STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.

DISA Rule

SV-223010r615938_rule

Vulnerability Number

V-223010

Group Title

SRG-APP-000108-AS-000067

Rule Version

TCAT-AS-001731

Severity

CAT II

CCI(s)

• CCI-000139 - The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure.

Weight

10

Fix Recommendation

Procedures for meeting this requirement will vary according to the OS. For Ubuntu Linux systems, instructions for notifying via email are provided. Other alert methods are also acceptable but are not provided here.

Configure "auditd" service to notify the System Administrator (SA) and Information System Security Officer (ISSO) in the event of an audit processing failure.

Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations:

action_mail_acct = root

Restart the auditd service so the changes take effect:
# sudo systemctl restart auditd.service

Check Contents

This requirement cannot be met by the Tomcat server natively and must be done at the OS. Review operating system. Ensure the OS is configured to alert the ISSO and SA in the event of an audit processing failure.

The alert notification method itself can be accomplished in a variety of ways and is not restricted to email alone. The intention is to send an alert, the method used to send the alert is not a factor of the requirement. The fix uses email but other alert methods are acceptable.

If the OS is not configured to alert the ISSO and SA in the event of an audit processing failure, this is a finding.

Vulnerability Number

V-223010

Documentable

False

Rule Version

TCAT-AS-001731

Severity Override Guidance

This requirement cannot be met by the Tomcat server natively and must be done at the OS. Review operating system. Ensure the OS is configured to alert the ISSO and SA in the event of an audit processing failure.

The alert notification method itself can be accomplished in a variety of ways and is not restricted to email alone. The intention is to send an alert, the method used to send the alert is not a factor of the requirement. The fix uses email but other alert methods are acceptable.

If the OS is not configured to alert the ISSO and SA in the event of an audit processing failure, this is a finding.

Check Content Reference

M

Target Key

4094

Comments