Apache Tomcat Application Server 9 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000267-AS-000170
<GroupDescription></GroupDescription>Group -
ErrorReportValve showReport must be set to false.
<VulnDiscussion>The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can...Rule Medium Severity -
SRG-APP-000295-AS-000263
<GroupDescription></GroupDescription>Group -
Idle timeout for management application must be set to 10 minutes.
<VulnDiscussion>Tomcat can set idle session timeouts on a per application basis. The management application is provided with the Tomcat insta...Rule Medium Severity -
SRG-APP-000315-AS-000094
<GroupDescription></GroupDescription>Group -
LockOutRealms must be used for management of Tomcat.
<VulnDiscussion>A LockOutRealm adds the ability to lock a user out after multiple failed logins. LockOutRealm is an implementation of the Tom...Rule Medium Severity -
SRG-APP-000316-AS-000199
<GroupDescription></GroupDescription>Group -
LockOutRealms failureCount attribute must be set to 5 failed logins for admin users.
<VulnDiscussion>A LockOutRealm adds the ability to lock a user out after multiple failed logins. Setting the failureCount attribute to 5 will...Rule Medium Severity -
SRG-APP-000316-AS-000199
<GroupDescription></GroupDescription>Group -
LockOutRealms lockOutTime attribute must be set to 600 seconds (10 minutes) for admin users.
<VulnDiscussion>A LockOutRealm adds the ability to specify a lockout time that prevents further attempts after multiple failed logins. Settin...Rule Low Severity -
SRG-APP-000340-AS-000185
<GroupDescription></GroupDescription>Group -
Tomcat user account must be set to nologin.
<VulnDiscussion>When installing Tomcat, a user account is created on the OS. This account is used in order for Tomcat to be able to operate o...Rule Medium Severity -
SRG-APP-000340-AS-000185
<GroupDescription></GroupDescription>Group -
Tomcat user account must be a non-privileged user.
<VulnDiscussion>Use a distinct non-privileged user account for running Tomcat. If Tomcat processes are compromised and a privileged user acco...Rule Medium Severity -
SRG-APP-000343-AS-000030
<GroupDescription></GroupDescription>Group -
Application user name must be logged.
<VulnDiscussion>The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface w...Rule Low Severity -
SRG-APP-000380-AS-000088
<GroupDescription></GroupDescription>Group -
$CATALINA_HOME folder must be owned by the root user, group tomcat.
<VulnDiscussion>Tomcat file permissions must be restricted. The standard configuration is to have the folder where Tomcat is installed owned ...Rule Medium Severity -
SRG-APP-000380-AS-000088
<GroupDescription></GroupDescription>Group -
$CATALINA_BASE/conf/ folder must be owned by root, group tomcat.
<VulnDiscussion>Tomcat file permissions must be restricted. The standard configuration is to have Tomcat files contained in the conf/ folder ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.