Hosted applications must be documented in the system security plan.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
low | V-223007 | SRG-APP-000516-AS-000237 | TCAT-AS-001710 | SV-223007r961863_rule | 2025-02-11 | 3 |
Description |
---|
The ISSM/ISSO must be cognizant of all applications operating on the Tomcat server, and must address any security implications associated with the operation of the applications. If unknown/undocumented applications are operating on the Tomcat server, these applications increase risk for the system due to not being managed, patched or monitored for unapproved activity on the system. |
ℹ️ Check |
---|
Review the Tomcat server's System Security Plan (SSP) and other server documentation. Access the Tomcat server and review the $CATALINA_BASE/webapps folder, listing every directory and WAR file deployed there. Note that the Host appBase may be configured to a directory other than webapps, and that applications can also be deployed through context descriptors under $CATALINA_BASE/conf/[engine]/[host]/ whose docBase may point anywhere on the filesystem, so review those locations as well. Ensure that every deployed application is documented in the SSP. If any application hosted on the Tomcat server is not documented in the SSP, this is a finding. |
✔️ Fix |
---|
Document the applications that have an Authority to Operate (ATO) on the Tomcat server. Retain the information in the SSP and present it to the auditor in the event of a Command Cyber Readiness Inspection (CCRI). |
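The inventory step of the check can be automated so that the list of deployed applications is produced the same way every time and compared against the SSP. The following shell script is an added example, not part of the STIG text or any DISA tooling. It assumes the SSP's application list has been exported to a plain-text file with one context name per line (an assumed format; the SSP itself is a document, not a file Tomcat reads), and it enumerates both $CATALINA_BASE/webapps and the per-host context descriptors under $CATALINA_BASE/conf.

```shell
#!/bin/sh
# Added example: enumerate the applications deployed on a Tomcat instance
# and report any that are not in the SSP's approved list.
# Assumptions: the default appBase of $CATALINA_BASE/webapps is in use, and
# the approved list is a text file with one context name per line.

# list_deployed_apps CATALINA_BASE
# Prints one deployed application name per line, de-duplicated, from:
#   - exploded directories and .war files under $CATALINA_BASE/webapps
#   - context descriptors under $CATALINA_BASE/conf/<Engine>/<Host>/*.xml,
#     which can deploy a docBase that lives outside webapps entirely
list_deployed_apps() {
    base="$1"
    {
        if [ -d "$base/webapps" ]; then
            for entry in "$base/webapps"/*; do
                [ -e "$entry" ] || continue
                name=$(basename "$entry")
                # A WAR and its exploded directory are the same application.
                case "$name" in
                    *.war) name="${name%.war}" ;;
                esac
                printf '%s\n' "$name"
            done
        fi
        for ctx in "$base"/conf/*/*/*.xml; do
            [ -e "$ctx" ] || continue
            # Descriptor file name is the context name; Tomcat maps '#' in
            # the name to '/' in the context path (e.g. a#b.xml -> /a/b).
            printf '%s\n' "$(basename "$ctx" .xml)"
        done
    } | LC_ALL=C sort -u
}

# undocumented_apps CATALINA_BASE APPROVED_FILE
# Prints each deployed application that does not appear (as an exact line)
# in APPROVED_FILE. Empty output means the check passes.
undocumented_apps() {
    base="$1"
    approved="$2"
    list_deployed_apps "$base" | while IFS= read -r app; do
        grep -qxF -- "$app" "$approved" || printf '%s\n' "$app"
    done
}

# Usage (CATALINA_BASE and the exported SSP list are supplied by the auditor):
#   undocumented_apps "$CATALINA_BASE" /path/to/ssp-approved-apps.txt
```

Tomcat's stock ROOT, docs, examples, manager and host-manager applications will appear in the inventory like any other deployment; each must either be documented in the SSP or removed, and a non-empty result from undocumented_apps is a finding under this rule.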