Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
If the manager application is not in use or has been deleted from the system, this is not a finding. From the Tomcat server as an elevated user run the following command: sudo grep -i maxactivesessions $CATALINA_BASE/webapps/manager/ META-INF/context.xml If the maxActiveSesions setting is not configured according to the number of connections defined in the SSP, this is a finding.
Determine the number of authorized admins requiring simultaneous access and increase the number of allowed simultaneous sessions by a small percentage in order to address potential lockout scenarios. Document that value in the System Security Plan. Review the maxActiveSessions setting in the $CATALINA_BASE/webapps/manager/ META-INF/context.xml configuration file. Configure maxActiveSessions setting according to admin access requirements defined in the SSP. EXAMPLE: <Manager … maxActiveSessions="10" />
From the Tomcat server console, run the following command: sudo grep -i ciphers $CATALINA_BASE/conf/server.xml. Examine each <Connector/> element that is not a redirect to a secure port. Identify the ciphers that are configured on each connector and determine if any of the ciphers are not secure. For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1. If insecure ciphers are configured for use, this is a finding.
As a privileged user on the Tomcat server, edit the $CATALINA_BASE/conf/server.xml and modify the <Connector/> element. Add the SSLEnabledProtocols="TLSv1.2" setting to the connector or modify the existing setting. Set SSLEnabledProtocols="TLSv1.2". Save the server.xml file and restart Tomcat: sudo systemctl restart tomcat sudo systemctl reload-daemon
From the Tomcat server console, run the following command: sudo grep -i -A5 -B8 hstsEnable $CATALINA_BASE/conf/web.xml file. If the httpHeaderSecurity filter is commented out or if hstsEnable is not set to "true", this is a finding.
From the Tomcat server as a privileged user, edit the web.xml file: sudo nano $CATALINA_BASE/conf/web.xml file. Uncomment the existing httpHeaderSecurity filter section or create the filter section using the following code: NOTE: includeSubDomains param-value and url-pattern values may change and can vary according to local deployment requirements. <filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <init-param> <param-name>hstsEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>hstsMaxAgeSeconds</param-name> <param-value>31536000</param-value> </init-param> <init-param> <param-name>hstsIncludeSubDomains</param-name> <param-value>true</param-value> </init-param> <async-supported>true</async-supported> </filter> Create or uncomment the httpHeaderSecurity filter mapping: <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
From the Tomcat server console, run the following command: sudo cat $CATALINA_BASE/conf/server.xml. Examine each <Connector/> element. For every HTTP protocol connector: Verify the SSLEnabledProtocols="TLSv1.2" flag is set on each connector. If the SSLEnabledProtocols setting is not set to TLSv1.2 or greater, this is a finding.
As a privileged user on the Tomcat server, edit the $CATALINA_BASE/conf/server.xml and modify the <Connector/> element. Add the "SSLEnabledProtocols=" flag to the connector or modify the existing flag. Set SSLEnabledProtocols="TLSv1.2". Save the server.xml file and restart Tomcat: sudo systemctl restart tomcat sudo systemctl reload-daemon
As an elevated user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Review for all <Context> elements. If a <Valve className="org.apache.catalina.valves.AccessLogValve" .../> element is not defined within each <Context> element, this is a finding. EXAMPLE: <Context ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="application_name_log" suffix=".txt" pattern=""%h %l %t %u &quot;%r&quot; %s %b" /> ... />
As a privileged user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Create a <Valve> element that is nested within the <Context> element containing an AccessLogValve. EXAMPLE: <Context ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="application_name_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... /> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
From the Tomcat server console, run the following command to check the keystore: sudo keytool -list -v When prompted for the keystore password type "changeit" sans quotes. If the contents of the keystore are displayed, this is a finding.
From the Tomcat server as a privileged user, run the following command: sudo keytool -storepasswd When prompted for the keystore password, select a strong password, minimum 10 characters, mixed case alpha-numeric. Document the password and store in a secured location that is only accessible to authorized personnel.
From the Tomcat server console, run the following command: sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml If the command returns no results or if the <secure> element is not set to true, this is a finding. EXAMPLE: <session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config>
From the Tomcat server console as a privileged user: edit the $CATALINA_BASE/conf/web.xml If the cookie-config section does not exist it must be added. Add or modify the <secure> setting and set to true. EXAMPLE: <session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config>
From the Tomcat server console, run the following command: sudo grep -i -B10 -A1 \/cookie-config $CATALINA_BASE/conf/web.xml If the command returns no results or if the <http-only> element is not set to true, this is a finding. EXAMPLE: <session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config>
From the Tomcat server console as a privileged user: edit the $CATALINA_BASE/conf/web.xml If the cookie-config section does not exist it must be added. Add or modify the <http-only> setting and set to true. EXAMPLE: <session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config>
From the Tomcat server run the following command: sudo cat $CATALINA_BASE/conf/web.xml |grep -i -A5 -B2 defaultservlet If the "readonly" param-value for the "DefaultServlet" servlet class = "false" or does not exist, this is a finding.
From the Tomcat server console as a privileged user: Edit the $CATALINA_BASE/conf/web.xml file. If the "readonly" param-value does not exist, it must be created. Ensure the "readonly" param-value for the "DefaultServlet" servlet class = "true".
From the Tomcat server console, run the following command: sudo cat $CATALINA_BASE/conf/server.xml. Examine each <Connector/> element. For each connector, verify the secure= flag is set to "true" and the scheme= flag is set to "https" on each connector. If the secure flag is not set to "true" and/or the scheme flag is not set to "https" for each HTTP connector element, this is a finding.
From the Tomcat server as a privileged user, edit the server.xml file. sudo nano $CATALINA_BASE/conf/server.xml. Locate each <Connector/> element which is lacking a secure setting. EXAMPLE Connector: <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" /> Set or add scheme="https" and secure="true" for each HTTP connector element. EXAMPLE: <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true".../> Save the server.xml file and restart Tomcat: sudo systemctl restart tomcat sudo systemctl reload-daemon
Review system documentation. Identify the tomcat systemd startup file which for STIG purposes is called "tomcat.service" and can be viewed as a link in the /etc/systemd/system/ folder. Run the following command: sudo cat /etc/systemd/system/tomcat.service |grep -i security If there is a documented and approved risk acceptance for not operating the Security Manager, the finding can be reduced to a CAT III. If the ExecStart parameter does not include the -security flag, this is a finding.
