-001250"
},
"V-222989": {
"checkid": "C-24661r426411_chk",
"checktext": "Access the Tomcat server from the command line and execute the following OS command:\n\nsudo find $CATALINA_BASE/temp -follow -maxdepth 0 \\( ! -user tomcat -o ! -group tomcat \\) -ls\n\nIf ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance.\n\nIf no folders are displayed, this is not a finding.\n\nIf results indicate the $CATALINA_BASE/temp folder ownership and group membership is not set to tomcat:tomcat, this is a finding.",
"description": "Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions.\n\nIf operational needs require application administrators to be able to change application configurations, the group permissions can be modified to allow specific application admins the access they require with an ISSM risk acceptance. Ownership may not change. The exposure of the system to high risk networks should always be taken into account.",
"fixid": "F-24650r426412_fix",
"fixtext": "If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance.\n\nRun the following commands on the Tomcat server:\n\nsudo find $CATALINA_BASE/temp -maxdepth 0 \\( ! -user tomcat \\) | sudo xargs chown tomcat\n\nsudo find $CATALINA_BASE/temp -maxdepth 0 \\( ! -group tomcat \\) | sudo xargs chgrp tomcat",
"iacontrols": null,
"id": "V-222989",
"ruleID": "SV-222989r754844_rule",
"severity": "low",
"title": "$CATALINA_BASE/temp/ folder must be owned by tomcat user, group tomcat.",
"version": "TCAT-AS-001260"
},
"V-222990": {
"checkid": "C-24662r426414_chk",
"checktext": "Access the Tomcat server from the command line and execute the following OS command:\n\nsudo find $CATALINA_BASE/temp -follow -maxdepth 0 -type d \\( \\! -perm 750 \\) -ls\n\nIf ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance.\n\nIf no folders are displayed, this is not a finding.\n\nIf results indicate the $CATALINA_BASE/temp folder permissions are not set to 750, this is a finding.",
"description": "Tomcat's file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with the group Tomcat. While root has read/write privileges, tomcat group only has read and world has no permissions. The exceptions are the logs, temp and work directory that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions.\n\nIf operational needs require application administrators to be able to change application configurations, the group permissions can be modified to allow specific application admins the access they require with an ISSM risk acceptance. Ownership may not change.",
"fixid": "F-24651r426415_fix",
"fixtext": "If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance.\n\nRun the following command on the Tomcat server:\n\nsudo find $CATALINA_BASE/temp -follow -maxdepth 0 -type d -print0 | sudo xargs -0 chmod 750",
"iacontrols": null,
"id": "V-222990",
"ruleID": "SV-222990r754845_rule",
"severity": "low",
"title": "$CATALINA_BASE/temp folder permissions must be set to 750.",
"version": "TCAT-AS-001270"
},
"V-222991": {
"checkid": "C-24663r426417_chk",
"checktext": "Access the Tomcat server from the command line and execute the following OS command:\n\nsudo find $CATALINA_BASE/work -follow -maxdepth 0 \\( ! -user tomcat -o ! -group tomcat \\) -ls\n\nIf ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance.\n\nIf no folders are displayed, this is not a finding.\n\nIf results indicate the $CATALINA_BASE/work folder ownership and group membership is not set to tomcat:tomcat, this is a finding.",
"description": "Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions.\n\nIf operational needs require application administrators to be able to change application configurations, the group permissions can be modified to allow specific application admins the access they require with an ISSM risk acceptance. Ownership may not change.",
"fixid": "F-24652r426418_fix",
"fixtext": "If operational/application requirements specify different group file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance.\n\nRun the following commands on the Tomcat server:\n\nsudo find $CATALINA_BASE/work -maxdepth 0 \\( ! -user tomcat \\) | sudo xargs chown tomcat\n\nsudo find $CATALINA_BASE/work -maxdepth 0 \\( ! -group tomcat \\) | sudo xargs chgrp tomcat",
"iacontrols": null,
"id": "V-222991",
"ruleID": "SV-222991r754846_rule",
"severity": "medium",
"title": "$CATALINA_BASE/work/ folder must be owned by tomcat user, group tomcat.",
"version": "TCAT-AS-001280"
},
"V-222993": {
"checkid": "C-24665r426423_chk",
"checktext": "If the manager application has been deleted from the Tomcat server, this is not a finding. From the Tomcat server as a privileged user, issue the following command:\n\nsudo grep -i auth-method $CATALINA_BASE/webapps/manager/WEB-INF/web.xml\n\nIf the auth-method for the web manager application is not set to CLIENT-CERT, this is a finding.",
"description": "Password authentication does not provide sufficient security control when accessing a management interface. DoD has specified that the CAC will be used when authenticating and passwords will only be used when CAC authentication is not a plausible solution. Tomcat provides the ability to do certificate based authentication and client authentication; therefore, the Tomcat server must be configured to use CAC.\n\nSatisfies: SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248",
"fixid": "F-24654r426424_fix",
"fixtext": "From the Tomcat server as a privileged user, edit the $CATALINA_BASE/webapps/manager/WEB-INF/web.xml file and modify the auth-method for the manager application security constraint.\n\nsudo nano $CATALINA_BASE/webapps/manager/WEB-INF/web.xml\n\nLocate the auth-method element and modify it to specify CLIENT-CERT.\n\nEXAMPLE:\nCLIENT-CERT\n\nIn addition, the connector used for accessing the manager application must be configured to require client authentication by setting clientAuth=\"true\", and the manager application roles must be configured in the LDAP server.\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat",
"iacontrols": null,
"id": "V-222993",
"ruleID": "SV-222993r615938_rule",
"severity": "medium",
"title": "Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.",
"version": "TCAT-AS-001320"
