I - Mission Critical Public
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000516-AS-000237
Group -
ALLOW_BACKSLASH must be set to false.
When Tomcat is installed behind a proxy configured to only allow access to certain Tomcat contexts (web applications), an HTTP request containing "/\../" may allow attackers to work around the prox...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
ENFORCE_ENCODING_IN_GET_WRITER must be set to true.
Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as UTF-7 when the characters are safe for ISO-885...Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
Tomcat users in a management role must be approved by the ISSO.
Deploying applications to Tomcat requires a Tomcat user account that is in the "manager-script" role. Any user accounts in a Tomcat management role must be approved by the ISSO.Rule Medium Severity -
SRG-APP-000516-AS-000237
Group -
Hosted applications must be documented in the system security plan.
The ISSM/ISSO must be cognizant of all applications operating on the Tomcat server, and must address any security implications associated with the operation of the applications. If unknown/undocum...Rule Low Severity -
SRG-APP-000516-AS-000237
Group -
Connectors must be approved by the ISSO.
Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP and then sends back the results to the requestor. A port and a protocol are t...Rule Low Severity -
SRG-APP-000516-AS-000237
Group -
Connector address attribute must be set.
Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP, and then sends back the results to the requestor. The "address" attribute sp...Rule Low Severity -
SRG-APP-000108-AS-000067
Group -
The application server must alert the system administrator (SA) and information system security offer (ISSO), at a minimum, in the event of a log processing failure.
Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a security incident. When log processing fails, the events during the failure...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.