7.3 Ensure className is set correctly in context.xml

Information

Ensure the className attribute is set to AccessLogValve. The className attribute determines the access log valve to be used for logging.

Rationale:

Some log valves are not suited for production and should not be used. Apache recommends org.apache.catalina.valves.AccessLogValve

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Add the following statement into the $CATALINA_HOME/webapps/<app name>/META-INF/context.xml file if it does not already exist.

<Valve
className='org.apache.catalina.valves.AccessLogValve'
directory='$CATALINA_HOME/logs/'
prefix='access_log'
fileDateFormat='yyyy-MM-dd.HH'
suffix='.log'
pattern='%t %H cookie:%{SESSIONID}c request:%{SESSIONID}r %m %U %s %q %r'
/>

Default Value:

Does not exist by default.

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CSCv7|6.3

Plugin: Unix

Control ID: 9d65e45c61c8618e13504d82c72b52160915cbfc058a243688566941dd674b30