TCAT-AS-000520 - DefaultServlet directory listings parameter must be disabled.

Information

The DefaultServlet serves static resources as well as directory listings. It is declared globally in $CATALINA_BASE/conf/web.xml and by default is configured with the directory 'listings' parameter set to disabled. If no welcome file is present and the 'listings' setting is enabled, a directory listing is shown. Directory listings must be disabled.

Solution

From the Tomcat server as a privileged user:

Edit the $CATALINA_BASE/conf/web.xml file.

Examine the <init-param> elements within the <Servletclass> element, if the 'listings' <param-value>element is 'true' change the 'listings' <param-value> to read 'false'.

sudo systemctl restart tomcat
sudo systemctl daemon-reload

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V3R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|III, CCI|CCI-000381, Rule-ID|SV-222954r960963_rule, STIG-ID|TCAT-AS-000520, STIG-Legacy|SV-111433, STIG-Legacy|V-102491, Vuln-ID|V-222954

Plugin: Unix

Control ID: 256c40ef45a8f3e67a75e473efffc02b50a3c49ba20dd3688a0f6fab2ec14ce5