| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-222927 | | Secured connectors must be configured to use strong encryption ciphers. | The Tomcat <Connector> element controls the TLS protocol and the associated ciphers used. If a strong cipher is not selected, an attacker may be able ... |
| V-222929 | | TLS 1.2 must be used on secured HTTP connectors. | Using older versions of TLS introduces security vulnerabilities that exist in the older versions of the protocol. Tomcat by default will use all avail... |
| V-222930 | | AccessLogValve must be configured for each application context. | Tomcat has the ability to host multiple contexts (applications) on one physical server by using the <Host><Context> attribute. This allows the admin t... |
| V-222932 | | Cookies must have secure flag set. | It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the sett... |
| V-222933 | | Cookies must have http-only flag set. | It is possible to steal or manipulate web application session and cookies without having a secure cookie. Configuring the secure flag injects the sett... |
| V-222934 | | DefaultServlet must be set to readonly for PUT and DELETE. | The DefaultServlet is a servlet provided with Tomcat. It is called when no other suitable page can be displayed to the client. The DefaultServlet serv... |
| V-222935 | | Connectors must be secured. | The unencrypted HTTP protocol does not protect data from interception or alteration which can subject users to eavesdropping, tracking, and the modifi... |
| V-222936 | | The Java Security Manager must be enabled. | The Java Security Manager (JSM) is what protects the Tomcat server from trojan servlets, JSPs, JSP beans, tag libraries, or even from inadvertent mist... |
| V-222937 | | Tomcat servers behind a proxy or load balancer must log client IP. | When running Tomcat behind a load balancer or proxy, default behavior is for Tomcat to log the proxy or load balancer IP address as the client IP. Des... |
| V-222938 | | AccessLogValve must be configured per each virtual host. | Application servers utilize role-based access controls in order to specify the individuals who are allowed to configure application component loggable... |
| V-222939 | | Date and time of events must be logged. | The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/ser... |
| V-222940 | | Remote hostname must be logged. | The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/ser... |
| V-222942 | | The first line of request must be logged. | The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/ser... |
| V-222943 | | $CATALINA_BASE/logs folder permissions must be set to 750. | Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has rea... |
| V-222944 | | Files in the $CATALINA_BASE/logs/ folder must have their permissions set to 640. | Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has rea... |
| V-222945 | | Files in the $CATALINA_BASE/conf/ folder must have their permissions set to 640. | Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has rea... |
| V-222946 | | $CATALINA_BASE/conf folder permissions must be set to 750. | Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has rea... |
| V-222947 | | Jar files in the $CATALINA_HOME/bin/ folder must have their permissions set to 640. | Tomcat's file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with the group Tomcat. While root h... |
| V-222948 | | $CATALINA_HOME/bin folder permissions must be set to 750. | Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has rea... |
| V-222949 | | Tomcat user UMASK must be set to 0027. | For Unix-based systems, umask settings affect file creation permissions. If the permissions are too loose, newly created log files and applications co... |
| V-222950 | | Stack tracing must be disabled. | Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, T... |
| V-222951 | | The shutdown port must be disabled. | Tomcat listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomc... |
| V-222952 | | Unapproved connectors must be disabled. | Connectors are how Tomcat receives requests, passes them to hosted web applications, and then sends back the results to the requestor. Tomcat provides... |
| V-222955 | | The deployXML attribute must be set to false in hosted environments. | The Host element controls deployment. Automatic deployment allows for simpler management, but also makes it easier for an attacker to deploy a malicio... |
| V-222956 | | Autodeploy must be disabled. | Tomcat allows auto-deployment of applications while Tomcat is running. This can allow untested or malicious applications to be automatically loaded in... |
| V-222961 | | Applications in privileged mode must be approved by the ISSO. | The privileged attribute controls if a context (application) is allowed to use container provided servlets like the Manager servlet. It is false by de... |
| V-222962 | | Tomcat management applications must use LDAP realm authentication. | Using the local user store on a Tomcat installation does not meet a multitude of security control requirements related to user account management. To ... |
| V-222963 | | JMX authentication must be secured. | Java Management Extensions (JMX) provides the means to remotely manage the Java VM. When enabling the JMX agent for remote monitoring, the user must e... |
| V-222966 | | DOD root CA certificates must be installed in Tomcat trust store. | Tomcat truststores are used to validate client certificates. On the Ubuntu OS, by default, Tomcat uses the "cacerts" file as the CA trust store. The f... |
