Details
Tomcat allows auto-deployment of applications while Tomcat is running. This can allow untested or malicious applications to be automatically loaded into production. Autodeploy must be disabled in production.
This requirement is NA for test and development systems on non-production networks. For DevSecOps application environments, the ISSM may authorize autodeploy functions on a production Tomcat system if the mission need specifies it and an application security vulnerability testing and assurance regimen is included in the DevSecOps process.
Solution
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.
Examine each
sudo systemctl restart tomcat
sudo systemctl daemon-reload
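The check and fix above can be scripted so every Host element in server.xml is examined rather than eyeballed. The following Python script is an added example and is not part of the STIG text or of Tomcat itself; the embedded server.xml fragment and its host names (localhost, intranet.example, legacy.example) are constructed for illustration. It relies on the documented Tomcat behaviour that a Host with no autoDeploy attribute defaults to autoDeploy="true", so an absent attribute is reported as a finding, not treated as compliant.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the page): one Host explicitly
# enabling autoDeploy, one explicitly disabling it, and one relying on the
# Tomcat default (which is "true").
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
      <Host name="intranet.example" appBase="intranet" unpackWARs="true" autoDeploy="false"/>
      <Host name="legacy.example" appBase="legacy"/>
    </Engine>
  </Service>
</Server>
"""


def find_autodeploy_hosts(xml_text):
    """Return (host name, autoDeploy value) for every Host that is NOT
    explicitly set to autoDeploy="false".

    A missing attribute is reported as 'true (default)' because Tomcat
    auto-deploys when the attribute is absent.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("Host"):
        value = host.get("autoDeploy", "true (default)")
        if value.strip().lower() != "false":
            findings.append((host.get("name", "<unnamed>"), value))
    return findings


def harden_autodeploy(xml_text):
    """Return the server.xml text with autoDeploy="false" forced on every Host.

    ElementTree drops the XML declaration and comments on re-serialisation,
    so review the result (or re-apply the edit by hand) before replacing
    the real file.
    """
    root = ET.fromstring(xml_text)
    for host in root.iter("Host"):
        host.set("autoDeploy", "false")
    return ET.tostring(root, encoding="unicode")


def main(argv):
    # Default path follows the STIG text; CATALINA_BASE must be set in the
    # environment for it to expand. If no file is given, run on the sample.
    if len(argv) > 1:
        path = os.path.expandvars(argv[1])
        with open(path, encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        path = "<constructed sample>"
        xml_text = SAMPLE_SERVER_XML

    findings = find_autodeploy_hosts(xml_text)
    if not findings:
        print(f"{path}: all Host elements have autoDeploy=\"false\"")
        return 0
    for name, value in findings:
        print(f"{path}: Host '{name}' autoDeploy={value} (finding)")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_autodeploy.py '$CATALINA_BASE/conf/server.xml'` (quoted so the script expands the variable) as a privileged user; a non-zero exit means at least one Host still auto-deploys and the server.xml edit, followed by the restart above, is still required. harden_autodeploy shows the intended end state but should be applied to the live file only after a review, since it rewrites the whole document.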
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.
References
- 800-53|CM-7a.
- CAT|II
- CCI|CCI-000381
- Rule-ID|SV-222956r615938_rule
- STIG-ID|TCAT-AS-000540
- STIG-Legacy|SV-111437
- STIG-Legacy|V-102495
- Vuln-ID|V-222956