},
"V-222994": {
"checkid": "C-24666r426426_chk",
"checktext": "For the systemd Ubuntu OS, check the tomcat.service file to read the content of the JAVA_OPTS environment variable setting.\n\nsudo cat /etc/systemd/system/tomcat.service |grep -i truststore\n\nEXAMPLE output:\nset JAVA_OPTS=\"-Djavax.net.ssl.trustStore=/path/to/truststore\" \"-Djavax.net.ssl.trustStorePassword=************\"\n\nIf the variable is not set, use the default location command below. If the variable is set, use the alternate location command below and include the path and truststore file. \n\n-Default location:\nkeytool -list -cacerts -v | grep -i issuer\n\n-Alternate location:\nkeytool -list -keystore -v |grep -i issuer\n\nIf there are no CA certificates issued by a Certificate Authority (CA) that is part of the DoD PKI/PKE, this is a finding.",
"description": "Use of self-signed certificates creates a lack of integrity and invalidates the certificate based authentication trust model. Certificates used by production systems must be issued/signed by a trusted Root CA and cannot be self-signed. For systems that communicate with industry partners, the DoD ECA program supports the issuance of DoD-approved certificates to industry partners. For information on the DoD ECA program, refer to the DoD PKI office. Links to their site are available on https://public.cyber.mil.",
"fixid": "F-24655r426427_fix",
"fixtext": "Obtain and install the DoD PKI CA certificate bundles by accessing the DoD PKI office website at https://cyber.mil/pki-pke.\n\nDownload the certificate bundles and then use certificate management utilities such as keytool or openssl to import the DoD CA certificates into the trust store.",
"iacontrols": null,
"id": "V-222994",
"ruleID": "SV-222994r615938_rule",
"severity": "medium",
"title": "Certificates in the trust store must be issued/signed by an approved CA.",
"version": "TCAT-AS-001430"
},
"V-222995": {
"checkid": "C-24667r426429_chk",
"checktext": "This requirement only applies to a system that is categorized as high within the Risk Management Framework (RMF).\n\nReview the System Security Plan (SSP) or other system documentation that specifies the operational uptime requirements and RMF system categorization.\n\nIf the system is categorized as high, from the Tomcat server as a privileged user, run the following command:\n\nsudo grep -i -A10 -B2 \"Cluster\" $CATALINA_BASE/conf/server.xml\n\nIf the element is commented out, or no results returned, then the system is not clustered and this is a finding.",
"description": "A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the application server, the hosted application and data are given a platform that is load-balanced and provided high-availability.",
"fixid": "F-24656r426430_fix",
"fixtext": "From the Tomcat server as a privileged user, modify the $CATALINA_BASE/conf/server.xml file.\n\nUncomment the \"Cluster\" element and configure the system into a cluster as per the Tomcat clustering documentation provided at the Tomcat website.\n\nhttps://tomcat.apache.org/tomcat-9.0-doc/config/cluster.html",
"iacontrols": null,
"id": "V-222995",
"ruleID": "SV-222995r615938_rule",
"severity": "medium",
"title": "The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster.",
"version": "TCAT-AS-001460"
},
"V-222996": {
"checkid": "C-24668r814095_chk",
"checktext": "Refer to https://tomcat.apache.org/security-9.html and identify the latest secure version of Tomcat with no known vulnerabilities.\n\nAs a privileged user from the Tomcat server, run the following command:\n\nsudo $CATALINA_HOME/bin/version.sh |grep -i server\n\nCompare the version running on the system to the latest secure version of Tomcat.\n\nNote: If TCAT-AS-000950 is compliant, users may need to leverage a different management interface. There is commonly a version.bat script in CATALINA_HOME/bin that will also output the current version of Tomcat.\n\nIf the latest secure version of Tomcat is not installed, this is a finding.",
"description": "Tomcat is constantly being updated to address newly discovered vulnerabilities, some of which include denial-of-service attacks. To address this risk, the Tomcat administrator must ensure the system remains up to date on patches.\n\nSatisfies: SRG-APP-000435-AS-000163, SRG-APP-000456-AS-000266",
"fixid": "F-24657r426433_fix",
"fixtext": "Follow operational procedures for upgrading Tomcat. Download latest version of Tomcat and install in a test environment. Test applications that are running in production and follow all operations best practices when upgrading the production Tomcat application servers.\n\nUpdate the Tomcat production instance accordingly and ensure corrected builds are installed once tested and verified.",
"iacontrols": null,
"id": "V-222996",
"ruleID": "SV-222996r814096_rule",
"severity": "medium",
"title": "Tomcat server must be patched for security vulnerabilities.",
"version": "TCAT-AS-001470"
},
"V-222997": {
"checkid": "C-24669r426435_chk",
"checktext": "As an elevated user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nReview the element. Ensure one AccessLog element is nested within the Engine element. \n\nIf a element is not defined, this is a finding.\n\nEXAMPLE:\n\n ...\n \n ...\n",
"description": "The container represents the entire request processing machinery associated with a particular Catalina Service. It receives and processes all requests from one or more Connectors, and returns the completed response to the Connector for transmission back to the client. The AccessLogValve will log activity for the Catalina service.\n\nExactly one Engine element MUST be nested inside a Service element, following all of the corresponding Connector elements associated with the Service.\n\nSatisfies: SRG-APP-000495-AS-000220, SRG-APP-000381-AS-000089, SRG-APP-000499-AS-000224, SRG-APP-000504-AS-000229",
"fixid": "F-24658r426436_fix",
"fixtext": "As a privileged user on the Tomcat server:\n\nEdit the $CATALINA_BASE/conf/server.xml file.\n\nCreate a element that is nested beneath the element containing an AccessLogValve. \n\nEXAMPLE:\n\n...\n\n ...\n\n\nRestart the Tomcat server:\nsudo systemctl restart tomcat\nsudo systemctl daemon-reload",