| V-222967 | | Keystore file must be protected. | Keystore file contains authentication information used to access application data and data resources. Access to the file must be protected. The defau... |
| V-222969 | | Access to JMX management interface must be restricted. | Java Management Extensions (JMX) is used to provide programmatic access to Tomcat for management purposes. This includes monitoring and control of jav... |
| V-222970 | | Access to Tomcat manager application must be restricted. | The Tomcat manager application is used to manage the Tomcat server and the applications that run on Tomcat. By default, the manager application is onl... |
| V-222971 | | Tomcat servers must mutually authenticate proxy or load balancer connections. | Tomcat servers are often placed behind a proxy when exposed to both trusted and untrusted networks. This is done for security and performance reasons.... |
| V-222974 | | Clusters must operate on a trusted network. | Operating a Tomcat cluster on an untrusted network creates potential for unauthorized persons to view or manipulate cluster session traffic. When oper... |
| V-222975 | | ErrorReportValve showServerInfo must be set to false. | The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to re... |
| V-222977 | | ErrorReportValve showReport must be set to false. | The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to re... |
| V-222979 | | Idle timeout for the management application must be set to 10 minutes. | Tomcat can set idle session timeouts on a per application basis. The management application is provided with the Tomcat installation and is used to ma... |
| V-222980 | | LockOutRealms must be used for management of Tomcat. | A LockOutRealm adds the ability to lock a user out after multiple failed logins. LockOutRealm is an implementation of the Tomcat Realm interface that ... |
| V-222981 | | LockOutRealms failureCount attribute must be set to 5 failed logins for admin users. | A LockOutRealm adds the ability to lock a user out after multiple failed logins. Setting the failureCount attribute to 5 will lock out a user account ... |
| V-222983 | | Tomcat user account must be set to nologin. | When installing Tomcat, a user account is created on the OS. This account is used in order for Tomcat to be able to operate on the OS but does not req... |
| V-222984 | | Tomcat user account must be a non-privileged user. | Use a distinct non-privileged user account for running Tomcat. If Tomcat processes are compromised and a privileged user account is used to operate th... |
| V-222986 | | $CATALINA_HOME folder must be owned by the root user, group tomcat. | Tomcat file permissions must be restricted. The standard configuration is to have the folder where Tomcat is installed owned by the root user with the... |
| V-222987 | | $CATALINA_BASE/conf/ folder must be owned by root, group tomcat. | Tomcat file permissions must be restricted. The standard configuration is to have Tomcat files contained in the conf/ folder as members of the "tomcat... |
| V-222988 | | $CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat. | Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has rea... |
| V-222991 | | $CATALINA_BASE/work/ folder must be owned by tomcat user, group tomcat. | Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has rea... |
| V-222993 | | Multifactor certificate-based tokens (CAC) must be used when accessing the management interface. | Password authentication does not provide sufficient security control when accessing a management interface. DOD has specified that a CAC will be used ... |
| V-222994 | | Certificates in the trust store must be issued/signed by an approved CA. | Use of self-signed certificates creates a lack of integrity and invalidates the certificate based authentication trust model. Certificates used by pro... |
| V-222995 | | The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster. | A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces. A M... |
| V-222996 | | Tomcat server must be patched for security vulnerabilities. | Tomcat is constantly being updated to address newly discovered vulnerabilities, some of which include denial-of-service attacks. To address this risk,... |
| V-222997 | | AccessLogValve must be configured for Catalina engine. | The <Engine> container represents the entire request processing machinery associated with a particular Catalina Service. It receives and processes all... |
| V-222998 | | Changes to $CATALINA_HOME/bin/ folder must be logged. | The $CATALINA_HOME/bin folder contains startup and control scripts for the Tomcat Catalina server. To provide forensic evidence in the event of file t... |
| V-222999 | | Changes to $CATALINA_BASE/conf/ folder must be logged. | The $CATALINA_BASE/conf folder contains configuration files for the Tomcat Catalina server. To provide forensic evidence in the event of file tamperin... |
| V-223000 | | Changes to $CATALINA_HOME/lib/ folder must be logged. | The $CATALINA_HOME/lib folder contains library files for the Tomcat Catalina server. These are in the form of java archive (jar) files. To provide for... |
| V-223004 | | ALLOW_BACKSLASH must be set to false. | When Tomcat is installed behind a proxy configured to only allow access to certain Tomcat contexts (web applications), an HTTP request containing "/\.... |
| V-223005 | | ENFORCE_ENCODING_IN_GET_WRITER must be set to true. | Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as... |
