STIGQter: STIG Summary: ISEC7 EMM Suite v6.x Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 23 Aug 2019:

Tomcat SSL must be restricted except for ISEC7 EMM Suite tasks.

DISA Rule

SV-106405r1_rule

Vulnerability Number

V-97301

Group Title

SRG-APP-000439

Rule Version

ISEC-06-551700

Severity

CAT II

CCI(s)

CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.

Weight

Fix Recommendation

To restrict Tomcat SSL to only ISEC7 EMM Suite tasks, run the ISEC7 integrated installer or use the following manual procedure:

To restrict SSL for all users except for agent task, the user needs to add a security constraint tag to <Drive>:\ProgramFiles\ISEC7 EMM Suite\Tomcat\conf\web.xml

Login to the ISEC7 EMM Suite server.
Navigate to <Drive>:\ProgramFiles\ISEC7 EMM Suite\Tomcat\conf\
Edit the web.xml file with Notepad.exe
Add the following entry:

<security-constraint>
<web-resource-collection>
<web-resource-name>Unsecure</web-resource-name>

<url-pattern>/BNator/agent/*</url-pattern>
<url-pattern>/app/agent/*</url-pattern>
<url-pattern>/app/admin/agentinstaller.jnlp</url-pattern>

<url-pattern>/app/clients/*</url-pattern>
<url-pattern>/app/data/*</url-pattern>

<url-pattern>/rc/*</url-pattern>

<url-pattern>/BNator/uss/trafficinfo/*</url-pattern>
<url-pattern>/BNator/data/mds/trafficpush</url-pattern>
<url-pattern>/BNator/favorites/*</url-pattern>
<url-pattern>/app/resource/*</url-pattern>
</web-resource-collection>
</security-constraint>

<security-constraint>
<web-resource-collection>
<web-resource-name>Secure</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>

<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Check Contents

Verify Tomcat SSL is restricted to only ISEC7 EMM Suite tasks.

Log in to the ISEC7 EMM Suite server.
Navigate to <Drive>:\ProgramFiles\ISEC7 EMM Suite\Tomcat\conf\
Edit the web.xml file with Notepad.exe
Verify the following entries are present:

<security-constraint>
<web-resource-collection>
<web-resource-name>Unsecure</web-resource-name>

<url-pattern>/BNator/agent/*</url-pattern>
<url-pattern>/app/agent/*</url-pattern>
<url-pattern>/app/admin/agentinstaller.jnlp</url-pattern>

<url-pattern>/app/clients/*</url-pattern>
<url-pattern>/app/data/*</url-pattern>

<url-pattern>/rc/*</url-pattern>

<url-pattern>/BNator/uss/trafficinfo/*</url-pattern>
<url-pattern>/BNator/data/mds/trafficpush</url-pattern>
<url-pattern>/BNator/favorites/*</url-pattern>
<url-pattern>/app/resource/*</url-pattern>
</web-resource-collection>
</security-constraint>

<security-constraint>
<web-resource-collection>
<web-resource-name>Secure</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>

<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

If Tomcat SSL is not restricted to only ISEC7 EMM Suite tasks, this is a finding.

Vulnerability Number

V-97301

Documentable

False

Rule Version

ISEC-06-551700

Severity Override Guidance

Check Content Reference

Target Key

3503

Tomcat SSL must be restricted except for ISEC7 EMM Suite tasks.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments