| 1.1 Remove extraneous files and directories - CATALINA_HOME/webapps/examples | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.2 Disable Unused Connectors | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.5 Disable client facing Stack Traces - check for defined exception type | CIS Apache Tomcat 9 L1 v1.2.0 Middleware | Unix | CONFIGURATION MANAGEMENT |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User | CIS Apache HTTP Server 2.4 v2.3.0 L1 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'apache account is configured' | CIS Apache HTTP Server 2.2 L1 v3.6.0 | Unix | ACCESS CONTROL |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'apache account is configured' | CIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware | Unix | ACCESS CONTROL |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'apache account is configured' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | ACCESS CONTROL |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd services are running as apache user' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | ACCESS CONTROL |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd services are running as apache user' | CIS Apache HTTP Server 2.2 L1 v3.6.0 | Unix | ACCESS CONTROL |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd.conf Group = apache' | CIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware | Unix | ACCESS CONTROL |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd.conf Group = apache' | CIS Apache HTTP Server 2.2 L1 v3.6.0 | Unix | ACCESS CONTROL |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd.conf Group = apache' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | ACCESS CONTROL |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd.conf User = apache' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | ACCESS CONTROL |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd.conf User = apache' | CIS Apache HTTP Server 2.2 L1 v3.6.0 | Unix | ACCESS CONTROL |
| 3.1 Ensure the Apache Web Server Runs As a Non-Root User - 'httpd.conf User = apache' | CIS Apache HTTP Server 2.2 L1 v3.6.0 Middleware | Unix | ACCESS CONTROL |
| 3.2 Disable the Shutdown port | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5 Restrict access to Tomcat temp directory | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 7.4 Ensure directory in context.xml is a secure location - permissions | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 9.1 Starting Tomcat with Security Manager | CIS Apache Tomcat 7 L1 v1.1.0 | Unix | CONFIGURATION MANAGEMENT |
| 9.1 Starting Tomcat with Security Manager | CIS Apache Tomcat 7 L1 v1.1.0 Middleware | Unix | CONFIGURATION MANAGEMENT |
| 9.1 Starting Tomcat with Security Manager | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 10.1 Ensure the LimitRequestLine directive is Set to 512 or less | CIS Apache HTTP Server 2.2 L2 v3.6.0 Middleware | Unix | CONFIGURATION MANAGEMENT |
| 10.1 Ensure the LimitRequestLine directive is Set to 512 or less | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | CONFIGURATION MANAGEMENT |
| 10.1 Ensure the LimitRequestLine directive is Set to 8190 or less but not 0 | CIS Apache HTTP Server 2.4 v2.3.0 L2 | Unix | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 10.8 Do not allow additional path delimiters - ALLOW_ENCODED_SLASH | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 10.17 Setting Security Lifecycle Listener - check for umask uncommented in startup | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL |
