Tomcat users in a management role must be approved by the ISSO.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-223006 | TCAT-AS-001700 | SV-223006r961863_rule | CCI-000366 | medium |

Description: Deploying applications to Tomcat requires a Tomcat user account that is in the "manager-script" role. Any user accounts in a Tomcat management role must be approved by the ISSO.

| STIG | Date |
|---|---|
| Apache Tomcat Application Server 9 Security Technical Implementation Guide | 2025-02-11 |
Related Frameworks
4 paths across 3 frameworks

NIST 800-53 (1 mapping)
- CM-6 · 1.00
  - DISA · 3 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (2 mappings)
- 3.4.1 · 1.00
  - DISA · 3 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
  - NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
- 3.4.2 · 1.00
  - DISA · 3 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
  - NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping)
- CCI-000366 · 1.00
  - DISA · 3 · disa_xccdf · related
Details
Check Text (C-223006r961863_chk)
Review the Tomcat server's System Security Plan or server documentation.
Ensure that user accounts and roles with access to Tomcat management features, such as the "manager-script" role, are documented and approved by the ISSO.
If the ISSO has not approved the documented roles and users that have management rights to the Tomcat server, this is a finding.
Fix Text (F-24667r426463_fix)
Document the users and the roles that have been defined for use with the Tomcat server.
Ensure that all users and roles with access to Tomcat management features and capabilities are approved by the ISSO.
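The check and fix above both start from the same question: which accounts actually hold a management role on this server, and does each one appear on the ISSO-approved list? The following script is an added example for producing that inventory; it is not part of the STIG and not Apache Tomcat's own code. It parses the tomcat-users.xml format used by the MemoryRealm/UserDatabaseRealm (user, role and group elements with comma-separated "roles" and "groups" attributes, so roles inherited through a group are counted), treats the six roles Tomcat 9 ships for the Manager and Host Manager applications as management roles, and compares the result against a constructed stand-in for the approved-accounts list that the SSP would hold. The sample XML and the APPROVED set are constructed for illustration; on a real server point it at $CATALINA_BASE/conf/tomcat-users.xml and the SSP's list.

```python
"""Enumerate Tomcat principals that hold management roles in tomcat-users.xml.

Added example for the ISSO-approval check; not STIG or Apache Tomcat code.
Assumes the MemoryRealm/UserDatabaseRealm file format and a constructed
approval list standing in for the System Security Plan.
"""
import xml.etree.ElementTree as ET

# Roles Tomcat 9 defines for the Manager and Host Manager web applications.
MANAGEMENT_ROLES = frozenset({
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
})


def _local(tag):
    """Strip the XML namespace so <user> and <{ns}user> match alike."""
    return tag.rsplit("}", 1)[-1]


def _split(attr):
    """Turn a comma-separated attribute value into a set of names."""
    return {v.strip() for v in attr.split(",") if v.strip()}


def effective_roles(xml_text):
    """Return {username: set(roles)}, including roles inherited via groups."""
    root = ET.fromstring(xml_text)
    group_roles = {}
    users = {}
    for el in root.iter():
        name = _local(el.tag)
        if name == "group":
            group_roles[el.get("groupname", "")] = _split(el.get("roles", ""))
        elif name == "user":
            users[el.get("username", "")] = (
                _split(el.get("roles", "")), _split(el.get("groups", "")))
    result = {}
    for user, (roles, groups) in users.items():
        combined = set(roles)
        for g in groups:
            combined |= group_roles.get(g, set())
        result[user] = combined
    return result


def management_principals(xml_text):
    """Users holding at least one management role, with just those roles."""
    return {u: sorted(r & MANAGEMENT_ROLES)
            for u, r in effective_roles(xml_text).items()
            if r & MANAGEMENT_ROLES}


def unapproved(xml_text, approved):
    """Management principals missing from the ISSO-approved list (a finding)."""
    return sorted(u for u in management_principals(xml_text) if u not in approved)


# Constructed sample tomcat-users.xml; not taken from a real server.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="app-user"/>
  <group groupname="deployers" roles="manager-script"/>
  <user username="ci-deploy" password="..." groups="deployers"/>
  <user username="ops-admin" password="..." roles="manager-gui,admin-gui"/>
  <user username="contractor" password="..." roles="manager-script,app-user"/>
  <user username="webapp" password="..." roles="app-user"/>
</tomcat-users>
"""

# Constructed stand-in for the approved-accounts list recorded in the SSP.
APPROVED = {"ci-deploy", "ops-admin"}

if __name__ == "__main__":
    for user, roles in sorted(management_principals(SAMPLE).items()):
        print(f"{user}: {', '.join(roles)}")
    findings = unapproved(SAMPLE, APPROVED)
    if findings:
        print("FINDING: management accounts not approved by the ISSO:", findings)
    else:
        print("No finding: all management accounts are approved")
```

The printed inventory doubles as the documentation artifact the fix text asks for; anyone in the output who is not on the approved list is the finding. The script only covers file-backed realms, so a server using a JNDI, JDBC or other realm needs the same comparison run against that realm's user store.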