Refer to the vulnerability discussion of this requirement for additional information. Install the application in a test environment and determine the application access requirements. Test and document the Java Security Manager policy and then transfer the JSM policy to the $CATALINA_BASE/conf/catalina.properties file. If operating multiple instances of Tomcat, use $CATALINA_BASE in place of $CATALINA_HOME as per standard Tomcat practice. As an admin user on the Tomcat server, modify the /etc/systemd/system/tomcat.service file and set the "ExecStart" parameter to read: "ExecStart=/opt/tomcat/bin/startup.sh -security" sudo systemctl restart tomcat sudo systemctl daemon-reload
Review the System Security Plan and determine if the Tomcat server resides behind a proxy server or load balancer. If the Tomcat server is not behind a proxy server or load balancer, this requirement is NA. From the Tomcat server run the following command: sudo grep -i RemoteIpValve $CATALINA_BASE/conf/server.xml file. If the results are empty or if the requestAttributesEnabled setting is not configured as "True", this is a finding. sudo grep -i AccessLogValve $CATALINA_BASE/conf/server.xml file. If the requestAttributesEnabled setting is not configured as "True", this is a finding.
From the Tomcat server as a privileged user: Edit the $CATALINA_BASE/conf/server.xml file. Only execute this first step if the proxy server is using a routable IP address or an RFC 1918 Class B address space: Add or edit the RemoteIpValve and configure the internalProxies setting to reflect the proxy addresses. Modify the AccessLogValve and configure the requestAttributesEnabled setting = "True". EXAMPLE: <Valve className="org.apache.catalina.valves.RemoteIpValve" internalProxies="172.16.0.10|172.16.0.11" /> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="access" suffix=".log" pattern="combined" renameOnRotate="true" requestAttributesEnabled="true" /> Restart Tomcat: sudo systemctl restart tomcat sudo systemctl tomcat daemon-reload
As an elevated user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Review for all <Host> elements. If a <Valve className="org.apache.catalina.valves.AccessLogValve" .../> element is not nested within each <Host> element, this is a finding. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u &quot;%r&quot; %s %b" /> ... </Host>
As a privileged user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Create a <Valve> element that is nested beneath the <Host> element containing an AccessLogValve. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... </Host> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
As an elevated user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Review all "Valve" elements. If the pattern= statement does not include %t, this is a finding. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u &quot;%r&quot; %s %b" /> ... </Host>
As a privileged user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Modify the <Valve> element(s) nested within the <Host> element(s). Change the AccessLogValve setting to include %t in the pattern= statement. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... </Host> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
As an elevated user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Review all "Valve" elements. If the pattern= statement does not include %h, this is a finding. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u &quot;%r&quot; %s %b" /> ... </Host>
As a privileged user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Modify the <Valve> element(s) nested within the <Host> element(s). Change the AccessLogValve setting to include %h in the pattern= statement. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... </Host> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
As an elevated user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Review all "Valve" elements. If the pattern= statement does not include %s, this is a finding. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u &quot;%r&quot; %s %b" /> ... </Host>
As a privileged user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Modify the <Valve> element(s) nested within the <Host> element(s). Change the AccessLogValve setting to include %s in the pattern= statement. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... </Host> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
As an elevated user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Review all "Valve" elements. If the pattern= statement does not include &quot;%r&quot;, this is a finding. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u &quot;%r&quot; %s %b" /> ... </Host>
As a privileged user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Modify the <Valve> element(s) nested within the <Host> element(s). Change the AccessLogValve setting to include "%r" in the pattern= statement. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... </Host> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_BASE/logs -follow -maxdepth 0 -type d \( \! -perm 750 \) -ls If ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance. If no folders are displayed, this is not a finding. If results indicate the $CATALINA_BASE/logs folder permissions are not set to 750, this is a finding.
If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance. Run the following command on the Tomcat server: sudo find $CATALINA_BASE/logs -follow -maxdepth 0 -type d -print0 | sudo xargs chmod 750 $CATALINA_BASE/logs
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_BASE/logs/* -follow -maxdepth 0 -type f \( \! -perm 640 \) -ls If ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance. If no files are displayed, this is not a finding. If results indicate any of the file permissions contained in the $CATALINA_BASE/logs folder are not set to 640, this is a finding.
If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance. Run the following command on the Tomcat server: sudo find $CATALINA_BASE/logs/* -follow -maxdepth 0 -type f -print0 | sudo xargs chmod 640 $CATALINA_BASE/logs/*
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_BASE/conf/* -follow -maxdepth 0 -type f \( \! -perm 640 \) -ls If ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance. If no files are displayed, this is not a finding. If results indicate any of the file permissions contained in the $CATALINA_BASE/conf folder are not set to 640, this is a finding.
If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance. Run the following command on the Tomcat server: sudo find $CATALINA_BASE/conf/* -follow -maxdepth 0 -type f -print0 | sudo xargs chmod 640 $CATALINA_BASE/conf/*
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_BASE/conf -follow -maxdepth 0 -type d \( \! -perm 750 \) -ls If ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance. If no folders are displayed, this is not a finding. If results indicate the $CATALINA_BASE/conf folder permissions are not set to 750, this is a finding.
If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance. Run the following command on the Tomcat server: sudo find $CATALINA_BASE/conf -follow -maxdepth 0 -type d -print0 | sudo xargs chmod 750 $CATALINA_BASE/conf
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_HOME/bin/*jar -follow -maxdepth 0 -type f \( \! -perm 640 \) -ls If there are no results, or if .sh extensions are found, this is not a finding. If results indicate any of the jar file permissions contained in the $CATALINA_HOME/bin folder are not set to 640, this is a finding.
Run the following command on the Tomcat server: sudo find $CATALINA_HOME/bin/*jar -follow -maxdepth 0 -type f -print0 | sudo xargs chmod 640 $CATALINA_HOME/bin/*jar
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_HOME/bin -follow -maxdepth 0 -type d \( \! -perm 750 \) -ls If no folders are displayed, this is not a finding. If results indicate the $CATALINA_HOME/bin folder permissions are not set to 750, this is a finding.
Run the following command on the Tomcat server: sudo find $CATALINA_HOME/bin -follow -maxdepth 0 -type d -print0 | sudo xargs chmod 750 $CATALINA_HOME/bin
Reference the system documentation and make relevant changes to the following commands if the system differs: From the Tomcat server command line run the following command: sudo cat /etc/systemd/system/tomcat.service | grep -i umask If the umask is not = 0027, this is a finding.
From the Tomcat server as a privileged user: Use a file editor like nano or vi and edit the /etc/systemd/system/tomcat.service file. Change the "UMask=" setting to 0027. UMask =0027 Save the file and restart Tomcat: sudo systemctl restart tomcat sudo systemctl daemon-reload
From the Tomcat server run the following OS command: sudo cat $CATALINA_BASE/conf/server.xml | grep -i connector Review each connector element, ensure each connector does not have an "allowTrace" setting or ensure the "allowTrace" setting is set to false. <Connector ... allowTrace="false" /> Do the same for each application by checking every $CATALINA_BASE/webapps/<APP_NAME>/WEBINF/web.xml file on the system. sudo cat $CATALINA_BASE/webapps/<APP_NAME>/WEBINF/web.xml |grep -i connector If a connector element in the server.xml file or in any of the <APP NAME>/WEBINF/web.xml files contains the "allow Trace = true" statement, this is a finding.