"iacontrols": null,
"id": "V-222997",
"ruleID": "SV-222997r615938_rule",
"severity": "medium",
"title": "AccessLogValve must be configured for Catalina engine.",
"version": "TCAT-AS-001560"
},
"V-222998": {
"checkid": "C-24670r426438_chk",
"checktext": "Run the following commands from the Tomcat server as a privileged user:\n\nIdentify the home folder for the Tomcat server.\n\nsudo grep -i -- 'catalina_home\\|catalina_base' /etc/systemd/system/tomcat.service\n\nCheck the audit rules for the Tomcat folders.\n\nsudo auditctl -l $CATALINA_HOME/bin |grep -i bin\n\nIf the results do not include -w $CATALINA_HOME/bin -p wa -k tomcat, or if there are no results, this is a finding.",
"description": "The $CATALINA_HOME/bin folder contains startup and control scripts for the Tomcat Catalina server. To provide forensic evidence in the event of file tampering, changes to content in this folder must be logged. For Linux OS flavors other than Ubuntu, use the relevant OS commands. This can be done on the Ubuntu OS via the auditctl command. The -p wa flag sets the permissions flags for a file system watch so that file attribute and content change events are logged to syslog.",
"fixid": "F-24659r426439_fix",
"fixtext": "From the Tomcat server as a privileged user, use the auditctl command.\n\nsudo auditctl -w $CATALINA_HOME/bin -p wa -k tomcat\n\nValidate the audit watch was created.\nsudo auditctl -l\n\nThe user should see:\n-w $CATALINA_HOME/bin -p wa -k tomcat",
"iacontrols": null,
"id": "V-222998",
"ruleID": "SV-222998r615938_rule",
"severity": "medium",
"title": "Changes to $CATALINA_HOME/bin/ folder must be logged.",
"version": "TCAT-AS-001590"
},
"V-222999": {
"checkid": "C-24671r426441_chk",
"checktext": "Run the following commands from the Tomcat server as a privileged user:\n\nIdentify the home folder for the Tomcat server.\n\nsudo grep -i -- 'catalina_home\\|catalina_base' /etc/systemd/system/tomcat.service\n\nCheck the audit rules for the Tomcat folders.\n\nsudo auditctl -l $CATALINA_HOME/bin |grep -i conf\n\nIf the results do not include -w $CATALINA_BASE/conf -p wa -k tomcat, or if there are no results, this is a finding.",
"description": "The $CATALINA_BASE/conf folder contains configuration files for the Tomcat Catalina server. To provide forensic evidence in the event of file tampering, changes to contents in this folder must be logged. For Linux OS flavors other than Ubuntu, use the relevant OS commands. This can be done on the Ubuntu OS via the auditctl command. The -p wa flag sets the permissions flags for a file system watch so that file attribute and content change events are logged to syslog.",
"fixid": "F-24660r426442_fix",
"fixtext": "From the Tomcat server as a privileged user, use the auditctl command.\n\nsudo auditctl -w $CATALINA_BASE/conf -p wa -k tomcat\n\nValidate the audit watch was created.\nsudo auditctl -l\n\nThe user should see:\n-w $CATALINA_BASE/conf -p wa -k tomcat",
"iacontrols": null,
"id": "V-222999",
"ruleID": "SV-222999r615938_rule",
"severity": "medium",
"title": "Changes to $CATALINA_BASE/conf/ folder must be logged.",
"version": "TCAT-AS-001591"
},
"V-223000": {
"checkid": "C-24672r426444_chk",
"checktext": "Run the following commands from the Tomcat server as a privileged user:\n\nIdentify the home folder for the Tomcat server.\n\nsudo grep -i -- 'catalina_home\\|catalina_base' /etc/systemd/system/tomcat.service\n\nCheck the audit rules for the Tomcat folders.\n\nsudo auditctl -l | grep -i lib\n\nIf the results do not include -w $CATALINA_HOME/lib -p wa -k tomcat, or if there are no results, this is a finding.",
"description": "The $CATALINA_HOME/lib folder contains library files for the Tomcat Catalina server. These are in the form of Java archive (jar) files. To provide forensic evidence in the event of file tampering, changes to contents in this folder must be logged. For Linux OS flavors other than Ubuntu, use the relevant OS commands. On the Ubuntu OS this can be done via the auditctl command. The -p wa flag sets the permissions for a file system watch so that file attribute and content change events are logged into syslog.",
"fixid": "F-24661r426445_fix",
"fixtext": "From the Tomcat server as a privileged user, use the auditctl command.\n\nsudo auditctl -w $CATALINA_HOME/lib -p wa -k tomcat\n\nValidate the audit watch was created.\nsudo auditctl -l\n\nThe user should see:\n-w $CATALINA_HOME/lib -p wa -k tomcat",
"iacontrols": null,
"id": "V-223000",
"ruleID": "SV-223000r615938_rule",
"severity": "medium",
"title": "Changes to $CATALINA_HOME/lib/ folder must be logged.",
"version": "TCAT-AS-001592"
},
"V-223001": {
"checkid": "C-24673r426447_chk",
"checktext": "For the systemd Ubuntu OS, check the tomcat.service file to read the content of the JAVA_OPTS environment variable setting.\n\nsudo cat /etc/systemd/system/tomcat.service | grep -i truststore\n\nEXAMPLE output:\nset JAVA_OPTS=\"-Djavax.net.ssl.trustStore=/path/to/truststore\" \"-Djavax.net.ssl.trustStorePassword=************\"\n\nIf the variable is not set, use the default location command below. If the variable is set, use the alternate location command below and include the path and truststore file.\n\n-Default location:\nkeytool -list -cacerts -v | grep -i issuer\n\n-Alternate location:\nkeytool -list -keystore /path/to/truststore -v | grep -i issuer\n\nIf there are no CA certificates issued by a Certificate Authority (CA) that is part of the DoD PKI/PKE, this is a finding.",
"description": "Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The application server must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business-to-business transactions.",
"fixid": "F-24662r426448_fix",
"fixtext": "Obtain and install the DoD PKI CA certificate bundles by accessing the DoD PKI office website at cyber.mil/pki-pke.\n\nImport the DoD CA certificates.",
"iacontrols": null,
"id": "V-223001",
"ruleID": "SV-223001r615938_rule",
"severity": "low",
"title": "Application servers must use NIST-approved or NSA-approved key management technology and processes.",
"version": "TCAT-AS-001640"
},
"V-223002": {
"checkid": "C-24674r426450_chk",
