TCAT-AS-000270 - The first line of request must be logged.

Information

The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/server.xml configuration file: The "%r" pattern code is included in the pattern element and logs the first line associated with the event, namely the request method, URL path, query string, and protocol ('"' simply specifies a literal double quote). Including the pattern in the log configuration provides useful information about the time of the event which is critical for troubleshooting and forensic investigations.

Solution

As a privileged user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file.

Modify the <Valve> element(s) nested within the <Host> element(s).

Change the AccessLogValve setting to include &quot;%r&quot; in the pattern= statement.

EXAMPLE:
<Host name='localhost' appBase='webapps'
unpackWARs='true' autoDeploy='false'>
...
<Valve className='org.apache.catalina.valves.AccessLogValve' directory='logs'
prefix='localhost_access_log' suffix='.txt'
pattern='%h %l %t %u &quot;%r&quot; %s %b' />
...
</Host>

Restart the Tomcat server:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V3R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, CAT|II, CCI|CCI-000132, Rule-ID|SV-222942r960897_rule, STIG-ID|TCAT-AS-000270, STIG-Legacy|SV-111413, STIG-Legacy|V-102467, Vuln-ID|V-222942

Plugin: Unix

Control ID: 0b246722d60db04d41f41eed7b714a9205baadc097233a09d43084ab199161a5