Autodeploy must be disabled.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-222956	SRG-APP-000141-AS-000095	TCAT-AS-000540	SV-222956r960963_rule	2025-02-11	3

Description
Tomcat allows auto-deployment of applications while Tomcat is running. This can allow untested or malicious applications to be automatically loaded into production. Autodeploy must be disabled in production. This requirement is NA for test and development systems on non-production networks. For DevSecOps application environments, the ISSM may authorize autodeploy functions on a production Tomcat system if the mission need specifies it and an application security vulnerability testing and assurance regimen is included in the DevSecOps process.

Description

Tomcat allows auto-deployment of applications while Tomcat is running. This can allow untested or malicious applications to be automatically loaded into production. Autodeploy must be disabled in production. This requirement is NA for test and development systems on non-production networks. For DevSecOps application environments, the ISSM may authorize autodeploy functions on a production Tomcat system if the mission need specifies it and an application security vulnerability testing and assurance regimen is included in the DevSecOps process.

ℹ️ Check
If the SSP associated with the Host contains ISSM-documented approvals for AutoDeploy, this is not a finding. From the Tomcat server, run the following OS command: sudo cat $CATALINA_BASE/conf/server.xml \| grep -i -C2 autodeploy If the command returns no results, this is not a finding. Review the results for the autoDeploy parameter in each Host element. <Host name="YOUR HOST NAME" appbase="webapps" unpackWARs="true" autoDeploy="false"> If autoDeploy ="true" or if autoDeploy is not set, this is a finding.

ℹ️ Check

If the SSP associated with the Host contains ISSM-documented approvals for AutoDeploy, this is not a finding. From the Tomcat server, run the following OS command: sudo cat $CATALINA_BASE/conf/server.xml | grep -i -C2 autodeploy If the command returns no results, this is not a finding. Review the results for the autoDeploy parameter in each Host element. <Host name="YOUR HOST NAME" appbase="webapps" unpackWARs="true" autoDeploy="false"> If autoDeploy ="true" or if autoDeploy is not set, this is a finding.

✔️ Fix
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. Examine each <Host> </Host> element, if the element contains autoDeploy="true", modify the statement to read ", autoDeploy="false". sudo systemctl restart tomcat sudo systemctl daemon-reload