| 2.1 Alter the Advertised server.info String | CIS Apache Tomcat 8 L2 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-000010 - The number of allowed simultaneous sessions to the manager application must be limited. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | ACCESS CONTROL |
| TCAT-AS-000240 - Date and time of events must be logged. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| TCAT-AS-000250 - Remote hostname must be logged. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| TCAT-AS-000361 - Files in the $CATALINA_BASE/logs/ folder must have their permissions set to 640. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| TCAT-AS-000370 - Files in the $CATALINA_BASE/conf/ folder must have their permissions set to 640. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| TCAT-AS-000371 - $CATALINA_BASE/conf folder permissions must be set to 750. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| TCAT-AS-000380 - Jar files in the $CATALINA_HOME/bin/ folder must have their permissions set to 640. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| TCAT-AS-000390 - $CATALINA_HOME/bin folder permissions must be set to 750. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| TCAT-AS-000490 - The shutdown port must be disabled. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-000500 - Unapproved connectors must be disabled. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-000520 - DefaultServlet directory listings parameter must be disabled. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-000530 - The deployXML attribute must be set to false in hosted environments. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-000550 - xpoweredBy attribute must be disabled. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-000570 - Tomcat default ROOT web application must be removed. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-000590 - Applications in privileged mode must be approved by the ISSO. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-000690 - LDAP authentication must be secured. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | IDENTIFICATION AND AUTHENTICATION |
| TCAT-AS-000710 - Keystore file must be protected. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | IDENTIFICATION AND AUTHENTICATION |
| TCAT-AS-000750 - Tomcat must use FIPS-validated ciphers on secured connectors. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| TCAT-AS-000780 - Access to JMX management interface must be restricted. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| TCAT-AS-000790 - Access to Tomcat manager application must be restricted. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| TCAT-AS-000800 - Tomcat servers must mutually authenticate proxy or load balancer connections. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| TCAT-AS-000820 - Tomcat must be configured to limit data exposure between applications. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| TCAT-AS-000860 - Clusters must operate on a trusted network. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| TCAT-AS-000920 - ErrorReportValve showServerInfo must be set to false. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | SYSTEM AND INFORMATION INTEGRITY |
| TCAT-AS-000930 - Default error pages for manager application must be customized. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | SYSTEM AND INFORMATION INTEGRITY |
| TCAT-AS-000940 - ErrorReportValve showReport must be set to false. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | SYSTEM AND INFORMATION INTEGRITY |
| TCAT-AS-001020 - LockOutRealms must be used for management of Tomcat. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | ACCESS CONTROL |
| TCAT-AS-001030 - LockOutRealms failureCount attribute must be set to 5 failed logins for admin users. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | ACCESS CONTROL |
| TCAT-AS-001040 - LockOutRealms lockOutTime attribute must be set to 600 seconds (10 minutes) for admin users. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | ACCESS CONTROL |
| TCAT-AS-001050 - Tomcat user account must be set to nologin. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | ACCESS CONTROL |
| TCAT-AS-001200 - $CATALINA_HOME folder must be owned by the root user, group tomcat. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-001220 - $CATALINA_BASE/conf/ folder must be owned by root, group tomcat. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-001250 - $CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-001260 - $CATALINA_BASE/temp/ folder must be owned by tomcat user, group tomcat. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-001270 - $CATALINA_BASE/temp folder permissions must be set to 750. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-001280 - $CATALINA_BASE/work/ folder must be owned by tomcat user, group tomcat. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-001460 - The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| TCAT-AS-001470 - Tomcat server must be patched for security vulnerabilities. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| TCAT-AS-001560 - AccessLogValve must be configured for Catalina engine. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| TCAT-AS-001590 - Changes to $CATALINA_HOME/bin/ folder must be logged. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| TCAT-AS-001592 - Changes to $CATALINA_HOME/lib/ folder must be logged. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| TCAT-AS-001660 - STRICT_SERVLET_COMPLIANCE must be set to true. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-001670 - RECYCLE_FACADES must be set to true. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-001680 - ALLOW_BACKSLASH must be set to false. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-001690 - ENFORCE_ENCODING_IN_GET_WRITER must be set to true. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-001710 - Hosted applications must be documented in the system security plan. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-001720 - Connectors must be approved by the ISSO. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-001730 - Connector address attribute must be set. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | CONFIGURATION MANAGEMENT |
| TCAT-AS-001731 - The application server must alert the system administrator (SA) and information system security offer (ISSO), at a minimum, in the event of a log processing failure. | DISA STIG Apache Tomcat Application Server 9 v3r1 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
