CIS Apache Tomcat 7 L2 v1.1.0 Middleware

Audit Details

Name: CIS Apache Tomcat 7 L2 v1.1.0 Middleware

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.5

Estimated Item Count: 39

File Details

Filename: CIS_Apache_Tomcat_7_L2_v1.1.0_Middleware.audit

Size: 58.1 kB

MD5: d0a183d216ad25c25435423b4f8bbc5a
SHA256: 645166232fd843ecc26aa6698c62841547d9322a9ce76ce3979f46e17f717318

Audit Items

Description / Categories
1.1 Remove extraneous files and directories (CONFIG_DIR/Catalina/localhost/host-manager.xml)

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories (CONFIG_DIR/Catalina/localhost/manager.xml)

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories (SERVER_DIR/webapps/host-manager.xml)

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories (SERVER_DIR/webapps/manager)

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories (WEBAPP_DIR/balancer)

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories (WEBAPP_DIR/examples)

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories (WEBAPP_DIR/js-examples)

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories (WEBAPP_DIR/ROOT/admin)

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories (WEBAPP_DIR/servlet-example)

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories (WEBAPP_DIR/tomcat-docs)

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories (WEBAPP_DIR/webdav)

CONFIGURATION MANAGEMENT

1.2 Disable Unused Connectors

SYSTEM AND INFORMATION INTEGRITY

2.1 Alter the Advertised server.info String

SYSTEM AND COMMUNICATIONS PROTECTION

2.2 Alter the Advertised server.number String

SYSTEM AND COMMUNICATIONS PROTECTION

2.3 Alter the Advertised server.built Date

SYSTEM AND COMMUNICATIONS PROTECTION

2.4 Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors

SYSTEM AND COMMUNICATIONS PROTECTION

3.2 Disable the Shutdown port

CONFIGURATION MANAGEMENT

5.1 Use secure Realms

CONFIGURATION MANAGEMENT

5.2 Use LockOut Realms

ACCESS CONTROL

6.1 Setup Client-cert Authentication

7.1 Application specific logging

7.3 Ensure className is set correctly in context.xml
7.7 Configure log file size limit (verify java.util.logging.FileHandler.limit is present)

AUDIT AND ACCOUNTABILITY

7.7 Configure log file size limit (verify java.util.logging.FileHandler.limit is smaller than disk partition)

AUDIT AND ACCOUNTABILITY

9.2 Disabling auto deployment of applications

CONFIGURATION MANAGEMENT

9.3 Disable deploy on startup of applications

CONFIGURATION MANAGEMENT

10.2 Restrict access to the web administration

ACCESS CONTROL

10.3 Restrict manager application

10.5 Rename the manager application (host-manager/manager.xml)

CONFIGURATION MANAGEMENT

10.5 Rename the manager application (localhost/manager.xml)

CONFIGURATION MANAGEMENT

10.5 Rename the manager application (webapps/manager)

CONFIGURATION MANAGEMENT

10.8 Do not allow additional path delimiters (ALLOW_BACKSLASH)

SYSTEM AND INFORMATION INTEGRITY

10.8 Do not allow additional path delimiters (ALLOW_ENCODED_SLASH)

SYSTEM AND INFORMATION INTEGRITY

10.9 Do not allow custom header status messages

CONFIGURATION MANAGEMENT

10.10 Configure connectionTimeout

ACCESS CONTROL

10.11 Configure maxHttpHeaderSize

SYSTEM AND COMMUNICATIONS PROTECTION

10.12 Force SSL for all applications

SYSTEM AND COMMUNICATIONS PROTECTION

10.17 Do not resolve hosts on logging valves

CONFIGURATION MANAGEMENT
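Added example, not part of the Tenable .audit file and not CIS's own code: a small offline checker that reads a server.xml and a catalina.properties and reports which of the items above fail. It covers 2.4, 3.2, 5.2, 9.2, 9.3, 10.8, 10.9, 10.10, 10.11 and 10.17; it does not cover the webapps clean-up (1.1), the ServerInfo.properties edits inside catalina.jar (2.1-2.3), the logging and web.xml items (6.x, 7.x, 10.12). The two server.xml samples and the property files are constructed for the example, one weak and one with those items remediated; the attribute names are Tomcat 7's, the 8192 limit for maxHttpHeaderSize and the "absent key counts as false" rule for the catalina.properties keys follow the Tomcat 7 defaults as assumed here.

```python
# Added example: offline checker for a subset of the CIS Tomcat 7 L2 items.
# Not the Tenable audit plugin. Samples below are constructed, not real hosts.
import xml.etree.ElementTree as ET

WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" xpoweredBy="true"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps" autoDeploy="true" deployOnStartup="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" resolveHosts="true"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

# Same server with the checked items remediated (shutdown port off, header
# disclosure removed, LockOutRealm wrapping the real realm, deploy switches off).
HARDENED_SERVER_XML = """<Server port="-1" shutdown="replace-with-a-long-random-string">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" xpoweredBy="false" server="Web"
               connectionTimeout="60000" maxHttpHeaderSize="8192"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="300">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps" autoDeploy="false" deployOnStartup="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" resolveHosts="false"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

WEAK_CATALINA_PROPERTIES = """org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true"""
HARDENED_CATALINA_PROPERTIES = WEAK_CATALINA_PROPERTIES.replace("=true", "=false")

# (item, key) for 10.8 and 10.9; Tomcat 7 defaults all three to false, so an
# absent key is treated as compliant (assumption stated in the lead-in).
PROPERTY_CHECKS = [
    ("10.8", "org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH"),
    ("10.8", "org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH"),
    ("10.9", "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER"),
]


def is_false(value):
    """Compare an attribute or property the way Tomcat reads booleans."""
    return value.strip().lower() == "false"


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_server_xml(xml_text):
    """Return '<item> <detail>' findings for one server.xml document."""
    findings = []
    server = ET.fromstring(xml_text)
    if server.get("port") != "-1":                                   # 3.2
        findings.append(f"3.2 shutdown port enabled (port={server.get('port')})")
    for conn in server.iter("Connector"):
        where = f"Connector {conn.get('port')}"
        if not is_false(conn.get("xpoweredBy", "false")):            # 2.4
            findings.append(f"2.4 {where}: xpoweredBy not false")
        if not conn.get("server"):                                   # 2.4
            findings.append(f"2.4 {where}: server value not overridden")
        if conn.get("connectionTimeout") is None:                    # 10.10
            findings.append(f"10.10 {where}: connectionTimeout not set")
        size = conn.get("maxHttpHeaderSize")                         # 10.11
        if size is None or int(size) > 8192:
            findings.append(f"10.11 {where}: maxHttpHeaderSize not limited to 8192")
    if not any(r.get("className", "").endswith(".LockOutRealm")
               for r in server.iter("Realm")):                       # 5.2
        findings.append("5.2 no LockOutRealm configured")
    for host in server.iter("Host"):
        name = host.get("name")
        if not is_false(host.get("autoDeploy", "true")):             # 9.2
            findings.append(f"9.2 Host {name}: autoDeploy not false")
        if not is_false(host.get("deployOnStartup", "true")):        # 9.3
            findings.append(f"9.3 Host {name}: deployOnStartup not false")
    for valve in server.iter("Valve"):                               # 10.17
        if (valve.get("className", "").endswith("AccessLogValve")
                and not is_false(valve.get("resolveHosts", "false"))):
            findings.append("10.17 AccessLogValve resolves host names")
    return findings


def audit_catalina_properties(text):
    """Return findings for the 10.8 / 10.9 keys in catalina.properties."""
    props = parse_properties(text)
    return [f"{item} {key.rsplit('.', 1)[1]}={props[key]} (expected false)"
            for item, key in PROPERTY_CHECKS if not is_false(props.get(key, "false"))]


if __name__ == "__main__":
    for label, xml_text, props in (("weak", WEAK_SERVER_XML, WEAK_CATALINA_PROPERTIES),
                                   ("hardened", HARDENED_SERVER_XML, HARDENED_CATALINA_PROPERTIES)):
        found = audit_server_xml(xml_text) + audit_catalina_properties(props)
        print(f"{label}: {len(found)} finding(s)", *found, sep="\n  ")
```

Against the weak sample the checker reports nine server.xml findings and three catalina.properties findings; the hardened sample reports none. On a real host, pass the contents of $CATALINA_BASE/conf/server.xml and $CATALINA_BASE/conf/catalina.properties to the two functions. The checker only inspects the files it is given, so it cannot confirm that unused connectors (1.2) are absent from the listening sockets or that the manager and example applications (1.1) are gone from disk; those still need the audit file or a manual look.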

CIS_Apache_Tomcat_7_L2_v1.1.0_Middleware.audit from CIS Apache Tomcat 7 Benchmark