STIGQter STIGQter: STIG Summary:

Apache Tomcat Application Sever 9 Security Technical Implementation Guide

Version: 2

Release: 2 Benchmark Date: 22 Jan 2021

SV-222926r615938_ruleThe number of allowed simultaneous sessions to the manager application must be limited.
SV-222927r615938_ruleSecured connectors must be configured to use strong encryption ciphers.
SV-222928r616154_ruleHTTP Strict Transport Security (HSTS) must be enabled.
SV-222929r615938_ruleTLS 1.2 must be used on secured HTTP connectors.
SV-222930r615938_ruleAccessLogValve must be configured for each application context.
SV-222931r615938_ruleDefault password for keystore must be changed.
SV-222932r615938_ruleCookies must have secure flag set.
SV-222933r615938_ruleCookies must have http-only flag set.
SV-222934r615938_ruleDefaultServlet must be set to readonly for PUT and DELETE.
SV-222935r615938_ruleConnectors must be secured.
SV-222936r615938_ruleThe Java Security Manager must be enabled.
SV-222937r615938_ruleTomcat servers behind a proxy or load balancer must log client IP.
SV-222938r615938_ruleAccessLogValve must be configured per each virtual host.
SV-222939r615938_ruleDate and time of events must be logged.
SV-222940r615938_ruleRemote hostname must be logged.
SV-222941r615938_ruleHTTP status code must be logged.
SV-222942r615938_ruleThe first line of request must be logged.
SV-222943r615938_rule$CATALINA_BASE/logs folder permissions must be set to 750.
SV-222944r615938_ruleFiles in the $CATALINA_BASE/logs/ folder must have their permissions set to 640.
SV-222945r615938_ruleFiles in the $CATALINA_BASE/conf/ folder must have their permissions set to 640.
SV-222946r615938_rule$CATALINA_BASE/conf folder permissions must be set to 750.
SV-222947r615938_ruleJar files in the $CATALINA_HOME/bin/ folder must have their permissions set to 640.
SV-222948r615938_rule$CATALINA_HOME/bin folder permissions must be set to 750.
SV-222949r615938_ruleTomcat user UMASK must be set to 0027.
SV-222950r615938_ruleStack tracing must be disabled.
SV-222951r615938_ruleThe shutdown port must be disabled.
SV-222952r615938_ruleUnapproved connectors must be disabled.
SV-222953r615938_ruleDefaultServlet debug parameter must be disabled.
SV-222954r615938_ruleDefaultServlet directory listings parameter must be disabled.
SV-222955r615938_ruleThe deployXML attribute must be set to false in hosted environments.
SV-222956r615938_ruleAutodeploy must be disabled.
SV-222957r615938_rulexpoweredBy attribute must be disabled.
SV-222958r615938_ruleExample applications must be removed.
SV-222959r615938_ruleTomcat default ROOT web application must be removed.
SV-222960r615938_ruleDocumentation must be removed.
SV-222961r615938_ruleApplications in privileged mode must be approved by the ISSO.
SV-222962r615938_ruleTomcat management applications must use LDAP realm authentication.
SV-222963r615938_ruleJMX authentication must be secured.
SV-222964r615938_ruleTLS must be enabled on JMX.
SV-222965r615938_ruleLDAP authentication must be secured.
SV-222966r616155_ruleDoD root CA certificates must be installed in Tomcat trust store.
SV-222967r615938_ruleKeystore file must be protected.
SV-222968r615938_ruleTomcat must use FIPS-validated ciphers on secured connectors.
SV-222969r615938_ruleAccess to JMX management interface must be restricted.
SV-222970r615938_ruleAccess to Tomcat manager application must be restricted.
SV-222971r615938_ruleTomcat servers must mutually authenticate proxy or load balancer connections.
SV-222973r615938_ruleTomcat must be configured to limit data exposure between applications.
SV-222974r615938_ruleClusters must operate on a trusted network.
SV-222975r615938_ruleErrorReportValve showServerInfo must be set to false.
SV-222976r615938_ruleDefault error pages for manager application must be customized.
SV-222977r615938_ruleErrorReportValve showReport must be set to false.
SV-222978r615938_ruleTomcat server version must not be sent with warnings and errors.
SV-222979r615938_ruleIdle timeout for management application must be set to 10 minutes.
SV-222980r615938_ruleLockOutRealms must be used for management of Tomcat.
SV-222981r615938_ruleLockOutRealms failureCount attribute must be set to 5 failed logins for admin users.
SV-222982r615938_ruleLockOutRealms lockOutTime attribute must be set to 600 seconds (10 minutes) for admin users.
SV-222983r615938_ruleTomcat user account must be set to nologin.
SV-222984r615938_ruleTomcat user account must be a non-privileged user.
SV-222985r615938_ruleApplication user name must be logged.
SV-222986r615938_rule$CATALINA_HOME folder must be owned by the root user, group tomcat.
SV-222987r615938_rule$CATALINA_BASE/conf/ folder must be owned by root, group tomcat.
SV-222988r615938_rule$CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat.
SV-222989r615938_rule$CATALINA_BASE/temp/ folder must be owned by tomcat user, group tomcat.
SV-222990r615938_rule$CATALINA_BASE/temp folder permissions must be set to 750.
SV-222991r615938_rule$CATALINA_BASE/work/ folder must be owned by tomcat user, group tomcat.
SV-222993r615938_ruleMultifactor certificate-based tokens (CAC) must be used when accessing the management interface.
SV-222994r615938_ruleCertificates in the trust store must be issued/signed by an approved CA.
SV-222995r615938_ruleThe application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster.
SV-222996r615938_ruleTomcat server must be patched for security vulnerabilities.
SV-222997r615938_ruleAccessLogValve must be configured for Catalina engine.
SV-222998r615938_ruleChanges to $CATALINA_HOME/bin/ folder must be logged.
SV-222999r615938_ruleChanges to $CATALINA_BASE/conf/ folder must be logged.
SV-223000r615938_ruleChanges to $CATALINA_HOME/lib/ folder must be logged.
SV-223001r615938_ruleApplication servers must use NIST-approved or NSA-approved key management technology and processes.
SV-223002r615938_ruleSTRICT_SERVLET_COMPLIANCE must be set to true.
SV-223003r615938_ruleRECYCLE_FACADES must be set to true.
SV-223004r615938_ruleALLOW_BACKSLASH must be set to false.
SV-223005r615938_ruleENFORCE_ENCODING_IN_GET_WRITER must be set to true.
SV-223006r615938_ruleTomcat users in a management role must be approved by the ISSO.
SV-223007r615938_ruleHosted applications must be documented in the system security plan.
SV-223008r615938_ruleConnectors must be approved by the ISSO.
SV-223009r615938_ruleConnector address attribute must be set.
SV-223010r615938_ruleThe application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.