STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 22 Jan 2021

Connectors must be approved by the ISSO.

DISA Rule

SV-223008r615938_rule

Vulnerability Number

V-223008

Group Title

SRG-APP-000516-AS-000237

Rule Version

TCAT-AS-001720

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Document and obtain ISSO approval for the Connectors that are configured on the Tomcat server.

Retain the information in the SSP and present to the auditor in the event of a CCRI.

Check Contents

Review the Tomcat server's System Security Plan/server documentation.

Access the Tomcat server and review the server.xml file.

grep -i "connector port" $CATALINA_BASE/conf/server.xml

Compare the active Connectors and their associated IP ports with the Connectors documented and approved in the SSP.

If the Connectors that are configured on the Tomcat server are not approved by the ISSO and documented in the SSP, this is a finding.
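The comparison step above can be scripted. The following is an added example, not part of the STIG or of STIGQter: it parses server.xml as XML, so it picks up Connector elements whose port attribute is not written directly after the element name (which the grep pattern misses) and ignores commented-out Connectors (which the grep pattern matches). The sample server.xml, the APPROVED set standing in for the SSP, and the function names are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml, not taken from a real system.
SAMPLE_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" address="10.0.0.5" SSLEnabled="true"
               scheme="https" secure="true"/>
    <!-- <Connector port="8080" protocol="HTTP/1.1"/> -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
  </Service>
</Server>
"""

# Hypothetical SSP extract: (port, protocol) pairs approved by the ISSO.
APPROVED = {("8443", "org.apache.coyote.http11.Http11NioProtocol")}


def active_connectors(xml_text):
    """Return (port, protocol, address) for each active Connector element."""
    root = ET.fromstring(xml_text)  # the default parser discards XML comments
    found = []
    for conn in root.iter("Connector"):
        found.append((
            conn.get("port", ""),
            conn.get("protocol", "HTTP/1.1"),       # Tomcat default if omitted
            conn.get("address", "all interfaces"),  # no address = every interface
        ))
    return found


def audit(xml_text, approved):
    """Return (unapproved active connectors, approved entries not configured)."""
    active = active_connectors(xml_text)
    seen = {(port, proto) for port, proto, _ in active}
    unapproved = [c for c in active if (c[0], c[1]) not in approved]
    missing = sorted(approved - seen)
    return unapproved, missing


if __name__ == "__main__":
    unapproved, missing = audit(SAMPLE_SERVER_XML, APPROVED)
    for port, proto, addr in unapproved:
        print(f"FINDING: Connector port={port} protocol={proto} "
              f"address={addr} is not in the SSP")
    for port, proto in missing:
        print(f"NOTE: approved Connector port={port} protocol={proto} "
              f"is not configured")
```

To run it against a live server, read $CATALINA_BASE/conf/server.xml into a string and pass it to audit() together with the approved list taken from the SSP.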

Documentable

False

Severity Override Guidance

Review the Tomcat server's System Security Plan/server documentation.

Access the Tomcat server and review the server.xml file.

grep -i "connector port" $CATALINA_BASE/conf/server.xml

Compare the active Connectors and their associated IP ports with the Connectors documented and approved in the SSP.

If the Connectors that are configured on the Tomcat server are not approved by the ISSO and documented in the SSP, this is a finding.

Check Content Reference

M

Target Key

4094
