| 1.3.2 Disable Unused Connectors | CONFIGURATION MANAGEMENT |
| 1.4.5 Disable client facing Stack Traces (Additional checks may be required) | SYSTEM AND INFORMATION INTEGRITY |
| 1.4.5 Disable client facing Stack Traces (Check if error-page has an exception-type defined) | SYSTEM AND INFORMATION INTEGRITY |
| 1.4.5 Disable client facing Stack Traces (Check if error-page has an location defined) | SYSTEM AND INFORMATION INTEGRITY |
| 1.4.6 Turn off TRACE (check web.xml configuration files) | SYSTEM AND INFORMATION INTEGRITY |
| 1.4.6 Turn off TRACE (verify if allowTrace is set to false) | SYSTEM AND INFORMATION INTEGRITY |
| 1.5.1 Set a nondeterministic Shutdown command value. | CONFIGURATION MANAGEMENT |
| 1.6.1 Restrict access to $CATALINA_HOME | CONFIGURATION MANAGEMENT |
| 1.6.2 Restrict access to $CATALINA_BASE | CONFIGURATION MANAGEMENT |
| 1.6.3 Restrict access to Tomcat configuration directory | CONFIGURATION MANAGEMENT |
| 1.6.4 Restrict access to Tomcat logs directory | CONFIGURATION MANAGEMENT |
| 1.6.5 Restrict access to Tomcat temp directory | CONFIGURATION MANAGEMENT |
| 1.6.6 Restrict access to Tomcat binaries directory | CONFIGURATION MANAGEMENT |
| 1.6.7 Restrict access to Tomcat web application directory | CONFIGURATION MANAGEMENT |
| 1.6.8 Restrict access to Tomcat catalina.policy | CONFIGURATION MANAGEMENT |
| 1.6.9 Restrict access to Tomcat catalina.properties | CONFIGURATION MANAGEMENT |
| 1.6.10 Restrict access to Tomcat context.xml | CONFIGURATION MANAGEMENT |
| 1.6.11 Restrict access to Tomcat logging.properties | CONFIGURATION MANAGEMENT |
| 1.6.12 Restrict access to Tomcat server.xml | CONFIGURATION MANAGEMENT |
| 1.6.13 Restrict access to Tomcat tomcat-users.xml | CONFIGURATION MANAGEMENT |
| 1.6.14 Restrict access to Tomcat web.xml | CONFIGURATION MANAGEMENT |
| 1.8.2 Ensure SSLEnabled is set to True for Sensitive Connectors | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.8.2 Ensure SSLEnabled is set to True for Sensitive Connectors(verify SSLEnabled is set to true) | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.8.3 Ensure scheme is set accurately | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.8.4 Ensure secure is set to true only for SSL-enabled Connectors (verify secure is set to true) | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.8.5 Ensure sslProtocol is set to TLS for Secure Connectors (verify sslProtocol is set to TLS) | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.9.2 Specify file handler in logging.properties (check if java.util.logging.ConsoleHandler exists in web application) | AUDIT AND ACCOUNTABILITY |
| 1.9.2 Specify file handler in logging.properties (check if java.util.logging.ConsoleHandler exists inin default) | AUDIT AND ACCOUNTABILITY |
| 1.9.2 Specify file handler in logging.properties (check if java.util.logging.ConsoleHandler logging is enabled in web application) | AUDIT AND ACCOUNTABILITY |
| 1.9.2 Specify file handler in logging.properties (check if java.util.logging.ConsoleHandler logging is enabled inin default) | AUDIT AND ACCOUNTABILITY |
| 1.9.2 Specify file handler in logging.properties (check if org.apache.juli.FileHandler exists in web application) | AUDIT AND ACCOUNTABILITY |
| 1.9.2 Specify file handler in logging.properties (check if org.apache.juli.FileHandler exists inin default) | AUDIT AND ACCOUNTABILITY |
| 1.9.2 Specify file handler in logging.properties (check if org.apache.juli.FileHandler logging is enabled in web application) | AUDIT AND ACCOUNTABILITY |
| 1.9.2 Specify file handler in logging.properties (check if org.apache.juli.FileHandler logging is enabled inin default) | AUDIT AND ACCOUNTABILITY |
| 1.9.4 Ensure directory in context.xml is a secure location - configuration | AUDIT AND ACCOUNTABILITY |
| 1.9.4 Ensure directory in context.xml is a secure location - permissions | CONFIGURATION MANAGEMENT |
| 1.9.5 Ensure pattern in context.xml is correct | AUDIT AND ACCOUNTABILITY |
| 1.9.6 Ensure directory in logging.properties is a secure location (check application log directory is secure) | CONFIGURATION MANAGEMENT |
| 1.9.6 Ensure directory in logging.properties is a secure location (check log directory location) | AUDIT AND ACCOUNTABILITY |
| 1.9.6 Ensure directory in logging.properties is a secure location (check prefix application name) | AUDIT AND ACCOUNTABILITY |
| 1.10.1 Restrict runtime access to sensitive packages | ACCESS CONTROL |
| 1.11.1 Starting Tomcat with Security Manager | CONFIGURATION MANAGEMENT |
| 1.12.1 Ensure Web content directory is on a separate partition from the Tomcat system files (verify Web content directory) | |
| 1.12.4 Force SSL when accessing the manager application | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.12.6 Enable strict servlet Compliance | CONFIGURATION MANAGEMENT |
| 1.12.7 Turn off session facade recycling | CONFIGURATION MANAGEMENT |
| 1.12.14 Do not allow symbolic linking | ACCESS CONTROL |
| 1.12.15 Do not run applications as privileged | ACCESS CONTROL |
| 1.12.16 Do not allow cross context requests | SYSTEM AND COMMUNICATIONS PROTECTION |
| CIS_v1.0.0_Apache_Tomcat_Level_1.audit Level 1 | |
