| 1.1 Remove extraneous files and directories (CONFIG_DIR/Catalina/localhost/host-manager.xml) | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories (CONFIG_DIR/Catalina/localhost/manager.xml) | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories (SERVER_DIR/webapps/host-manager.xml) | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories (SERVER_DIR/webapps/manager) | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories (WEBAPP_DIR/balancer) | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories (WEBAPP_DIR/examples) | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories (WEBAPP_DIR/js-examples) | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories (WEBAPP_DIR/ROOT/admin) | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories (WEBAPP_DIR/servlet-example) | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories (WEBAPP_DIR/tomcat-docs) | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories (WEBAPP_DIR/webdav) | CONFIGURATION MANAGEMENT |
| 1.2 Disable Unused Connectors | CONFIGURATION MANAGEMENT |
| 2.1 Alter the Advertised server.info String | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2 Alter the Advertised server.number String | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3 Alter the Advertised server.built Date | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2 Disable the Shutdown port | CONFIGURATION MANAGEMENT |
| 5.1 Use secure Realms | CONFIGURATION MANAGEMENT |
| 5.2 Use LockOut Realms | ACCESS CONTROL |
| 6.1 Setup Client-cert Authentication | IDENTIFICATION AND AUTHENTICATION |
| 7.1 Application specific logging | |
| 7.3 Ensure className is set correctly in context.xml | |
| 7.7 Configure log file size limit (verify java.util.logging.FileHandler.limit is present) | AUDIT AND ACCOUNTABILITY |
| 7.7 Configure log file size limit (verify java.util.logging.FileHandler.limit is smaller than disk partition) | AUDIT AND ACCOUNTABILITY |
| 9.2 Disabling auto deployment of applications | CONFIGURATION MANAGEMENT |
| 9.3 Disable deploy on startup of applications | CONFIGURATION MANAGEMENT |
| 10.2 Restrict access to the web administration | ACCESS CONTROL |
| 10.3 Restrict manager application | |
| 10.5 Rename the manager application (host-manager/manager.xml) | CONFIGURATION MANAGEMENT |
| 10.5 Rename the manager application (localhost/manager.xml) | CONFIGURATION MANAGEMENT |
| 10.5 Rename the manager application (webapps/manager) | CONFIGURATION MANAGEMENT |
| 10.8 Do not allow additional path delimiters (ALLOW_BACKSLASH) | SYSTEM AND INFORMATION INTEGRITY |
| 10.8 Do not allow additional path delimiters (ALLOW_ENCODED_SLASH) | SYSTEM AND INFORMATION INTEGRITY |
| 10.9 Do not allow custom header status messages | SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.10 Configure connectionTimeout | ACCESS CONTROL |
| 10.11 Configure maxHttpHeaderSize | SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.12 Force SSL for all applications | SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.17 Do not resolve hosts on logging valves | CONFIGURATION MANAGEMENT |
| CIS_Apache_Tomcat_7_L1_v1.1.0.audit Level 2 | |
