STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 22 Jan 2021

LockOutRealms must be used for management of Tomcat.

DISA Rule

SV-222980r615938_rule

Vulnerability Number

V-222980

Group Title

SRG-APP-000315-AS-000094

Rule Version

TCAT-AS-001020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the Tomcat server console, as a privileged user, edit the $CATALINA_BASE/conf/server.xml file:

sudo nano $CATALINA_BASE/conf/server.xml

Locate or add the LockOutRealm element. At a minimum, ensure the LockOutRealm applies to the management application (if that application is in use on the system). This is done by nesting the LockOutRealm under the Engine, under the Host, or directly within the management application's Context container.

EXAMPLE:

<Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="600">
...
</Realm>

Check Contents

From the Tomcat server console, run the following command:

sudo grep -i LockOutRealm $CATALINA_BASE/conf/server.xml

If there are no results or if the LockOutRealm is not used for the Tomcat management application context, this is a finding.
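A parsed version of this check, added here as an example and not part of the STIG or of STIGQter: instead of grepping for the string, it walks server.xml and reports where each LockOutRealm sits and whether that placement covers the management application. It assumes the manager contexts are /manager and /host-manager; a LockOutRealm declared in the manager's own META-INF/context.xml would not appear in server.xml and has to be checked there.

```python
import xml.etree.ElementTree as ET

LOCKOUT_CLASS = "org.apache.catalina.realm.LockOutRealm"
MANAGER_PATHS = {"/manager", "/host-manager"}   # assumed default manager contexts

def lockout_realm_findings(server_xml):
    """Return a list of findings for TCAT-AS-001020; an empty list passes."""
    root = ET.fromstring(server_xml)
    # ElementTree has no parent links, so build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}
    lockouts = [r for r in root.iter("Realm") if r.get("className") == LOCKOUT_CLASS]
    if not lockouts:
        return ["no LockOutRealm configured in server.xml"]
    findings, covers_manager = [], False
    for realm in lockouts:
        container = parent[realm]
        if container.tag in ("Engine", "Host"):
            covers_manager = True      # inherited by every web application below it
        elif container.tag == "Context":
            covers_manager |= container.get("path") in MANAGER_PATHS
        elif container.tag != "Realm":  # nesting inside another combined Realm is legal
            findings.append(f"LockOutRealm placed under <{container.tag}>; a Realm is "
                            "only valid inside Engine, Host or Context")
        if realm.find("Realm") is None:
            findings.append("LockOutRealm wraps no nested Realm, so it cannot "
                            "authenticate anyone by itself")
    if not covers_manager:
        findings.append("LockOutRealm does not apply to the management application context")
    return findings

# Constructed sample server.xml fragments (not taken from any real system).
COMPLIANT = """<Server><Service><Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="600">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  </Realm>
  <Host name="localhost" appBase="webapps"/>
</Engine></Service></Server>"""

NONCOMPLIANT = """<Server><Service><Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
  <Host name="localhost" appBase="webapps">
    <Context path="/examples">
      <Realm className="org.apache.catalina.realm.LockOutRealm"/>
    </Context>
  </Host>
</Engine></Service></Server>"""
```

Run it against a copy of $CATALINA_BASE/conf/server.xml read into a string; the grep in the check above would pass NONCOMPLIANT, while this returns two findings for it.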

Vulnerability Number

V-222980

Documentable

False

Rule Version

TCAT-AS-001020

Severity Override Guidance

From the Tomcat server console, run the following command:

sudo grep -i LockOutRealm $CATALINA_BASE/conf/server.xml

If there are no results or if the LockOutRealm is not used for the Tomcat management application context, this is a finding.

Check Content Reference

M

Target Key

4094

Comments