| 1.1 Remove extraneous files and directories - CATALINA_HOME/webapps/host-manager | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.1 Remove extraneous files and directories - CATALINA_HOME/webapps/ROOT | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 2.2 Alter the Advertised server.number String | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.1 Set a nondeterministic Shutdown command value | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL |
| 3.2 Disable the Shutdown port | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3 Restrict access to Tomcat configuration directory | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.4 Restrict access to Tomcat logs directory | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.5 Restrict access to Tomcat temp directory | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.8 Restrict access to Tomcat catalina.properties | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.9 Restrict access to Tomcat catalina.policy | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.10 Restrict access to Tomcat context.xml | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.11 Restrict access to Tomcat logging.properties | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.12 Restrict access to Tomcat server.xml | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.13 Restrict access to Tomcat tomcat-users.xml | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.14 Restrict access to Tomcat web.xml | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.2 Use LockOut Realms | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 6.2 Ensure SSLEnabled is set to True for Sensitive Connectors - verify SSLEnabled is set to true | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.5 Ensure 'sslProtocol' is Configured Correctly for Secure Connectors | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.2 Specify file handler in logging.properties files - check if org.apache.juli.FileHandler logging is enabled in web application | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 7.6 Ensure directory in logging.properties is a secure location - check application log directory is secure | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL |
| 7.6 Ensure directory in logging.properties is a secure location - check prefix application name | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL |
| 8.1 Restrict runtime access to sensitive packages | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 9.2 Disabling auto deployment of applications | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 10.2 Restrict access to the web administration application | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL |
| 10.3 Restrict manager application | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | ACCESS CONTROL |
| 10.5 Rename the manager application - webapps/manager | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 10.8 Do not allow additional path delimiters - ALLOW_BACKSLASH | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 10.9 Configure connectionTimeout | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 10.10 Configure maxHttpHeaderSize | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.11 Force SSL for all applications | CIS Apache Tomcat 9 L2 v1.2.0 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.12 Do not allow symbolic linking | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 10.13 Do not run applications as privileged | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL |
| 10.16 Enable memory leak listener | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | CONFIGURATION MANAGEMENT |
| 10.17 Setting Security Lifecycle Listener - check for config component | CIS Apache Tomcat 9 L1 v1.2.0 | Unix | ACCESS CONTROL |
| AS24-U2-000640 - Debugging and trace information used to diagnose the Apache web server must be disabled. | DISA STIG Apache Server 2.4 Unix Site v2r4 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| AS24-U2-000640 - Debugging and trace information used to diagnose the Apache web server must be disabled. | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware | Unix | SYSTEM AND INFORMATION INTEGRITY |
| AS24-U2-000650 - The Apache web server must set an absolute timeout for sessions. | DISA STIG Apache Server 2.4 Unix Site v2r4 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U2-000650 - The Apache web server must set an absolute timeout for sessions. | DISA STIG Apache Server 2.4 Unix Site v2r4 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000640 - The Apache web server must set an absolute timeout for sessions. | DISA STIG Apache Server 2.4 Windows Server v3r1 | Windows | ACCESS CONTROL |
| AS24-W1-000640 - The Apache web server must set an absolute timeout for sessions. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | ACCESS CONTROL |
| CIS_Apache_Tomcat_8_L1_v1.1.0.audit from CIS Apache Tomcat 8 Benchmark | CIS Apache Tomcat 8 L1 v1.1.0 | Unix | |
| CIS_Apache_Tomcat_8_L2_v1.1.0.audit from CIS Apache Tomcat 8 Benchmark | CIS Apache Tomcat 8 L2 v1.1.0 | Unix | |
| CIS_Apache_Tomcat_10_L1_v1.1.0.audit from CIS Apache Tomcat 10 Benchmark | CIS Apache Tomcat 10 L1 v1.1.0 | Unix | |
| CIS_Apache_Tomcat_10_L2_v1.1.0.audit from CIS Apache Tomcat 10 Benchmark | CIS Apache Tomcat 10 L2 v1.1.0 | Unix | |
| DISA_STIG_Kubernetes_v2r2.audit from DISA Kubernetes v2r2 STIG | DISA STIG Kubernetes v2r2 | Unix | |
| DISA_STIG_Mozilla_Firefox_v6r5_Linux.audit from DISA Mozilla Firefox v6r5 STIG | DISA STIG Mozilla Firefox Linux v6r5 | Unix | |
| DISA_STIG_Mozilla_Firefox_v6r5_MacOS.audit from DISA Mozilla Firefox v6r5 STIG | DISA STIG Mozilla Firefox MacOS v6r5 | Unix | |
| DISA_STIG_Mozilla_Firefox_v6r5_Windows.audit from DISA Mozilla Firefox v6r5 STIG | DISA STIG Mozilla Firefox Windows v6r5 | Windows | |
| VCPF-70-000010 - Performance Charts must not be configured with unsupported realms. | DISA STIG VMware vSphere 7.0 Perfcharts Tomcat v1r1 | Unix | CONFIGURATION MANAGEMENT |