"checktext": "If the system has an ISSM risk acceptance for operational issues that arise due to this setting, this is not a finding.\n\nFrom the Tomcat server as a privileged user, run the following command:\n\nsudo grep -i strict_servlet /etc/systemd/system/tomcat.service\n\nIf there are no results, or if -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE is not set to true, this is a finding.",
"description": "Strict Servlet Compliance forces Tomcat to adhere to standards specifications including but not limited to RFC2109. RFC2109 sets the standard for HTTP session management. This setting affects several settings which primarily pertain to cookie headers, cookie values, and sessions. Cookies will be parsed for strict adherence to specifications.\n\nNote that changing a number of these default settings may break some systems, as some browsers are unable to correctly handle the cookie headers that result from a strict adherence to the specifications.\n\nThis one setting changes the default values for the following settings:\n\norg.apache.catalina.core.ApplicationContext.GET_RESOURCE_REQUIRE_SLASH\norg.apache.catalina.core.ApplicationDispatcher.WRAP_SAME_OBJECT\norg.apache.catalina.core.StandardHostValve.ACCESS_SESSION\norg.apache.catalina.session.StandardSession.ACTIVITY_CHECK\norg.apache.catalina.session.StandardSession.LAST_ACCESS_AT_START\norg.apache.tomcat.util.http.ServerCookie.ALWAYS_ADD_EXPIRES\norg.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR\norg.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER\norg.apache.tomcat.util.http.ServerCookie.STRICT_NAMING\nThe resourceOnlyServlets attribute of any Context element.\nThe tldValidation attribute of any Context element.\nThe useRelativeRedirects attribute of any Context element.\nThe xmlNamespaceAware attribute of any Context element.\nThe xmlValidation attribute of any Context element.",
"fixid": "F-24663r426451_fix",
"fixtext": "From the Tomcat server as a privileged user:\n\nEdit the /etc/systemd/system/tomcat.service file and either add or edit the org.apache.catalina.STRICT_SERVLET_COMPLIANCE setting.\n\nSet org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true\n\nEXAMPLE:\n\nEnvironment='CATALINA_OPTS=-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true'\n\nReload the unit definition and restart the Tomcat server:\nsudo systemctl daemon-reload\nsudo systemctl restart tomcat",
"iacontrols": null,
"id": "V-223002",
"ruleID": "SV-223002r615938_rule",
"severity": "low",
"title": "STRICT_SERVLET_COMPLIANCE must be set to true.",
"version": "TCAT-AS-001660"
},
"V-223003": {
"checkid": "C-24675r426453_chk",
"checktext": "From the Tomcat server as a privileged user, run the following command:\n\nsudo grep -i recycle_facades /etc/systemd/system/tomcat.service\n\nIf there are no results, or if org.apache.catalina.connector.RECYCLE_FACADES is not set to \"true\", this is a finding.",
"description": "If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a bug in an application might expose data from one request to another. This setting is configured using environment variable settings. For Linux OS flavors other than Ubuntu, use the relevant OS commands. For Ubuntu, this setting can be managed in the /etc/systemd/system/tomcat.service file via the CATALINA_OPTS variable. This setting is defined in the file and referenced during Tomcat startup in order to load Tomcat environment variables.\n\nTechnically, the tomcat.service file referenced in the check and fix could have a different name. For STIG purposes, and to provide a standard name that can be referred to and is obviously used for Tomcat, tomcat.service was chosen.",
"fixid": "F-24664r426454_fix",
"fixtext": "From the Tomcat server as a privileged user:\n\nEdit the /etc/systemd/system/tomcat.service file and either add or edit the org.apache.catalina.connector.RECYCLE_FACADES setting.\n\nSet org.apache.catalina.connector.RECYCLE_FACADES=true\n\nEXAMPLE:\nEnvironment='CATALINA_OPTS=-Dorg.apache.catalina.connector.RECYCLE_FACADES=true'\n\nReload the unit definition and restart the Tomcat server:\nsudo systemctl daemon-reload\nsudo systemctl restart tomcat",
"iacontrols": null,
"id": "V-223003",
"ruleID": "SV-223003r615938_rule",
"severity": "low",
"title": "RECYCLE_FACADES must be set to true.",
"version": "TCAT-AS-001670"
},
"V-223004": {
"checkid": "C-24676r426456_chk",
"checktext": "If the ISSO has accepted the risk for enabling the ALLOW_BACKSLASH setting, this requirement is NA.\n\nFrom the Tomcat server as an elevated user, run the following commands:\n\nsudo grep -i ALLOW_BACKSLASH $CATALINA_BASE/conf/catalina.properties\n\nsudo grep -i catalina_opts /etc/systemd/system/tomcat.service\n\nIf org.apache.catalina.connector.ALLOW_BACKSLASH=true, this is a finding.",
"description": "When Tomcat is installed behind a proxy configured to only allow access to certain Tomcat contexts (web applications), an HTTP request containing \"/\\../\" may allow attackers to work around the proxy restrictions using directory traversal attack methods. If allow_backslash is true, the '\\' character will be permitted as a path delimiter. The default value for the setting is false, but Tomcat should always be configured as if no proxy restricting context access were used, and allow_backslash should be set to false to prevent directory traversal style attacks. This setting can create operability issues with non-compliant clients. In order to accommodate a non-compliant client, any deviation from the STIG setting must be approved by the ISSO.",
"fixid": "F-24665r426457_fix",
"fixtext": "As a privileged user on the Tomcat server:\n\nIf the finding is in the catalina.properties file, edit the $CATALINA_BASE/conf/catalina.properties file.\n\nsudo nano $CATALINA_BASE/conf/catalina.properties\n\nChange the org.apache.catalina.connector.ALLOW_BACKSLASH=true setting to =false.\n\nIf the finding is in the /etc/systemd/system/tomcat.service file, edit the file using a text editor.\n\nsudo nano /etc/systemd/system/tomcat.service\n\nLocate the \"Environment='CATALINA_OPTS=\" line and change the -Dorg.apache.catalina.connector.ALLOW_BACKSLASH=true setting to =false.\n\nReload the unit definition and restart Tomcat by running the following commands:\nsudo systemctl daemon-reload\nsudo systemctl restart tomcat",
