
Apache Tomcat Application Server 9 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000380-AS-000088 (Group)
  • $CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat. (Rule, Medium Severity)

    Vulnerability discussion: Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group T...
  • SRG-APP-000380-AS-000088 (Group)
  • $CATALINA_BASE/temp/ folder must be owned by tomcat user, group tomcat. (Rule, Low Severity)

    Vulnerability discussion: Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group T...
  • SRG-APP-000380-AS-000088 (Group)
  • $CATALINA_BASE/temp folder permissions must be set to 750. (Rule, Low Severity)

    Vulnerability discussion: Tomcat's file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with the g...
  • SRG-APP-000380-AS-000088 (Group)
  • $CATALINA_BASE/work/ folder must be owned by tomcat user, group tomcat. (Rule, Medium Severity)

    Vulnerability discussion: Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group T...
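The four ownership and permission rules above (logs/, temp/ and work/ owned by tomcat:tomcat, temp/ at mode 750) reduce to one stat-based audit. The script below is an added example, not the STIG's own check text and not Tomcat project code. It assumes GNU coreutils `stat -c` (Linux); the directory tree it runs against is constructed under a temporary path and owned by the current user so the demo runs without root or a tomcat account, and the expected owner and group are passed in as arguments.

```shell
#!/bin/sh
# Added example: audit $CATALINA_BASE/{logs,temp,work} ownership and mode.
# Assumes GNU coreutils `stat -c` (Linux). Not part of the STIG or Tomcat.

# check_dir DIR OWNER GROUP [MODE]
# Returns 0 when DIR is owned by OWNER:GROUP (and has octal MODE, if given);
# otherwise prints one FINDING line per mismatch and returns 1.
check_dir() {
    dir=$1 want_owner=$2 want_group=$3 want_mode=$4
    if [ ! -d "$dir" ]; then
        echo "FINDING: $dir is missing or not a directory"
        return 1
    fi
    # %U/%G = owner and group names, %a = permission bits in octal
    set -- $(stat -c '%U %G %a' "$dir")
    rc=0
    [ "$1" = "$want_owner" ] || { echo "FINDING: $dir owner is $1, expected $want_owner"; rc=1; }
    [ "$2" = "$want_group" ] || { echo "FINDING: $dir group is $2, expected $want_group"; rc=1; }
    if [ -n "$want_mode" ] && [ "$3" != "$want_mode" ]; then
        echo "FINDING: $dir mode is $3, expected $want_mode"
        rc=1
    fi
    return $rc
}

# check_catalina_base BASE OWNER GROUP
# logs/, temp/ and work/ must be OWNER:GROUP; temp/ must additionally be 750.
# Returns 0 only when every directory passes.
check_catalina_base() {
    base=$1 owner=$2 group=$3
    status=0
    check_dir "$base/logs" "$owner" "$group"     || status=1
    check_dir "$base/temp" "$owner" "$group" 750 || status=1
    check_dir "$base/work" "$owner" "$group"     || status=1
    return $status
}

# Remediation on a real host (needs root):
#   chown tomcat:tomcat "$CATALINA_BASE"/logs "$CATALINA_BASE"/temp "$CATALINA_BASE"/work
#   chmod 750 "$CATALINA_BASE"/temp
# Real audit:
#   check_catalina_base "$CATALINA_BASE" tomcat tomcat

# Demo against a constructed tree owned by the current user.
demo_base=$(mktemp -d)
mkdir "$demo_base/logs" "$demo_base/temp" "$demo_base/work"
chmod 750 "$demo_base/temp"
if check_catalina_base "$demo_base" "$(id -un)" "$(id -gn)"; then
    echo "PASS: $demo_base is compliant"
fi
chmod 777 "$demo_base/temp"   # introduce a deviation: world-writable temp/
check_catalina_base "$demo_base" "$(id -un)" "$(id -gn)" || echo "FAIL: see findings above"
rm -rf "$demo_base"
```

The function compares names, not numeric IDs, so a `tomcat` account that exists only as a UID without a passwd entry will surface as a finding rather than silently matching.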
  • SRG-APP-000391-AS-000239 (Group)
  • Multifactor certificate-based tokens (CAC) must be used when accessing the management interface. (Rule, Medium Severity)

    Vulnerability discussion: Password authentication does not provide sufficient security control when accessing a management interface. DoD has specified...
  • SRG-APP-000427-AS-000264 (Group)
  • Certificates in the trust store must be issued/signed by an approved CA. (Rule, Medium Severity)

    Vulnerability discussion: Use of self-signed certificates creates a lack of integrity and invalidates the certificate based authentication trust model....
  • SRG-APP-000435-AS-000069 (Group)
  • The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster. (Rule, Medium Severity)

    Vulnerability discussion: A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed o...
  • SRG-APP-000435-AS-000163 (Group)
  • Tomcat server must be patched for security vulnerabilities. (Rule, Medium Severity)

    Vulnerability discussion: Tomcat is constantly being updated to address newly discovered vulnerabilities, some of which include denial-of-service attac...
  • SRG-APP-000495-AS-000220 (Group)
  • AccessLogValve must be configured for Catalina engine. (Rule, Medium Severity)

    Vulnerability discussion: The <Engine> container represents the entire request processing machinery associated with a particular Catalina Service...
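Two of the rules above live in the same file, `$CATALINA_BASE/conf/server.xml`: the AccessLogValve must sit directly under `<Engine>` so it covers every Host in the Service, and the TLS connector serving the management interface must demand a client certificate (on Tomcat 9 that is `certificateVerification="required"` on the `<SSLHostConfig>`). The script below is an added example, not the STIG's own check procedure and not Tomcat project code. Its two `server.xml` fragments are constructed for the demo: a weak one shaped like the stock file (valve only under `<Host>`, no client-certificate verification) and a hardened one. The checks are lexical (`sed`/`grep`), which is what a practitioner would run on a host without an XML toolchain; they assume the usual one-element-per-line layout.

```shell
#!/bin/sh
# Added example: lexical server.xml audit for Engine-level AccessLogValve and
# mandatory client certificates on TLS connectors. Not STIG or Tomcat code.

# engine_has_access_log FILE
# 0 if an AccessLogValve is declared inside <Engine> but outside every <Host>.
engine_has_access_log() {
    sed -n '/<Engine/,/<\/Engine>/p' "$1" \
      | sed '/<Host/,/<\/Host>/d' \
      | grep -q 'org.apache.catalina.valves.AccessLogValve'
}

# connector_requires_client_cert FILE
# 0 if there is at least one TLS connector and every one of them is matched by
# an <SSLHostConfig certificateVerification="required">; 1 otherwise.
# (Approximation: counts attributes, assumes one SSLHostConfig per connector.)
connector_requires_client_cert() {
    tls=$(grep -c 'SSLEnabled="true"' "$1" || true)
    req=$(grep -c 'certificateVerification="required"' "$1" || true)
    [ "$tls" -gt 0 ] && [ "$req" -ge "$tls" ]
}

# Constructed weak configuration: valve only under <Host>, no client-cert check.
write_weak_server_xml() {
cat > "$1" <<'EOF'
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      </Host>
    </Engine>
  </Service>
</Server>
EOF
}

# Constructed hardened configuration: valve at Engine level, client cert required
# and verified against a dedicated trust store.
write_hardened_server_xml() {
cat > "$1" <<'EOF'
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                     certificateVerification="required"
                     truststoreFile="conf/truststore.p12">
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="catalina_access_log" suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"/>
    </Engine>
  </Service>
</Server>
EOF
}

# audit FILE: print one PASS/FINDING line per rule.
audit() {
    if engine_has_access_log "$1"; then echo "PASS    Engine-level AccessLogValve: $1"
    else echo "FINDING no Engine-level AccessLogValve: $1"; fi
    if connector_requires_client_cert "$1"; then echo "PASS    TLS connector requires client certificate: $1"
    else echo "FINDING TLS connector does not require client certificate: $1"; fi
}

# Demo. On a real host: audit "$CATALINA_BASE/conf/server.xml"
tmp=$(mktemp -d)
write_weak_server_xml "$tmp/weak.xml"
write_hardened_server_xml "$tmp/hardened.xml"
audit "$tmp/weak.xml"
audit "$tmp/hardened.xml"
rm -rf "$tmp"
```

Requiring a client certificate is only the transport half of the CAC rule; the certificate still has to be mapped to a user through a Realm, and the trust store named by `truststoreFile` must hold only approved CAs (the trust-store rule above).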
  • SRG-APP-000504-AS-000229 (Group)
  • Changes to $CATALINA_HOME/bin/ folder must be logged. (Rule, Medium Severity)

    Vulnerability discussion: The $CATALINA_HOME/bin folder contains startup and control scripts for the Tomcat Catalina server. To provide forensic eviden...
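On Linux the usual way to log changes to `$CATALINA_HOME/bin` is an auditd file watch, which records every write and attribute change under a searchable key. The script below is an added example, not the STIG's own fix text and not Tomcat project code. It assumes the Linux audit framework (`auditctl`, `augenrules`, `ausearch`) with the rule syntax `-w PATH -p wa -k KEY`; the `auditctl -l` output it verifies against is constructed inline, and `/opt/tomcat` is a placeholder for the real `$CATALINA_HOME`.

```shell
#!/bin/sh
# Added example: generate and verify an auditd watch on $CATALINA_HOME/bin.
# Assumes the Linux audit framework. Not STIG or Tomcat code.

# tomcat_bin_audit_rule CATALINA_HOME [KEY]
# Prints the persistent rule: watch bin/ for writes and attribute changes
# (-p wa), tagged with KEY (default tomcat-bin) so ausearch can pull the events.
tomcat_bin_audit_rule() {
    printf '%s %s/bin -p wa -k %s\n' -w "$1" "${2:-tomcat-bin}"
}

# audit_rule_present CATALINA_HOME RULES [KEY]
# RULES is the text of `auditctl -l` (rules currently loaded in the kernel) or of
# a rules file. Returns 0 when a line is exactly the expected watch, 1 otherwise.
# -x requires a whole-line match so "-p w" or a watch on a parent dir does not pass.
audit_rule_present() {
    expected=$(tomcat_bin_audit_rule "$1" "${3:-tomcat-bin}")
    printf '%s\n' "$2" | grep -qxF -- "$expected"
}

# Installing on a real host (root):
#   tomcat_bin_audit_rule "$CATALINA_HOME" > /etc/audit/rules.d/tomcat.rules
#   augenrules --load          # or: auditctl -R /etc/audit/rules.d/tomcat.rules
# Verifying and reviewing:
#   audit_rule_present "$CATALINA_HOME" "$(auditctl -l)"
#   ausearch -k tomcat-bin     # every recorded change to bin/

# Constructed `auditctl -l` output from a host where the watch is loaded.
loaded_rules='-w /etc/passwd -p wa -k identity
-w /opt/tomcat/bin -p wa -k tomcat-bin'

echo "rule to install: $(tomcat_bin_audit_rule /opt/tomcat)"
if audit_rule_present /opt/tomcat "$loaded_rules"; then
    echo "PASS    changes to /opt/tomcat/bin are audited"
fi
if ! audit_rule_present /usr/share/tomcat "$loaded_rules"; then
    echo "FINDING no audit watch on /usr/share/tomcat/bin"
fi
```

The watch is on the directory, so new files dropped into bin/ are recorded as well as edits to existing scripts; `-p wa` deliberately leaves out reads and executes, which would flood the log on every Tomcat start.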
