The number of allowed simultaneous sessions to the manager application must be limited.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222926	TCAT-AS-000010	SV-222926r960735_rule		Low

Description
The manager application provides configuration access to the Tomcat server. Access to the manager application must be limited and that includes the number of sessions allowed to access the management application. A balance must be struck between the number of simultaneous connections allowed to the management application and the number of authorized admins requiring access at any given time. Determine the number of authorized admins requiring simultaneous access and increase the number of allowed simultaneous sessions by a small percentage in order to help prevent potential lockouts. Document that value in the System Security Plan (SSP).

Description

The manager application provides configuration access to the Tomcat server. Access to the manager application must be limited and that includes the number of sessions allowed to access the management application. A balance must be struck between the number of simultaneous connections allowed to the management application and the number of authorized admins requiring access at any given time. Determine the number of authorized admins requiring simultaneous access and increase the number of allowed simultaneous sessions by a small percentage in order to help prevent potential lockouts. Document that value in the System Security Plan (SSP).

STIG	Date
Apache Tomcat Application Server 9 Security Technical Implementation Guide	2024-05-23

Details

Check Text ( C-24598r426222_chk )
If the manager application is not in use or has been deleted from the system, this is not a finding. From the Tomcat server as an elevated user run the following command: sudo grep -i maxactivesessions $CATALINA_BASE/webapps/manager/ META-INF/context.xml If the maxActiveSesions setting is not configured according to the number of connections defined in the SSP, this is a finding.

Fix Text (F-24587r426223_fix)
Determine the number of authorized admins requiring simultaneous access and increase the number of allowed simultaneous sessions by a small percentage in order to address potential lockout scenarios. Document that value in the System Security Plan. Review the maxActiveSessions setting in the $CATALINA_BASE/webapps/manager/ META-INF/context.xml configuration file. Configure maxActiveSessions setting according to admin access requirements defined in the SSP. EXAMPLE:

Fix Text (F-24587r426223_fix)

Determine the number of authorized admins requiring simultaneous access and increase the number of allowed simultaneous sessions by a small percentage in order to address potential lockout scenarios. Document that value in the System Security Plan.

Review the maxActiveSessions setting in the $CATALINA_BASE/webapps/manager/ META-INF/context.xml configuration file.

Configure maxActiveSessions setting according to admin access requirements defined in the SSP.

EXAMPLE: