Apache Tomcat Application Server 9 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000267-AS-000170
<GroupDescription></GroupDescription>Group -
Default error pages for manager application must be customized.
<VulnDiscussion>Default error pages that accompany the manager application provide educational information on how to configure user accounts ...Rule Low Severity -
SRG-APP-000267-AS-000170
<GroupDescription></GroupDescription>Group -
ErrorReportValve showReport must be set to false.
<VulnDiscussion>The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can...Rule Medium Severity -
SRG-APP-000295-AS-000263
<GroupDescription></GroupDescription>Group -
Idle timeout for the management application must be set to 10 minutes.
<VulnDiscussion>Tomcat can set idle session timeouts on a per application basis. The management application is provided with the Tomcat insta...Rule Medium Severity -
SRG-APP-000315-AS-000094
<GroupDescription></GroupDescription>Group -
LockOutRealms failureCount attribute must be set to 5 failed logins for admin users.
<VulnDiscussion>A LockOutRealm adds the ability to lock a user out after multiple failed logins. Setting the failureCount attribute to 5 will...Rule Medium Severity -
SRG-APP-000316-AS-000199
<GroupDescription></GroupDescription>Group -
LockOutRealms lockOutTime attribute must be set to 600 seconds (10 minutes) for admin users.
<VulnDiscussion>A LockOutRealm adds the ability to specify a lockout time that prevents further attempts after multiple failed logins. Settin...Rule Low Severity -
SRG-APP-000340-AS-000185
<GroupDescription></GroupDescription>Group -
Tomcat user account must be set to nologin.
<VulnDiscussion>When installing Tomcat, a user account is created on the OS. This account is used in order for Tomcat to be able to operate o...Rule Medium Severity -
SRG-APP-000340-AS-000185
<GroupDescription></GroupDescription>Group -
Tomcat user account must be a non-privileged user.
<VulnDiscussion>Use a distinct non-privileged user account for running Tomcat. If Tomcat processes are compromised and a privileged user acco...Rule Medium Severity -
SRG-APP-000343-AS-000030
<GroupDescription></GroupDescription>Group -
Application user name must be logged.
<VulnDiscussion>The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface w...Rule Low Severity -
SRG-APP-000380-AS-000088
<GroupDescription></GroupDescription>Group -
$CATALINA_HOME folder must be owned by the root user, group tomcat.
<VulnDiscussion>Tomcat file permissions must be restricted. The standard configuration is to have the folder where Tomcat is installed owned ...Rule Medium Severity -
SRG-APP-000380-AS-000088
<GroupDescription></GroupDescription>Group -
$CATALINA_BASE/conf/ folder must be owned by root, group tomcat.
<VulnDiscussion>Tomcat file permissions must be restricted. The standard configuration is to have Tomcat files contained in the conf/ folder ...Rule Medium Severity -
SRG-APP-000380-AS-000088
<GroupDescription></GroupDescription>Group -
$CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat.
<VulnDiscussion>Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group T...Rule Medium Severity -
SRG-APP-000380-AS-000088
<GroupDescription></GroupDescription>Group -
$CATALINA_BASE/temp/ folder must be owned by tomcat user, group tomcat.
<VulnDiscussion>Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group T...Rule Low Severity -
SRG-APP-000380-AS-000088
<GroupDescription></GroupDescription>Group -
SRG-APP-000516-AS-000237
<GroupDescription></GroupDescription>Group -
$CATALINA_BASE/temp folder permissions must be set to 750.
<VulnDiscussion>Tomcat's file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with the g...Rule Low Severity -
SRG-APP-000380-AS-000088
<GroupDescription></GroupDescription>Group -
$CATALINA_BASE/work/ folder must be owned by tomcat user, group tomcat.
<VulnDiscussion>Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group T...Rule Medium Severity -
SRG-APP-000391-AS-000239
<GroupDescription></GroupDescription>Group -
Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.
<VulnDiscussion>Password authentication does not provide sufficient security control when accessing a management interface. DOD has specified...Rule Medium Severity -
SRG-APP-000427-AS-000264
<GroupDescription></GroupDescription>Group -
Certificates in the trust store must be issued/signed by an approved CA.
<VulnDiscussion>Use of self-signed certificates creates a lack of integrity and invalidates the certificate based authentication trust model....Rule Medium Severity -
SRG-APP-000435-AS-000069
<GroupDescription></GroupDescription>Group -
The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster.
<VulnDiscussion>A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed o...Rule Medium Severity -
SRG-APP-000435-AS-000163
<GroupDescription></GroupDescription>Group -
Tomcat server must be patched for security vulnerabilities.
<VulnDiscussion>Tomcat is constantly being updated to address newly discovered vulnerabilities, some of which include denial-of-service attac...Rule Medium Severity -
SRG-APP-000495-AS-000220
<GroupDescription></GroupDescription>Group -
AccessLogValve must be configured for Catalina engine.
<VulnDiscussion>The <Engine> container represents the entire request processing machinery associated with a particular Catalina Service...Rule Medium Severity -
SRG-APP-000504-AS-000229
<GroupDescription></GroupDescription>Group -
Changes to $CATALINA_HOME/bin/ folder must be logged.
<VulnDiscussion>The $CATALINA_HOME/bin folder contains startup and control scripts for the Tomcat Catalina server. To provide forensic eviden...Rule Medium Severity -
SRG-APP-000504-AS-000229
<GroupDescription></GroupDescription>Group -
Changes to $CATALINA_BASE/conf/ folder must be logged.
<VulnDiscussion>The $CATALINA_BASE/conf folder contains configuration files for the Tomcat Catalina server. To provide forensic evidence in t...Rule Medium Severity -
SRG-APP-000504-AS-000229
<GroupDescription></GroupDescription>Group -
Changes to $CATALINA_HOME/lib/ folder must be logged.
<VulnDiscussion>The $CATALINA_HOME/lib folder contains library files for the Tomcat Catalina server. These are in the form of java archive (j...Rule Medium Severity -
SRG-APP-000514-AS-000137
<GroupDescription></GroupDescription>Group -
Application servers must use NIST-approved or NSA-approved key management technology and processes.
<VulnDiscussion>Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certifica...Rule Low Severity -
SRG-APP-000516-AS-000237
<GroupDescription></GroupDescription>Group -
STRICT_SERVLET_COMPLIANCE must be set to true.
<VulnDiscussion>Strict Servlet Compliance forces Tomcat to adhere to standards specifications including but not limited to RFC2109. RFC2109 s...Rule Low Severity -
SRG-APP-000516-AS-000237
<GroupDescription></GroupDescription>Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.