UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

VMware vSphere 6.7 STS Tomcat Security Technical Implementation Guide


Overview

Date Finding Count (30)
2022-01-03 CAT I (High): 0 CAT II (Med): 30 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-239669 Medium The Security Token Service must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
V-239668 Medium The Security Token Service directory tree must have permissions in an "out-of-the-box" state.
V-239661 Medium The Security Token Service must not be configured with unused realms.
V-239660 Medium The Security Token Service must only run one web app.
V-239663 Medium The Security Token Service must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
V-239662 Medium The Security Token Service must be configured to limit access to internal packages.
V-239665 Medium The Security Token Service must not have the Web Distributed Authoring (WebDAV) servlet installed.
V-239664 Medium The Security Token Service must have mappings set for Java servlet pages.
V-239667 Medium The Security Token Service must not have any symbolic links in the web content directory tree.
V-239666 Medium The Security Token Service must be configured with memory leak protection.
V-239674 Medium The Security Token Service must not show directory listings.
V-239675 Medium The Security Token Service must be configured to show error pages with minimal information.
V-239672 Medium The Security Token Service must use the "setCharacterEncodingFilter" filter.
V-239655 Medium The Security Token Service must protect cookies from XSS.
V-239670 Medium The Security Token Service must limit the number of allowed connections.
V-239681 Medium The Security Token Service must set the secure flag for cookies.
V-239680 Medium The Security Token Service must disable the shutdown port.
V-239671 Medium The Security Token Service must set "URIEncoding" to UTF-8.
V-239676 Medium The Security Token Service must not enable support for TRACE requests.
V-239677 Medium The Security Token Service must have the debug option disabled.
V-239652 Medium The Security Token Service must limit the amount of time that each TCP connection is kept alive.
V-239653 Medium The Security Token Service must limit the number of concurrent connections permitted.
V-239654 Medium The Security Token Service must limit the maximum size of a POST request.
V-239673 Medium The Security Token Service must set the welcome-file node to a default web page.
V-239656 Medium The Security Token Service must record user access in a format that enables monitoring of remote access.
V-239657 Medium The Security Token Service must generate log records during Java startup and shutdown.
V-239658 Medium Security Token Service log files must only be modifiable by privileged users.
V-239659 Medium The Security Token Service application files must be verified for their integrity.
V-239678 Medium Rsyslog must be configured to monitor and ship Security Token Service log files.
V-239679 Medium The Security Token Service must be configured with the appropriate ports.