SV-222971r615938_rule
V-222971
SRG-APP-000219-AS-000147
TCAT-AS-000800
CAT II
10
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.
Modify each <Connector> element where the IP address is behind a proxy or load balancer.
Set clientAuth="true", then identify the applications that are associated with the connector and edit the associated web.xml files. Ensure the <auth-method> is set to CLIENT-CERT.
Review system security plan and/or system architecture documentation and interview the system admin. Identify any proxy servers or load balancers that provide services for the Tomcat server. If there are no load balancers or proxies in use, this is not a finding.
If there is a documented risk acceptance for not mutually authenticating proxy or load balancer connections due to operational issues or RMF system categorization, this is not a finding.
Using the aforementioned documentation, identify each Tomcat IP address that is served by a load balancer or proxy.
From the Tomcat server as a privileged user, review the $CATALINA_BASE/conf/server.xml file. Review each <Connector> element for the address setting and the clientAuth setting.
sudo grep -i -B1 -A5 connector $CATALINA_BASE/conf/server.xml
If a connector has a configured IP address that is proxied or load balanced and the clientAuth setting is not "true", this is a finding.
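The grep check above can be scripted against the same attributes the rule names. This is an added example, not part of the STIG text: it parses server.xml with the standard library and reports each connector whose address appears in a list of proxied or load-balanced addresses (assumed to come from the system architecture documentation) but whose clientAuth is not "true". The server.xml content and address list are constructed for illustration.

```python
# Added example: scripted version of the manual server.xml review in this rule.
# Assumes the list of proxied/load-balanced Tomcat addresses comes from the
# system security plan or architecture documentation.
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one proxied connector with mutual TLS, one
# proxied connector without it, and one connector not behind a proxy.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector address="10.0.0.10" port="8443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="true" keystoreFile="conf/keystore.jks"/>
    <Connector address="10.0.0.11" port="8444" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" keystoreFile="conf/keystore.jks"/>
    <Connector address="192.168.1.5" port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# Constructed list of Tomcat addresses served by a proxy or load balancer.
PROXIED_ADDRESSES = {"10.0.0.10", "10.0.0.11"}


def find_unauthenticated_proxied_connectors(server_xml: str, proxied: set) -> list:
    """Return (address, port) for each proxied connector lacking clientAuth="true".

    Mirrors the STIG check: a connector whose address is proxied or load
    balanced and whose clientAuth is not "true" is a finding. A missing
    clientAuth attribute is treated as not "true".
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        address = connector.get("address")
        if address not in proxied:
            continue  # not behind a proxy or load balancer: out of scope
        client_auth = connector.get("clientAuth", "").strip().lower()
        if client_auth != "true":
            findings.append((address, connector.get("port")))
    return findings


if __name__ == "__main__":
    for address, port in find_unauthenticated_proxied_connectors(
            SAMPLE_SERVER_XML, PROXIED_ADDRESSES):
        print(f"FINDING: connector {address}:{port} is proxied but clientAuth is not true")
```

To run it against a live server, read $CATALINA_BASE/conf/server.xml into `server_xml` and fill `proxied` from the documented proxy and load balancer inventory.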
M
4094