CIS Apache Tomcat 8 L2 v1.1.0

Audit Details

Name: CIS Apache Tomcat 8 L2 v1.1.0

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.7

Estimated Item Count: 38

File Details

Filename: CIS_Apache_Tomcat_8_L2_v1.1.0.audit

Size: 73.1 kB

MD5: d435a1abfed55b9744ca637d6bef10ca
SHA256: 94856ee4cb8c1317d677ce6d9dc213ae6422dbd9de83de402b6445a2a1e10819

Audit Items

DescriptionCategories
1.1 Remove extraneous files and directories - @[email protected]/conf/Catalina/localhost/host-manager.xml

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - @[email protected]/conf/Catalina/localhost/manager.xml

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - @[email protected]/server/webapps/host-manager.xml

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - @[email protected]/server/webapps/manager

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - @[email protected]/webapps/balancer

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - @[email protected]/webapps/examples

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - @[email protected]/webapps/js-examples

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - @[email protected]/webapps/ROOT/admin

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - @[email protected]/webapps/servlet-example

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - @[email protected]/webapps/tomcat-docs

CONFIGURATION MANAGEMENT

1.1 Remove extraneous files and directories - @[email protected]/webapps/webdav

CONFIGURATION MANAGEMENT

1.2 Disable Unused Connectors

SYSTEM AND INFORMATION INTEGRITY

2.1 Alter the Advertised server.info String

CONFIGURATION MANAGEMENT

2.2 Alter the Advertised server.number String

CONFIGURATION MANAGEMENT

2.3 Alter the Advertised server.built Date

CONFIGURATION MANAGEMENT

2.4 Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors

CONFIGURATION MANAGEMENT

2.7 Ensure Sever Header is Modified To Prevent Information Disclosure

CONFIGURATION MANAGEMENT

3.2 Disable the Shutdown port

SYSTEM AND INFORMATION INTEGRITY

5.1 Use secure Realms

ACCESS CONTROL

5.2 Use LockOut Realms

CONFIGURATION MANAGEMENT

6.1 Setup Client-cert Authentication

IDENTIFICATION AND AUTHENTICATION

7.1 Application specific logging

AUDIT AND ACCOUNTABILITY

7.3 Ensure className is set correctly in context.xml

AUDIT AND ACCOUNTABILITY

9.2 Disabling auto deployment of applications

CONFIGURATION MANAGEMENT

9.3 Disable deploy on startup of applications

CONFIGURATION MANAGEMENT

10.2 Restrict access to the web administration application

ACCESS CONTROL

10.3 Restrict manager application

ACCESS CONTROL

10.5 Rename the manager application - host-manager/manager.xml

CONFIGURATION MANAGEMENT

10.5 Rename the manager application - localhost/manager.xml

CONFIGURATION MANAGEMENT

10.5 Rename the manager application - webapps/manager

CONFIGURATION MANAGEMENT

10.8 Do not allow additional path delimiters - ALLOW_BACKSLASH

CONFIGURATION MANAGEMENT

10.8 Do not allow additional path delimiters - ALLOW_ENCODED_SLASH

CONFIGURATION MANAGEMENT

10.9 Do not allow custom header status messages

CONFIGURATION MANAGEMENT

10.10 Configure connectionTimeout

CONFIGURATION MANAGEMENT

10.11 Configure maxHttpHeaderSize

CONFIGURATION MANAGEMENT

10.12 Force SSL for all applications

SYSTEM AND COMMUNICATIONS PROTECTION

10.16 Do not resolve hosts on logging valves

CONFIGURATION MANAGEMENT

CIS_Apache_Tomcat_8_L2_v1.1.0.audit from CIS Apache Tomcat 8 Benchmark