SV-222928r616154_rule
V-222928
SRG-APP-000015-AS-000010
TCAT-AS-000030
CAT III
10
From the Tomcat server as a privileged user, edit the web.xml file:
sudo nano $CATALINA_BASE/conf/web.xml
Uncomment the existing httpHeaderSecurity filter section or create the filter section using the following code:
NOTE: The includeSubDomains param-value and the url-pattern value may vary according to local deployment requirements.
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <!-- Parameter names are the ones Tomcat's HttpHeaderSecurityFilter recognizes
         (hstsEnabled, hstsMaxAgeSeconds, hstsIncludeSubDomains); other names are not applied. -->
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
Create or uncomment the httpHeaderSecurity filter mapping:
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
From the Tomcat server console, run the following command:
sudo grep -i -A5 -B8 hstsEnable $CATALINA_BASE/conf/web.xml
If the httpHeaderSecurity filter is commented out or if hstsEnabled is not set to "true", this is a finding.
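As an added example (not part of this STIG or of Tomcat), a parser-based check that covers the same points as the grep above and, because the XML parser discards comments, reports a commented-out filter as missing rather than matching its text. It assumes Python 3, uses the parameter names Tomcat's HttpHeaderSecurityFilter recognizes (hstsEnabled, hstsMaxAgeSeconds), and the two sample web.xml documents are constructed.

```python
import sys
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # web.xml uses a default xmlns, so tags arrive as "{uri}filter"

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    kids = _kids(elem, name)
    return (kids[0].text or "").strip() if kids else ""

def check_hsts(web_xml):
    """Findings for TCAT-AS-000030 on one web.xml document; an empty list means compliant."""
    root = ET.fromstring(web_xml)  # the parser drops XML comments, so a commented-out filter is not seen
    flt = next((f for f in _kids(root, "filter") if _text(f, "filter-class") == FILTER_CLASS), None)
    if flt is None:
        return ["httpHeaderSecurity filter is missing or commented out"]
    findings = []
    params = {_text(p, "param-name"): _text(p, "param-value") for p in _kids(flt, "init-param")}
    if params.get("hstsEnabled", "").lower() != "true":
        findings.append("hstsEnabled is not set to true")
    max_age = params.get("hstsMaxAgeSeconds", "0")  # Tomcat's default is 0, which makes browsers drop the policy
    if not max_age.isdigit() or int(max_age) <= 0:
        findings.append("hstsMaxAgeSeconds is missing or not a positive integer")
    name = _text(flt, "filter-name")
    if not any(_text(m, "filter-name") == name for m in _kids(root, "filter-mapping")):
        findings.append("no filter-mapping references %s, so the filter never runs" % name)
    return findings

# Constructed sample documents, not a real server's web.xml.
COMPLIANT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter><filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
# Filter left inside an XML comment, as shipped in Tomcat's stock conf/web.xml.
COMMENTED_OUT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <!-- <filter><filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class></filter> -->
</web-app>"""
if __name__ == "__main__":  # usage: python check_hsts.py $CATALINA_BASE/conf/web.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else COMPLIANT
    print("\n".join(check_hsts(text)) or "no findings")
```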