DISA STIG Apache Tomcat Application Server 9 v2r4

Audit Details

Name: DISA STIG Apache Tomcat Application Server 9 v2r4

Updated: 5/27/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.0

Estimated Item Count: 84

File Details

Filename: DISA_STIG_Apache_Tomcat_Application_Server_9_v2r4.audit

Size: 213 kB

MD5: 87ddc7d4f87142f4d95a202f1ae68a45
SHA256: 8b9a08f5534222d7d341854964d447cc293a8666c168698713f59bde51fa1f77

Audit Items

Description / Categories

DISA_STIG_Apache_Tomcat_Application_Server_9_v2r4.audit from DISA Apache Tomcat Application Server 9 v2r4 STIG

TCAT-AS-000010 - The number of allowed simultaneous sessions to the manager application must be limited.

ACCESS CONTROL

TCAT-AS-000020 - Secured connectors must be configured to use strong encryption ciphers.

ACCESS CONTROL

TCAT-AS-000030 - HTTP Strict Transport Security (HSTS) must be enabled.

ACCESS CONTROL

TCAT-AS-000040 - TLS 1.2 must be used on secured HTTP connectors.

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

TCAT-AS-000050 - AccessLogValve must be configured for each application context.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

TCAT-AS-000060 - Default password for keystore must be changed.

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

TCAT-AS-000070 - Cookies must have secure flag set.

ACCESS CONTROL

TCAT-AS-000080 - Cookies must have http-only flag set.

ACCESS CONTROL

TCAT-AS-000090 - DefaultServlet must be set to readonly for PUT and DELETE.

ACCESS CONTROL

TCAT-AS-000100 - Connectors must be secured.

ACCESS CONTROL

TCAT-AS-000110 - The Java Security Manager must be enabled.

ACCESS CONTROL
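The connector, HSTS, cookie-flag and DefaultServlet items in this group are all decided by attributes in conf/server.xml and conf/web.xml. The checker below is an added example written for this page, not part of the Tenable audit file or of the STIG text; it parses constructed copies of both files and returns the failing item IDs. The sample configurations, the function names and the choice to tolerate TLSv1.3 next to the required TLSv1.2 (`TLS_OK`) are this example's assumptions; Tomcat's own defaults (read-only DefaultServlet, `hstsEnabled` on by default for HttpHeaderSecurityFilter) are applied where an attribute is absent.

```python
"""Added example: decide the ACCESS CONTROL items that live in conf/server.xml and
conf/web.xml.  Not from the audit file; both sample configurations are constructed."""
import xml.etree.ElementTree as ET

# Constructed server.xml: a plaintext connector plus a TLS connector that still
# offers TLS 1.0/1.1 and pins no cipher list.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="conf/keystore.jks"/>
</Service></Server>"""

# Constructed hardened server.xml in the SSLHostConfig form Tomcat 9 documents.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2"
        ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
      <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

# Constructed web.xml pair: the weak one has no HSTS filter, no cookie flags and
# an explicitly writable DefaultServlet.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
  <filter><filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <session-config><cookie-config><secure>true</secure><http-only>true</http-only></cookie-config></session-config>
</web-app>"""

TLS_OK = {"TLSv1.2", "TLSv1.3"}  # assumption: TLS 1.3 tolerated next to the required TLS 1.2


def _local(tag):
    """Strip the Java EE namespace that web.xml elements carry."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def _init_params(elem):
    return {_text(p, "param-name"): _text(p, "param-value")
            for p in elem if _local(p.tag) == "init-param"}


def check_server_xml(text):
    """Return [(stig_id, detail)] for TCAT-AS-000020/000040/000100."""
    findings = []
    for conn in ET.fromstring(text).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(("TCAT-AS-000100", f"connector {port} is not TLS-enabled"))
            continue
        # Legacy attributes sit on the Connector; Tomcat 9 maps them onto the default SSLHostConfig.
        protocols, ciphers = conn.get("sslEnabledProtocols"), conn.get("ciphers")
        for cfg in conn.findall("SSLHostConfig"):
            protocols, ciphers = cfg.get("protocols", protocols), cfg.get("ciphers", ciphers)
        enabled = {p.strip() for p in (protocols or "all").split(",")}
        if not enabled <= TLS_OK:
            findings.append(("TCAT-AS-000040", f"connector {port} enables {sorted(enabled)}"))
        if not ciphers:
            findings.append(("TCAT-AS-000020", f"connector {port} has no explicit cipher list"))
    return findings


def check_web_xml(text):
    """Return [(stig_id, detail)] for TCAT-AS-000030/000070/000080/000090."""
    root, findings = ET.fromstring(text), []
    hsts = {_text(f, "filter-name") for f in root.iter() if _local(f.tag) == "filter"
            and _text(f, "filter-class") == "org.apache.catalina.filters.HttpHeaderSecurityFilter"
            and _init_params(f).get("hstsEnabled", "true").lower() == "true"}  # filter default is on
    mapped = {_text(m, "filter-name") for m in root.iter() if _local(m.tag) == "filter-mapping"}
    if not hsts & mapped:
        findings.append(("TCAT-AS-000030", "no mapped HttpHeaderSecurityFilter with hstsEnabled=true"))
    cookie = [c for c in root.iter() if _local(c.tag) == "cookie-config"]
    for flag, stig in (("secure", "TCAT-AS-000070"), ("http-only", "TCAT-AS-000080")):
        if not cookie or _text(cookie[0], flag) != "true":
            findings.append((stig, f"session cookie-config lacks <{flag}>true</{flag}>"))
    for s in root.iter():
        if (_local(s.tag) == "servlet"
                and _text(s, "servlet-class") == "org.apache.catalina.servlets.DefaultServlet"
                and _init_params(s).get("readonly", "true").lower() != "true"):  # default is read-only
            findings.append(("TCAT-AS-000090", "DefaultServlet readonly=false allows PUT/DELETE"))
    return findings


def audit(server_xml, web_xml):
    """Sorted list of failing STIG ids for one server.xml/web.xml pair."""
    return sorted({i for i, _ in check_server_xml(server_xml) + check_web_xml(web_xml)})
```

Running `audit(WEAK_SERVER_XML, WEAK_WEB_XML)` lists all seven IDs; the hardened pair returns an empty list. A plaintext connector is reported under TCAT-AS-000100 even when it is only reachable from a reverse proxy, so that case needs the same documented exception the STIG allows rather than a code change.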

TCAT-AS-000170 - Tomcat servers behind a proxy or load balancer must log client IP.

AUDIT AND ACCOUNTABILITY

TCAT-AS-000180 - AccessLogValve must be configured per each virtual host.

AUDIT AND ACCOUNTABILITY

TCAT-AS-000240 - Date and time of events must be logged.

AUDIT AND ACCOUNTABILITY

TCAT-AS-000250 - Remote hostname must be logged.

AUDIT AND ACCOUNTABILITY

TCAT-AS-000260 - HTTP status code must be logged.

AUDIT AND ACCOUNTABILITY

TCAT-AS-000270 - The first line of request must be logged.

AUDIT AND ACCOUNTABILITY
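The six logging items above map onto two valves in server.xml: an AccessLogValve per Host whose `pattern` carries the date/time (`%t`), remote host (`%h`), status (`%s`) and first request line (`%r`) tokens, and, when Tomcat sits behind a proxy, a RemoteIpValve plus `requestAttributesEnabled="true"` on the access log so the client address replaces the proxy's. The checker below is an added example for this page, not code from the audit file; the two server.xml documents are constructed, and the `behind_proxy` switch (which decides whether TCAT-AS-000170 applies) is this example's assumption.

```python
"""Added example: check the access-logging items TCAT-AS-000170/000180/000240-000270
against a constructed server.xml.  Not from the audit file."""
import xml.etree.ElementTree as ET

ACCESS_LOG = "org.apache.catalina.valves.AccessLogValve"
REMOTE_IP = "org.apache.catalina.valves.RemoteIpValve"
# Pattern tokens each logging item needs: date/time, remote host, status, first line.
REQUIRED = (("%t", "TCAT-AS-000240"), ("%h", "TCAT-AS-000250"),
            ("%s", "TCAT-AS-000260"), ("%r", "TCAT-AS-000270"))
# Tomcat's named patterns expand to '%h %l %u %t "%r" %s %b' (combined adds referer/agent),
# so both already contain every required token.
NAMED_PATTERNS = {"common", "combined"}

# Constructed: one Host with no access log, one whose pattern drops %h and %r,
# and no RemoteIpValve anywhere although the server is behind a proxy.
WEAK_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina">
  <Engine name="Catalina" defaultHost="www">
    <Host name="www" appBase="webapps"/>
    <Host name="api" appBase="webapps-api">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="api_access" suffix=".log" pattern="%t %s %b"/>
    </Host>
  </Engine>
</Service></Server>"""

# Constructed hardened form: Engine-level RemoteIpValve that only trusts the 10.1.2.0/24
# proxies, and a full pattern with requestAttributesEnabled on every Host.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina">
  <Engine name="Catalina" defaultHost="www">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto"
           internalProxies="10\\.1\\.2\\.\\d{1,3}"/>
    <Host name="www" appBase="webapps">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="www_access" suffix=".log" requestAttributesEnabled="true"
             pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
    </Host>
    <Host name="api" appBase="webapps-api">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="api_access" suffix=".log" requestAttributesEnabled="true" pattern="combined"/>
    </Host>
  </Engine>
</Service></Server>"""


def check_access_logging(server_xml, behind_proxy=True):
    """Return [(stig_id, detail)].  behind_proxy=True applies TCAT-AS-000170 as well."""
    root, findings = ET.fromstring(server_xml), []
    # RemoteIpValve may sit at Engine level (covers every Host) or inside a single Host.
    has_remote_ip = any(v.get("className") == REMOTE_IP for v in root.iter("Valve"))
    if behind_proxy and not has_remote_ip:
        findings.append(("TCAT-AS-000170", "no RemoteIpValve: %h logs the proxy, not the client"))
    for host in root.iter("Host"):
        name = host.get("name", "?")
        logs = [v for v in host.findall("Valve") if v.get("className") == ACCESS_LOG]
        if not logs:
            findings.append(("TCAT-AS-000180", f"Host {name}: no AccessLogValve"))
            continue
        for valve in logs:
            pattern = valve.get("pattern", "common")  # Tomcat's default pattern
            for token, stig in REQUIRED:
                if pattern not in NAMED_PATTERNS and token not in pattern:
                    findings.append((stig, f"Host {name}: pattern lacks {token}"))
            # Without requestAttributesEnabled the valve ignores what RemoteIpValve resolved.
            if behind_proxy and valve.get("requestAttributesEnabled", "false").lower() != "true":
                findings.append(("TCAT-AS-000170", f"Host {name}: requestAttributesEnabled is not true"))
    return findings


def failing_ids(server_xml, behind_proxy=True):
    """Sorted, de-duplicated STIG ids from check_access_logging."""
    return sorted({i for i, _ in check_access_logging(server_xml, behind_proxy)})
```

`failing_ids(WEAK_SERVER_XML)` reports 000170, 000180, 000250 and 000270; with `behind_proxy=False` the 000170 entries disappear and the hardened document is clean either way. Note that TCAT-AS-000050 (a valve per application context) is not covered here: context-level valves live in each application's META-INF/context.xml, not in server.xml.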

TCAT-AS-000360 - $CATALINA_BASE/logs folder permissions must be set to 750.

AUDIT AND ACCOUNTABILITY

TCAT-AS-000361 - Files in the $CATALINA_BASE/logs/ folder must have their permissions set to 640.

AUDIT AND ACCOUNTABILITY

TCAT-AS-000370 - Files in the $CATALINA_BASE/conf/ folder must have their permissions set to 640.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

TCAT-AS-000371 - $CATALINA_BASE/conf folder permissions must be set to 750.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

TCAT-AS-000380 - Jar files in the $CATALINA_HOME/bin/ folder must have their permissions set to 640.

AUDIT AND ACCOUNTABILITY

TCAT-AS-000390 - $CATALINA_HOME/bin folder permissions must be set to 750.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

TCAT-AS-000450 - Tomcat user UMASK must be set to 0027.

CONFIGURATION MANAGEMENT
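The seven filesystem items above (logs, conf and bin directories at 750, their files at 640, jars only under bin, and a 0027 umask for the Tomcat user) can be audited with a short stat walk. The script below is an added example for this page, not the audit file's own check logic: it builds a throwaway CATALINA_BASE layout under a temp directory so it runs offline, and it reads "set to 750/640" as an upper bound, so a stricter mode such as 600 passes; that reading, the sample layout and the `setenv.sh` parsing for UMASK are this example's assumptions.

```python
"""Added example: audit the mode bits behind TCAT-AS-000360/000361/000370/000371/
000380/000390 and the UMASK line behind TCAT-AS-000450.  Not from the audit file;
the directory tree is constructed under a temp dir so the check runs offline."""
import os
import re
import stat
import tempfile

# (directory, max dir mode, max file mode, dir STIG id, file STIG id, file filter)
# Only jars are in scope under bin/ per TCAT-AS-000380; the scripts there need exec bits.
RULES = (
    ("logs", 0o750, 0o640, "TCAT-AS-000360", "TCAT-AS-000361", None),
    ("conf", 0o750, 0o640, "TCAT-AS-000371", "TCAT-AS-000370", None),
    ("bin",  0o750, 0o640, "TCAT-AS-000390", "TCAT-AS-000380", ".jar"),
)


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def _too_permissive(path, limit):
    """True if any bit outside the allowed mask is set (stricter modes are fine)."""
    return bool(_mode(path) & ~limit)


def check_permissions(base):
    """Return [(stig_id, detail)] for a CATALINA_BASE/CATALINA_HOME layout rooted at base."""
    findings = []
    for rel, dir_limit, file_limit, dir_id, file_id, suffix in RULES:
        directory = os.path.join(base, rel)
        if not os.path.isdir(directory):
            continue
        if _too_permissive(directory, dir_limit):
            findings.append((dir_id, f"{rel}/ is {_mode(directory):04o}, limit {dir_limit:04o}"))
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if os.path.isfile(path) and (suffix is None or name.endswith(suffix)):
                if _too_permissive(path, file_limit):
                    findings.append((file_id, f"{rel}/{name} is {_mode(path):04o}, limit {file_limit:04o}"))
    return findings


def check_umask(setenv_text):
    """TCAT-AS-000450: the UMASK catalina.sh honours must clear group-write and all of other."""
    m = re.search(r'^\s*(?:export\s+)?UMASK=["\']?([0-7]{3,4})["\']?', setenv_text, re.M)
    if m is None:
        return [("TCAT-AS-000450", "UMASK not set in setenv.sh; verify the catalina.sh default")]
    if int(m.group(1), 8) & 0o027 != 0o027:
        return [("TCAT-AS-000450", f"UMASK {m.group(1)} is weaker than 0027")]
    return []


def build_demo_tree():
    """Constructed sample: bin/ is world-traversable and conf/server.xml is world-readable."""
    base = tempfile.mkdtemp(prefix="catalina_base_")
    dirs = {"logs": 0o750, "conf": 0o750, "bin": 0o755}
    files = {"logs/catalina.out": 0o640, "conf/server.xml": 0o644, "conf/tomcat-users.xml": 0o600,
             "bin/tomcat-juli.jar": 0o640, "bin/catalina.sh": 0o750}
    for rel, mode in dirs.items():
        os.mkdir(os.path.join(base, rel))
        os.chmod(os.path.join(base, rel), mode)
    for rel, mode in files.items():
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("")
        os.chmod(os.path.join(base, rel), mode)
    return base


if __name__ == "__main__":
    for stig_id, detail in check_permissions(build_demo_tree()):
        print(stig_id, detail)
    print(check_umask('export UMASK="0027"\n') or "UMASK ok")
```

On the constructed tree the walk reports TCAT-AS-000390 (bin/ at 755) and TCAT-AS-000370 (conf/server.xml at 644) and nothing else; bin/catalina.sh at 750 is ignored because only jars fall under TCAT-AS-000380. Point `check_permissions` at the real `$CATALINA_BASE` and `check_umask` at the contents of `bin/setenv.sh` to audit a live instance.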

TCAT-AS-000470 - Stack tracing must be disabled.

CONFIGURATION MANAGEMENT

TCAT-AS-000490 - The shutdown port must be disabled.

CONFIGURATION MANAGEMENT

TCAT-AS-000500 - Unapproved connectors must be disabled.

CONFIGURATION MANAGEMENT

TCAT-AS-000510 - DefaultServlet debug parameter must be disabled.

CONFIGURATION MANAGEMENT

TCAT-AS-000520 - DefaultServlet directory listings parameter must be disabled.

CONFIGURATION MANAGEMENT

TCAT-AS-000530 - The deployXML attribute must be set to false in hosted environments.

CONFIGURATION MANAGEMENT

TCAT-AS-000540 - Autodeploy must be disabled.

CONFIGURATION MANAGEMENT

TCAT-AS-000550 - xpoweredBy attribute must be disabled.

CONFIGURATION MANAGEMENT

TCAT-AS-000560 - Example applications must be removed.

CONFIGURATION MANAGEMENT

TCAT-AS-000570 - Tomcat default ROOT web application must be removed.

CONFIGURATION MANAGEMENT

TCAT-AS-000580 - Documentation must be removed.

CONFIGURATION MANAGEMENT

TCAT-AS-000590 - Applications in privileged mode must be approved by the ISSO.

CONFIGURATION MANAGEMENT
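The shutdown port, deployXML, autoDeploy and xpoweredBy items are single attributes in server.xml, and the three "must be removed" items reduce to which directories still exist under webapps/. The checker below is an added example for this page, not code from the audit file; it takes a constructed server.xml and a constructed directory listing and reports the failing IDs. Tomcat's defaults (shutdown port 8005, `autoDeploy` and `deployXML` true, `xpoweredBy` false) are applied when an attribute is absent; the name-based match for the ROOT application is this example's simplification, since a site's own application deployed as ROOT would also match.

```python
"""Added example: deployment-hardening items TCAT-AS-000490/000530/000540/000550 read
from server.xml, and TCAT-AS-000560/000570/000580 from the contents of webapps/.
Not from the audit file; both inputs are constructed."""
import xml.etree.ElementTree as ET

# Stock applications the STIG wants gone from a production instance (name match only).
SHIPPED_APPS = {"examples": "TCAT-AS-000560", "ROOT": "TCAT-AS-000570", "docs": "TCAT-AS-000580"}

# Constructed: default shutdown port, X-Powered-By switched on, Host with both deploy
# attributes left at their permissive defaults.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" xpoweredBy="true"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
  </Engine>
</Service></Server>"""

HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true"
          autoDeploy="false" deployXML="false"/>
  </Engine>
</Service></Server>"""


def check_deployment(server_xml, webapps):
    """Return [(stig_id, detail)].  `webapps` is the list of names in $CATALINA_BASE/webapps."""
    root, findings = ET.fromstring(server_xml), []
    # TCAT-AS-000490: port="-1" turns the shutdown listener off; Tomcat's default is 8005.
    shutdown_port = root.get("port", "8005")
    if shutdown_port != "-1":
        findings.append(("TCAT-AS-000490", f"shutdown port {shutdown_port} is open"))
    for conn in root.iter("Connector"):
        if conn.get("xpoweredBy", "false").lower() == "true":  # default off; true advertises the container
            findings.append(("TCAT-AS-000550", f"connector {conn.get('port')} sends X-Powered-By"))
    for host in root.iter("Host"):
        name = host.get("name", "?")
        # Both Host attributes default to true in Tomcat, so absence is a finding.
        if host.get("autoDeploy", "true").lower() != "false":
            findings.append(("TCAT-AS-000540", f"Host {name}: autoDeploy is not false"))
        if host.get("deployXML", "true").lower() != "false":
            findings.append(("TCAT-AS-000530", f"Host {name}: deployXML is not false"))
    for app, stig in SHIPPED_APPS.items():
        if app in webapps:
            findings.append((stig, f"webapps/{app} is still deployed"))
    return findings


def failing_ids(server_xml, webapps):
    """Sorted, de-duplicated STIG ids from check_deployment."""
    return sorted({i for i, _ in check_deployment(server_xml, webapps)})


if __name__ == "__main__":
    # Constructed listing of a fresh tarball install next to the weak server.xml.
    shipped = ["ROOT", "docs", "examples", "host-manager", "manager"]
    print(failing_ids(WEAK_SERVER_XML, shipped))
    print(failing_ids(HARDENED_SERVER_XML, ["manager", "app"]) or "no findings")
```

With the fresh-install listing the weak document fails all seven items; the hardened document with only `manager` and a site application deployed returns nothing. `manager` and `host-manager` are deliberately not in `SHIPPED_APPS` because the STIG governs them by access control (TCAT-AS-000010, TCAT-AS-000790) rather than removal; pass `os.listdir(os.path.join(catalina_base, "webapps"))` as the second argument on a live instance.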

TCAT-AS-000600 - Tomcat management applications must use LDAP realm authentication.

IDENTIFICATION AND AUTHENTICATION

TCAT-AS-000610 - JMX authentication must be secured.

IDENTIFICATION AND AUTHENTICATION

TCAT-AS-000630 - TLS must be enabled on JMX.

IDENTIFICATION AND AUTHENTICATION
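JMX authentication and TLS (TCAT-AS-000610 and TCAT-AS-000630) are not set in any Tomcat XML file but through `com.sun.management.jmxremote.*` system properties on the JVM command line, normally via CATALINA_OPTS in bin/setenv.sh. The parser below is an added example for this page, not part of the audit file; it reads a CATALINA_OPTS string, decides whether a remote JMX agent is enabled at all (only a `jmxremote.port` opens one), and then applies the JDK's own defaults, which are `authenticate=true` and `ssl=true`, so only an explicit `false` is reported. The two option strings are constructed.

```python
"""Added example: decide TCAT-AS-000610/000630 from the JVM options Tomcat is started
with (CATALINA_OPTS in setenv.sh).  Not from the audit file; option strings are constructed."""
import shlex

JMX = "com.sun.management.jmxremote"


def jvm_properties(opts):
    """Map -Dname=value tokens to a dict; a bare -Dname maps to ''."""
    props = {}
    for tok in shlex.split(opts):
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            props[name] = value
    return props


def check_jmx(opts):
    """Return [(stig_id, detail)].  A remote JMX agent exists only when a port is set."""
    props = jvm_properties(opts)
    if JMX + ".port" not in props:
        return []  # no remote agent: local attach only, nothing to assess here
    findings = []
    # JDK defaults are authenticate=true and ssl=true; only an explicit false is a finding.
    if props.get(JMX + ".authenticate", "true").lower() != "true":
        findings.append(("TCAT-AS-000610", "jmxremote.authenticate=false: unauthenticated MBean access"))
    if props.get(JMX + ".ssl", "true").lower() != "true":
        findings.append(("TCAT-AS-000630", "jmxremote.ssl=false: credentials and MBean traffic in clear"))
    return findings


# Constructed CATALINA_OPTS values as they would appear in bin/setenv.sh.
WEAK_OPTS = ("-Dcom.sun.management.jmxremote.port=9010 "
             "-Dcom.sun.management.jmxremote.authenticate=false "
             "-Dcom.sun.management.jmxremote.ssl=false -Djava.rmi.server.hostname=10.0.0.5")
HARDENED_OPTS = ("-Dcom.sun.management.jmxremote.port=9010 "
                 "-Dcom.sun.management.jmxremote.rmi.port=9010 "
                 "-Dcom.sun.management.jmxremote.ssl=true "
                 "-Dcom.sun.management.jmxremote.registry.ssl=true "
                 "-Dcom.sun.management.jmxremote.authenticate=true "
                 "-Dcom.sun.management.jmxremote.password.file=conf/jmxremote.password "
                 "-Dcom.sun.management.jmxremote.access.file=conf/jmxremote.access "
                 "-Djavax.net.ssl.keyStore=conf/keystore.p12 -Djava.rmi.server.hostname=10.0.0.5")

if __name__ == "__main__":
    print(check_jmx(WEAK_OPTS))
    print(check_jmx(HARDENED_OPTS) or "no findings")
```

Pinning `rmi.port` to the same value as `port` in the hardened options is what makes the firewall restriction behind TCAT-AS-000780 possible, since otherwise the RMI connector picks an ephemeral port; the checker itself only covers the two authentication and TLS items.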

TCAT-AS-000690 - LDAP authentication must be secured.

IDENTIFICATION AND AUTHENTICATION

TCAT-AS-000700 - DoD root CA certificates must be installed in Tomcat trust store.

IDENTIFICATION AND AUTHENTICATION

TCAT-AS-000710 - Keystore file must be protected.

IDENTIFICATION AND AUTHENTICATION

TCAT-AS-000750 - Tomcat must use FIPS-validated ciphers on secured connectors.

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

TCAT-AS-000780 - Access to JMX management interface must be restricted.

SYSTEM AND COMMUNICATIONS PROTECTION

TCAT-AS-000790 - Access to Tomcat manager application must be restricted.

SYSTEM AND COMMUNICATIONS PROTECTION

TCAT-AS-000800 - Tomcat servers must mutually authenticate proxy or load balancer connections.

SYSTEM AND COMMUNICATIONS PROTECTION

TCAT-AS-000820 - Tomcat must be configured to limit data exposure between applications.

SYSTEM AND COMMUNICATIONS PROTECTION

TCAT-AS-000860 - Clusters must operate on a trusted network.

SYSTEM AND COMMUNICATIONS PROTECTION

TCAT-AS-000920 - ErrorReportValve showServerInfo must be set to false.

SYSTEM AND INFORMATION INTEGRITY