"iacontrols": null,
"id": "V-223004",
"ruleID": "SV-223004r615938_rule",
"severity": "medium",
"title": "ALLOW_BACKSLASH must be set to false.",
"version": "TCAT-AS-001680"
},
"V-223005": {
"checkid": "C-24677r426459_chk",
"checktext": "From the Tomcat server as a privileged user, run the following command:\n\nsudo grep -i enforce_encoding /etc/systemd/system/tomcat.service\n\nIf there are no results, or if org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER is not set to \"true\", this is a finding.",
"description": "Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret the content as UTF-7 when the characters are safe for ISO-8859-1. This can create the potential for an XSS attack. To defend against this, enforce_encoding_in_get_writer must be set to true.",
"fixid": "F-24666r426460_fix",
"fixtext": "From the Tomcat server as a privileged user:\n\nEdit the /etc/systemd/system/tomcat.service file, and either add or edit the org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER setting.\n\nSet org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true\n\nEXAMPLE:\nEnvironment='CATALINA_OPTS=-Dorg.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true'\n\nReload the unit definition and restart the Tomcat server:\nsudo systemctl daemon-reload\nsudo systemctl restart tomcat",
"iacontrols": null,
"id": "V-223005",
"ruleID": "SV-223005r615938_rule",
"severity": "medium",
"title": "ENFORCE_ENCODING_IN_GET_WRITER must be set to true.",
"version": "TCAT-AS-001690"
},
"V-223006": {
"checkid": "C-24678r426462_chk",
"checktext": "Review the Tomcat server's System Security Plan/server documentation.\n\nEnsure that user accounts and roles with access to Tomcat management features, such as the \"manager-script\" role, are documented and approved by the ISSO.\n\nIf the ISSO has not approved the documented roles and users who have management rights to the Tomcat server, this is a finding.",
"description": "Deploying applications to Tomcat requires a Tomcat user account that is in the \"manager-script\" role. Any user accounts in a Tomcat management role must be approved by the ISSO.",
"fixid": "F-24667r426463_fix",
"fixtext": "Document the users and the roles that have been defined for use with the Tomcat server.\n\nEnsure that all users and roles with access to Tomcat management features and capabilities are approved by the ISSO.",
"iacontrols": null,
"id": "V-223006",
"ruleID": "SV-223006r615938_rule",
"severity": "medium",
"title": "Tomcat users in a management role must be approved by the ISSO.",
"version": "TCAT-AS-001700"
},
"V-223007": {
"checkid": "C-24679r426465_chk",
"checktext": "Review the Tomcat server's System Security Plan/server documentation.\n\nAccess the Tomcat server and review the $CATALINA_BASE/webapps folder.\n\nEnsure that all webapps are documented in the SSP.\n\nIf the applications that are hosted on the Tomcat server are not documented in the SSP, this is a finding.",
"description": "The ISSM/ISSO must be cognizant of all applications operating on the Tomcat server, and must address any security implications associated with the operation of the applications.\n\nIf unknown/undocumented applications are operating on the Tomcat server, these applications increase risk for the system due to not being managed, patched or monitored for unapproved activity on the system.",
"fixid": "F-24668r426466_fix",
"fixtext": "Document the applications that have an ATO on the Tomcat server.\n\nRetain the information in the SSP and present to the auditor in the event of a CCRI.",
"iacontrols": null,
"id": "V-223007",
"ruleID": "SV-223007r615938_rule",
"severity": "low",
"title": "Hosted applications must be documented in the system security plan.",
"version": "TCAT-AS-001710"
},
"V-223008": {
"checkid": "C-24680r426468_chk",
"checktext": "Review the Tomcat server's System Security Plan/server documentation.\n\nAccess the Tomcat server and review the server.xml file.\n\ngrep -i \"connector port\" $CATALINA_BASE/conf/server.xml\n\nCompare the active Connectors and their associated IP ports with the Connectors documented and approved in the SSP.\n\nIf the Connectors that are configured on the Tomcat server are not approved by the ISSO and documented in the SSP, this is a finding.",
"description": "Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP and then sends back the results to the requestor. A port and a protocol are tied to each connector. Only connectors approved by the ISSO must be installed. ISSO review will consist of validating connector protocol as being secure and required in order for the hosted application to operate. The ISSO will ensure that unnecessary or insecure connector protocols are not enabled. The ISSO will provide documented approval for each connector that will be maintained in the System Security Plan (SSP).",
"fixid": "F-24669r426469_fix",
"fixtext": "Document and obtain ISSO approval for the Connectors that are configured on the Tomcat server.\n\nRetain the information in the SSP and present to the auditor in the event of a CCRI.",
"iacontrols": null,
"id": "V-223008",
"ruleID": "SV-223008r615938_rule",
"severity": "low",
"title": "Connectors must be approved by the ISSO.",
"version": "TCAT-AS-001720"
},
"V-223009": {
"checkid": "C-24681r426471_chk",
"checktext": "Review SSP documentation for the list of approved connectors and associated TCP/IP ports and interfaces.\n\nVerify the address attribute is specified for each connector and is set to the network interface specified in the SSP.\n\nExecute the following command to find configured Connectors:\n\nsudo grep -i -B1 -A5 connector $CATALINA_BASE/conf/server.xml\n\nReview the results and examine the \"address=\" field for each connector.\n\nIf the connector address attribute is not specified as per the SSP, this is a finding.",
"description": "Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP, and then sends back the results to the requestor. The \"address\" attribute specifies which network interface the connector listens on. If no IP address is specified, the connector will listen on all configured interfaces. Access to the connector must be restricted to only the network interface(s) specified in the System Security Plan (SSP).",
