| 1.1 Remove extraneous files and directories - CATALINA_HOME/webapps/docs | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories - CATALINA_HOME/webapps/examples | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories - CATALINA_HOME/webapps/host-manager | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories - CATALINA_HOME/webapps/manager | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories - CATALINA_HOME/webapps/ROOT | CONFIGURATION MANAGEMENT |
| 1.2 Disable Unused Connectors | CONFIGURATION MANAGEMENT |
| 2.1 Alter the Advertised server.info String | CONFIGURATION MANAGEMENT |
| 2.2 Alter the Advertised server.number String | CONFIGURATION MANAGEMENT |
| 2.3 Alter the Advertised server.built Date | CONFIGURATION MANAGEMENT |
| 2.4 Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors | CONFIGURATION MANAGEMENT |
| 2.7 Ensure Sever Header is Modified To Prevent Information Disclosure | CONFIGURATION MANAGEMENT |
| 3.2 Disable the Shutdown port | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1 Use secure Realms | ACCESS CONTROL |
| 5.2 Use LockOut Realms | CONFIGURATION MANAGEMENT |
| 6.1 Setup Client-cert Authentication | IDENTIFICATION AND AUTHENTICATION |
| 7.1 Application specific logging | AUDIT AND ACCOUNTABILITY |
| 7.3 Ensure className is set correctly in context.xml | AUDIT AND ACCOUNTABILITY |
| 9.2 Disabling auto deployment of applications | CONFIGURATION MANAGEMENT |
| 9.3 Disable deploy on startup of applications | CONFIGURATION MANAGEMENT |
| 10.3 Restrict manager application | ACCESS CONTROL |
| 10.5 Rename the manager application - host-manager/manager.xml | CONFIGURATION MANAGEMENT |
| 10.5 Rename the manager application - webapps/manager | CONFIGURATION MANAGEMENT |
| 10.6 Enable strict servlet Compliance | SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.8 Do not allow additional path delimiters - ALLOW_BACKSLASH | CONFIGURATION MANAGEMENT |
| 10.8 Do not allow additional path delimiters - ALLOW_ENCODED_SLASH | CONFIGURATION MANAGEMENT |
| 10.9 Configure connectionTimeout | CONFIGURATION MANAGEMENT |
| 10.10 Configure maxHttpHeaderSize | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.11 Force SSL for all applications | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.15 Do not resolve hosts on logging valves | SYSTEM AND INFORMATION INTEGRITY |
| CIS_Apache_Tomcat_9_L2_v1.2.0.audit from CIS Apache Tomcat 9 Benchmark | |
