Details

Limit access to the web administration application to only those with a justified need.

Rationale:

Limiting access to the least privilege will ensure only those people with a justified need will have access to a resource. The web administration application should be limited to only administrators.

Solution

For the administration application, edit $CATALINA_HOME/conf/server.xml and uncomment the following:

Note: The RemoteAddrValve property expects a regular expression, therefore periods and other regular expression meta-characters must be escaped.

Default Value:

By default, this configuration is not present.

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2506

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-6(10)
• CSCv7|4.7

Source

• Tenable.com/audits