TCAT-AS-000970 - Idle timeout for the management application must be set to 10 minutes.

Information

Tomcat can set idle session timeouts on a per application basis. The management application is provided with the Tomcat installation and is used to manage the applications that are installed on the Tomcat Server. Setting the idle timeout for the management application will kill the admin user's session after 10 minutes of inactivity. This will limit the opportunity for unauthorized persons to hijack the admin session. This setting will also affect the default timeout behavior of all hosted web applications. To adjust the individual hosted application settings that are not related to management of the system, modify the individual application web.xml file if application timeout requirements differ from the STIG.

Satisfies: SRG-APP-000389, SRG-APP-000220

Solution

From the Tomcat server as a privileged user:

To affect session timeout for all applications including the management application, edit the $CATALINA_BASE/conf/web.xml file.

To affect session timeout for the management application only, edit the $CATALINA_BASE/webapps/manager/META-INF/web.xml file.

Locate the session-timeout setting located within the session-config element.

Modify the session-timeout setting to be 10 minutes.

Save the file.

sudo systemctl restart tomcat
sudo systemctl daemon-reload

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V3R1_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-12, CAT|II, CCI|CCI-002361, CCI|CCI-004895, Rule-ID|SV-222979r985897_rule, STIG-ID|TCAT-AS-000970, STIG-Legacy|SV-111481, STIG-Legacy|V-102541, Vuln-ID|V-222979

Plugin: Unix

Control ID: 3f438e90aaff4cd51cd9189f813ce2b11e4c41fe4900058dcc82e4b10b29fe3f