Apache Tomcat Application Server 9 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-APP-000176-AS-000125
Group -
Keystore file must be protected.
Keystore file contains authentication information used to access application data and data resources. Access to the file must be protected. The default location is in the .keystore file stored in ...
Rule - Medium Severity
SRG-APP-000179-AS-000129
Group -
Tomcat must use FIPS-validated ciphers on secured connectors.
Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP, and then sends the results back to the requestor. Cryptographic ciphers are ...
Rule - High Severity
SRG-APP-000211-AS-000146
Group -
SRG-APP-000211-AS-000146
Group -
SRG-APP-000219-AS-000147
Group -
Tomcat servers must mutually authenticate proxy or load balancer connections.
Tomcat servers are often placed behind a proxy when exposed to both trusted and untrusted networks. This is done for security and performance reasons. Tomcat does provide an HTTP server that can b...
Rule - Medium Severity
SRG-APP-000223-AS-000150
Group -
Tomcat must be configured to limit data exposure between applications.
If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a bug in an application might expose data from one...
Rule - Low Severity
SRG-APP-000225-AS-000154
Group -
LockOutRealms must be used for management of Tomcat.
A LockOutRealm adds the ability to lock a user out after multiple failed logins. LockOutRealm is an implementation of the Tomcat Realm interface that extends the CombinedRealm to provide user lock ...
Rule - Medium Severity
SRG-APP-000266-AS-000169
Group -
ErrorReportValve showServerInfo must be set to false.
The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return pre-defined static HTML pages for specific...
Rule - Medium Severity
SRG-APP-000267-AS-000170
Group -
Default error pages for manager application must be customized.
Default error pages that accompany the manager application provide educational information on how to configure user accounts and groups for accessing the manager application. These error pages prov...
Rule - Low Severity
SRG-APP-000267-AS-000170
Group -
ErrorReportValve showReport must be set to false.
The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return pre-defined static HTML pages for specific...
Rule - Medium Severity
SRG-APP-000295-AS-000263
Group -
SRG-APP-000315-AS-000094
Group -
SRG-APP-000316-AS-000199
Group -
SRG-APP-000340-AS-000185
Group -
Tomcat user account must be set to nologin.
When installing Tomcat, a user account is created on the OS. This account is used in order for Tomcat to be able to operate on the OS but does not require the ability to actually log in to the syst...
Rule - Medium Severity
SRG-APP-000340-AS-000185
Group -
Tomcat user account must be a non-privileged user.
Use a distinct non-privileged user account for running Tomcat. If Tomcat processes are compromised and a privileged user account is used to operate the Tomcat server processes, the entire system be...
Rule - Medium Severity
SRG-APP-000343-AS-000030
Group -
Application user name must be logged.
The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/server.xml configuration file: The %u pattern code...
Rule - Low Severity
SRG-APP-000380-AS-000088
Group -
SRG-APP-000380-AS-000088
Group -
SRG-APP-000380-AS-000088
Group -
$CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat.
Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permiss...
Rule - Medium Severity
SRG-APP-000380-AS-000088
Group -
$CATALINA_BASE/temp/ folder must be owned by tomcat user, group tomcat.
Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permiss...
Rule - Low Severity
SRG-APP-000380-AS-000088
Group -
SRG-APP-000516-AS-000237
Group -
SRG-APP-000380-AS-000088
Group -
SRG-APP-000391-AS-000239
Group -
Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.
Password authentication does not provide sufficient security control when accessing a management interface. DOD has specified that a CAC will be used when authenticating and passwords will only be ...
Rule - Medium Severity
SRG-APP-000427-AS-000264
Group -
Certificates in the trust store must be issued/signed by an approved CA.
Use of self-signed certificates creates a lack of integrity and invalidates the certificate based authentication trust model. Certificates used by production systems must be issued/signed by a trus...
Rule - Medium Severity
SRG-APP-000435-AS-000069
Group -
The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster.
A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A MAC I system must maintain the highest level of ...
Rule - Medium Severity
SRG-APP-000435-AS-000163
Group -
SRG-APP-000495-AS-000220
Group -
SRG-APP-000504-AS-000229
Group -
Changes to $CATALINA_HOME/bin/ folder must be logged.
The $CATALINA_HOME/bin folder contains startup and control scripts for the Tomcat Catalina server. To provide forensic evidence in the event of file tampering, changes to content in this folder mus...
Rule - Medium Severity
SRG-APP-000504-AS-000229
Group -
SRG-APP-000504-AS-000229
Group -
Changes to $CATALINA_HOME/lib/ folder must be logged.
The $CATALINA_HOME/lib folder contains library files for the Tomcat Catalina server. These are in the form of java archive (jar) files. To provide forensic evidence in the event of file tampering, ...
Rule - Medium Severity
SRG-APP-000514-AS-000137
Group