CIS Apache Tomcat 9 L1 v1.1.0 Middleware

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Apache Tomcat 9 L1 v1.1.0 Middleware

Updated: 1/4/2023

Authority: CIS

Plugin: Unix

Revision: 1.7

Estimated Item Count: 53

File Details

Filename: CIS_Apache_Tomcat_9_L1_v1.1.0_Middleware.audit

Size: 95.9 kB

MD5: 685dcde05d6c85a072d3fbd346c07ab6
SHA256: 17f256d4029fc15d4dbab36797a87c51b5d5f84868262490a603c1f9246fc623

Audit Items

Description | Categories
2.5 Disable client facing Stack Traces - check for defined exception type
2.6 Turn off TRACE
3.1 Set a nondeterministic Shutdown command value
4.1 Restrict access to $CATALINA_HOME
4.2 Restrict access to $CATALINA_BASE
4.3 Restrict access to Tomcat configuration directory
4.4 Restrict access to Tomcat logs directory
4.5 Restrict access to Tomcat temp directory
4.6 Restrict access to Tomcat binaries directory
4.7 Restrict access to Tomcat web application directory
4.8 Restrict access to Tomcat catalina.properties
4.9 Restrict access to Tomcat catalina.policy
4.10 Restrict access to Tomcat context.xml
4.11 Restrict access to Tomcat logging.properties
4.12 Restrict access to Tomcat server.xml
4.13 Restrict access to Tomcat tomcat-users.xml
4.14 Restrict access to Tomcat web.xml
4.15 Restrict access to jaspic-providers.xml
6.2 Ensure SSLEnabled is set to True for Sensitive Connectors - verify SSLEnabled is set to true
6.3 Ensure scheme is set accurately
6.4 Ensure secure is set to true only for SSL-enabled Connectors - verify secure is set to true
6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors
7.2 Specify file handler in logging.properties files - check if java.util.logging.ConsoleHandler exists in web application
7.2 Specify file handler in logging.properties files - check if java.util.logging.ConsoleHandler exists in default
7.2 Specify file handler in logging.properties files - check if java.util.logging.ConsoleHandler logging is enabled in default
7.2 Specify file handler in logging.properties files - check if java.util.logging.ConsoleHandler logging is enabled in web application
7.2 Specify file handler in logging.properties files - check if org.apache.juli.FileHandler exists in default
7.2 Specify file handler in logging.properties files - check if org.apache.juli.FileHandler exists in web application
7.2 Specify file handler in logging.properties files - check if org.apache.juli.FileHandler logging is enabled in default
7.2 Specify file handler in logging.properties files - check if org.apache.juli.FileHandler logging is enabled in web application
7.4 Ensure directory in context.xml is a secure location - configuration
7.4 Ensure directory in context.xml is a secure location - permissions
7.5 Ensure pattern in context.xml is correct
7.6 Ensure directory in logging.properties is a secure location - check application log directory is secure
7.6 Ensure directory in logging.properties is a secure location - check log directory location
7.6 Ensure directory in logging.properties is a secure location - check prefix application name
8.1 Restrict runtime access to sensitive packages
9.1 Starting Tomcat with Security Manager
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory
10.2 Restrict access to the web administration application
10.4 Force SSL when accessing the manager application
10.7 Turn off session facade recycling
10.12 Do not allow symbolic linking
10.13 Do not run applications as privileged
10.14 Do not allow cross context requests
10.16 Enable memory leak listener
10.17 Setting Security Lifecycle Listener - check for config component
10.17 Setting Security Lifecycle Listener - check for umask present in startup
10.17 Setting Security Lifecycle Listener - check for umask uncommented in startup
10.18 Use the logEffectiveWebXml and metadata-complete settings for deploying applications in production - context.xml