From the Tomcat server as a privileged user, edit the xml files containing the "allow Trace=true" statement. Remove the "allow Trace=true" statement from the affected xml configuration files and restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
From the Tomcat server run the following OS command: $ sudo grep -i shutdown $CATALINA_BASE/conf/server.xml Ensure the server shutdown port attribute in $CATALINA_BASE/conf/server.xml is set to -1. EXAMPLE: <Server port="-1" shutdown="SHUTDOWN"> If Server port not = "-1" shutdown="SHUTDOWN", this is a finding.
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file: set the Server port setting to -1 and restart the Tomcat server. <Server port="-1" shutdown="SHUTDOWN"> sudo systemctl restart tomcat sudo systemctl daemon-reload
Review SSP for list of approved connectors and associated TCP/IP ports. Ensure only approved connectors are present. Execute the following command on the Tomcat server to find configured Connectors: $ grep “Connector” $CATALINA_BASE/conf/server.xml Review results and verify all connectors and their associated network ports are approved in the SSP. If connectors are found but are not approved in the SSP, this is a finding.
Obtain ISSO approvals for the configured connectors and document in the SSP. Alternatively, edit the $CATALINA_BASE/conf/server.xml file, remove any unapproved connectors, and restart Tomcat: sudo systemctl restart tomcat sudo systemctl daemon-reload
From the Tomcat server run the following OS command: sudo cat $CATALINA_BASE/conf/web.xml |grep -i -A10 -B2 defaultservlet The above command will include ten lines after and two lines before the occurrence of "defaultservlet". Some systems may require that the user increase the after number (A10) in order to determine the "debug" param-value. If the "debug" param-value for the "DefaultServlet" servlet class does not = 0, this is a finding.
From the Tomcat server as a privileged user: Edit the $CATALINA_BASE/conf/web.xml file. Examine the <init-param> elements within the <Servletclass> element, if the "debug" <param-value>element is not "0"" change the "debug" <param-value> to read "0". sudo systemctl restart tomcat sudo systemctl daemon-reload
From the Tomcat server run the following OS command: sudo cat $CATALINA_BASE/conf/web.xml |grep -i -A10 -B2 defaultservlet The above command will include ten lines after and two lines before the occurrence of "defaultservlet". Some systems may require that the user increase the after number (A10) in order to determine the "listings" param-value. If the "listings" param-value for the "DefaultServlet" servlet class does not = "false", this is a finding.
From the Tomcat server as a privileged user: Edit the $CATALINA_BASE/conf/web.xml file. Examine the <init-param> elements within the <Servletclass> element, if the "listings" <param-value>element is "true" change the "listings" <param-value> to read "false". sudo systemctl restart tomcat sudo systemctl daemon-reload
If the SSP associated with the Host contains ISSM documented approvals for deployXML, this is not a finding. From the Tomcat server as a privileged user: sudo grep -i deployXML $CATALINA_BASE/conf/server.xml deployXML="false" If the deployXML="true" and there is no documented authorization to allow automatic deployment of applications, this is a finding. If no results are generated, confirm the default behavior is "false". For example: If the attribute is not set and security manager is not enabled, the default value is "true". When security manager is enabled, the default value is "false". If the default value is "true", this is a finding.
Document authorization for application auto deployment in the System Security Plan (SSP). From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. sudo nano $CATALINA_BASE/conf/server.xml Locate each <host> element in the server xml file. If the deployXML="true" ensure each host is authorized for application auto deployment and document the authorization in the system security plan. If authorization is not provided, set the deployXML="false".
If the SSP associated with the Host contains ISSM-documented approvals for AutoDeploy, this is not a finding. From the Tomcat server, run the following OS command: sudo cat $CATALINA_BASE/conf/server.xml | grep -i -C2 autodeploy If the command returns no results, this is not a finding. Review the results for the autoDeploy parameter in each Host element. <Host name="YOUR HOST NAME" appbase="webapps" unpackWARs="true" autoDeploy="false"> If autoDeploy ="true" or if autoDeploy is not set, this is a finding.
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. Examine each <Host> </Host> element, if the element contains autoDeploy="true", modify the statement to read ", autoDeploy="false". sudo systemctl restart tomcat sudo systemctl daemon-reload
From the Tomcat server run the following OS command: sudo cat $CATALINA_BASE/conf/server.xml |grep -i -C4 xpoweredby. If any connector elements contain xpoweredBy="true", this is a finding.
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. Examine each <Connector> </Connector> element, if the element contains xpoweredBy="true", modify the statement to read ", xpoweredBy="false". sudo systemctl restart tomcat sudo systemctl daemon-reload
From the Tomcat server OS type the following command: sudo ls -l $CATALINA_BASE/webapps/examples. If the examples folder exists or contains any content, this is a finding.
From the Tomcat server OS type the following command: sudo rm -rf $CATALINA_BASE/webapps/examples
From the Tomcat server OS type the following command: sudo ls -l $CATALINA_BASE/webapps/ROOT Review the index.jsp file. Also review the RELEASE-NOTES.txt file. Look for content that describes the application as being licensed by the Apache Software Foundation. Check the index.jsp for other verbiage that indicates the application is part of the Tomcat server. Alternatively, use a web browser and access the default web application and determine if the website application in the ROOT folder is provided with the Apache Tomcat server. If the ROOT web application contains Tomcat default application content, this is a finding.
WARNING: Removing the ROOT folder without replacing the content with valid web based content will result in an error page being displayed to the browser when the browser lands on the default page. From the Tomcat server OS: Either remove the files contained in $CATALINA_BASE/webapps/ROOT folder or replace the content of the folder with a new application that serves as the new default server application.
From the Tomcat server OS type the following command: sudo ls -l $CATALINA_BASE/webapps/docs. If the docs folder exists or contains any content, this is a finding.
From the Tomcat server OS type the following command: sudo rm -rf $CATALINA_BASE/webapps/docs
Individual Context elements may be explicitly defined in an individual file located at /META-INF/context.xml inside the application files or in the $CATALINA_BASE/conf/context.xml file. It is not recommended to store the context element in the server.xml file as changes will require a server restart. The $CATALINA_BASE/conf/context element information will be loaded by all web applications, the META-INF/context.xml will only be loaded by that specific application. On the Tomcat server as a privileged user run the following commands: grep -i privileged $CATALINA_BASE/conf/context.xml Repeat the following command for each installed application: grep -i privileged $CATALINA_BASE/webapps/<application name>META-INF/context.xml If the privileged context attribute is set to true, confirm the application has been approved for privileged mode by the ISSO. If the application is not approved to run in privileged mode, this is a finding.
On the Tomcat server as a privileged user, modify the relevant context.xml file and set the privileged attribute to false (privileged=false). A restart should not be required if the context element is not maintained in the server.xml file. If privileged mode is required for a particular application, verify trust of application and obtain documented approval from the ISSO. Document the applications that are approved to run in privileged mode and retain approvals in the system security plan (SSP) for CCRI reviews.
