| 1.1 Remove extraneous files and directories | CONFIGURATION MANAGEMENT |
| 1.2 Disable Unused Connectors | CONFIGURATION MANAGEMENT |
| 2.1 Alter the Advertised server.info String | CONFIGURATION MANAGEMENT |
| 2.2 Alter the Advertised server.number String | CONFIGURATION MANAGEMENT |
| 2.3 Alter the Advertised server.built Date | CONFIGURATION MANAGEMENT |
| 2.4 Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors | CONFIGURATION MANAGEMENT |
| 2.7 Ensure Sever Header is Modified To Prevent Information Disclosure | CONFIGURATION MANAGEMENT |
| 3.2 Disable the Shutdown port | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1 Use secure Realms | ACCESS CONTROL, MEDIA PROTECTION |
| 5.2 Use LockOut Realms | CONFIGURATION MANAGEMENT |
| 6.1 Setup Client-cert Authentication | IDENTIFICATION AND AUTHENTICATION |
| 7.1 Application specific logging | AUDIT AND ACCOUNTABILITY |
| 7.3 Ensure className is set correctly in context.xml | AUDIT AND ACCOUNTABILITY |
| 9.1 Disabling auto deployment of applications | CONFIGURATION MANAGEMENT |
| 9.2 Disable deploy on startup of applications | CONFIGURATION MANAGEMENT |
| 10.3 Restrict manager application | ACCESS CONTROL |
| 10.5 Rename the manager application | CONFIGURATION MANAGEMENT |
| 10.6 Enable strict servlet Compliance | SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.8 Do not allow additional path delimiters | CONFIGURATION MANAGEMENT |
| 10.9 Configure connectionTimeout | CONFIGURATION MANAGEMENT |
| 10.10 Configure maxHttpHeaderSize | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.11 Force SSL for all applications | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 10.15 Do not resolve hosts on logging valves | SYSTEM AND INFORMATION INTEGRITY |
| CIS_Apache_Tomcat_11_v1.0.0_L2.audit from CIS Apache Tomcat 11 Benchmark v1.0.0 | |