| AS24-U2-000650 - The Apache web server must set an absolute timeout for sessions. | DISA STIG Apache Server 2.4 Unix Site v2r6 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U2-000650 - The Apache web server must set an absolute timeout for sessions. | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000640 - The Apache web server must set an absolute timeout for sessions. | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | ACCESS CONTROL |
| AS24-W1-000640 - The Apache web server must set an absolute timeout for sessions. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | ACCESS CONTROL |
| DISA_F5_BIG-IP_ASM_v2r2.audit from DISA F5 BIG-IP Application Security Manager v2r2 STIG | DISA F5 BIG-IP Application Security Manager STIG v2r2 | F5 | |
| DISA_IBM_WebSphere_Liberty_Server_STIG_v2r2.audit from DISA IBM WebSphere Liberty Server STIG v2r2 | DISA IBM WebSphere Liberty Server STIG v2r2 | Unix | |
| DISA_IIS_6.0_Web_Server_v6r16.audit from DISA Microsoft IIS 6.0 Server v6r16 STIG | DISA STIG IIS 6.0 Server v6r16 | Windows | |
| DISA_STIG_Cloud_Linux_AlmaLinux_OS_9_v1r6.audit from DISA Cloud Linux AlmaLinux OS 9 STIG v1r6 | DISA Cloud Linux AlmaLinux OS 9 STIG v1r6 | Unix | |
| DISA_STIG_EDB_PostgreSQL_Advanced_Server_v9.6_v2r3_OS_Linux.audit from DISA EDB Postgres Advanced Server v9.6 v2r3 STIG | EDB PostgreSQL Advanced Server OS Linux Audit v2r3 | Unix | |
| DISA_STIG_EnterpriseDB_Postgres_Advanced_Server_v2r1_OS_Linux.audit from DISA EnterpriseDB Postgres Advanced Server (EPAS) v2r1 STIG | EnterpriseDB PostgreSQL Advanced Server OS Linux v2r1 | Unix | |
| DISA_STIG_IBM_WebSphere_Liberty_Server_v2r4.audit from DISA IBM WebSphere Liberty Server STIG v2r4 | DISA IBM WebSphere Liberty Server STIG v2r4 | Unix | |
| DISA_STIG_IIS_10.0_Web_Server_v2r10.audit from DISA Microsoft IIS 10.0 Server v2r10 STIG | DISA IIS 10.0 Server v2r10 | Windows | |
| DISA_STIG_IIS_10.0_Web_Server_v3r6.audit from DISA Microsoft IIS 10.0 Server v3r6 STIG | DISA IIS 10.0 Server v3r6 | Windows | |
| DISA_STIG_Microsoft_SQL_Server_2022_Instance_v1r4_Windows.audit from DISA Microsoft SQL Server 2022 Instance STIG v1r4 | DISA Microsoft SQL Server 2022 Instance STIG v1r4 Windows | Windows | |
| DISA_STIG_Microsoft_Windows_Server_2016_v2r10.audit from DISA Microsoft Windows Server 2016 STIG v2r10 | DISA Microsoft Windows Server 2016 STIG v2r10 | Windows | |
| DISA_STIG_Microsoft_Windows_Server_2019_v3r8.audit from DISA Microsoft Windows Server 2019 STIG v3r8 | DISA Microsoft Windows Server 2019 STIG v3r8 | Windows | |
| DISA_STIG_Microsoft_Windows_Server_2022_v2r8.audit from DISA Microsoft Windows Server 2022 STIG v2r8 | DISA Microsoft Windows Server 2022 STIG v2r8 | Windows | |
| DISA_STIG_Microsoft_Windows_Server_2025_v1r1.audit from DISA Microsoft Windows Server 2025 STIG v1r1 | DISA Microsoft Windows Server 2025 STIG v1r1 | Windows | |
| DISA_STIG_Oracle_HTTP_Server_12.1.3_v2r3.audit from DISA Oracle HTTP Server 12.1.3 v2r3 STIG | DISA STIG Oracle HTTP Server 12.1.3 v2r3 | Unix | |
| DISA_STIG_Oracle_WebLogic_Server_12c_Linux_v2r2_Middleware.audit from DISA Oracle WebLogic Server 12c v2r2 STIG | Oracle WebLogic Server 12c Linux v2r2 Middleware | Unix | |
| DISA_STIG_Oracle_WebLogic_Server_12c_Linux_v2r2.audit from DISA Oracle WebLogic Server 12c v2r2 STIG | Oracle WebLogic Server 12c Linux v2r2 | Unix | |
| DISA_STIG_Oracle_WebLogic_Server_12c_Windows_v2r2.audit from DISA Oracle WebLogic Server 12c v2r2 STIG | Oracle WebLogic Server 12c Windows v2r2 | Windows | |
| DISA_STIG_Red_Hat_Enterprise_Linux_9_v2r8.audit from DISA Red Hat Enterprise Linux 9 STIG v2r8 | DISA Red Hat Enterprise Linux 9 STIG v2r8 | Unix | |
| VCPF-70-000010 - Performance Charts must not be configured with unsupported realms. | DISA STIG VMware vSphere 7.0 Perfcharts Tomcat v1r1 | Unix | CONFIGURATION MANAGEMENT |
