UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222995 TCAT-AS-001460 SV-222995r615938_rule Medium
Description
A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of integrity and availability. By HA clustering the application server, the hosted application and data are given a platform that is load-balanced and provided high-availability.
STIG Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide 2021-06-15

Details

Check Text ( C-24667r426429_chk )
This requirement only applies to a system that is categorized as high within the Risk Management Framework (RMF).

Review the System Security Plan (SSP) or other system documentation that specifies the operational uptime requirements and RMF system categorization.

If the system is categorized as high, from the Tomcat server as a privileged user, run the following command:

sudo grep -i -A10 -B2 "Cluster" $CATALINA_BASE/conf/server.xml

If the element is commented out, or no results returned, then the system is not clustered and this is a finding.
Fix Text (F-24656r426430_fix)
From the Tomcat server as a privileged user, modify the $CATALINA_BASE/conf/server.xml file.

Uncomment the " object and configure the system into a cluster as per the Tomcat clustering documentation provided at the Tomcat website.

https://tomcat.apache.org/tomcat-9.0-doc/config/cluster.html