#
# This script is Copyright (C) 2004-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable, Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
#
# $Revision: 1.4 $
# $Date: 2018/07/24 $
#
# Description : This .audit is designed against the CIS Security Configuration
#               Benchmark For Apache Tomcat 8 Version 1.0.1, September 6th, 2016
#
# NOTE : The audits contained in this document are for Level 1 items
#        of the CIS Apache Tomcat 8 Benchmark version 1.0.1 and are
#        specific to Apache Tomcat version 8.x.
#
# NOTE : In order for the .audit to run correctly the CATALINA_HOME item
#        will need to be changed to the absolute path to your Tomcat
#        installation directory.
#
# Benchmark metadata
#   Display name : CIS Apache Tomcat 8 L1 v1.0.1
#   Type         : CIS
#   Name         : Apache Tomcat 8 L1
#   Version      : 1.0.1
#   Link         : https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf
#   Labels       : unix,cis,apache,tomcat
#
# Variables (defaults shown; set each one to match the target installation)
#
#   WEBSERVER_NAME  default: Apache Tomcat
#     Web server name string. The name given to Tomcat in your configuration information.
#
#   CATALINA_HOME  default: /usr/share/tomcat8
#     Catalina home. The absolute path to your Tomcat installation directory. It should not end in a slash.
#
#   CATALINA_BASE  default: /var/lib/tomcat8/webapps
#     Catalina base. The absolute path to your Tomcat base directory. If you are running multiple
#     instances of Tomcat you should set CATALINA_BASE to the instance directory and CATALINA_HOME
#     to the common Tomcat installation whose files will be shared between instances.
#
#   CATALINA_CONF  default: /etc/tomcat8
#     Catalina configuration directory. The absolute path to the Tomcat configuration files directory.
#     (This is used primarily by Ubuntu and Debian-based installations of Linux.)
#   WEB_APP_DIR  default: yourappname
#     Web application directory. The name of your web application directory within CATALINA_BASE
#     (e.g., /var/lib/tomcat8/webapps/yourappname).
#
#   SSL_PORT  default: 443
#     SSL port number. The SSL port for your sensitive Connector(s).
#
#   SECURE_LOG_DIR  default: /var/log/tomcat8
#     Log directory. The path to where your logs are kept on the system.
#
#   LOGGING_LEVEL  default: WARNING
#     Configured logging level. The level of verbosity at which Tomcat should record log information.
#
#   TOMCAT_OWNER  default: tomcat_admin
#     Tomcat system owner. Unix user that owns the Tomcat installation files.
#
#   TOMCAT_GROUP  default: tomcat
#     Tomcat system group. Unix group that can access the Tomcat installation files.
#

  type        : CMD_EXEC
  description : "Tomcat found"
  # Note: Variable @CATALINA_HOME@ replaced with "/usr/share/tomcat8" in field "cmd".
  cmd         : "java -cp /usr/share/tomcat8/lib/catalina.jar org.apache.catalina.util.ServerInfo | /bin/egrep 'version'"
  # Note: Variable @WEBSERVER_NAME@ replaced with "Apache Tomcat" in field "expect".
  expect      : "Apache Tomcat"

  description : "CIS_Apache_Tomcat_8_L1_v1.0.1.audit Level 1"

##################################################
# 1 Remove Extraneous Resources
##################################################

##################################################
# 2 Limit Server Platform Information Leaks
##################################################

  system      : "Linux"
  type        : AUDIT_XML
  description : "2.5 Disable client-facing stack traces (check for defined exception type)"
  info        : "Debugging information, such as that found in call stacks, often contains sensitive information that may be useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced."
  solution    : "Perform the following to prevent Tomcat from providing debug information to the requestor during runtime errors:

1. Create a web page that contains the logic or message you wish to invoke when encountering a runtime error. For example purposes, assume this page is located at /error.jsp.
2. Add a child element, <error-page>, to the <web-app> element in the $CATALINA_HOME/conf/web.xml file.
3. Add a child element, <exception-type>, to the <error-page> element. Set the value of the <exception-type> element to java.lang.Throwable.
4. Add a child element, <location>, to the <error-page> element. Set the value of the <location> element to the location of the page created in #1.

The resulting entry will look as follows:

<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/error.jsp</location>
</error-page>"
  reference   : "800-53|SI-11,ITSG-33|SI-11,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/web.xml"
  xsl_stmt    : "FAIL - Missing error-page element"
  xsl_stmt    : "FAIL - Missing exception-type child element"
  xsl_stmt    : "FAIL - Wrong exception-type - should be set to java.lang.Throwable"
  xsl_stmt    : "FAIL - Missing location child element"
  xsl_stmt    : "PASS - error-page element correctly added"
  regex       : "PASS"
  expect      : "PASS"

  system      : "Linux"
  type        : AUDIT_XML
  description : "2.6 Turn off TRACE (check server.xml)"
  info        : "Diagnostic information, such as that found in the response to a TRACE request, often contains sensitive information that may be useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced."
  solution    : "Perform the following to prevent Tomcat from accepting a TRACE request:

