STIGQter STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

AccessLogValve must be configured per each virtual host.

DISA Rule

SV-222938r615938_rule

Vulnerability Number

V-222938

Group Title

SRG-APP-000090-AS-000051

Rule Version

TCAT-AS-000180

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

As a privileged user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file.

Create a <Valve> element that is nested beneath the <Host> element containing an AccessLogValve.

EXAMPLE:
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="false">
...
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %t %u &quot;%r&quot; %s %b" />
...
</Host>

Restart the Tomcat server:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

Check Contents

As an elevated user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file.

Review for all <Host> elements.

If a <Valve className="org.apache.catalina.valves.AccessLogValve" .../> element is not nested within each <Host> element, this is a finding.

EXAMPLE:
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="false">
...
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %t %u &quot;%r&quot; %s %b" />
...
</Host>

Vulnerability Number

V-222938

Documentable

False

Rule Version

TCAT-AS-000180

Severity Override Guidance

As an elevated user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file.

Review for all <Host> elements.

If a <Valve className="org.apache.catalina.valves.AccessLogValve" .../> element is not nested within each <Host> element, this is a finding.

EXAMPLE:
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="false">
...
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
pattern="%h %l %t %u &quot;%r&quot; %s %b" />
...
</Host>

Check Content Reference

M

Target Key

4094

Comments