STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 22 Jan 2021

Autodeploy must be disabled.

DISA Rule

SV-222956r615938_rule

Vulnerability Number

V-222956

Group Title

SRG-APP-000141-AS-000095

Rule Version

TCAT-AS-000540

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

Examine each <Host> </Host> element. If the element contains autoDeploy="true", modify the statement to read autoDeploy="false".

sudo systemctl restart tomcat
sudo systemctl daemon-reload

Check Contents

If the SSP associated with the Host contains ISSM documented approvals for AutoDeploy, this is not a finding.

From the Tomcat server run the following OS command:

sudo cat $CATALINA_BASE/conf/server.xml | grep -i -C2 autodeploy

If the command returns no results, this is not a finding.

Review the results for the autoDeploy parameter in each Host element.

<Host name="YOUR HOST NAME" appBase="webapps" unpackWARs="true" autoDeploy="false">

If autoDeploy="true", this is a finding.
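The grep check above is line-based, so it also matches commented-out elements and cannot tell which Host a value belongs to. The following added example (not part of the STIG or of Tomcat) parses server.xml and reports the autoDeploy setting per Host element. The function name, status labels and sample XML are constructed for illustration. Hosts without the attribute are reported as "unset" rather than as a finding.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml content (not taken from a real system).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <!-- <Host name="old" appBase="old" autoDeploy="true"/> -->
      <Host name="localhost" appBase="webapps" unpackWARs="true"
            autoDeploy="false"/>
      <Host name="apps.example.test" appBase="apps"
            autoDeploy="TRUE"/>
      <Host name="legacy.example.test" appBase="legacy"/>
    </Engine>
  </Service>
</Server>
"""

def audit_autodeploy(server_xml):
    """Return [(host_name, status)] for every <Host> element.

    status is 'finding' when autoDeploy is true (compared case-insensitively),
    'ok' for any other explicit value, and 'unset' when the attribute is
    absent. Tomcat's documented default for autoDeploy is true, so 'unset'
    hosts are listed for the reviewer instead of being silently skipped.
    """
    root = ET.fromstring(server_xml)  # XML comments are dropped by the parser
    results = []
    for host in root.iter("Host"):
        name = host.get("name", "<unnamed>")
        value = host.get("autoDeploy")
        if value is None:
            status = "unset"
        elif value.strip().lower() == "true":
            status = "finding"
        else:
            status = "ok"
        results.append((name, status))
    return results

if __name__ == "__main__":
    # Usage: python3 audit_autodeploy.py "$CATALINA_BASE/conf/server.xml"
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_SERVER_XML
    for host_name, host_status in audit_autodeploy(data):
        print(f"{host_status:8} {host_name}")
```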

Documentable

False

Check Content Reference

M

Target Key

4094