If manager and host-manager applications have been deleted from the system, this is not a finding. From the Tomcat server as a privileged user, run the following commands: sudo grep -i -A8 JNDIRealm $CATALINA_BASE/conf/server.xml If the JNDIRealm does not exist or if the JNDIRealm configuration is commented out, this is finding.
Identify the server IP that is providing LDAP services and configure the Tomcat user roles schema within LDAP. Refer to the manager and host-manager web.xml files for application specific role information that can be used for setting up the roles for those applications. The default location for these files is: $CATALINA_BASE/webapps/<AppName>/WEB-INF/web.xml From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. Locate the <Realm> element in the server.xml file, add a nested <Realm> element using the JNDIRealm className and configure the associated LDAP settings as per the LDAP server connection requirements. EXAMPLE: This is for illustration purposes only. Modify the LDAP settings on a case-by-case basis as per the individual LDAP server and schema. <Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldaps://localhost:686" userPattern="uid={0},ou=people,dc=myunit,dc=mil" roleBase="ou=groups,dc=myunit,dc=mil" roleName="cn" roleSearch="(uniqueMember={0})" />
From the Tomcat server run the following command: sudo grep -I jmxremote.authenticate /etc/systemd/system/tomcat.service sudo ps -ef |grep -i jmxremote If the results are blank, this is not a finding. If the results include: -Dcom.sun.management.jmxremote.authenticate=false, this is a finding.
If using JMX for management of the Tomcat server, start the Tomcat server by adding the following command line flags to the systemd startup scripts in /etc/systemd/system/tomcat.service. Environment='CATALINA_OPTS -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true' sudo systemctl start tomcat sudo systemctl daemon-reload
JMX management is configured via the Tomcat CATALINA_OPTS environment variable setting maintained in the /etc/systemd/system/tomcat.service file for Ubuntu systemd UNIX. For other flavors of Linux, this location may vary. As a privileged user from the Tomcat server, run the following command: grep -i jmxremote /etc/systemd/system/tomcat.service Review the output. If there are no results displayed, or jmxremote management extensions are not used, this requirement is Not Applicable. If the JMXremote setting is configured and jmxremote.ssl="false", this is a finding. EXAMPLE: -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false
If using JMX for management of the Tomcat server, start the Tomcat server by adding the following command line flags to the systemd startup scripts in /etc/systemd/system/tomcat.service. Environment='CATALINA_OPTS -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true' sudo systemctl start tomcat sudo systemctl daemon-reload
From the Tomcat server as a privileged user, run the following commands: sudo grep -i -A8 JNDIRealm $CATALINA_BASE/conf/server.xml If the JNDIRealm connectionURL setting is not configured to use LDAPS, if it does not exist, or is commented out, this is a finding. EXAMPLE: This is an example. Substitute localhost for the LDAP server IP and configure other LDAP-related settings as well. <Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldaps://localhost:686" ... />
Identify the server IP that is providing LDAP services and configure the Tomcat user roles schema within LDAP. Refer to the manager and host-manager web.xml files for application specific role information that can be used for setting up the roles for those applications. The default location for these files is: $CATALINA_BASE/webapps/<AppName>/WEB-INF/web.xml From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. Locate the <Realm> element in the server.xml file, add a nested <Realm> element using the JNDIRealm className and configure the associated LDAP settings as per the LDAP server connection requirements. EXAMPLE: This is for illustration purposes only. The user must modify the LDAP settings on a case by case basis as per your individual LDAP server and schema. <Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldaps://localhost:686" userPattern="uid={0},ou=people,dc=myunit,dc=mil" roleBase="ou=groups,dc=myunit,dc=mil" roleName="cn" roleSearch="(uniqueMember={0})" />
This is a mutual authentication requirement where both the Tomcat server and the client are required to authenticate themselves via mutual TLS. Review system security plan and other system documentation. If the system has no connections requiring mutual authentication (e.g., proxy servers or other hosts specified in the system documentation), this requirement is Not Applicable. For the systemd Ubuntu OS, check the tomcat.service file to read the content of the JAVA_OPTS environment variable setting. sudo cat /etc/systemd/system/tomcat.service |grep -i truststore EXAMPLE output: set JAVA_OPTS="-Djavax.net.ssl.trustStore=/path/to/truststore" "-Djavax.net.ssl.trustStorePassword=************" If the variable is not set, use the default location command below. If the variable is set, use the alternate location command below and include the path and truststore file. -Default location: keytool -list -cacerts -v | grep -i issuer -Alternate location: keytool -list -keystore <location of trust store file> -v |grep -i issuer If there are no CA certificates issued by a CA that are part of the DOD PKI/PKE, this is a finding.
Obtain and install the DOD PKI CA certificate bundles by accessing the DOD PKI office website at cyber.mil/pki-pke. Import the DOD CA certificates.
Identify the location of the .keystore file. Refer to system documentation or review the server.xml file for a specified .keystore file location. From the Tomcat server console, run the following command to check the server.xml file: sudo grep -i keystorefile $CATALINA_BASE/conf/server.xml Extract the location of the file from the output. Example: [keystorefile=/opt/tomcat/conf/<filename.jks>] sudo ls -la [keystorefile location] If the file permissions are not set to 640 USER:root GROUP:tomcat, this is a finding. If the keystore file is not stored within the tomcat folder path, i.e. [/opt/tomcat/], this is a finding.
Run the following commands on the Tomcat server: sudo chmod 640 [keystorefile] sudo chown root [keystorefile] sudo chgrp tomcat [keystorefile] Store the keystore file in a secured folder within the Tomcat folder path.
From the Tomcat server console, run the following two commands to verify Tomcat server is configured to use FIPS: sudo grep -i fipsmode $CATALINA_BASE/conf/server.xml sudo grep -i fipsmode $CATALINA_BASE/logs/catalina.out If server.xml does not contain FIPSMode="on", or if catalina.out contains the error "failed to set property[FIPSMODE] to [on]", this is a finding.
In addition to configuring Tomcat, the admin must also configure the underlying OS and Java engine to use FIPS validated encryption modules. This fix instructs how to enable FIPSMode within Tomcat, the OS and Java engine must be configured to use the FIPS validated modules according to the chosen OS and Java engine. From the Tomcat server as a privileged user: sudo nano $CATALINA_BASE/conf/server.xml. In the <Listener/> element, locate the AprLifecycleListener. Either add or modify the FIPSMode setting and set it to FIPSMode="on". EXAMPLE: <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="on" /> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
Review the system security plan and network documentation. Identify the management networks that are used for system management. From the Tomcat server as a privileged user, run the following command: sudo grep -i jmxremote /etc/systemd/system/tomcat.service sudo ps -ef |grep -i jmxremote If there are no results, the JMX process is not being used, and this is not a finding. If output includes jmxremote information, review the -Dcom.sun.management.jmxremote.host setting. Compare the IP address associated with the JMX process with the network information in the SSP. Ensure the IP address space is dedicated for system management purposes. If the IP address that is associated with the JMX process is not dedicated to system management usage, this is a finding. If jmxremote is in use but the host IP address is not specified, this is a finding.
