UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Autodeploy must be disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222956 TCAT-AS-000540 SV-222956r879587_rule Medium
Description
Tomcat allows auto-deployment of applications while Tomcat is running. This can allow untested or malicious applications to be automatically loaded into production. Autodeploy must be disabled in production. This requirement is NA for test and development systems on non-production networks. For DevSecOps application environments, the ISSM may authorize autodeploy functions on a production Tomcat system if the mission need specifies it and an application security vulnerability testing and assurance regimen is included in the DevSecOps process.
STIG Date
Apache Tomcat Application Server 9 Security Technical Implementation Guide 2023-06-05

Details

Check Text ( C-24628r426312_chk )
If the SSP associated with the Host contains ISSM documented approvals for AutoDeploy, this is not a finding.

From the Tomcat server run the following OS command:

sudo cat $CATALINA_BASE/conf/server.xml | grep -i -C2 autodeploy

If the command returns no results, this is not a finding.

Review the results for the autoDeploy parameter in each Host element.



If autoDeploy ="true", this is a finding.
Fix Text (F-24617r426313_fix)
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

Examine each element, if the element contains autoDeploy="true", modify the statement to read ", autoDeploy="false".

sudo systemctl restart tomcat
sudo systemctl daemon-reload