"fixid": "F-24670r426472_fix",
"fixtext": "Ensure the address attribute for each connector and the network interfaces are specified in the SSP.\n\nEdit the following file from the Tomcat server as a privileged user:\n\n$CATALINA_BASE/conf/server.xml\n\nLocate each Connector element, then edit or add the \"address=\" field for each connector and specify the appropriate network IP address. The following is an example using a random IP address:\n\nEXAMPLE:\n\n\nRestart the Tomcat server:\nsudo systemctl daemon-reload\nsudo systemctl restart tomcat",
"iacontrols": null,
"id": "V-223009",
"ruleID": "SV-223009r615938_rule",
"severity": "low",
"title": "Connector address attribute must be set.",
"version": "TCAT-AS-001730"
},
"V-223010": {
"checkid": "C-24682r426474_chk",
"checktext": "This requirement cannot be met by the Tomcat server natively and must be done at the OS. Review the operating system. Ensure the OS is configured to alert the ISSO and SA in the event of an audit processing failure.\n\nThe alert notification method itself can be accomplished in a variety of ways and is not restricted to email alone. The intention is to send an alert; the method used to send the alert is not a factor of the requirement. The fix uses email, but other alert methods are acceptable.\n\nIf the OS is not configured to alert the ISSO and SA in the event of an audit processing failure, this is a finding.",
"description": "Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a security incident. When log processing fails, the events during the failure can be lost. To minimize the timeframe of the log failure, an alert needs to be sent to the SA and ISSO at a minimum.\n\nLog processing failures include, but are not limited to, failures in the application server log capturing mechanisms or log storage capacity being reached or exceeded. In some instances, it is preferred to send alarms to individuals rather than to an entire group. Application servers must be able to trigger an alarm and send an alert to, at a minimum, the SA and ISSO in the event there is an application server log processing failure.",
"fixid": "F-24671r426475_fix",
"fixtext": "Procedures for meeting this requirement will vary according to the OS. For Ubuntu Linux systems, instructions for notifying via email are provided. Other alert methods are also acceptable but are not provided here.\n\nConfigure \"auditd\" service to notify the System Administrator (SA) and Information System Security Officer (ISSO) in the event of an audit processing failure.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure that administrators are notified via email for those situations:\n\naction_mail_acct = root\n\nRestart the auditd service so the changes take effect:\n# sudo systemctl restart auditd.service",
"iacontrols": null,
"id": "V-223010",
"ruleID": "SV-223010r615938_rule",
"severity": "medium",
"title": "The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.",
"version": "TCAT-AS-001731"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-222926": "true",
"V-222927": "true",
"V-222928": "true",
"V-222929": "true",
"V-222930": "true",
"V-222931": "true",
"V-222932": "true",
"V-222933": "true",
"V-222934": "true",
"V-222935": "true",
"V-222936": "true",
"V-222937": "true",
"V-222938": "true",
"V-222939": "true",
"V-222940": "true",
"V-222941": "true",
"V-222942": "true",
"V-222943": "true",
"V-222944": "true",
"V-222945": "true",
"V-222946": "true",
"V-222947": "true",
"V-222948": "true",
"V-222949": "true",
"V-222950": "true",
"V-222951": "true",
"V-222952": "true",
"V-222953": "true",
"V-222954": "true",
"V-222955": "true",
"V-222956": "true",
"V-222957": "true",
"V-222958": "true",
"V-222959": "true",
"V-222960": "true",
"V-222961": "true",
"V-222962": "true",
"V-222963": "true",
"V-222964": "true",
"V-222965": "true",
"V-222966": "true",
"V-222967": "true",
"V-222968": "true",
"V-222969": "true",
"V-222970": "true",
"V-222971": "true",
"V-222973": "true",
"V-222974": "true",
"V-222975": "true",
"V-222976": "true",
"V-222977": "true",
"V-222978": "true",
"V-222979": "true",
"V-222980": "true",
"V-222981": "true",
"V-222982": "true",
"V-222983": "true",
"V-222984": "true",
"V-222985": "true",
"V-222986": "true",
"V-222987": "true",
"V-222988": "true",
"V-222989": "true",
"V-222990": "true",
"V-222991": "true",
"V-222993": "true",
"V-222994": "true",
"V-222995": "true",
"V-222996": "true",
"V-222997": "true",
"V-222998": "true",
"V-222999": "true",
"V-223000": "true",
"V-223001": "true",
"V-223002": "true",
"V-223003": "true",
"V-223004": "true",
"V-223005": "true",
"V-223006": "true",
"V-223007": "true",
"V-223008": "true",
"V-223009": "true",
"V-223010": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-222926": "true",
"V-222927": "true",
"V-222928": "true",
"V-222929": "true",
"V-222930": "true",
"V-222931": "true",
"V-222932": "true",
"V-222933": "true",
"V-222934": "true",
"V-222935": "true",
"V-222936": "true",
"V-222937": "true",
"V-222938": "true",
"V-222939": "true",
"V-222940": "true",
"V-222941": "true",
"V-222942": "true",
"V-222943": "true",
"V-222944": "true",
"V-222945": "true",
"V-222946": "true",
"V-222947": "true",
"V-222948": "true",
"V-222949": "true",
"V-222950": "true",
"V-222951": "true",
"V-222952": "true",
"V-222953": "true",
"V-222954": "true",
"V-222955": "true",
"V-222956": "true",
"V-222957": "true",
"V-222958": "true",
"V-222959": "true",
"V-222960": "true",
"V-222961": "true",
"V-222962": "true",
"V-222963": "true",
"V-222964": "true",
"V-222965": "true",
"V-222966": "true",
"V-222967": "true",
"V-222968": "true",
"V-222969": "true",
"V-222970": "true",
"V-222971": "true",
"V-222973": "true",
"V-222974": "true",
"V-222975": "true",
"V-222976": "true",
"V-222977": "true",
"V-222978": "true",
"V-222979": "true",
"V-222980": "true",
"V-222981": "true",
"V-222982": "true",
"V-222983": "true",
"V-222984": "true",
"V-222985": "true",
"V-222986": "true",
"V-222987": "true",
"V-222988": "true",
"V-222989": "true",
"V-222990": "true",
"V-222991": "true",
"V-222993": "true",
"V-222994": "true",
"V-222995": "true",
