SV-222961r615938_rule
V-222961
SRG-APP-000142-AS-000014
TCAT-AS-000590
CAT II
10
On the Tomcat server, as a privileged user, modify the relevant context.xml file and set the privileged attribute to false (privileged="false").
A restart should not be required if the context element is not maintained in the server.xml file.
If privileged mode is required for a particular application, verify that the application is trusted and obtain documented approval from the ISSO. Document the applications that are approved to run in privileged mode and retain the approvals in the system security plan (SSP) for CCRI reviews.
Individual Context elements may be explicitly defined in an individual file located at /META-INF/context.xml inside the application files or in the $CATALINA_BASE/conf/context.xml file. It is not recommended to store the context element in the server.xml file as changes will require a server restart.
The Context element information in $CATALINA_BASE/conf/context.xml is loaded by all web applications; a META-INF/context.xml file is loaded only by that specific application.
On the Tomcat server, as a privileged user, run the following commands:
grep -i privileged $CATALINA_BASE/conf/context.xml
Repeat the following command for each installed application:
grep -i privileged $CATALINA_BASE/webapps/<application name>/META-INF/context.xml
If the privileged context attribute is set to true, confirm the application has been approved for privileged mode by the ISSO. If the application is not approved to run in privileged mode, this is a finding.
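The check above can be run across every installed application in one pass. The script below is an added example, not part of the STIG text; the function names and the sample tree it builds are constructed for illustration. It prints each context.xml that sets privileged to true so the list can be compared with the ISSO-approved applications.

```shell
#!/bin/sh
# Added example (not from the STIG). Prints every context.xml under a Tomcat
# base directory whose Context element sets privileged to true.

audit_privileged() {
    base=$1
    for f in "$base/conf/context.xml" "$base"/webapps/*/META-INF/context.xml; do
        [ -f "$f" ] || continue
        # Join lines first so an attribute wrapped across lines still matches;
        # accept single or double quotes and any letter case for the value.
        if tr '\n' ' ' < "$f" |
            grep -Eiq "privileged[[:space:]]*=[[:space:]]*[\"']true[\"']"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree: a default context with no privileged attribute,
# one app that enables privileged mode, one app that explicitly disables it.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/conf" "$d/webapps/admin/META-INF" "$d/webapps/shop/META-INF"
    printf '<Context>\n</Context>\n' > "$d/conf/context.xml"
    printf '<Context\n  privileged = "TRUE">\n</Context>\n' \
        > "$d/webapps/admin/META-INF/context.xml"
    printf '<Context privileged="false"/>\n' \
        > "$d/webapps/shop/META-INF/context.xml"
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
audit_privileged "$demo"      # lists only webapps/admin/META-INF/context.xml
rm -rf "$demo"
```

Like the grep commands, this also matches a privileged="true" that sits inside an XML comment, so review each listed file before recording a finding.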
False
M
4094