VMware vSphere 6.7 STS Tomcat Security Technical Implementation Guide


Overview

Date         Finding Count (30)
2022-01-03   CAT I (High): 0   CAT II (Med): 30   CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Classified)

Finding ID   Severity   Title
V-239669     Medium     The Security Token Service must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-239668     Medium     The Security Token Service directory tree must have permissions in an "out-of-the-box" state.
V-239661     Medium     The Security Token Service must not be configured with unused realms.
V-239660     Medium     The Security Token Service must only run one web app.
V-239663     Medium     The Security Token Service must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-239662     Medium     The Security Token Service must be configured to limit access to internal packages.
V-239665     Medium     The Security Token Service must not have the Web Distributed Authoring (WebDAV) servlet installed.
V-239664     Medium     The Security Token Service must have mappings set for Java servlet pages.
V-239667     Medium     The Security Token Service must not have any symbolic links in the web content directory tree.
V-239666     Medium     The Security Token Service must be configured with memory leak protection.
V-239674     Medium     The Security Token Service must not show directory listings.
V-239675     Medium     The Security Token Service must be configured to show error pages with minimal information.
V-239672     Medium     The Security Token Service must use the "setCharacterEncodingFilter" filter.
V-239655     Medium     The Security Token Service must protect cookies from XSS.
V-239670     Medium     The Security Token Service must limit the number of allowed connections.
V-239681     Medium     The Security Token Service must set the secure flag for cookies.
V-239680     Medium     The Security Token Service must disable the shutdown port.
V-239671     Medium     The Security Token Service must set "URIEncoding" to UTF-8.
V-239676     Medium     The Security Token Service must not enable support for TRACE requests.
V-239677     Medium     The Security Token Service must have the debug option disabled.
V-239652     Medium     The Security Token Service must limit the amount of time that each TCP connection is kept alive.
V-239653     Medium     The Security Token Service must limit the number of concurrent connections permitted.
V-239654     Medium     The Security Token Service must limit the maximum size of a POST request.
V-239673     Medium     The Security Token Service must set the welcome-file node to a default web page.
V-239656     Medium     The Security Token Service must record user access in a format that enables monitoring of remote access.
V-239657     Medium     The Security Token Service must generate log records during Java startup and shutdown.
V-239658     Medium     Security Token Service log files must only be modifiable by privileged users.
V-239659     Medium     The Security Token Service application files must be verified for their integrity.
V-239678     Medium     Rsyslog must be configured to monitor and ship Security Token Service log files.
V-239679     Medium     The Security Token Service must be configured with the appropriate ports.