| 1.1 Remove extraneous files and directories - CATALINA_HOME/server/webapps/manager | CIS Apache Tomcat 8 L2 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories - CATALINA_HOME/webapps/js-examples | CIS Apache Tomcat 8 L2 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories - CATALINA_HOME/webapps/ROOT | CIS Apache Tomcat 10 L2 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories - CATALINA_HOME/webapps/webdav | CIS Apache Tomcat 8 L2 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories (SERVER_DIR/webapps/host-manager.xml) | CIS Apache Tomcat 7 L2 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories (SERVER_DIR/webapps/manager) | CIS Apache Tomcat 7 L2 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories (WEBAPP_DIR/examples) | CIS Apache Tomcat 7 L2 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.4 Ensure the Status Module Is Disabled | CIS Apache HTTP Server 2.4 v2.2.0 L1 | Unix | CONFIGURATION MANAGEMENT |
| 2.6 Turn off TRACE | CIS Apache Tomcat 10 L1 v1.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2 Restrict access to $CATALINA_BASE | CIS Apache Tomcat 7 L1 v1.1.0 | Unix | ACCESS CONTROL |
| 4.2 Restrict access to $CATALINA_BASE | CIS Apache Tomcat 8 L1 v1.1.0 | Unix | ACCESS CONTROL |
| 4.3 Restrict access to Tomcat configuration directory | CIS Apache Tomcat 7 L1 v1.1.0 | Unix | ACCESS CONTROL |
| 4.8 Restrict access to Tomcat catalina.properties | CIS Apache Tomcat 10 L1 v1.1.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.12 Restrict access to Tomcat server.xml | CIS Apache Tomcat 10 L1 v1.1.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.12 Restrict access to Tomcat server.xml | CIS Apache Tomcat 8 L1 v1.1.0 | Unix | ACCESS CONTROL |
| 6.1 Setup Client-cert Authentication | CIS Apache Tomcat 7 L2 v1.1.0 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.2 Ensure SSLEnabled is set to True for Sensitive Connectors(verify SSLEnabled is set to true) | CIS Apache Tomcat 7 L1 v1.1.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.3 Ensure scheme is set accurately | CIS Apache Tomcat 10 L1 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 6.4 Ensure secure is set to true only for SSL-enabled Connectors (verify secure is set to true) | CIS Apache Tomcat 7 L1 v1.1.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.5 Ensure SSL Protocol is set to TLS for Secure Connectors - verify sslProtocol is set to TLS | CIS Apache Tomcat 8 L1 v1.1.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.5 Ensure sslProtocol is set to TLS for Secure Connectors (verify sslProtocol is set to TLS) | CIS Apache Tomcat 7 L1 v1.1.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.2 Specify file handler in logging.properties files - check if java.util.logging.ConsoleHandler exists inin default | CIS Apache Tomcat 10 L1 v1.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 7.2 Specify file handler in logging.properties files - check if org.apache.juli.FileHandler logging is enabled in default | CIS Apache Tomcat 10 L1 v1.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 8.1 Restrict runtime access to sensitive packages | CIS Apache Tomcat 7 L1 v1.1.0 | Unix | ACCESS CONTROL |
| 9.3 Disable deploy on startup of applications | CIS Apache Tomcat 10 L2 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | CIS Apache Tomcat 8 L1 v1.1.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.2 Restrict access to the web administration application | CIS Apache Tomcat 10.1 v1.1.0 L1 | Unix | ACCESS CONTROL |
| 10.3 Restrict manager application | CIS Apache Tomcat 10 L2 v1.1.0 | Unix | ACCESS CONTROL |
| 10.6 Enable strict servlet Compliance | CIS Apache Tomcat 10 L2 v1.1.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.7 Turn off session facade recycling | CIS Apache Tomcat 7 L1 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 10.8 Do not allow additional path delimiters - ALLOW_BACKSLASH | CIS Apache Tomcat 8 L2 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 10.9 Do not allow custom header status messages | CIS Apache Tomcat 7 L2 v1.1.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.10 Configure connectionTimeout | CIS Apache Tomcat 7 L2 v1.1.0 | Unix | ACCESS CONTROL |
| 10.12 Do not allow symbolic linking | CIS Apache Tomcat 11 v1.0.0 L1 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 10.12 Do not allow symbolic linking | CIS Apache Tomcat 10 L1 v1.1.0 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 10.12 Force SSL for all applications | CIS Apache Tomcat 7 L2 v1.1.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.14 Do not allow symbolic linking | CIS Apache Tomcat 7 L1 v1.1.0 | Unix | ACCESS CONTROL |
| 10.16 Do not resolve hosts on logging valves | CIS Apache Tomcat 8 L2 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 10.17 Setting Security Lifecycle Listener | CIS Apache Tomcat 10.1 v1.1.0 L1 | Unix | ACCESS CONTROL |
| 10.17 Setting Security Lifecycle Listener - check for config component | CIS Apache Tomcat 10 L1 v1.1.0 | Unix | ACCESS CONTROL |
| 10.18 Setting Security Lifecycle Listener - check for config component | CIS Apache Tomcat 8 L1 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 10.18 Use the logEffectiveWebXml and metadata-complete settings for deploying applications in production | CIS Apache Tomcat 10 L1 v1.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 10.20 Use the logEffectiveWebXml and metadata-complete settings for deploying applications in production | CIS Apache Tomcat 7 L1 v1.1.0 | Unix | |
| 11.1 Limit HTTP Request Methods | CIS Apache Tomcat 8 L1 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 20.48 Ensure 'Permissions for the Application Event Log must prevent access by non-privileged accounts' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY |
| AS24-U1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000950 - The Apache web server must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| AS24-W1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | DISA STIG Apache Server 2.4 Windows Server v3r1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W2-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | DISA STIG Apache Server 2.4 Windows Site v2r1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCFL-67-000007 - vSphere Client must be configured to only communicate over TLS 1.2. | DISA STIG VMware vSphere 6.7 Virgo Client v1r2 | Unix | ACCESS CONTROL |
