CIS Apache Tomcat 10 L2 v1.1.0 Middleware

Audit Details

Name: CIS Apache Tomcat 10 L2 v1.1.0 Middleware

Updated: 6/17/2024

Authority: CIS

Plugin: Unix

Revision: 1.2

Estimated Item Count: 30

File Details

Filename: CIS_Apache_Tomcat_10_L2_v1.1.0_Middleware.audit

Size: 62.1 kB

MD5: fe6ff4a97ce31471b6e4dc6c38370d1a
SHA256: 517743875c398677342606c7e19809b9a7912e2650fbb410fa0e4e652a847edd

Audit Items

DescriptionCategories
1.1 Remove extraneous files and directories - @APP_Config_catalogs@/webapps/examples

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - /webapps/docs

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - /webapps/host-manager

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - /webapps/manager

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - /webapps/ROOT

CONFIGURATION MANAGEMENT

1.2 Disable Unused Connectors

CONFIGURATION MANAGEMENT

2.1 Alter the Advertised server.info String

SYSTEM AND INFORMATION INTEGRITY

2.2 Alter the Advertised server.number String

SYSTEM AND INFORMATION INTEGRITY

2.3 Alter the Advertised server.built Date

SYSTEM AND INFORMATION INTEGRITY

2.4 Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors

SYSTEM AND INFORMATION INTEGRITY

2.7 Ensure Sever Header is Modified To Prevent Information Disclosure

SYSTEM AND INFORMATION INTEGRITY

3.2 Disable the Shutdown port

SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

5.1 Use secure Realms

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

5.2 Use LockOut Realms

CONFIGURATION MANAGEMENT

6.1 Setup Client-cert Authentication

IDENTIFICATION AND AUTHENTICATION

7.1 Application specific logging

AUDIT AND ACCOUNTABILITY

7.3 Ensure className is set correctly in context.xml

AUDIT AND ACCOUNTABILITY

9.2 Disabling auto deployment of applications

CONFIGURATION MANAGEMENT

9.3 Disable deploy on startup of applications

CONFIGURATION MANAGEMENT

10.3 Restrict manager application

ACCESS CONTROL

10.5 Rename the manager application - host-manager/manager.xml

CONFIGURATION MANAGEMENT

10.5 Rename the manager application - webapps/manager

CONFIGURATION MANAGEMENT

10.6 Enable strict servlet Compliance

SYSTEM AND COMMUNICATIONS PROTECTION

10.8 Do not allow additional path delimiters - ALLOW_BACKSLASH

CONFIGURATION MANAGEMENT

10.8 Do not allow additional path delimiters - ALLOW_ENCODED_SLASH

CONFIGURATION MANAGEMENT

10.9 Configure connectionTimeout

CONFIGURATION MANAGEMENT

10.10 Configure maxHttpHeaderSize

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

10.11 Force SSL for all applications

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

10.15 Do not resolve hosts on logging valves

SYSTEM AND INFORMATION INTEGRITY

CIS_Apache_Tomcat_10_L2_v1.1.0_Middleware.audit from CIS Apache Tomcat 10 Benchmark