Tomcat servers behind a proxy or load balancer must log client IP.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222937	TCAT-AS-000170	SV-222937r615938_rule		Medium

Description
When running Tomcat behind a load balancer or proxy, default behavior is for Tomcat to log the proxy or load balancer IP address as the client IP. Desired behavior is to log the actual client IP rather than the proxy IP address. The RemoteIpValve logging component instructs Tomcat to grab the HTTP header X-Forwarded-For and use that for access logging. Tomcat will identify 127.0.0.1, class A and class C RFC1918 addresses as internal proxy addresses; however, if the proxy has a routable IP or a class B private network address space (172.16.0.0/12), the user must also verify the "internalProxies setting is configured to reflect the proxy IP address.

Description

When running Tomcat behind a load balancer or proxy, default behavior is for Tomcat to log the proxy or load balancer IP address as the client IP. Desired behavior is to log the actual client IP rather than the proxy IP address. The RemoteIpValve logging component instructs Tomcat to grab the HTTP header X-Forwarded-For and use that for access logging. Tomcat will identify 127.0.0.1, class A and class C RFC1918 addresses as internal proxy addresses; however, if the proxy has a routable IP or a class B private network address space (172.16.0.0/12), the user must also verify the "internalProxies setting is configured to reflect the proxy IP address.

STIG	Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide	2020-12-11

Details

Check Text ( C-24609r426255_chk )
Review the System Security Plan and determine if the Tomcat server resides behind a proxy server or load balancer. If the Tomcat server is not behind a proxy server or load balancer, this requirement is NA. From the Tomcat server run the following command: sudo grep -i RemoteIpValve $CATALINA_BASE/conf/server.xml file. If the results are empty or if the requestAttributesEnabled setting is not configured as "True", this is a finding. sudo grep -i AccessLogValve $CATALINA_BASE/conf/server.xml file. If the requestAttributesEnabled setting is not configured as "True", this is a finding.

Check Text ( C-24609r426255_chk )

Review the System Security Plan and determine if the Tomcat server resides behind a proxy server or load balancer. If the Tomcat server is not behind a proxy server or load balancer, this requirement is NA.

From the Tomcat server run the following command:

sudo grep -i RemoteIpValve $CATALINA_BASE/conf/server.xml file.

If the results are empty or if the requestAttributesEnabled setting is not configured as "True", this is a finding.

sudo grep -i AccessLogValve $CATALINA_BASE/conf/server.xml file.

If the requestAttributesEnabled setting is not configured as "True", this is a finding.

Fix Text (F-24598r426256_fix)
From the Tomcat server as a privileged user: Edit the $CATALINA_BASE/conf/server.xml file. Only execute this first step if the proxy server is using a routable IP address or an RFC 1918 Class B address space: Add or edit the RemoteIpValve and configure the internalProxies setting to reflect the proxy addresses. Modify the AccessLogValve and configure the requestAttributesEnabled setting = "True". EXAMPLE: directory="logs" prefix="access" suffix=".log" pattern="combined" renameOnRotate="true" requestAttributesEnabled="true" /> Restart Tomcat: sudo systemctl restart tomcat sudo systemctl tomcat daemon-reload

Fix Text (F-24598r426256_fix)

From the Tomcat server as a privileged user:

Edit the $CATALINA_BASE/conf/server.xml file.

Only execute this first step if the proxy server is using a routable IP address or an RFC 1918 Class B address space: Add or edit the RemoteIpValve and configure the internalProxies setting to reflect the proxy addresses.

Modify the AccessLogValve and configure the requestAttributesEnabled setting = "True".

EXAMPLE:

directory="logs"
prefix="access"
suffix=".log"
pattern="combined"
renameOnRotate="true"
requestAttributesEnabled="true"
/>

Restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl tomcat daemon-reload