Make an operational determination regarding the use of JMX. If JMX management is decided upon, identify the management networks that are used for system management. Update the system security plan and network documentation with the information. Edit the /etc/systemd/system/tomcat.service file. Add or modify the existing CATALINA_OPTS -Dcom.sun.management.jmxremote.host setting. Set the host parameter to an IP address that is only available on a management network. EXAMPLE: CATALINA_OPTS='-Dcom.sun.management.jmxremote.host=192.168.0.150' Restart Tomcat: sudo systemctl restart tomcat sudo systemctl daemon-reload Verify jmxmanagement access is restricted to the management network IP address range.
Review system documentation (SSP) and identify the documented management networks as well as the documented client networks. If the manager application has been deleted from the system, this is not a finding. Run the following command as a privileged user: sudo grep -i -A1 "RemoteAddrValve\|RemoteCIDRValve" $CATALINA_BASE/webapps/manager/META-INF/context.xml If there are no results, then no address valves exist and this is a finding. If the Remote Address Valve settings are commented out or not configured to restrict access to localhost or the management network, this is a finding. EXAMPLES: - RemoteAddrValve Localhost only IPV4 and IPV6 example <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/> - Localhost and Management network CIDR block IPV4 and IPV6 example <Valve className="org.apache.catalina.valves.RemoteCIDRValve" allow="127.0.0.1, ::1",192.168.1.0/24/>
Update system documentation (SSP) and identify the documented management networks as well as the documented client networks. As a privileged user, edit the $CATALINA_BASE/webapps/manager/META-INF/context.xml file. Configure the RemoteAddrValve or RemoteCIDRValve to restrict access to the management application. This can be a restriction to the localhost or to specific management networks or hosts on the management network. Choice of address or CIDR block usage is based on operational requirements. Order is allow from, deny from. See Tomcat Valve component documentation at the Tomcat website for specific details and additional configuration options. Test the access restrictions once configured to assure compliance. EXAMPLES: - RemoteAddrValve Localhost only IPV4 and IPV6 <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/> - Localhost and Management network CIDR block IPV4 and IPV6 <Valve className="org.apache.catalina.valves.RemoteCIDRValve" allow="127.0.0.1, ::1",192.168.1.0/24/>
Review system security plan and/or system architecture documentation and interview the system admin. Identify any proxy servers or load balancers that provide services for the Tomcat server. If there are no load balancers or proxies in use, this is not a finding. If there is a documented risk acceptance for not mutually authenticating proxy or load balancer connections due to operational issues, or RMF system categorization this is not a finding. Using the aforementioned documentation, identify each Tomcat IP address that is served by a load balancer or proxy. From the Tomcat server as a privileged user, review the $CATALINA_BASE/conf/server.xml file. Review each <Connector> element for the address setting and the clientAuth setting. sudo grep -i -B1 -A5 connector $CATALINA_BASE/conf/server.xml If a connector has a configured IP address that is proxied or load balanced and the clientAuth setting is not "true", this is a finding.
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. Modify each <Connector> element where the IP address is behind a proxy or load balancer. Set clientAuth="true" then identify the applications that are associated with the connector and edit the associated web.xml files. Assure the <auth-method> is set to CLIENT-CERT.
From the Tomcat server as a privileged user, run the following command: sudo grep -i recycle_facades /etc/systemd/system/tomcat.service If there are no results, or if the org.apache.catalina.connector. RECYCLE_FACADES is not ="true", this is a finding.
From the Tomcat server as a privileged user: edit the /etc/systemd/system/tomcat.service file and either add or edit the org.apache.catalina.connector. RECYCLE_FACADES setting. Set the org.apache.catalina.connector. RECYCLE_FACADES=true. EXAMPLE: Environment='CATALINA_OPTS -Dorg.apache.catalina.connector. RECYCLE_FACADES=true' Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
Review System Security Plan (SSP) documentation determine if the Tomcat server is part of an application server cluster. Also identify Tomcat network interfaces and the proxy/load balancer that front-ends the cluster. From the Tomcat server as a privileged user, run the following command: sudo grep -i -A2 -B2 "Cluster" $CATALINA_BASE/conf/server.xml If the <Cluster/> element is commented out, or there are no results returned, this requirement is NA. If a cluster is in use, run the following command as a privileged user: grep -i EncryptInterceptor $CATALINA_BASE/conf/server.xml file. If the Tomcat server is clustered and the EncryptionInterceptor is not in use or if the cluster traffic is not on a private network or VLAN, this is a finding.
Update the System Security Plan (SSP) and document the network interface, their related IP addresses, and which interfaces transport Tomcat cluster traffic. Also document which interface is multi-cast enabled if using the McastService membership class versus Static. To obtain the information needed for the SSP: sudo grep -i -A3 "<Membership className" $CATALINA_BASE/conf.server.xml Document the address="<ipAddress>" value. Review the OS routing tables. Identify and document which interface is configured to route the Tomcat class D IP multicast traffic. sudo netstat -r END of Documentation instructions. From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. sudo nano $CATALINA_BASE/conf/server.xml Locate the <Interceptor/> element nested within the <Channel/> element. Add the <Interceptor className="org.apache.catalina.tribes.group. interceptors.EncryptInterceptor"/> to the server.xml and save the file. Restart the Tomcat server: sudo systemctl restart tomcat NOTE: The EncryptInterceptor adds encryption to the channel messages carrying session data between nodes. This feature was added in Tomcat 9.0.13. If using the TcpFailureDetector interceptor, the EncryptInterceptor must be inserted into the interceptor chain BEFORE the TcpFailureDetector. When validating cluster members, TcpFailureDetector writes channel data directly to the other members without using the remainder of the interceptor chain, but on the receiving side, the message still goes through the chain (in reverse). Because of this asymmetry, the EncryptInterceptor must execute before the TcpFailureDetector on the sender and after it on the receiver; otherwise, message corruption will occur.
As an elevated user on the Tomcat server run the following command: sudo grep -i ErrorReportValve $CATALINA_BASE/conf/server.xml file. If the ErrorReportValve element is not defined and showServerInfo set to "false", this is a finding. EXAMPLE: <Host ...> ... <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/> ... </Host>
As a privileged user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Create or modify an ErrorReportValve <Valve> element nested beneath each <Host> element. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" /> ... </Host> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
From the Tomcat server console, run the following command: sudo cat $CATALINA_BASE/webapps/manager/WEB-INF/jsp/401.jsp Repeat for the 402.jsp and 403.jsp files. The default error files contain sample passwords and user accounts. If the error files contained in this folder are not customized and sample information removed, this is a finding.
From the Tomcat server as a privileged user: sudo cd $CATALINA_BASE/webapps/manager/WEB-INF/jsp/ Use a file editor like nano or vi and edit the 401, 402, and 403 jsp files. Remove account information and make the files reflect generic error information that assists users but does not provide sample data to users. Save the file and restart Tomcat: sudo systemctl restart tomcat sudo systemctl daemon-reload
As an elevated user on the Tomcat server run the following command: sudo grep -i ErrorReportValve $CATALINA_BASE/conf/server.xml file. If the ErrorReportValve element is not defined and showReport set to "false", this is a finding. EXAMPLE: <Host ...> ... <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false"/> ... </Host>
As a privileged user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Create or modify an ErrorReportValve <Valve> element nested beneath each <Host> element. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" /> </Host> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
If the manager application has been deleted from the system, this is not a finding. From the Tomcat server as a privileged user, run the following commands: sudo grep -i session-timeout $CATALINA_BASE/webapps/manager/META-INF/web.xml sudo grep -i session-timeout $CATALINA_BASE/conf/web.xml If the session-timeout setting is not configured to be 10 minutes in at least one of these files, this is a finding.
From the Tomcat server as a privileged user: To affect session timeout for all applications including the management application, edit the $CATALINA_BASE/conf/web.xml file. To affect session timeout for the management application only, edit the $CATALINA_BASE/webapps/manager/META-INF/web.xml file. Locate the session-timeout setting located within the session-config element. Modify the session-timeout setting to be 10 minutes. Save the file. sudo systemctl restart tomcat sudo systemctl daemon-reload
From the Tomcat server console, run the following command: sudo grep -i LockOutRealm $CATALINA_BASE/conf/server.xml. If there are no results or if the LockOutRealm is not used for the Tomcat management application context, this is a finding.
From the Tomcat server console as a privileged user edit the $CATALINA_BASE/conf/server.xml file. sudo nano $CATALINA_BASE/conf/server.xml file Locate or add the LockOutRealm element. Make sure the LockOutRealm element is applied to the management application at a minimum (if the management application is in use on the system). This is done by ensuring the LockOutRealm is nested under the Engine, Host or directly within the management application Context container. EXAMPLE: <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="600"> ... </Realm>
From the Tomcat server console, run the following command: sudo grep -i LockOutRealm $CATALINA_BASE/conf/server.xml. If there are no results or if the LockOutRealm failureCount setting is not configured to 5, this is a finding.
From the Tomcat server console as a privileged user edit the $CATALINA_BASE/conf/server.xml file. sudo nano $CATALINA_BASE/conf/server.xml file Locate or add the LockOutRealm element. Set LockOutRealm failureCount="5" EXAMPLE: <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="600"> ... </Realm>
From the Tomcat server console, run the following command: sudo grep -i LockOutRealm $CATALINA_BASE/conf/server.xml. If there are no results or if the LockOutRealm lockOutTime setting is not configured to 600 (10 minutes), this is a finding.
From the Tomcat server console as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. sudo nano $CATALINA_BASE/conf/server.xml file Locate or add the LockOutRealm element. Set lockOutTime="600" EXAMPLE: <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="600"> ... </Realm>
From the command line of the Tomcat server type the following command: sudo cat /etc/passwd|grep -i tomcat If the command/shell field of the passwd file is not set to "/usr/sbin/nologin", this is a finding.
From the Tomcat command line type the following command: sudo usermod -s /usr/sbin/nologin tomcat
Run the following command to identify the Tomcat process UID: ps -ef | { head -1; grep catalina; } | cut -f1 -d" " Run the following command to obtain the OS user ID tied to the Tomcat process: cat /etc/passwd|grep -i <UID>|cut -f3 -d: Unless operationally necessary, the Tomcat process should not be tied to a privileged OS user ID. Depending on the operating system, privileged OS user IDs will typically be assigned user ID values <500 or <1000. If the Tomcat process is running as a privileged user and is not documented and approved, this is a finding. If the user ID field of the passwd file is set to 0, this is a finding.
From the Tomcat server, create a tomcat user by adding a new non-privileged user OS account with the following command: sudo useradd tomcat Edit the systemd tomcat.service file or create one if it does not exist. Use the new "tomcat" user account by setting; USER=tomcat Location of the file should be /etc/systemd/system/tomcat.service. Enable the Tomcat service: sudo restorecon /etc/systemd/system/tomcat.service sudo chmod 644 /etc/systemd/system/tomcat.service sudo systemctl enable tomcat.service Start Tomcat: sudo systemctl start tomcat
As an elevated user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Review all "Valve" elements. If the pattern= statement does not include %u, this is a finding. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u &quot;%r&quot; %s %b" /> ... </Host>
As a privileged user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Modify the <Valve> element that is nested beneath the <Host> element. Change the AccessLogValve setting to include %u in the pattern= statement. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... </Host> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_HOME -follow -maxdepth 0 \( ! -user root -o ! -group tomcat \) -ls If no folders are displayed, this is not a finding. If results indicate the $CATALINA_HOME folder ownership and group membership is not set to root:tomcat, this is a finding.
Run the following commands on the Tomcat server: sudo find $CATALINA_HOME -maxdepth 0 \( ! -user root \) | sudo xargs chown root sudo find $CATALINA_HOME -maxdepth 0 \( ! -group tomcat \) | sudo xargs chgrp tomcat
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_BASE/conf -follow -maxdepth 0 \( ! -user root -o ! -group tomcat \) -ls If ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the group permissions are set in accordance with the risk acceptance. Ownership must not be changed. If no folders are displayed, this is not a finding. If results indicate the $CATALINA_BASE/conf folder ownership and group membership is not set to root:tomcat, this is a finding.
If operational/application requirements specify different group file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance. Ownership must not be changed. Run the following commands on the Tomcat server: sudo find $CATALINA_BASE/conf -maxdepth 0 \( ! -user root \) | sudo xargs chown root sudo find $CATALINA_BASE/conf -maxdepth 0 \( ! -group tomcat \) | sudo xargs chgrp tomcat
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_BASE/logs -follow -maxdepth 0 \( ! -user tomcat -o ! -group tomcat \) -ls If ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance. If no folders are displayed, this is not a finding. If results indicate the $CATALINA_BASE/logs folder ownership and group membership is not set to tomcat:tomcat, this is a finding.
If operational/application requirements specify different group file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance. Run the following commands on the Tomcat server: sudo find $CATALINA_BASE/logs -maxdepth 0 \( ! -user tomcat \) | sudo xargs chown tomcat sudo find $CATALINA_BASE/logs -maxdepth 0 \( ! -group tomcat \) | sudo xargs chgrp tomcat
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_BASE/temp -follow -maxdepth 0 \( ! -user tomcat -o ! -group tomcat \) -ls If ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance. If no folders are displayed, this is not a finding. If results indicate the $CATALINA_BASE/temp folder ownership and group membership is not set to tomcat:tomcat, this is a finding.