"V-222996": "true",
"V-222997": "true",
"V-222998": "true",
"V-222999": "true",
"V-223000": "true",
"V-223001": "true",
"V-223002": "true",
"V-223003": "true",
"V-223004": "true",
"V-223005": "true",
"V-223006": "true",
"V-223007": "true",
"V-223008": "true",
"V-223009": "true",
"V-223010": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-222926": "true",
"V-222927": "true",
"V-222928": "true",
"V-222929": "true",
"V-222930": "true",
"V-222931": "true",
"V-222932": "true",
"V-222933": "true",
"V-222934": "true",
"V-222935": "true",
"V-222936": "true",
"V-222937": "true",
"V-222938": "true",
"V-222939": "true",
"V-222940": "true",
"V-222941": "true",
"V-222942": "true",
"V-222943": "true",
"V-222944": "true",
"V-222945": "true",
"V-222946": "true",
"V-222947": "true",
"V-222948": "true",
"V-222949": "true",
"V-222950": "true",
"V-222951": "true",
"V-222952": "true",
"V-222953": "true",
"V-222954": "true",
"V-222955": "true",
"V-222956": "true",
"V-222957": "true",
"V-222958": "true",
"V-222959": "true",
"V-222960": "true",
"V-222961": "true",
"V-222962": "true",
"V-222963": "true",
"V-222964": "true",
"V-222965": "true",
"V-222966": "true",
"V-222967": "true",
"V-222968": "true",
"V-222969": "true",
"V-222970": "true",
"V-222971": "true",
"V-222973": "true",
"V-222974": "true",
"V-222975": "true",
"V-222976": "true",
"V-222977": "true",
"V-222978": "true",
"V-222979": "true",
"V-222980": "true",
"V-222981": "true",
"V-222982": "true",
"V-222983": "true",
"V-222984": "true",
"V-222985": "true",
"V-222986": "true",
"V-222987": "true",
"V-222988": "true",
"V-222989": "true",
"V-222990": "true",
"V-222991": "true",
"V-222993": "true",
"V-222994": "true",
"V-222995": "true",
"V-222996": "true",
"V-222997": "true",
"V-222998": "true",
"V-222999": "true",
"V-223000": "true",
"V-223001": "true",
"V-223002": "true",
"V-223003": "true",
"V-223004": "true",
"V-223005": "true",
"V-223006": "true",
"V-223007": "true",
"V-223008": "true",
"V-223009": "true",
"V-223010": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-222926": "true",
"V-222927": "true",
"V-222928": "true",
"V-222929": "true",
"V-222930": "true",
"V-222931": "true",
"V-222932": "true",
"V-222933": "true",
"V-222934": "true",
"V-222935": "true",
"V-222936": "true",
"V-222937": "true",
"V-222938": "true",
"V-222939": "true",
"V-222940": "true",
"V-222941": "true",
"V-222942": "true",
"V-222943": "true",
"V-222944": "true",
"V-222945": "true",
"V-222946": "true",
"V-222947": "true",
"V-222948": "true",
"V-222949": "true",
"V-222950": "true",
"V-222951": "true",
"V-222952": "true",
"V-222953": "true",
"V-222954": "true",
"V-222955": "true",
"V-222956": "true",
"V-222957": "true",
"V-222958": "true",
"V-222959": "true",
"V-222960": "true",
"V-222961": "true",
"V-222962": "true",
"V-222963": "true",
"V-222964": "true",
"V-222965": "true",
"V-222966": "true",
"V-222967": "true",
"V-222968": "true",
"V-222969": "true",
"V-222970": "true",
"V-222971": "true",
"V-222973": "true",
"V-222974": "true",
"V-222975": "true",
"V-222976": "true",
"V-222977": "true",
"V-222978": "true",
"V-222979": "true",
"V-222980": "true",
"V-222981": "true",
"V-222982": "true",
"V-222983": "true",
"V-222984": "true",
"V-222985": "true",
"V-222986": "true",
"V-222987": "true",
"V-222988": "true",
"V-222989": "true",
"V-222990": "true",
"V-222991": "true",
"V-222993": "true",
"V-222994": "true",
"V-222995": "true",
"V-222996": "true",
"V-222997": "true",
"V-222998": "true",
"V-222999": "true",
"V-223000": "true",
"V-223001": "true",
"V-223002": "true",
"V-223003": "true",
"V-223004": "true",
"V-223005": "true",
"V-223006": "true",
"V-223007": "true",
"V-223008": "true",
"V-223009": "true",
"V-223010": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-222926": "true",
"V-222927": "true",
"V-222928": "true",
"V-222929": "true",
"V-222930": "true",
"V-222931": "true",
"V-222932": "true",
"V-222933": "true",
"V-222934": "true",
"V-222935": "true",
"V-222936": "true",
"V-222937": "true",
"V-222938": "true",
"V-222939": "true",
"V-222940": "true",
"V-222941": "true",
"V-222942": "true",
"V-222943": "true",
"V-222944": "true",
"V-222945": "true",
"V-222946": "true",
"V-222947": "true",
"V-222948": "true",
"V-222949": "true",
"V-222950": "true",
"V-222951": "true",
"V-222952": "true",
"V-222953": "true",
"V-222954": "true",
"V-222955": "true",
"V-222956": "true",
"V-222957": "true",
"V-222958": "true",
"V-222959": "true",
"V-222960": "true",
"V-222961": "true",
"V-222962": "true",
"V-222963": "true",
"V-222964": "true",
"V-222965": "true",
"V-222966": "true",
"V-222967": "true",
"V-222968": "true",
"V-222969": "true",
"V-222970": "true",
"V-222971": "true",
"V-222973": "true",
"V-222974": "true",
"V-222975": "true",
"V-222976": "true",
"V-222977": "true",
"V-222978": "true",
"V-222979": "true",
"V-222980": "true",
"V-222981": "true",
"V-222982": "true",
"V-222983": "true",
"V-222984": "true",
"V-222985": "true",
"V-222986": "true",
"V-222987": "true",
"V-222988": "true",
"V-222989": "true",
"V-222990": "true",
"V-222991": "true",
"V-222993": "true",
"V-222994": "true",
"V-222995": "true",
"V-222996": "true",
"V-222997": "true",
"V-222998": "true",
"V-222999": "true",
"V-223000": "true",
"V-223001": "true",
"V-223002": "true",
"V-223003": "true",
"V-223004": "true",
"V-223005": "true",
"V-223006": "true",
"V-223007": "true",
"V-223008": "true",
"V-223009": "true",
"V-223010": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-222926": "true",
"V-222927": "true",
"V-222928": "true",
"V-222929": "true",
"V-222930": "true",
"V-222931": "true",
"V-222932": "true",
"V-222933": "true",
"V-222934": "true",
"V-222935": "true",
"V-222936": "true",
"V-222937": "true",
"V-222938": "true",
"V-222939": "true",
"V-222940": "true",
"V-222941": "true",
"V-222942": "true",
"V-222943": "true",
"V-222944": "true",
"V-222945": "true",
"V-222946": "true",
"V-222947": "true",
"V-222948": "true",
"V-222949": "true",
"V-222950": "true",
"V-222951": "true",
"V-222952": "true",
"V-222953": "true",
"V-222954": "true",
"V-222955": "true",
"V-222956": "true",
"V-222957": "true",
"V-222958": "true",
"V-222959": "true",
"V-222960": "true",
"V-222961": "true",
"V-222962": "true",
