STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 22 Jan 2021

Tomcat users in a management role must be approved by the ISSO.

DISA Rule

SV-223006r615938_rule

Vulnerability Number

V-223006

Group Title

SRG-APP-000516-AS-000237

Rule Version

TCAT-AS-001700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Document the users and the roles that have been defined for use with the Tomcat server.

Ensure that all users and roles with access to Tomcat management features and capabilities are approved by the ISSO.

Check Contents

Review the Tomcat server's System Security Plan/server documentation.

Ensure that user accounts and roles with access to Tomcat management features such as the "manager-script" role are documented and approved by the ISSO.

If the ISSO has not approved the documented roles and users who have management rights to the Tomcat server, this is a finding.

Documentable

False

Severity Override Guidance

Review the Tomcat server's System Security Plan/server documentation.

Ensure that user accounts and roles with access to Tomcat management features such as the "manager-script" role are documented and approved by the ISSO.

If the ISSO has not approved the documented roles and users who have management rights to the Tomcat server, this is a finding.

Check Content Reference

M

Target Key

4094
