Apache Tomcat Application Server 9 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000033-AS-000024

    Group
  • SRG-APP-000033-AS-000024

    Group
  • The Java Security Manager must be enabled.

    The Java Security Manager (JSM) is what protects the Tomcat server from trojan servlets, JSPs, JSP beans, tag libraries, or even from inadvertent mistakes. The JSM works the same way a client's web...
    Rule Medium Severity
  • SRG-APP-000089-AS-000050

    Group
  • SRG-APP-000090-AS-000051

    Group
  • AccessLogValve must be configured per each virtual host.

    Application servers utilize role-based access controls in order to specify the individuals who are allowed to configure application component loggable events. The application server must be configu...
    Rule Medium Severity
  • SRG-APP-000096-AS-000059

    Group
  • Date and time of events must be logged.

    The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/server.xml configuration file: The %t pattern code...
    Rule Medium Severity
  • SRG-APP-000097-AS-000060

    Group
  • Remote hostname must be logged.

    The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/server.xml configuration file: The %h pattern code...
    Rule Medium Severity
  • SRG-APP-000097-AS-000060

    Group
  • HTTP status code must be logged.

    The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/server.xml configuration file: The %s pattern code...
    Rule Low Severity
  • SRG-APP-000097-AS-000060

    Group
  • SRG-APP-000118-AS-000078

    Group
  • $CATALINA_BASE/logs folder permissions must be set to 750.

    Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permiss...
    Rule Medium Severity
  • SRG-APP-000118-AS-000078

    Group
  • Files in the $CATALINA_BASE/logs/ folder must have their permissions set to 640.

    Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permiss...
    Rule Medium Severity
  • SRG-APP-000119-AS-000079

    Group
  • SRG-APP-000119-AS-000079

    Group
  • $CATALINA_BASE/conf folder permissions must be set to 750.

    Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permiss...
    Rule Medium Severity
  • SRG-APP-000121-AS-000081

    Group
  • SRG-APP-000133-AS-000092

    Group
  • Tomcat user UMASK must be set to 0027.

    For Unix-based systems, umask settings affect file creation permissions. If the permissions are too loose, newly created log files and applications could be accessible to unauthorized users via the...
    Rule Medium Severity
  • SRG-APP-000141-AS-000095

    Group
  • Stack tracing must be disabled.

    Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, Tomcat will provide this call stack information ...
    Rule Medium Severity
  • SRG-APP-000141-AS-000095

    Group
  • The shutdown port must be disabled.

    Tomcat listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed...
    Rule Medium Severity
  • SRG-APP-000141-AS-000095

    Group
  • SRG-APP-000141-AS-000095

    Group
  • SRG-APP-000141-AS-000095

    Group
  • SRG-APP-000141-AS-000095

    Group
  • DefaultServlet directory listings parameter must be disabled.

    The DefaultServlet serves static resources as well as directory listings. It is declared globally in $CATALINA_BASE/conf/web.xml and by default is configured with the directory "listings" parameter...
    Rule Low Severity
  • SRG-APP-000141-AS-000095

    Group
  • SRG-APP-000141-AS-000095

    Group
  • Autodeploy must be disabled.

    Tomcat allows auto-deployment of applications while Tomcat is running. This can allow untested or malicious applications to be automatically loaded into production. Autodeploy must be disabled in p...
    Rule Medium Severity
  • SRG-APP-000141-AS-000095

    Group
  • xpoweredBy attribute must be disabled.

    Individual connectors can be configured to display the Tomcat server info to clients. This information can be used to identify Tomcat versions which can be useful to attackers for identifying vulne...
    Rule Low Severity
  • SRG-APP-000141-AS-000095

    Group
  • SRG-APP-000141-AS-000095

    Group
  • Documentation must be removed.

    Tomcat provides documentation and other directories in the default installation which do not serve a production use. These files must be deleted.
    Rule Low Severity
  • SRG-APP-000142-AS-000014

    Group
  • SRG-APP-000148-AS-000101

    Group
  • Tomcat management applications must use LDAP realm authentication.

    Using the local user store on a Tomcat installation does not meet a multitude of security control requirements related to user account management. To address this risk, Tomcat must be configured to...
    Rule Medium Severity
  • SRG-APP-000149-AS-000102

    Group
  • JMX authentication must be secured.

    Java Management Extensions (JMX) provides the means to remotely manage the Java VM. When enabling the JMX agent for remote monitoring, the user must enable authentication.
    Rule Medium Severity
  • SRG-APP-000153-AS-000104

    Group
  • SRG-APP-000316-AS-000199

    Group
  • SRG-APP-000172-AS-000121

    Group
  • LDAP authentication must be secured.

    JNDIRealm is an implementation of the Tomcat Realm interface. Tomcat uses the JNDIRealm to look up users in an LDAP directory server. The realm's connection to the directory is defined by the 'con...
    Rule High Severity
  • SRG-APP-000175-AS-000124

    Group
