TCAT-AS-000100 - Connectors must be secured.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The unencrypted HTTP protocol does not protect data from interception or alteration which can subject users to eavesdropping, tracking, and the modification of received data. To secure an HTTP connector, both the secure and scheme flags must be set.

Solution

From the Tomcat server as a privileged user, edit the server.xml file.

sudo nano $CATALINA_BASE/conf/server.xml.

Locate each <Connector/> element which is lacking a secure setting.

EXAMPLE Connector:
<Connector port='8080' protocol='HTTP/1.1'
connectionTimeout='20000'
redirectPort='443' />

Set or add scheme='https' and secure='true' for each HTTP connector element.

EXAMPLE:
<Connector port='443' protocol='org.apache.coyote.http11.Http11NioProtocol' SSLEnabled='true'
maxThreads='150' scheme='https' secure='true'.../>

Save the server.xml file and restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl reload-daemon

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R7_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000213, Rule-ID|SV-222935r879530_rule, STIG-ID|TCAT-AS-000100, STIG-Legacy|SV-111401, STIG-Legacy|V-102453, Vuln-ID|V-222935

Plugin: Unix

Control ID: d802dbcc9abe70bf9a1977a997dbc38885b0317a3d68420c6a7e1354ae8fb08e