CIS Apache Tomcat 10 L1 v1.1.0 Middleware

Audit Details

Name: CIS Apache Tomcat 10 L1 v1.1.0 Middleware

Updated: 2/7/2024

Authority: CIS

Plugin: Unix

Revision: 1.0

Estimated Item Count: 53

File Details

Filename: CIS_Apache_Tomcat_10_L1_v1.1.0_Middleware.audit

Size: 134 kB

MD5: 91d3aee5ad07f97ee856f9b2b2cb1885
SHA256: c8422c78e802c5f57f4f7f7c8095a2610773ebbf516aa45c8e56c06fde57f214

Audit Items

DescriptionCategories
2.5 Disable client facing Stack Traces

SYSTEM AND INFORMATION INTEGRITY

2.6 Turn off TRACE

AUDIT AND ACCOUNTABILITY

3.1 Set a nondeterministic Shutdown command value

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

4.1 Restrict access to $CATALINA_HOME

ACCESS CONTROL, MEDIA PROTECTION

4.2 Restrict access to $CATALINA_BASE

ACCESS CONTROL, MEDIA PROTECTION

4.3 Restrict access to Tomcat configuration directory

ACCESS CONTROL, MEDIA PROTECTION

4.4 Restrict access to Tomcat logs directory

ACCESS CONTROL, MEDIA PROTECTION

4.5 Restrict access to Tomcat temp directory

ACCESS CONTROL, MEDIA PROTECTION

4.6 Restrict access to Tomcat bin directory

ACCESS CONTROL, MEDIA PROTECTION

4.7 Restrict access to Tomcat web application directory

ACCESS CONTROL, MEDIA PROTECTION

4.8 Restrict access to Tomcat catalina.properties

ACCESS CONTROL, MEDIA PROTECTION

4.9 Restrict access to Tomcat catalina.policy

ACCESS CONTROL, MEDIA PROTECTION

4.10 Restrict access to Tomcat context.xml

ACCESS CONTROL, MEDIA PROTECTION

4.11 Restrict access to Tomcat logging.properties

ACCESS CONTROL, MEDIA PROTECTION

4.12 Restrict access to Tomcat server.xml

ACCESS CONTROL, MEDIA PROTECTION

4.13 Restrict access to Tomcat tomcat-users.xml

ACCESS CONTROL, MEDIA PROTECTION

4.14 Restrict access to Tomcat web.xml

ACCESS CONTROL, MEDIA PROTECTION

4.15 Restrict access to jaspic-providers.xml

ACCESS CONTROL, MEDIA PROTECTION

6.2 Ensure SSLEnabled is set to True for Sensitive Connectors

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

6.3 Ensure scheme is set accurately

CONFIGURATION MANAGEMENT

6.4 Ensure secure is set to true only for SSL-enabled Connectors

SYSTEM AND COMMUNICATIONS PROTECTION

6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors

SYSTEM AND COMMUNICATIONS PROTECTION

7.2 Specify file handler in logging.properties files - check if java.util.logging.ConsoleHandler exists in web application

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties files - check if java.util.logging.ConsoleHandler exists inin default

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties files - check if java.util.logging.ConsoleHandler logging is enabled in default

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties files - check if java.util.logging.ConsoleHandler logging is enabled in web application

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties files - check if org.apache.juli.FileHandler exists in default

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties files - check if org.apache.juli.FileHandler exists in web application

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties files - check if org.apache.juli.FileHandler logging is enabled in default

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties files - check if org.apache.juli.FileHandler logging is enabled in web application

AUDIT AND ACCOUNTABILITY

7.4 Ensure directory in context.xml is a secure location - configuration

ACCESS CONTROL, MEDIA PROTECTION

7.4 Ensure directory in context.xml is a secure location - permissions

ACCESS CONTROL, MEDIA PROTECTION

7.5 Ensure pattern in context.xml is correct

AUDIT AND ACCOUNTABILITY

7.6 Ensure directory in logging.properties is a secure location - check application log directory is secure

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

7.6 Ensure directory in logging.properties is a secure location - check log directory location

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

7.6 Ensure directory in logging.properties is a secure location - check prefix application name

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

8.1 Restrict runtime access to sensitive packages

ACCESS CONTROL, MEDIA PROTECTION

9.1 Starting Tomcat with Security Manager

CONFIGURATION MANAGEMENT

10.1 Ensure Web content directory is on a separate partition from the Tomcat system files

CONFIGURATION MANAGEMENT, MAINTENANCE

10.2 Restrict access to the web administration application

ACCESS CONTROL

10.4 Force SSL when accessing the manager application via HTTP

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

10.7 Turn off session facade recycling

CONFIGURATION MANAGEMENT

10.12 Do not allow symbolic linking

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

10.13 Do not run applications as privileged

ACCESS CONTROL

10.14 Do not allow cross context requests

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

10.16 Enable memory leak listener

CONFIGURATION MANAGEMENT

10.17 Setting Security Lifecycle Listener - check for config component

ACCESS CONTROL

10.17 Setting Security Lifecycle Listener - check for umask present in startup

ACCESS CONTROL

10.17 Setting Security Lifecycle Listener - check for umask uncommented in startup

ACCESS CONTROL

10.18 Use the logEffectiveWebXml and metadata-complete settings for deploying applications in production - context.xml

AUDIT AND ACCOUNTABILITY