10.3 Restrict manager application

Information

Limit access to the manager application to only those with a justified need.

Rationale:

Limiting access to the least privilege will ensure only those people with a justified need will have access to a resource The manager application should be limited to only administrators.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

For the manager application, edit $CATALINA_HOME/conf/<enginename>/<hostname>/manager.xml, and add the bolded line:

<Context path='/manager' docBase='${catalina.home}/webapps/manager' debug='0' privileged='true'>
<Valve className='org.apache.catalina.valves.RemoteAddrValve' allow='127.0.0.1'/>
<!-- Link to the user database we will get roles from -->
<ResourceLink name='users' global='UserDatabase'
type='org.apache.catalina.UserDatabase'/>
</Context>

Add hosts, comma separated, which are allowed to access the admin application.

Note: The RemoteAddrValve property expects a regular expression, therefore periods and other regular expression meta-characters must be escaped.

Default Value:

By default this setting is not present

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html

https://tomcat.apache.org/tomcat-8.0-doc/manager-howto.html

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(10), CSCv7|4.7

Plugin: Unix

Control ID: 91d1ef914596d1143034f09633fb8c2323e69b116fe9cf9eabee3191f2c26172