STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Tomcat management applications must use LDAP realm authentication.

DISA Rule

SV-222962r615938_rule

Vulnerability Number

V-222962

Group Title

SRG-APP-000148-AS-000101

Rule Version

TCAT-AS-000600

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Identify the server IP that is providing LDAP services and configure the Tomcat user roles schema within LDAP. Refer to the manager and host-manager web.xml files for application-specific role information that can be used for setting up the roles for those applications. The default location for these files is: $CATALINA_BASE/webapps/<AppName>/WEB-INF/web.xml

From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

Locate the <Realm> element in the server.xml file, add a nested <Realm> element using the JNDIRealm className and configure the associated LDAP settings as per the LDAP server connection requirements.

EXAMPLE:
This is for illustration purposes only. Modify the LDAP settings on a case-by-case basis as per the individual LDAP server and schema.

<!-- Nested inside the existing <Realm> element (e.g. the LockOutRealm) in server.xml.
     636 is the standard LDAPS port; substitute the real LDAP host, port and DNs. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://localhost:636"
       userPattern="uid={0},ou=people,dc=myunit,dc=mil"
       roleBase="ou=groups,dc=myunit,dc=mil"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
/>

Check Contents

If manager and host-manager applications have been deleted from the system, this is not a finding.

From the Tomcat server as a privileged user, run the following command:

sudo grep -i -A8 JNDIRealm $CATALINA_BASE/conf/server.xml

If the JNDIRealm does not exist, or if the JNDIRealm configuration is commented out, this is a finding.
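The grep above also matches a JNDIRealm that sits inside an XML comment, so the reviewer still has to read the output. The following is an added example (not part of the STIG or of STIGQter) that applies the same check logic with an XML parser, which drops comments, so a commented-out realm is correctly treated as absent. The server.xml content is constructed for the example; the LDAPS check at the end is advisory and goes beyond what the rule requires.

```python
"""Added check for TCAT-AS-000600: is an active (not commented-out)
JNDIRealm configured in server.xml?  Parses the XML instead of grepping."""
import xml.etree.ElementTree as ET

JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"

def find_jndi_realms(server_xml: str) -> list:
    """Return attribute dicts of every active JNDIRealm in the document.
    ElementTree discards XML comments while parsing, so a <Realm> that has
    been commented out is not returned."""
    root = ET.fromstring(server_xml)
    return [dict(el.attrib) for el in root.iter("Realm")
            if el.get("className") == JNDI_REALM]

def assess(server_xml: str, manager_apps_present: bool = True) -> dict:
    """Apply the rule's check logic and return a finding verdict."""
    if not manager_apps_present:
        # manager and host-manager deleted: the rule is not a finding
        return {"finding": False, "reason": "manager apps removed"}
    realms = find_jndi_realms(server_xml)
    if not realms:
        return {"finding": True, "reason": "no active JNDIRealm"}
    # Advisory only (not part of the STIG check): report realms whose
    # connectionURL is not ldaps://, since the rule's example uses LDAPS.
    non_ldaps = [r.get("connectionURL", "") for r in realms
                 if not r.get("connectionURL", "").lower().startswith("ldaps://")]
    return {"finding": False, "reason": "JNDIRealm present",
            "non_ldaps_urls": non_ldaps}

# Constructed sample: the JNDIRealm exists only inside an XML comment, so
# `grep -i JNDIRealm` still matches it even though it is not active.
COMMENTED_OUT = """<Server><Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <!-- <Realm className="org.apache.catalina.realm.JNDIRealm"
                  connectionURL="ldaps://localhost:636"/> -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
    </Realm>
  </Engine></Service></Server>"""

# Constructed sample: same file with the JNDIRealm uncommented, i.e. nested
# inside the existing <Realm> as the fix recommendation describes.
ACTIVE = COMMENTED_OUT.replace("<!-- ", "").replace("/> -->", "/>")
```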

Vulnerability Number

V-222962

Documentable

False

Rule Version

TCAT-AS-000600

Severity Override Guidance

Check Content Reference

M

Target Key

4094

Comments