STIGQter: STIG Summary:

VMware vSphere 6.7 STS Tomcat Security Technical Implementation Guide

Version: 1

Release: 1

Benchmark Date: 09 Mar 2021

Name                   Title
SV-239652r679028_rule  The Security Token Service must limit the amount of time that each TCP connection is kept alive.
SV-239653r679031_rule  The Security Token Service must limit the number of concurrent connections permitted.
SV-239654r679034_rule  The Security Token Service must limit the maximum size of a POST request.
SV-239655r679037_rule  The Security Token Service must protect cookies from XSS.
SV-239656r679251_rule  The Security Token Service must record user access in a format that enables monitoring of remote access.
SV-239657r679043_rule  The Security Token Service must generate log records during Java startup and shutdown.
SV-239658r679046_rule  Security Token Service log files must only be modifiable by privileged users.
SV-239659r679049_rule  The Security Token Service application files must be verified for their integrity.
SV-239660r679052_rule  The Security Token Service must only run one web app.
SV-239661r679055_rule  The Security Token Service must not be configured with unused realms.
SV-239662r679058_rule  The Security Token Service must be configured to limit access to internal packages.
SV-239663r679061_rule  The Security Token Service must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.
SV-239664r679064_rule  The Security Token Service must have mappings set for Java servlet pages.
SV-239665r679067_rule  The Security Token Service must not have the Web Distributed Authoring (WebDAV) servlet installed.
SV-239666r679070_rule  The Security Token Service must be configured with memory leak protection.
SV-239667r679073_rule  The Security Token Service must not have any symbolic links in the web content directory tree.
SV-239668r679076_rule  The Security Token Service directory tree must have permissions in an "out-of-the-box" state.
SV-239669r679079_rule  The Security Token Service must fail to a known safe state if system initialization fails, shutdown fails, or aborts fail.
SV-239670r679082_rule  The Security Token Service must limit the number of allowed connections.
SV-239671r679085_rule  The Security Token Service must set "URIEncoding" to UTF-8.
SV-239672r679088_rule  The Security Token Service must use the "setCharacterEncodingFilter" filter.
SV-239673r679091_rule  The Security Token Service must set the welcome-file node to a default web page.
SV-239674r679094_rule  The Security Token Service must not show directory listings.
SV-239675r679097_rule  The Security Token Service must be configured to show error pages with minimal information.
SV-239676r679100_rule  The Security Token Service must not enable support for TRACE requests.
SV-239677r679103_rule  The Security Token Service must have the debug option disabled.
SV-239678r679106_rule  Rsyslog must be configured to monitor and ship Security Token Service log files.
SV-239679r679109_rule  The Security Token Service must be configured with the appropriate ports.
SV-239680r679112_rule  The Security Token Service must disable the shutdown port.
SV-239681r679115_rule  The Security Token Service must set the secure flag for cookies.