Apache Tomcat Application Server 9 STIG

Apache Tomcat Application Server 9 Security Technical Implementation Guide

ID              Vuln ID   Cat      Title
TCAT-AS-000030  V-222928  Cat III  HTTP Strict Transport Security (HSTS) must be enabled.
TCAT-AS-000070  V-222932  Cat II   Cookies must have secure flag set.
TCAT-AS-000110  V-222936  Cat II   The Java Security Manager must be enabled.
TCAT-AS-000371  V-222946  Cat II   $CATALINA_BASE/conf folder permissions must be set to 750.
TCAT-AS-000390  V-222948  Cat II   $CATALINA_HOME/bin folder permissions must be set to 750.
TCAT-AS-000450  V-222949  Cat II   Tomcat user UMASK must be set to 0027.
TCAT-AS-000550  V-222957  Cat III  xpoweredBy attribute must be disabled.
TCAT-AS-000920  V-222975  Cat II   ErrorReportValve showServerInfo must be set to false.
TCAT-AS-001020  V-222980  Cat II   LockOutRealms must be used for management of Tomcat.
TCAT-AS-001270  V-222990  Cat III  $CATALINA_BASE/temp folder permissions must be set to 750.
TCAT-AS-001320  V-222993  Cat II   Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.
TCAT-AS-001430  V-222994  Cat II   Certificates in the trust store must be issued/signed by an approved CA.
TCAT-AS-001460  V-222995  Cat II   The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster.
TCAT-AS-001660  V-223002  Cat III  STRICT_SERVLET_COMPLIANCE must be set to true.
TCAT-AS-001731  V-223010  Cat II   The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.
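Several of the checks above are plain configuration-file inspections (xpoweredBy on the Connector, the ErrorReportValve in each Host, a LockOutRealm wrapping the authentication realm, the secure cookie flag and HSTS filter in web.xml, STRICT_SERVLET_COMPLIANCE in catalina.properties). The script below is an added example, not part of the STIG or of the Xylok page, that audits those six items against constructed weak and hardened copies of server.xml, web.xml and catalina.properties. The function names (audit, failed_checks) and the sample files are assumptions made for illustration; the file-permission and UMASK checks are not covered here since they need the live filesystem rather than file contents.

```python
"""Audit Tomcat 9 config text against six of the STIG checks listed above (added example)."""
import xml.etree.ElementTree as ET

# --- constructed sample inputs (not real deployments) ---------------------------
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" xpoweredBy="true"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
    <Host name="localhost" appBase="webapps"/>
  </Engine></Service></Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
    </Realm>
    <Host name="localhost" appBase="webapps">
      <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
    </Host>
  </Engine></Service></Server>"""

WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config><session-timeout>30</session-timeout></session-config></web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter><filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <session-config><session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config></web-app>"""

WEAK_CATALINA_PROPERTIES = "# constructed sample\norg.apache.catalina.STRICT_SERVLET_COMPLIANCE=false\n"
HARDENED_CATALINA_PROPERTIES = "# constructed sample\norg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true\n"

# --- helpers ------------------------------------------------------------------
def _local(tag):
    """Drop a namespace prefix such as '{http://xmlns.jcp.org/xml/ns/javaee}'."""
    return tag.rsplit("}", 1)[-1]

def _find_all(root, name):
    return [el for el in root.iter() if _local(el.tag) == name]

def _child_text(el, name):
    for c in el:
        if _local(c.tag) == name:
            return (c.text or "").strip()
    return ""

# --- checks -------------------------------------------------------------------
def check_server_xml(server_xml):
    root = ET.fromstring(server_xml)
    # TCAT-AS-000550: no Connector may turn on xpoweredBy (the attribute defaults to false).
    connectors = _find_all(root, "Connector")
    no_xpowered = all(c.get("xpoweredBy", "false").lower() != "true" for c in connectors)
    # TCAT-AS-000920: every Host needs an ErrorReportValve with showServerInfo="false".
    def host_ok(host):
        return any(v.get("className") == "org.apache.catalina.valves.ErrorReportValve"
                   and v.get("showServerInfo", "true").lower() == "false"
                   for v in host if _local(v.tag) == "Valve")
    hosts = _find_all(root, "Host")
    valve_ok = bool(hosts) and all(host_ok(h) for h in hosts)
    # TCAT-AS-001020: a LockOutRealm must be present (it wraps the real authentication realm).
    lockout = any(r.get("className") == "org.apache.catalina.realm.LockOutRealm"
                  for r in _find_all(root, "Realm"))
    return {"TCAT-AS-000550": no_xpowered, "TCAT-AS-000920": valve_ok, "TCAT-AS-001020": lockout}

def check_web_xml(web_xml):
    root = ET.fromstring(web_xml)
    # TCAT-AS-000070: session-config/cookie-config/secure must be true.
    secure = any(_child_text(cc, "secure").lower() == "true" for cc in _find_all(root, "cookie-config"))
    # TCAT-AS-000030: HttpHeaderSecurityFilter declared with hstsEnabled=true and actually mapped.
    hsts_filters = set()
    for f in _find_all(root, "filter"):
        if _child_text(f, "filter-class") != "org.apache.catalina.filters.HttpHeaderSecurityFilter":
            continue
        params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                  for p in f if _local(p.tag) == "init-param"}
        if params.get("hstsEnabled", "true").lower() == "true":
            hsts_filters.add(_child_text(f, "filter-name"))
    mapped = {_child_text(m, "filter-name") for m in _find_all(root, "filter-mapping")}
    return {"TCAT-AS-000070": secure, "TCAT-AS-000030": bool(hsts_filters & mapped)}

def check_catalina_properties(props):
    # TCAT-AS-001660: org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true in catalina.properties.
    values = {}
    for line in props.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            values[k.strip()] = v.strip()
    strict = values.get("org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "false").lower() == "true"
    return {"TCAT-AS-001660": strict}

def audit(server_xml, web_xml, props):
    """Return {STIG id: passed?} for the six content-based checks."""
    return {**check_server_xml(server_xml), **check_web_xml(web_xml), **check_catalina_properties(props)}

def failed_checks(results):
    return sorted(k for k, ok in results.items() if not ok)

if __name__ == "__main__":
    print("weak     :", failed_checks(audit(WEAK_SERVER_XML, WEAK_WEB_XML, WEAK_CATALINA_PROPERTIES)))
    print("hardened :", failed_checks(audit(HARDENED_SERVER_XML, HARDENED_WEB_XML, HARDENED_CATALINA_PROPERTIES)))
```

Point the three loaders at $CATALINA_BASE/conf/server.xml, the global $CATALINA_BASE/conf/web.xml (or each application's WEB-INF/web.xml) and $CATALINA_BASE/conf/catalina.properties to run it against a real instance. Note that the HSTS check insists on a filter-mapping as well as the filter declaration, because a declared but unmapped HttpHeaderSecurityFilter adds no header.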