If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance. Run the following commands on the Tomcat server: sudo find $CATALINA_BASE/temp -maxdepth 0 \( ! -user tomcat \) | sudo xargs chown tomcat sudo find $CATALINA_BASE/temp -maxdepth 0 \( ! -group tomcat \) | sudo xargs chgrp tomcat
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_BASE/temp -follow -maxdepth 0 -type d \( \! -perm 750 \) -ls If ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance. If no folders are displayed, this is not a finding. If results indicate the $CATALINA_BASE/temp folder permissions are not set to 750, this is a finding.
If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance. Run the following commands on the Tomcat server: sudo find $CATALINA_BASE/temp -follow -maxdepth 0 -type d -print0 | sudo xargs chmod 750 $CATALINA_BASE/temp
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_BASE/work -follow -maxdepth 0 \( ! -user tomcat -o ! -group tomcat \) -ls If ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance. If no folders are displayed, this is not a finding. If results indicate the $CATALINA_BASE/work folder ownership and group membership is not set to tomcat:tomcat, this is a finding.
If operational/application requirements specify different group file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance. Run the following commands on the Tomcat server: sudo find $CATALINA_BASE/work -maxdepth 0 \( ! -user tomcat \) | sudo xargs chown tomcat sudo find $CATALINA_BASE/work -maxdepth 0 \( ! -group tomcat \) | sudo xargs chgrp tomcat
If the manager application has been deleted from the Tomcat server, this is not a finding. From the Tomcat server as a privileged user, issue the following command: sudo grep -i auth-method $CATALINA_BASE/webapps/manager/WEB-INF/web.xml If the <Auth-Method> for the web manager application is not set to CLIENT-CERT, this is a finding.
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/webapps/manager/WEB-INF/web.xml file and modify the auth-method for the manager application security constraint. sudo nano $CATALINA_BASE/webapps/manager/WEB-INF/web.xml Locate <auth-method> contained within the <login-config> section, modify <auth-method> to specify CLIENT-CERT. EXAMPLE: <auth-method>CLIENT-CERT</auth-method> In addition, the connector used for accessing the manager application must be configured to require client authentication by setting clientAuth="true" and the manager application roles must be configured in the LDAP server. Restart the Tomcat server: sudo systemctl restart tomcat
For the systemd Ubuntu OS, check the tomcat.service file to read the content of the JAVA_OPTS environment variable setting. sudo cat /etc/systemd/system/tomcat.service |grep -i truststore EXAMPLE output: set JAVA_OPTS="-Djavax.net.ssl.trustStore=/path/to/truststore" "-Djavax.net.ssl.trustStorePassword=************" If the variable is not set, use the default location command below. If the variable is set, use the alternate location command below and include the path and truststore file. -Default location: keytool -list -cacerts -v | grep -i issuer -Alternate location: keytool -list -keystore <location of trust store file> -v |grep -i issuer If there are no CA certificates issued by a Certificate Authority (CA) that is part of the DoD PKI/PKE, this is a finding.
Obtain and install the DoD PKI CA certificate bundles by accessing the DoD PKI office website at https://cyber.mil/pki-pke. Download the certificate bundles and then use certificate management utilities such as keytool or openssl to import the DoD CA certificates into the trust store.
This requirement only applies to a system that is categorized as high within the Risk Management Framework (RMF). Review the System Security Plan (SSP) or other system documentation that specifies the operational uptime requirements and RMF system categorization. If the system is categorized as high, from the Tomcat server as a privileged user, run the following command: sudo grep -i -A10 -B2 "Cluster" $CATALINA_BASE/conf/server.xml If the <Cluster/> element is commented out, or no results returned, then the system is not clustered and this is a finding.
From the Tomcat server as a privileged user, modify the $CATALINA_BASE/conf/server.xml file. Uncomment the "<Cluster/> object and configure the system into a cluster as per the Tomcat clustering documentation provided at the Tomcat website. https://tomcat.apache.org/tomcat-9.0-doc/config/cluster.html
Refer to https://tomcat.apache.org/security-9.html and identify the latest secure version of Tomcat with no known vulnerabilities. As a privileged user from the Tomcat server, run the following command: sudo $CATALINA_HOME/bin/version.sh |grep -i server Compare the version running on the system to the latest secure version of Tomcat. Note: If TCAT-AS-000950 is compliant, users may need to leverage a different management interface. There is commonly a version.bat script in CATALINA_HOME/bin that will also output the current version of Tomcat. If the latest secure version of Tomcat is not installed, this is a finding.
Follow operational procedures for upgrading Tomcat. Download latest version of Tomcat and install in a test environment. Test applications that are running in production and follow all operations best practices when upgrading the production Tomcat application servers. Update the Tomcat production instance accordingly and ensure corrected builds are installed once tested and verified.
As an elevated user on the Tomcat server, edit the $CATALINA_BASE/conf/server.xml file. Review the <Engine> element. Ensure one AccessLog <Valve> element is nested within the engine element. If a <Valve className="org.apache.catalina.valves.AccessLogValve" .../> element is not defined, this is a finding. EXAMPLE: <Engine name="Standalone" ...> ... <Valve className="org.apache.catalina.valves.AccessLogValve" prefix="catalina_access_log" suffix=".txt" pattern="common"/> ... </Engine>
As a privileged user on the Tomcat server, edit the $CATALINA_BASE/conf/server.xml file. Create a <Valve> element that is nested beneath the <Host> element containing an AccessLogValve. EXAMPLE: <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"> ... <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %t %u "%r" %s %b" /> ... </Host> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
Run the following commands From the Tomcat server as a privileged user: Identify the home folder for the Tomcat server. sudo grep -i -- 'catalina_home\|catalina_base' /etc/systemd/system/tomcat.service Check the audit rules for the Tomcat folders. sudo auditctl -l $CATALINA_HOME/bin |grep -i bin If the results do not include -w $CATALINA_HOME/bin -p wa -k tomcat, or if there are no results, this is a finding.
From the Tomcat server as a privileged user, use the auditctl command. sudo auditctl -w $CATALINA_HOME/bin -p wa -k tomcat Validate the audit watch was created. sudo auditctl -l The user should see: -w $CATALINA_HOME/ -p wa -k tomcat
Run the following commands From the Tomcat server as a privileged user: Identify the home folder for the Tomcat server. sudo grep -i -- 'catalina_home\|catalina_base' /etc/systemd/system/tomcat.service Check the audit rules for the Tomcat folders. sudo auditctl -l $CATALINA_HOME/bin |grep -i conf If the results do not include -w $CATALINA_BASE/conf -p wa -k tomcat, or if there are no results, this is a finding.
From the Tomcat server as a privileged user, use the auditctl command. sudo auditctl -w $CATALINA_BASE/conf -p wa -k tomcat Validate the audit watch was created. sudo auditctl -l The user should see: -w $CATALINA_HOME/ -p wa -k tomcat
Run the following commands From the Tomcat server as a privileged user: Identify the home folder for the Tomcat server. sudo grep -i -- 'catalina_home\|catalina_base' /etc/systemd/system/tomcat.service Check the audit rules for the Tomcat folders sudo auditctl -l $CATALINA_HOME/bin |grep -i lib If the results do not include -w $CATALINA_HOME/lib -p wa -k tomcat, or if there are no results, this is a finding.
