CIS Apache Tomcat5.5/6.0 L2 v1.0

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Apache Tomcat5.5/6.0 L2 v1.0

Updated: 1/20/2021

Authority: CIS

Plugin: Unix

Revision: 1.28

Estimated Item Count: 44

Audit Items

Description / Categories

1.1.1 Do not install Tomcat on a multi-use system

1.3.1 Remove extraneous files and directories (@CATALINA_HOME@/conf/Catalina/localhost/host-manager.xml)

CONFIGURATION MANAGEMENT

1.3.1 Remove extraneous files and directories (@CATALINA_HOME@/server/webapps/host-manager.xml)

CONFIGURATION MANAGEMENT

1.3.1 Remove extraneous files and directories (@CATALINA_HOME@/server/webapps/manager)

CONFIGURATION MANAGEMENT

1.3.1 Remove extraneous files and directories (@CATALINA_HOME@/webapps/balancer)

CONFIGURATION MANAGEMENT

1.3.1 Remove extraneous files and directories (@CATALINA_HOME@/webapps/examples)

CONFIGURATION MANAGEMENT

1.3.1 Remove extraneous files and directories (@CATALINA_HOME@/webapps/js-examples)

CONFIGURATION MANAGEMENT

1.3.1 Remove extraneous files and directories (@CATALINA_HOME@/webapps/ROOT/admin)

CONFIGURATION MANAGEMENT

1.3.1 Remove extraneous files and directories (@CATALINA_HOME@/webapps/servlet-example)

CONFIGURATION MANAGEMENT

1.3.1 Remove extraneous files and directories (@CATALINA_HOME@/webapps/tomcat-docs)

CONFIGURATION MANAGEMENT

1.3.1 Remove extraneous files and directories (@CATALINA_HOME@/webapps/webdav)

CONFIGURATION MANAGEMENT

1.3.1 Remove extraneous files and directories (@CATALINA_HOME@/conf/Catalina/localhost/manager.xml)

CONFIGURATION MANAGEMENT

1.4.1 Alter the Advertised server.info String (verify server.info is not set to default)

SYSTEM AND COMMUNICATIONS PROTECTION

1.4.1/1.4.2/1.4.3 Alter the Advertised server.info String (verify catalina.jar is not the default)

CONFIGURATION MANAGEMENT

1.4.2 Alter the Advertised server.number String (verify server.number is not set to default)

SYSTEM AND COMMUNICATIONS PROTECTION

1.4.3 Alter the Advertised server.built String (verify server.built is not set to default)

SYSTEM AND COMMUNICATIONS PROTECTION

1.4.4 Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors (verify xpoweredBy is set to false)

SYSTEM AND COMMUNICATIONS PROTECTION

1.4.4 Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors (verify the server value is blank)

SYSTEM AND COMMUNICATIONS PROTECTION

1.5.2 Disable the Shutdown port.

CONFIGURATION MANAGEMENT

1.7.1 Use secure Realms

CONFIGURATION MANAGEMENT

1.7.2 Use LockOut Realms (check cacheRemovalWarningTime is set to 3600)

ACCESS CONTROL

1.7.2 Use LockOut Realms (check cacheSize is set to 1000)

ACCESS CONTROL

1.7.2 Use LockOut Realms (check failureCount is set to 3)

ACCESS CONTROL

1.7.2 Use LockOut Realms (check lockOutTime is set to 600)

ACCESS CONTROL

1.8.1 Setup Client-cert Authentication (verify clientAuth is set to true)

IDENTIFICATION AND AUTHENTICATION

1.9.1 Application specific logging

CONFIGURATION MANAGEMENT

1.9.3 Ensure className is set correctly in context.xml

AUDIT AND ACCOUNTABILITY

1.9.7 Configure log file size limit

AUDIT AND ACCOUNTABILITY

1.11.2 Disabling auto deployment of applications

CONFIGURATION MANAGEMENT

1.11.3 Disable deploy on startup applications

CONFIGURATION MANAGEMENT

1.12.2 Restrict access to the web administration

ACCESS CONTROL

1.12.3 Restrict manager application

ACCESS CONTROL

1.12.5 Rename the manager application (verify the default manager directory has been removed/renamed)

CONFIGURATION MANAGEMENT

1.12.5 Rename the manager application (verify the default manager.xml has been renamed)

CONFIGURATION MANAGEMENT

1.12.8 Do not allow additional path delimiters (verify ALLOW_BACKSLASH is set to false)

SYSTEM AND INFORMATION INTEGRITY

1.12.8 Do not allow additional path delimiters (verify ALLOW_ENCODED_SLASH is set to false)

SYSTEM AND INFORMATION INTEGRITY

1.12.9 Do not allow custom header status messages

SYSTEM AND COMMUNICATIONS PROTECTION

1.12.10 Configure connection Timeout

SYSTEM AND COMMUNICATIONS PROTECTION

1.12.11 Configure maxHttpHeaderSize

SYSTEM AND COMMUNICATIONS PROTECTION

1.12.12 Force SSL for all applications

SYSTEM AND COMMUNICATIONS PROTECTION

1.12.13 Increase the entropy in session identifiers

SYSTEM AND COMMUNICATIONS PROTECTION

1.12.17 Do not resolve hosts on logging valves (verify context.xml has resolveHosts set to false)

CONFIGURATION MANAGEMENT

1.12.17 Do not resolve hosts on logging valves (verify server.xml has resolveHosts set to false)

CONFIGURATION MANAGEMENT

CIS_v1.0.0_Apache_Tomcat_Level_2.audit Level 2