Apache Tomcat Application Server 9 STIG

Apache Tomcat Application Server 9 Security Technical Implementation Guide

ID             | Vuln ID  | Title                                                                                                                                          | Cat     | Status
TCAT-AS-000110 | V-222936 | The Java Security Manager must be enabled.                                                                                                     | Cat II  |
TCAT-AS-000550 | V-222957 | xpoweredBy attribute must be disabled.                                                                                                         | Cat III |
TCAT-AS-000920 | V-222975 | ErrorReportValve showServerInfo must be set to false.                                                                                          | Cat II  |
TCAT-AS-001731 | V-223010 | The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.                                     | Cat II  |
TCAT-AS-001460 | V-222995 | The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster.                | Cat II  |
TCAT-AS-000070 | V-222932 | Cookies must have secure flag set.                                                                                                             | Cat II  |
TCAT-AS-000450 | V-222949 | Tomcat user UMASK must be set to 0027.                                                                                                         | Cat II  |
TCAT-AS-001270 | V-222990 | $CATALINA_BASE/temp folder permissions must be set to 750.                                                                                     | Cat III |
TCAT-AS-001020 | V-222980 | LockOutRealms must be used for management of Tomcat.                                                                                           | Cat II  |
TCAT-AS-001660 | V-223002 | STRICT_SERVLET_COMPLIANCE must be set to true.                                                                                                 | Cat III |
TCAT-AS-000030 | V-222928 | HTTP Strict Transport Security (HSTS) must be enabled.                                                                                         | Cat III |
TCAT-AS-000371 | V-222946 | $CATALINA_BASE/conf folder permissions must be set to 750.                                                                                     | Cat II  |
TCAT-AS-001430 | V-222994 | Certificates in the trust store must be issued/signed by an approved CA.                                                                       | Cat II  |
TCAT-AS-001320 | V-222993 | Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.                                               | Cat II  |
TCAT-AS-000390 | V-222948 | $CATALINA_HOME/bin folder permissions must be set to 750.                                                                                      | Cat II  |
