10.3 Restrict manager application

Information

Limit access to the manager application to only those hosts with a demonstrated need to reach it.
Review $CATALINA_BASE/conf/[enginename]/[hostname]/manager.xml and confirm that the RemoteAddrValve element is present (not commented out) and that its allow attribute matches only the addresses of the systems that are required to connect, typically the loopback address and a small set of administrative hosts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

For the manager application, edit $CATALINA_BASE/conf/[enginename]/[hostname]/manager.xml and add the Valve element (the second line below) inside the Context:
<Context path="/manager" docBase="${catalina.home}/webapps/manager" debug="0" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>
  <!-- Link to the user database we will get roles from -->
  <ResourceLink name="users" global="UserDatabase" type="org.apache.catalina.UserDatabase"/>
</Context>
Add the hosts that are allowed to access the manager application to the allow attribute. In the Tomcat 6 releases this benchmark targets, allow is a comma-separated list of regular expressions; in Tomcat 7 and later it is a single regular expression, so alternatives are separated with | instead (for example allow="127\.0\.0\.1|::1|0:0:0:0:0:0:0:1|10\.20\.30\.40").
Note: The allow value is matched as a regular expression against the whole client address, therefore periods and other regular expression meta-characters must be escaped (127\.0\.0\.1, not 127.0.0.1, whose unescaped dots match any character). If clients may connect over IPv6, include the loopback form Tomcat reports, which can be 0:0:0:0:0:0:0:1 rather than ::1.
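Because this plugin does not perform the check itself, the following added audit script (my example, not part of the CIS benchmark, the Nessus plugin or Tomcat) parses a manager.xml context file, confirms the RemoteAddrValve is present, flags unescaped dots in its allow attribute, and checks the pattern against addresses that must be allowed and addresses that must be denied. It assumes Tomcat 7-and-later semantics (allow is one java.util.regex expression compared against the whole client address with Pattern.matcher(addr).matches()), that Python's re module behaves the same as java.util.regex for these literal IP patterns, and it uses three constructed sample files embedded inline; the hostile address 10.20.30.41 and admin host 10.20.30.40 are made up for illustration.

```python
"""Audit a Tomcat manager.xml context for the RemoteAddrValve restriction.

Added example (not from the CIS benchmark or the Nessus plugin). Assumes
Tomcat 7+ semantics: allow is a single java.util.regex expression that must
match the entire client address. Sample XML below is constructed.
"""
import re
import xml.etree.ElementTree as ET

VALVE_CLASS = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample 1: stock manager context with no valve at all (fails).
UNRESTRICTED_XML = """\
<Context path="/manager" docBase="${catalina.home}/webapps/manager"
         debug="0" privileged="true">
  <ResourceLink name="users" global="UserDatabase"
                type="org.apache.catalina.UserDatabase"/>
</Context>
"""

# Constructed sample 2: valve present, but the periods are not escaped.
UNESCAPED_XML = """\
<Context path="/manager" docBase="${catalina.home}/webapps/manager"
         debug="0" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127.0.0.1"/>
  <ResourceLink name="users" global="UserDatabase"
                type="org.apache.catalina.UserDatabase"/>
</Context>
"""

# Constructed sample 3: loopback (v4 and v6) plus one hypothetical admin host.
RESTRICTED_XML = r"""<Context path="/manager" docBase="${catalina.home}/webapps/manager"
         debug="0" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1|0:0:0:0:0:0:0:1|10\.20\.30\.40"/>
  <ResourceLink name="users" global="UserDatabase"
                type="org.apache.catalina.UserDatabase"/>
</Context>
"""


def allow_pattern(xml_text):
    """Return the allow= value of the RemoteAddrValve, or None if absent."""
    root = ET.fromstring(xml_text)
    for valve in root.iter("Valve"):
        if valve.get("className") == VALVE_CLASS:
            return valve.get("allow")
    return None


def unescaped_dots(pattern):
    """Count '.' characters not preceded by a backslash (they match any char)."""
    return len(re.findall(r"(?<!\\)\.", pattern))


def audit(xml_text, must_allow, must_deny):
    """Return a list of findings; an empty list means the context passes."""
    pattern = allow_pattern(xml_text)
    if pattern is None:
        return ["no RemoteAddrValve with an allow attribute in manager.xml"]
    findings = []
    n = unescaped_dots(pattern)
    if n:
        findings.append(f"allow pattern contains {n} unescaped '.'")
    # Tomcat uses matches(), i.e. the whole address must match, so
    # fullmatch() is the faithful comparison (search() would be too lax).
    rx = re.compile(pattern)
    for addr in must_allow:
        if not rx.fullmatch(addr):
            findings.append(f"required host {addr} would be denied")
    for addr in must_deny:
        if rx.fullmatch(addr):
            findings.append(f"unexpected host {addr} would be allowed")
    return findings


if __name__ == "__main__":
    allowed = ["127.0.0.1", "10.20.30.40"]
    denied = ["10.20.30.41", "127.0.0.10"]
    for name, xml in (("unrestricted", UNRESTRICTED_XML),
                      ("unescaped", UNESCAPED_XML),
                      ("restricted", RESTRICTED_XML)):
        print(f"{name}: {audit(xml, allowed, denied) or 'OK'}")
```

Run it against a copy of the real manager.xml by reading the file into audit() with the addresses of the administrative hosts in must_allow and a few addresses from untrusted networks in must_deny; a non-empty result is a finding for this benchmark item. Tomcat 6 accepted a comma-separated list of patterns, so on that release split the attribute on commas and test each pattern separately.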

See Also

https://workbench.cisecurity.org/files/266