V-223006

CAT II (Medium)

Tomcat users in a management role must be approved by the ISSO.

Rule ID

SV-223006r961863_rule

STIG

Apache Tomcat Application Server 9 Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-000366

Discussion

Deploying applications to Tomcat requires a Tomcat user account that is in the "manager-script" role. Any user accounts in a Tomcat management role must be approved by the ISSO.

Check Content

Review the Tomcat server's System Security Plan/server documentation.

Ensure that user accounts and roles with access to Tomcat management features such as the "manager-script" role are documented and approved by the ISSO.

If the ISSO has not approved the documented roles and users who have management rights to the Tomcat server, this is a finding.

Fix Text

Document the users and the roles that have been defined for use with the Tomcat server.

Ensure that all users and roles with access to Tomcat management features and capabilities are approved by the ISSO.
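
To support the documentation step above, the following added example (not part of the STIG text) lists every user holding a Tomcat management role in a tomcat-users.xml file, including roles inherited through a group, and reports grants missing from an approved list. It assumes the server uses Tomcat's default file-based user database; the role set beyond "manager-script", the sample XML and the approved list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Tomcat's built-in Manager / Host Manager roles. The STIG text names only
# "manager-script"; covering the others is an assumption about audit scope.
MGMT_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
              "admin-gui", "admin-script"}

# Constructed sample of conf/tomcat-users.xml (not taken from a real server).
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <group groupname="ops" roles="manager-gui"/>
  <user username="deployer" password="REDACTED" roles="manager-script"/>
  <user username="alice" password="REDACTED" groups="ops" roles="app-user"/>
  <user username="bob" password="REDACTED" roles="app-user"/>
</tomcat-users>"""

# Constructed stand-in for the ISSO-approved entries in the System Security Plan.
APPROVED = {("deployer", "manager-script")}

def _local(tag):
    # Drop the "{namespace}" prefix so files with or without xmlns both work.
    return tag.rsplit("}", 1)[-1]

def _csv(value):
    # Split a comma-separated attribute such as roles="a, b" into a set.
    return {item.strip() for item in (value or "").split(",") if item.strip()}

def management_grants(xml_text):
    """Return {(username, role)} for each management role a user holds,
    directly or through a group. Password attributes are never read."""
    root = ET.fromstring(xml_text)
    group_roles = {e.get("groupname"): _csv(e.get("roles"))
                   for e in root if _local(e.tag) == "group"}
    grants = set()
    for e in root:
        if _local(e.tag) != "user":
            continue
        roles = _csv(e.get("roles"))
        for group in _csv(e.get("groups")):
            roles |= group_roles.get(group, set())
        grants |= {(e.get("username"), r) for r in roles & MGMT_ROLES}
    return grants

def unapproved(xml_text, approved):
    """Grants present in the file but missing from the approved list."""
    return sorted(management_grants(xml_text) - set(approved))

if __name__ == "__main__":
    for user, role in unapproved(SAMPLE_USERS_XML, APPROVED):
        print(f"review: {user} holds {role} with no recorded ISSO approval")
```

If the server authenticates against a different realm, such as a directory service, the management role holders must be enumerated there instead.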