Apache Tomcat Application Server 9 Security Technical Implementation Guide


Overview

Date: 2020-12-11
Finding Count (83): CAT I (High): 4, CAT II (Med): 57, CAT III (Low): 22
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Classified)

Finding ID Severity Title
V-222931 High Default password for keystore must be changed.
V-222964 High TLS must be enabled on JMX.
V-222965 High LDAP authentication must be secured.
V-222968 High Tomcat must use FIPS-validated ciphers on secured connectors.
V-222984 Medium Tomcat user account must be a non-privileged user.
V-222986 Medium $CATALINA_HOME folder must be owned by the root user, group tomcat.
V-222987 Medium $CATALINA_BASE/conf/ folder must be owned by root, group tomcat.
V-222980 Medium LockOutRealms must be used for management of Tomcat.
V-222981 Medium LockOutRealms failureCount attribute must be set to 5 failed logins for admin users.
V-222983 Medium Tomcat user account must be set to nologin.
V-222939 Medium Date and time of events must be logged.
V-222988 Medium $CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat.
V-222938 Medium AccessLogValve must be configured per each virtual host.
V-222942 Medium The first line of request must be logged.
V-223010 Medium The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.
V-222943 Medium $CATALINA_BASE/logs folder permissions must be set to 750.
V-222935 Medium Connectors must be secured.
V-222934 Medium DefaultServlet must be set to readonly for PUT and DELETE.
V-222937 Medium Tomcat servers behind a proxy or load balancer must log client IP.
V-222936 Medium The Java Security Manager must be enabled.
V-222930 Medium AccessLogValve must be configured for each application context.
V-222933 Medium Cookies must have http-only flag set.
V-222932 Medium Cookies must have secure flag set.
V-222971 Medium Tomcat servers must mutually authenticate proxy or load balancer connections.
V-222970 Medium Access to Tomcat manager application must be restricted.
V-222979 Medium Idle timeout for management application must be set to 10 minutes.
V-222975 Medium ErrorReportValve showServerInfo must be set to false.
V-222974 Medium Clusters must operate on a trusted network.
V-222977 Medium ErrorReportValve showReport must be set to false.
V-222952 Medium Unapproved connectors must be disabled.
V-222951 Medium The shutdown port must be disabled.
V-222950 Medium Stack tracing must be disabled.
V-222956 Medium Autodeploy must be disabled.
V-222955 Medium The deployXML attribute must be set to false in hosted environments.
V-222945 Medium Files in the $CATALINA_BASE/conf/ folder must have their permissions set to 640.
V-222997 Medium AccessLogValve must be configured for Catalina engine.
V-222996 Medium Tomcat server must be patched for security vulnerabilities.
V-222995 Medium The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster.
V-222994 Medium Certificates in the trust store must be issued/signed by an approved CA.
V-222993 Medium Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.
V-222946 Medium $CATALINA_BASE/conf folder permissions must be set to 750.
V-222991 Medium $CATALINA_BASE/work/ folder must be owned by tomcat user, group tomcat.
V-222947 Medium Jar files in the $CATALINA_HOME/bin/ folder must have their permissions set to 640.
V-222944 Medium Files in the $CATALINA_BASE/logs/ folder must have their permissions set to 640.
V-222999 Medium Changes to $CATALINA_BASE/conf/ folder must be logged.
V-222998 Medium Changes to $CATALINA_HOME/bin/ folder must be logged.
V-223000 Medium Changes to $CATALINA_HOME/lib/ folder must be logged.
V-223006 Medium Tomcat users in a management role must be approved by the ISSO.
V-223004 Medium ALLOW_BACKSLASH must be set to false.
V-223005 Medium ENFORCE_ENCODING_IN_GET_WRITER must be set to true.
V-222927 Medium Secured connectors must be configured to use strong encryption ciphers.
V-222940 Medium Remote hostname must be logged.
V-222929 Medium TLS 1.2 must be used on secured HTTP connectors.
V-222966 Medium DoD root CA certificates must be installed in Tomcat trust store.
V-222967 Medium Keystore file must be protected.
V-222962 Medium Tomcat management applications must use LDAP realm authentication.
V-222963 Medium JMX authentication must be secured.
V-222961 Medium Applications in privileged mode must be approved by the ISSO.
V-222948 Medium $CATALINA_HOME/bin folder permissions must be set to 750.
V-222949 Medium Tomcat user UMASK must be set to 0027.
V-222969 Medium Access to JMX management interface must be restricted.
V-222985 Low Application user name must be logged.
V-222982 Low LockOutRealms lockOutTime attribute must be set to 600 seconds (10 minutes) for admin users.
V-222989 Low $CATALINA_BASE/temp/ folder must be owned by tomcat user, group tomcat.
V-222973 Low Tomcat must be configured to limit data exposure between applications.
V-222976 Low Default error pages for manager application must be customized.
V-222953 Low DefaultServlet debug parameter must be disabled.
V-222957 Low xpoweredBy attribute must be disabled.
V-222954 Low DefaultServlet directory listings parameter must be disabled.
V-222941 Low HTTP status code must be logged.
V-222959 Low Tomcat default ROOT web application must be removed.
V-222958 Low Example applications must be removed.
V-222990 Low $CATALINA_BASE/temp folder permissions must be set to 750.
V-222978 Low Tomcat server version must not be sent with warnings and errors.
V-223002 Low STRICT_SERVLET_COMPLIANCE must be set to true.
V-223003 Low RECYCLE_FACADES must be set to true.
V-223001 Low Application servers must use NIST-approved or NSA-approved key management technology and processes.
V-223007 Low Hosted applications must be documented in the system security plan.
V-223008 Low Connectors must be approved by the ISSO.
V-223009 Low Connector address attribute must be set.
V-222926 Low The number of allowed simultaneous sessions to the manager application must be limited.
V-222928 Low HTTP Strict Transport Security (HSTS) must be enabled.
V-222960 Low Documentation must be removed.