1.1 Remove extraneous files and directories - /conf/Catalina/localhost/host-manager.xml | CONFIGURATION MANAGEMENT |
1.1 Remove extraneous files and directories - /conf/Catalina/localhost/manager.xml | CONFIGURATION MANAGEMENT |
1.1 Remove extraneous files and directories - /server/webapps/host-manager.xml | CONFIGURATION MANAGEMENT |
1.1 Remove extraneous files and directories - /server/webapps/manager | CONFIGURATION MANAGEMENT |
1.1 Remove extraneous files and directories - /webapps/balancer | CONFIGURATION MANAGEMENT |
1.1 Remove extraneous files and directories - /webapps/examples | CONFIGURATION MANAGEMENT |
1.1 Remove extraneous files and directories - /webapps/js-examples | CONFIGURATION MANAGEMENT |
1.1 Remove extraneous files and directories - /webapps/ROOT/admin | CONFIGURATION MANAGEMENT |
1.1 Remove extraneous files and directories - /webapps/servlet-example | CONFIGURATION MANAGEMENT |
1.1 Remove extraneous files and directories - /webapps/tomcat-docs | CONFIGURATION MANAGEMENT |
1.1 Remove extraneous files and directories - /webapps/webdav | CONFIGURATION MANAGEMENT |
1.2 Disable Unused Connectors | SYSTEM AND INFORMATION INTEGRITY |
2.1 Alter the Advertised server.info String | CONFIGURATION MANAGEMENT |
2.2 Alter the Advertised server.number String | CONFIGURATION MANAGEMENT |
2.3 Alter the Advertised server.built Date | CONFIGURATION MANAGEMENT |
2.4 Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors | CONFIGURATION MANAGEMENT |
2.7 Ensure Server Header is Modified To Prevent Information Disclosure | CONFIGURATION MANAGEMENT |
3.2 Disable the Shutdown port | SYSTEM AND INFORMATION INTEGRITY |
5.1 Use secure Realms | ACCESS CONTROL |
5.2 Use LockOut Realms | CONFIGURATION MANAGEMENT |
6.1 Setup Client-cert Authentication | IDENTIFICATION AND AUTHENTICATION |
7.1 Application specific logging | AUDIT AND ACCOUNTABILITY |
7.3 Ensure className is set correctly in context.xml | AUDIT AND ACCOUNTABILITY |
9.2 Disabling auto deployment of applications | CONFIGURATION MANAGEMENT |
9.3 Disable deploy on startup of applications | CONFIGURATION MANAGEMENT |
10.2 Restrict access to the web administration application | ACCESS CONTROL |
10.3 Restrict manager application | ACCESS CONTROL |
10.5 Rename the manager application - host-manager/manager.xml | CONFIGURATION MANAGEMENT |
10.5 Rename the manager application - localhost/manager.xml | CONFIGURATION MANAGEMENT |
10.5 Rename the manager application - webapps/manager | CONFIGURATION MANAGEMENT |
10.8 Do not allow additional path delimiters - ALLOW_BACKSLASH | CONFIGURATION MANAGEMENT |
10.8 Do not allow additional path delimiters - ALLOW_ENCODED_SLASH | CONFIGURATION MANAGEMENT |
10.9 Do not allow custom header status messages | CONFIGURATION MANAGEMENT |
10.10 Configure connectionTimeout | CONFIGURATION MANAGEMENT |
10.11 Configure maxHttpHeaderSize | CONFIGURATION MANAGEMENT |
10.12 Force SSL for all applications | SYSTEM AND COMMUNICATIONS PROTECTION |
10.16 Do not resolve hosts on logging valves | CONFIGURATION MANAGEMENT |
CIS_Apache_Tomcat_8_L2_v1.1.0_Middleware.audit from CIS Apache Tomcat 8 Benchmark | |