Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-223007 | TCAT-AS-001710 | SV-223007r615938_rule | Low |
Description |
---|
The ISSM/ISSO must be cognizant of all applications operating on the Tomcat server, and must address any security implications associated with the operation of the applications. If unknown/undocumented applications are operating on the Tomcat server, these applications increase risk for the system due to not being managed, patched or monitored for unapproved activity on the system. |
STIG | Date |
---|---|
Apache Tomcat Application Sever 9 Security Technical Implementation Guide | 2020-12-11 |
Check Text ( C-24679r426465_chk ) |
---|
Review the Tomcat servers System Security Plan/server documentation. Access the Tomcat server and review the $CATALINA_BASE/webapps folder. Ensure that all webapps are documented in the SSP. If the applications that are hosted on the Tomcat server are not documented in the SSP, this is a finding. |
Fix Text (F-24668r426466_fix) |
---|
Document the applications that have an ATO on the Tomcat server. Retain the information in the SSP and present to the auditor in the event of a CCRI. |