CIS Apache Tomcat 7 L1 v1.1.0 Middleware

Audit Details

Name: CIS Apache Tomcat 7 L1 v1.1.0 Middleware

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.4

Estimated Item Count: 52

File Details

Filename: CIS_Apache_Tomcat_7_L1_v1.1.0_Middleware.audit

Size: 92.7 kB

MD5: a629dd29b60d15b4d920331123ab22d3
SHA256: c14186ef3004ab27e19900a958ff41d2bc7fdbc80bc2947e43cbea4b81759453

Audit Items

DescriptionCategories
2.5 Disable client-facing stack traces (check for defined exception type)

SYSTEM AND INFORMATION INTEGRITY

2.6 Turn off TRACE (check server.xml)

SYSTEM AND INFORMATION INTEGRITY

2.6 Turn off TRACE (check web.xml config files)

CONFIGURATION MANAGEMENT

3.1 Set a nondeterministic Shutdown command value.

CONFIGURATION MANAGEMENT

4.1 Restrict access to $CATALINA_HOME

ACCESS CONTROL

4.2 Restrict access to $CATALINA_BASE

ACCESS CONTROL

4.3 Restrict access to Tomcat configuration directory

ACCESS CONTROL

4.4 Restrict access to Tomcat logs directory

ACCESS CONTROL

4.5 Restrict access to Tomcat temp directory

ACCESS CONTROL

4.6 Restrict access to Tomcat binaries directory

ACCESS CONTROL

4.7 Restrict access to Tomcat web application directory

ACCESS CONTROL

4.8 Restrict access to Tomcat catalina.policy

ACCESS CONTROL

4.9 Restrict access to Tomcat catalina.properties

ACCESS CONTROL

4.10 Restrict access to Tomcat context.xml

ACCESS CONTROL

4.11 Restrict access to Tomcat logging.properties

ACCESS CONTROL

4.12 Restrict access to Tomcat server.xml

ACCESS CONTROL

4.13 Restrict access to Tomcat tomcat-users.xml

ACCESS CONTROL

4.14 Restrict access to Tomcat web.xml

ACCESS CONTROL

6.2 Ensure SSLEnabled is set to True for Sensitive Connectors(verify SSLEnabled is set to true)

SYSTEM AND COMMUNICATIONS PROTECTION

6.3 Ensure scheme is set accurately

SYSTEM AND COMMUNICATIONS PROTECTION

6.4 Ensure secure is set to true only for SSL-enabled Connectors (verify secure is set to true)

SYSTEM AND COMMUNICATIONS PROTECTION

6.5 Ensure sslProtocol is set to TLS for Secure Connectors (verify sslProtocol is set to TLS)

SYSTEM AND COMMUNICATIONS PROTECTION

7.2 Specify file handler in logging.properties (check if java.util.logging.ConsoleHandler exists in web application)

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties (check if java.util.logging.ConsoleHandler exists inin default)

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties (check if java.util.logging.ConsoleHandler logging is enabled in default)

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties (check if java.util.logging.ConsoleHandler logging is enabled in web application)

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties (check if org.apache.juli.FileHandler exists in default)

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties (check if org.apache.juli.FileHandler exists in web application)

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties (check if org.apache.juli.FileHandler logging is enabled in default)

AUDIT AND ACCOUNTABILITY

7.2 Specify file handler in logging.properties (check if org.apache.juli.FileHandler logging is enabled in web application)

AUDIT AND ACCOUNTABILITY

7.4 Ensure directory in context.xml is a secure location - configuration
7.4 Ensure directory in context.xml is a secure location - permissions
7.5 Ensure pattern in context.xml is correct
7.6 Ensure directory in logging.properties is a secure location (check application log directory is secure)
7.6 Ensure directory in logging.properties is a secure location (check log directory location)

AUDIT AND ACCOUNTABILITY

7.6 Ensure directory in logging.properties is a secure location (check prefix application name)

AUDIT AND ACCOUNTABILITY

8.1 Restrict runtime access to sensitive packages

ACCESS CONTROL

9.1 Starting Tomcat with Security Manager

CONFIGURATION MANAGEMENT

10.1 Ensure Web content directory is on a separate partition from the Tomcat system files (verify Web content directory)

CONFIGURATION MANAGEMENT

10.4 Force SSL when accessing the manager application

SYSTEM AND COMMUNICATIONS PROTECTION

10.6 Enable strict servlet Compliance

CONFIGURATION MANAGEMENT

10.7 Turn off session facade recycling

CONFIGURATION MANAGEMENT

10.14 Do not allow symbolic linking

ACCESS CONTROL

10.15 Do not run applications as privileged

ACCESS CONTROL

10.16 Do not allow cross context requests

CONFIGURATION MANAGEMENT

10.18 Enable memory leak listener (verify present)

SYSTEM AND INFORMATION INTEGRITY

10.19 Setting Security Lifecycle Listener (check for config component)

SYSTEM AND INFORMATION INTEGRITY

10.19 Setting Security Lifecycle Listener (check for umask present in startup)

ACCESS CONTROL

10.19 Setting Security Lifecycle Listener (check for umask uncommented in startup)

ACCESS CONTROL

10.20 Use the logEffectiveWebXml and metadata-complete settings for deploying applications in production - context.xml

CONFIGURATION MANAGEMENT