STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

LockOutRealms lockOutTime attribute must be set to 600 seconds (10 minutes) for admin users.

DISA Rule

SV-222982r615938_rule

Vulnerability Number

V-222982

Group Title

SRG-APP-000316-AS-000199

Rule Version

TCAT-AS-001040

Severity

CAT III

CCI(s)

• CCI-002322 - The organization provides the capability to expeditiously disconnect or disable remote access to the information system within the organization-defined time period.

Weight

10

Fix Recommendation

From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

sudo nano $CATALINA_BASE/conf/server.xml file

Locate or add the LockOutRealm element. Set lockOutTime="600"

EXAMPLE:
<Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="600">
...
</Realm>

Check Contents

From the Tomcat server console, run the following command:

sudo grep -i LockOutRealm $CATALINA_BASE/conf/server.xml.

If there are no results or if the LockOutRealm lockOutTime setting is not configured to 600 (10 minutes), this is a finding.

Vulnerability Number

V-222982

Documentable

False

Rule Version

TCAT-AS-001040

Severity Override Guidance

From the Tomcat server console, run the following command:

sudo grep -i LockOutRealm $CATALINA_BASE/conf/server.xml.

If there are no results or if the LockOutRealm lockOutTime setting is not configured to 600 (10 minutes), this is a finding.

Check Content Reference

M

Target Key

4094

Comments