| V-223006 | | Tomcat users in a management role must be approved by the ISSO. | Deploying applications to Tomcat requires a Tomcat user account that is in the "manager-script" role. Any user accounts in a Tomcat management role mu... |
| V-223010 | | The application server must alert the system administrator (SA) and information system security officer (ISSO), at a minimum, in the event of a log processing failure. | Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a security incident. When log ... |
| V-222926 | | The number of allowed simultaneous sessions to the manager application must be limited. | The manager application provides configuration access to the Tomcat server. Access to the manager application must be limited and that includes the nu... |
| V-222928 | | HTTP Strict Transport Security (HSTS) must be enabled. | HTTP Strict Transport Security (HSTS) instructs web browsers to only use secure connections for all future requests when communicating with a website.... |
| V-222941 | | HTTP status code must be logged. | The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/ser... |
| V-222953 | | DefaultServlet debug parameter must be disabled. | The DefaultServlet serves static resources as well as serves the directory listings (if directory listings are enabled). It is declared globally in $C... |
| V-222954 | | DefaultServlet directory listings parameter must be disabled. | The DefaultServlet serves static resources as well as directory listings. It is declared globally in $CATALINA_BASE/conf/web.xml and by default is con... |
| V-222957 | | xpoweredBy attribute must be disabled. | Individual connectors can be configured to display the Tomcat server info to clients. This information can be used to identify Tomcat versions which c... |
| V-222958 | | Example applications must be removed. | Tomcat provides example applications, documentation, and other directories in the default installation which do not serve a production use. These file... |
| V-222959 | | Tomcat default ROOT web application must be removed. | The default ROOT web application includes the version of Tomcat that is being used, links to Tomcat documentation, examples, FAQs, and mailing lists. ... |
| V-222960 | | Documentation must be removed. | Tomcat provides documentation and other directories in the default installation which do not serve a production use. These files must be deleted.... |
| V-222973 | | Tomcat must be configured to limit data exposure between applications. | If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a b... |
| V-222976 | | Default error pages for manager application must be customized. | Default error pages that accompany the manager application provide educational information on how to configure user accounts and groups for accessing ... |
| V-222982 | | LockOutRealms lockOutTime attribute must be set to 600 seconds (10 minutes) for admin users. | A LockOutRealm adds the ability to specify a lockout time that prevents further attempts after multiple failed logins. Setting the lockOutTime attribu... |
| V-222985 | | Application user name must be logged. | The access logfile format is defined within a Valve that implements the org.apache.catalina.valves.AccessLogValve interface within the /opt/tomcat/ser... |
| V-222989 | | $CATALINA_BASE/temp/ folder must be owned by tomcat user, group tomcat. | Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has rea... |
| V-222990 | | $CATALINA_BASE/temp folder permissions must be set to 750. | Tomcat's file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with the group Tomcat. While root h... |
| V-223001 | | Application servers must use NIST-approved or NSA-approved key management technology and processes. | Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business... |
| V-223002 | | STRICT_SERVLET_COMPLIANCE must be set to true. | Strict Servlet Compliance forces Tomcat to adhere to standards specifications including but not limited to RFC2109. RFC2109 sets the standard for HTTP... |
| V-223003 | | RECYCLE_FACADES must be set to true. | If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a b... |
| V-223007 | | Hosted applications must be documented in the system security plan. | The ISSM/ISSO must be cognizant of all applications operating on the Tomcat server, and must address any security implications associated with the ope... |
| V-223008 | | Connectors must be approved by the ISSO. | Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP and then sends back the result... |
| V-223009 | | Connector address attribute must be set. | Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP, and then sends back the resul... |
| V-222931 | | Default password for keystore must be changed. | Tomcat currently operates only on JKS, PKCS11, or PKCS12 format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format... |
| V-222964 | | TLS must be enabled on JMX. | Java Management Extensions (JMX) provides the means for enterprises to remotely manage the Java VM and can be used in place of the local manager appli... |
| V-222965 | | LDAP authentication must be secured. | JNDIRealm is an implementation of the Tomcat Realm interface. Tomcat uses the JNDIRealm to look up users in an LDAP directory server. The realm's con... |
| V-222968 | | Tomcat must use FIPS-validated ciphers on secured connectors. | Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP, and then sends the results ba... |