"V-222963": "true",
"V-222964": "true",
"V-222965": "true",
"V-222966": "true",
"V-222967": "true",
"V-222968": "true",
"V-222969": "true",
"V-222970": "true",
"V-222971": "true",
"V-222973": "true",
"V-222974": "true",
"V-222975": "true",
"V-222976": "true",
"V-222977": "true",
"V-222978": "true",
"V-222979": "true",
"V-222980": "true",
"V-222981": "true",
"V-222982": "true",
"V-222983": "true",
"V-222984": "true",
"V-222985": "true",
"V-222986": "true",
"V-222987": "true",
"V-222988": "true",
"V-222989": "true",
"V-222990": "true",
"V-222991": "true",
"V-222993": "true",
"V-222994": "true",
"V-222995": "true",
"V-222996": "true",
"V-222997": "true",
"V-222998": "true",
"V-222999": "true",
"V-223000": "true",
"V-223001": "true",
"V-223002": "true",
"V-223003": "true",
"V-223004": "true",
"V-223005": "true",
"V-223006": "true",
"V-223007": "true",
"V-223008": "true",
"V-223009": "true",
"V-223010": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-222926": "true",
"V-222927": "true",
"V-222928": "true",
"V-222929": "true",
"V-222930": "true",
"V-222931": "true",
"V-222932": "true",
"V-222933": "true",
"V-222934": "true",
"V-222935": "true",
"V-222936": "true",
"V-222937": "true",
"V-222938": "true",
"V-222939": "true",
"V-222940": "true",
"V-222941": "true",
"V-222942": "true",
"V-222943": "true",
"V-222944": "true",
"V-222945": "true",
"V-222946": "true",
"V-222947": "true",
"V-222948": "true",
"V-222949": "true",
"V-222950": "true",
"V-222951": "true",
"V-222952": "true",
"V-222953": "true",
"V-222954": "true",
"V-222955": "true",
"V-222956": "true",
"V-222957": "true",
"V-222958": "true",
"V-222959": "true",
"V-222960": "true",
"V-222961": "true",
"V-222962": "true",
"V-222963": "true",
"V-222964": "true",
"V-222965": "true",
"V-222966": "true",
"V-222967": "true",
"V-222968": "true",
"V-222969": "true",
"V-222970": "true",
"V-222971": "true",
"V-222973": "true",
"V-222974": "true",
"V-222975": "true",
"V-222976": "true",
"V-222977": "true",
"V-222978": "true",
"V-222979": "true",
"V-222980": "true",
"V-222981": "true",
"V-222982": "true",
"V-222983": "true",
"V-222984": "true",
"V-222985": "true",
"V-222986": "true",
"V-222987": "true",
"V-222988": "true",
"V-222989": "true",
"V-222990": "true",
"V-222991": "true",
"V-222993": "true",
"V-222994": "true",
"V-222995": "true",
"V-222996": "true",
"V-222997": "true",
"V-222998": "true",
"V-222999": "true",
"V-223000": "true",
"V-223001": "true",
"V-223002": "true",
"V-223003": "true",
"V-223004": "true",
"V-223005": "true",
"V-223006": "true",
"V-223007": "true",
"V-223008": "true",
"V-223009": "true",
"V-223010": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-222926": "true",
"V-222927": "true",
"V-222928": "true",
"V-222929": "true",
"V-222930": "true",
"V-222931": "true",
"V-222932": "true",
"V-222933": "true",
"V-222934": "true",
"V-222935": "true",
"V-222936": "true",
"V-222937": "true",
"V-222938": "true",
"V-222939": "true",
"V-222940": "true",
"V-222941": "true",
"V-222942": "true",
"V-222943": "true",
"V-222944": "true",
"V-222945": "true",
"V-222946": "true",
"V-222947": "true",
"V-222948": "true",
"V-222949": "true",
"V-222950": "true",
"V-222951": "true",
"V-222952": "true",
"V-222953": "true",
"V-222954": "true",
"V-222955": "true",
"V-222956": "true",
"V-222957": "true",
"V-222958": "true",
"V-222959": "true",
"V-222960": "true",
"V-222961": "true",
"V-222962": "true",
"V-222963": "true",
"V-222964": "true",
"V-222965": "true",
"V-222966": "true",
"V-222967": "true",
"V-222968": "true",
"V-222969": "true",
"V-222970": "true",
"V-222971": "true",
"V-222973": "true",
"V-222974": "true",
"V-222975": "true",
"V-222976": "true",
"V-222977": "true",
"V-222978": "true",
"V-222979": "true",
"V-222980": "true",
"V-222981": "true",
"V-222982": "true",
"V-222983": "true",
"V-222984": "true",
"V-222985": "true",
"V-222986": "true",
"V-222987": "true",
"V-222988": "true",
"V-222989": "true",
"V-222990": "true",
"V-222991": "true",
"V-222993": "true",
"V-222994": "true",
"V-222995": "true",
"V-222996": "true",
"V-222997": "true",
"V-222998": "true",
"V-222999": "true",
"V-223000": "true",
"V-223001": "true",
"V-223002": "true",
"V-223003": "true",
"V-223004": "true",
"V-223005": "true",
"V-223006": "true",
"V-223007": "true",
"V-223008": "true",
"V-223009": "true",
"V-223010": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-222926": "true",
"V-222927": "true",
"V-222928": "true",
"V-222929": "true",
"V-222930": "true",
"V-222931": "true",
"V-222932": "true",
"V-222933": "true",
"V-222934": "true",
"V-222935": "true",
"V-222936": "true",
"V-222937": "true",
"V-222938": "true",
"V-222939": "true",
"V-222940": "true",
"V-222941": "true",
"V-222942": "true",
"V-222943": "true",
"V-222944": "true",
"V-222945": "true",
"V-222946": "true",
"V-222947": "true",
"V-222948": "true",
"V-222949": "true",
"V-222950": "true",
"V-222951": "true",
"V-222952": "true",
"V-222953": "true",
"V-222954": "true",
"V-222955": "true",
"V-222956": "true",
"V-222957": "true",
"V-222958": "true",
"V-222959": "true",
"V-222960": "true",
"V-222961": "true",
"V-222962": "true",
"V-222963": "true",
"V-222964": "true",
"V-222965": "true",
"V-222966": "true",
"V-222967": "true",
"V-222968": "true",
"V-222969": "true",
"V-222970": "true",
"V-222971": "true",
"V-222973": "true",
"V-222974": "true",
"V-222975": "true",
"V-222976": "true",
"V-222977": "true",
"V-222978": "true",
"V-222979": "true",
"V-222980": "true",
"V-222981": "true",
"V-222982": "true",
"V-222983": "true",
"V-222984": "true",
"V-222985": "true",
"V-222986": "true",
"V-222987": "true",
"V-222988": "true",
"V-222989": "true",
"V-222990": "true",
"V-222991": "true",
"V-222993": "true",
"V-222994": "true",
"V-222995": "true",
"V-222996": "true",
"V-222997": "true",
"V-222998": "true",
"V-222999": "true",
"V-223000": "true",
"V-223001": "true",
"V-223002": "true",
"V-223003": "true",
"V-223004": "true",
"V-223005": "true",
"V-223006": "true",
"V-223007": "true",
"V-223008": "true",
"V-223009": "true",
"V-223010": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "apache_tomcat_application_sever_9",
"title": "Apache Tomcat Application Server 9 Security Technical Implementation Guide",
"version": "2"
}
}