1.1 Remove extraneous files and directories | CONFIGURATION MANAGEMENT |
1.2 Disable Unused Connectors | CONFIGURATION MANAGEMENT |
2.1 Alter the Advertised server.info String | CONFIGURATION MANAGEMENT |
2.2 Alter the Advertised server.number String | CONFIGURATION MANAGEMENT |
2.3 Alter the Advertised server.built Date | CONFIGURATION MANAGEMENT |
2.4 Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors | CONFIGURATION MANAGEMENT |
2.7 Ensure Server Header is Modified To Prevent Information Disclosure | CONFIGURATION MANAGEMENT |
3.2 Disable the Shutdown port | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
5.1 Use secure Realms | ACCESS CONTROL, MEDIA PROTECTION |
5.2 Use LockOut Realms | CONFIGURATION MANAGEMENT |
6.1 Setup Client-cert Authentication | IDENTIFICATION AND AUTHENTICATION |
7.1 Application specific logging | AUDIT AND ACCOUNTABILITY |
7.3 Ensure className is set correctly in context.xml | AUDIT AND ACCOUNTABILITY |
9.1 Disabling auto deployment of applications | CONFIGURATION MANAGEMENT |
9.2 Disable deploy on startup of applications | CONFIGURATION MANAGEMENT |
10.3 Restrict manager application | ACCESS CONTROL |
10.5 Rename the manager application | CONFIGURATION MANAGEMENT |
10.6 Enable strict servlet Compliance | SYSTEM AND COMMUNICATIONS PROTECTION |
10.8 Do not allow additional path delimiters | CONFIGURATION MANAGEMENT |
10.9 Configure connectionTimeout | CONFIGURATION MANAGEMENT |
10.10 Configure maxHttpHeaderSize | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
10.11 Force SSL for all applications | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
10.15 Do not resolve hosts on logging valves | SYSTEM AND INFORMATION INTEGRITY |
CIS_Apache_Tomcat_10.1_v1.0.0_L2.audit from CIS Apache Tomcat 10.1 Benchmark v1.0.0 | |