From the Tomcat server as a privileged user, use the auditctl command. sudo auditctl -w $CATALINA_HOME/lib -p wa -k tomcat Validate the audit watch was created. sudo auditctl -l The user should see: -w $CATALINA_HOME/ -p wa -k tomcat
For the systemd Ubuntu OS, check the tomcat.service file to read the content of the JAVA_OPTS environment variable setting. sudo cat /etc/systemd/system/tomcat.service |grep -i truststore EXAMPLE output: set JAVA_OPTS="-Djavax.net.ssl.trustStore=/path/to/truststore" "-Djavax.net.ssl.trustStorePassword=************" If the variable is not set, use the default location command below. If the variable is set, use the alternate location command below and include the path and truststore file. -Default location: keytool -list -cacerts -v | grep -i issuer -Alternate location: keytool -list -keystore <location of trust store file> -v |grep -i issuer If there are no CA certificates issued by a Certificate Authority (CA) that is part of the DoD PKI/PKE, this is a finding.
Obtain and install the DoD PKI CA certificate bundles by accessing the DoD PKI office website at cyber.mil/pki-pke. Import the DoD CA certificates.
If the system has an ISSM risk acceptance for operational issues that arise due to this setting, this is not a finding. From the Tomcat server as a privileged user, run the following command: sudo grep -i strict_servlet /etc/systemd/system/tomcat.service If there are no results, or if the -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE is not set to true, this is a finding.
From the Tomcat server as a privileged user: Edit the /etc/systemd/system/tomcat.service file and either add or edit the org.apache.catalina.STRICT_SERVLET_COMPLIANCE setting. Set the org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true EXAMPLE: CATALINA_OPTS='-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true' Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
From the Tomcat server as a privileged user, run the following command: sudo grep -i recycle_facades /etc/systemd/system/tomcat.service If there are no results, or if the org.apache.catalina.connector. RECYCLE_FACADES is not ="true", this is a finding.
From the Tomcat server as a privileged user: Edit the /etc/systemd/system/tomcat.service file and either add or edit the org.apache.catalina.connector. RECYCLE_FACADES setting. Set the org.apache.catalina.connector. RECYCLE_FACADES=true EXAMPLE: Environment='CATALINA_OPTS -Dorg.apache.catalina.connector. RECYCLE_FACADES=true' Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
If the ISSO has accepted the risk for enabling the ALLOW_BACKSLASH setting, this requirement is NA. From the Tomcat server as an elevated user, run the following command: sudo grep -i ALLOW_BACKSLASH $CATALINA_BASE/conf/catalina.properties sudo grep -i catalina_opts /etc/systemd/system/tomcat.service If org.apache.catalina.connector. ALLOW_BACKSLASH=true, this is a finding.
As a privileged user on the Tomcat server: If the finding is in the catalina.properties file, edit the $CATALINA_BASE/conf/catalina.properties file. sudo nano $CATALINA_BASE/conf/catalina.properties Change the org.apache.catalina.connector.ALLOW_BACKSLASH=true setting to =false. If the finding is in the /etc/systemd/services/tomcat/service file, edit the file using a text editor. sudo nano /etc/systemd/services/tomcat.service Locate the "Environment='CATALINA_OPTS=' line and change the -D.org.apache.catalina.connectorALLOW_BACKSLASH=true setting to =false. Restart Tomcat by running the following commands: sudo systemctl restart tomcat sudo systemctl daemon-reload
From the Tomcat server as a privileged user, run the following command: sudo grep -i enforce_encoding /etc/systemd/system/tomcat.service If there are no results, or if the org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER is not ="true", this is a finding.
From the Tomcat server as a privileged user: Edit the /etc/systemd/system/tomcat.service file, and either add or edit the org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER setting. Set the org.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true EXAMPLE: Environment='CATALINA_OPTS -Dorg.apache.catalina.connector.response.ENFORCE_ENCODING_IN_GET_WRITER=true' Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
Review the Tomcat servers System Security Plan/server documentation. Ensure that user accounts and roles with access to Tomcat management features such as the "manager-script" role are documented and approved by the ISSO. If the ISSO has not approved of documented roles and users who have management rights to the Tomcat server, this is a finding.
Document the users and the roles that have been defined for use with the Tomcat server. Ensure that all users and roles with access to Tomcat management features and capabilities are approved by the ISSO.
Review the Tomcat servers System Security Plan/server documentation. Access the Tomcat server and review the $CATALINA_BASE/webapps folder. Ensure that all webapps are documented in the SSP. If the applications that are hosted on the Tomcat server are not documented in the SSP, this is a finding.
Document the applications that have an ATO on the Tomcat server. Retain the information in the SSP and present to the auditor in the event of a CCRI.
Review the Tomcat servers System Security Plan/server documentation. Access the Tomcat server and review the server.xml file. grep -i "connector port" $CATALINA_BASE/conf/server.xml Compare the active Connectors and their associated IP ports with the Connectors documented and approved in the SSP. If the Connectors that are configured on the Tomcat server are not approved by the ISSO and documented in the SSP, this is a finding.
Document and obtain ISSO approval for the Connectors that are configured on the Tomcat server. Retain the information in the SSP and present to the auditor in the event of a CCRI.
Review SSP documentation for list of approved connectors and associated TCP/IP ports and interfaces. Verify the address attribute is specified for each connector and is set to the network interface specified in the SSP. Execute the following command to find configured Connectors: sudo grep -i -B1 -A5 connector $CATALINA_BASE/conf/server.xml Review results and examine the "address=" field for each connector. If the connector address attribute is not specified as per the SSP, this is a finding.
Ensure the address attribute for each connector and the network interfaces are specified in the SSP. Edit the following file From the Tomcat server as a privileged user: $CATALINA_BASE/conf/server.xml Locate each Connector element then edit or add the "address=" field for each connector and specify the appropriate network IP address. The following is an example using a random IP address: EXAMPLE: <Connector port="8443" address="192.168.0.145" ... /> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
This requirement cannot be met by the Tomcat server natively and must be done at the OS. Review the operating system. Ensure the OS is configured to alert the ISSO and SA in the event of an audit processing failure. The alert notification method itself can be accomplished in a variety of ways and is not restricted to email alone. The intention is to send an alert; the method used to send the alert is not a factor of the requirement. The fix uses email but other alert methods are acceptable. If the OS is not configured to alert the ISSO and SA in the event of an audit processing failure, this is a finding.
Procedures for meeting this requirement will vary according to the OS. For Ubuntu Linux systems, instructions for notifying via email are provided. Other alert methods are also acceptable but are not provided here. Configure "auditd" service to notify the SA and ISSO in the event of an audit processing failure. Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = root Restart the auditd service so the changes take effect: # sudo systemctl restart auditd.service