STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

The Java Security Manager must be enabled.

DISA Rule

SV-222936r615938_rule

Vulnerability Number

V-222936

Group Title

SRG-APP-000033-AS-000024

Rule Version

TCAT-AS-000110

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Refer to the vulnerability discussion of this requirement for additional information. Install the application in a test environment and determine the application access requirements. Test and document the Java Security Manager policy and then transfer the JSM policy to the $CATALINA_BASE/conf/catalina.properties file. If operating multiple instances of Tomcat, use $CATALINA_BASE in place of $CATALINA_HOME as per standard Tomcat practice.

As an admin user on the Tomcat server, modify the /etc/systemd/system/tomcat.service file and set the "ExecStart" parameter to read:
"ExecStart=/opt/tomcat/bin/startup.sh -security"

sudo systemctl restart tomcat
sudo systemctl daemon-reload

Check Contents

Review system documentation. Identify the tomcat systemd startup file which for STIG purposes is called "tomcat.service" and can be viewed as a link in the /etc/systemd/system/ folder.

Run the following command:
sudo cat /etc/systemd/system/tomcat.service | grep -i security

If there is a documented and approved risk acceptance for not operating the Security Manager, the finding can be reduced to a CAT III.

If the ExecStart parameter does not include the -security flag, this is a finding.
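As an added example (not part of the STIG text, and not DISA or Tomcat project code), the following POSIX shell function automates the check above: it reads a systemd unit, ignores comment lines, and reports a finding only when the ExecStart= line itself lacks the -security flag, so a commented-out ExecStart or a stray "-security" elsewhere in the file does not produce a false pass. The sample unit files are constructed in a temporary directory for demonstration; on a real host the function would be pointed at /etc/systemd/system/tomcat.service.

```shell
#!/bin/sh
# Added example: check a tomcat.service unit for the "-security" flag on
# ExecStart, the condition TCAT-AS-000110 tests. Not part of the STIG text.
# Returns 0 when the flag is present on ExecStart, 1 when it is absent,
# 2 when the unit file cannot be read.
check_security_manager() {
    unit="$1"
    [ -r "$unit" ] || { echo "cannot read $unit" >&2; return 2; }
    # Drop comment lines first so a commented-out ExecStart does not count,
    # then keep only ExecStart= lines so "-security" elsewhere is ignored.
    if grep -v '^[[:space:]]*#' "$unit" \
        | grep -E '^[[:space:]]*ExecStart=' \
        | grep -q -- '-security'; then
        echo "PASS: $unit starts Tomcat with the Java Security Manager"
        return 0
    fi
    echo "FINDING: ExecStart in $unit does not include -security"
    return 1
}

# Constructed sample units in a scratch directory (not real system files).
tmpdir="${TMPDIR:-/tmp}/tcat_example.$$"
mkdir -p "$tmpdir"

cat > "$tmpdir/noncompliant.service" <<'EOF'
[Service]
# a -security flag in a comment must not satisfy the check
#ExecStart=/opt/tomcat/bin/startup.sh -security
ExecStart=/opt/tomcat/bin/startup.sh
EOF

cat > "$tmpdir/compliant.service" <<'EOF'
[Service]
ExecStart=/opt/tomcat/bin/startup.sh -security
EOF

# Demonstration run; wrapped in "if" so a finding does not abort the script.
for f in "$tmpdir/compliant.service" "$tmpdir/noncompliant.service"; do
    if check_security_manager "$f"; then :; fi
done
```

The function prints a human-readable verdict but its exit status is what a compliance script should consume; the trailing `--` on the final grep is required because the pattern itself begins with a hyphen.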

Vulnerability Number

V-222936

Documentable

False

Rule Version

TCAT-AS-000110

Severity Override Guidance

Review system documentation. Identify the tomcat systemd startup file which for STIG purposes is called "tomcat.service" and can be viewed as a link in the /etc/systemd/system/ folder.

Run the following command:
sudo cat /etc/systemd/system/tomcat.service | grep -i security

If there is a documented and approved risk acceptance for not operating the Security Manager, the finding can be reduced to a CAT III.

If the ExecStart parameter does not include the -security flag, this is a finding.

Check Content Reference

M

Target Key

4094

Comments