1. Set the allowTrace attribute of each Connector specified in $CATALINA_HOME/conf/server.xml to false.
Alternatively, ensure the allowTrace attribute for each Connector specified in $CATALINA_HOME/conf/server.xml is absent."
  reference   : "800-53|SI-11,ITSG-33|SI-11,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/server.xml"
  xsl_stmt    : "PASS - allowTrace not present"
  xsl_stmt    : "PASS - allowTrace set to false"
  xsl_stmt    : "FAIL - allowTrace set to true"
  regex       : "PASS"
  expect      : "PASS"

  system      : "Linux"
  type        : CMD_EXEC
  description : "2.6 Turn off TRACE (check web.xml config files)"
  info        : "Diagnostic information, such as that found in the response to a TRACE request, often contains sensitive information that may be useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced."
  solution    : "Perform the following to prevent Tomcat from accepting a TRACE request:

1. Set the allowTrace attribute of each Connector specified in $CATALINA_HOME/conf/server.xml to false.

Alternatively, ensure the allowTrace attribute for each Connector specified in $CATALINA_HOME/conf/server.xml is absent."
  reference   : "800-53|SI-11,ITSG-33|SI-11,CSCv6|18.5,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_HOME@ replaced with "/usr/share/tomcat8" in field "cmd".
  # The command prints the path of every web.xml under CATALINA_HOME that matches the pattern
  # (egrep -q exits 0 on a match); the empty expect string means the check passes only when
  # nothing is printed.
  cmd         : "$(which find) /usr/share/tomcat8 -name web.xml -exec bash -c 'if test -f {}; then $(which cat) {} | $(which egrep) -q \"^[\\\s\\\t]*[Gg][Ee][Tt][Tt][Rr][Aa][Cc][Ee]<\\\/servlet-name>\"; if test $? -lt 1; then echo {};fi; fi' \\;"
  expect      : ""

##################################################
# 3 Protect the Shutdown Port
##################################################

  system      : "Linux"
  type        : AUDIT_XML
  description : "3.1 Set a nondeterministic Shutdown command value."
  info        : "Tomcat listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface. It is recommended that a nondeterministic value be set for the shutdown attribute in $CATALINA_HOME/conf/server.xml."
  solution    : "Update the shutdown attribute in $CATALINA_HOME/conf/server.xml as follows:

<Server port=\"8005\" shutdown=\"NONDETERMINISTICVALUE\">

Note: NONDETERMINISTICVALUE should be replaced with a sequence of random characters."
  reference   : "800-53|CM-6,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/server.xml"
  xsl_stmt    : "FAIL - Shutdown text is default value"
  xsl_stmt    : "PASS - Shutdown text is not default value"
  regex       : "PASS"
  expect      : "PASS"

##################################################
# 4 Protect Tomcat Configurations
##################################################

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.1 Restrict access to $CATALINA_HOME"
  info        : "$CATALINA_HOME is the environment variable which holds the path to the root Tomcat directory. It is important to protect access to this in order to protect the Tomcat binaries and libraries from unauthorized modification. It is recommended that the ownership of $CATALINA_HOME be tomcat_admin:tomcat.
It is also recommended that the permissions on $CATALINA_HOME prevent read, write, and execute for the world (o-rwx) and prevent write access to the group (g-w)."
  solution    : "Perform the following to establish the recommended state:

1. Set the ownership of the $CATALINA_HOME to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.
3. Remove write permissions for the group.

# chown tomcat_admin:tomcat $CATALINA_HOME
# chmod g-w,o-rwx $CATALINA_HOME"
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_HOME@ replaced with "/usr/share/tomcat8" in field "file".
  file        : "/usr/share/tomcat8"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "027"
  file_type   : "d"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.2 Restrict access to $CATALINA_BASE"
  info        : "$CATALINA_BASE is the environment variable that specifies the base directory against which most relative paths are resolved. $CATALINA_BASE is usually used when there are multiple instances of Tomcat running. It is important to protect access to this in order to protect the Tomcat-related binaries and libraries from unauthorized modification. It is recommended that the ownership of $CATALINA_BASE be tomcat_admin:tomcat. It is also recommended that the permissions on $CATALINA_BASE prevent read, write, and execute for the world (o-rwx) and prevent write access to the group (g-w)."
  solution    : "Perform the following to establish the recommended state:

1. Set the ownership of the $CATALINA_BASE to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.
3. Remove write permissions for the group.

# chown tomcat_admin:tomcat $CATALINA_BASE
# chmod g-w,o-rwx $CATALINA_BASE"
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_BASE@ replaced with "/var/lib/tomcat8/webapps" in field "file".
  file        : "/var/lib/tomcat8/webapps"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "027"
  file_type   : "d"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.3 Restrict access to Tomcat configuration directory"
  info        : "The Tomcat $CATALINA_HOME/conf/ directory contains Tomcat configuration files. It is recommended that the ownership of this directory be tomcat_admin:tomcat. It is also recommended that the permissions on this directory prevent read, write, and execute for the world (o-rwx) and prevent write access to the group (g-w)."
  solution    : "Perform the following to restrict access to Tomcat configuration files:

1. Set the ownership of the $CATALINA_HOME/conf to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.
3. Remove write permissions for the group.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf
# chmod g-w,o-rwx $CATALINA_HOME/conf"
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "027"
  file_type   : "d"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.4 Restrict access to Tomcat logs directory"
  info        : "The Tomcat $CATALINA_HOME/logs/ directory contains Tomcat logs. It is recommended that the ownership of this directory be tomcat_admin:tomcat. It is also recommended that the permissions on this directory prevent read, write, and execute for the world (o-rwx)."
  solution    : "Perform the following to restrict access to Tomcat log files:

1. Set the ownership of the $CATALINA_HOME/logs to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.

# chown tomcat_admin:tomcat
# chmod o-rwx "
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @SECURE_LOG_DIR@ replaced with "/var/log/tomcat8" in field "file".
  file        : "/var/log/tomcat8"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "007"
  file_type   : "d"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.5 Restrict access to Tomcat temp directory"
  info        : "The Tomcat $CATALINA_HOME/temp/ directory is used by Tomcat to persist temporary information to disk. It is recommended that the ownership of this directory be tomcat_admin:tomcat. It is also recommended that the permissions on this directory prevent read, write, and execute for the world (o-rwx)."
  solution    : "Perform the following to restrict access to the Tomcat temp directory:

1. Set the ownership of the $CATALINA_HOME/temp to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.

# chown tomcat_admin:tomcat $CATALINA_HOME/temp
# chmod o-rwx $CATALINA_HOME/temp"
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_HOME@ replaced with "/usr/share/tomcat8" in field "file".
  file        : "/usr/share/tomcat8/temp"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "007"
  file_type   : "d"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.6 Restrict access to Tomcat binaries directory"
  info        : "The Tomcat $CATALINA_HOME/bin/ directory contains executables that are part of the Tomcat run-time. It is recommended that the ownership of this directory be tomcat_admin:tomcat. It is also recommended that the permissions on $CATALINA_HOME/bin prevent read, write, and execute for the world (o-rwx) and prevent write access to the group (g-w)."
  solution    : "Perform the following to restrict access to the Tomcat bin directory:

1. Set the ownership of the $CATALINA_HOME/bin to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.
3. Remove write permissions for the group.

# chown tomcat_admin:tomcat $CATALINA_HOME/bin
# chmod g-w,o-rwx $CATALINA_HOME/bin"
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_HOME@ replaced with "/usr/share/tomcat8" in field "file".
  file        : "/usr/share/tomcat8/bin"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "027"
  file_type   : "d"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.7 Restrict access to Tomcat web application directory"
  info        : "The Tomcat $CATALINA_HOME/webapps directory contains web applications that are deployed through Tomcat. It is recommended that the ownership of this directory be tomcat_admin:tomcat. It is also recommended that the permissions on $CATALINA_HOME/webapps prevent read, write, and execute for the world (o-rwx) and prevent write access to the group (g-w)."
  solution    : "Perform the following to restrict access to the Tomcat webapps directory:

1. Set the ownership of the $CATALINA_HOME/webapps to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.
3. Remove write permissions for the group.

# chown tomcat_admin:tomcat $CATALINA_HOME/webapps
# chmod g-w,o-rwx $CATALINA_HOME/webapps"
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_BASE@ replaced with "/var/lib/tomcat8/webapps" in field "file".
  file        : "/var/lib/tomcat8/webapps"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "027"
  file_type   : "d"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.8 Restrict access to Tomcat catalina.policy"
  info        : "The catalina.policy file is used to configure security policies for Tomcat. It is recommended that access to this file has the proper permissions to properly protect from unauthorized changes."
  solution    : "Perform the following to restrict access to $CATALINA_HOME/conf/catalina.policy:

1. Set the owner and group owner of $CATALINA_HOME/conf/catalina.policy to tomcat_admin and tomcat, respectively.

# chmod 770 $CATALINA_HOME/conf/catalina.policy
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/catalina.policy"
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/catalina.policy"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "007"
  file_type   : "f"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.9 Restrict access to Tomcat catalina.properties"
  info        : "catalina.properties is a Java properties file that contains settings for Tomcat including class loader information, security package lists, and performance properties. It is recommended that access to this file has the proper permissions to properly protect from unauthorized changes."
  solution    : "Perform the following to restrict access to catalina.properties:

1. Set the ownership of the $CATALINA_HOME/conf/catalina.properties to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.
3. Remove write permissions for the group.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf/catalina.properties
# chmod g-w,o-rwx $CATALINA_HOME/conf/catalina.properties"
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/catalina.properties"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "027"
  file_type   : "f"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.10 Restrict access to Tomcat context.xml"
  info        : "The context.xml file is loaded by all web applications and sets certain configuration options. It is recommended that access to this file has the proper permissions to properly protect from unauthorized changes."
  solution    : "Perform the following to restrict access to context.xml:

1. Set the ownership of the $CATALINA_HOME/conf/context.xml to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.
3. Remove write permissions for the group.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf/context.xml
# chmod g-w,o-rwx $CATALINA_HOME/conf/context.xml"
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/context.xml"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "027"
  file_type   : "f"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.11 Restrict access to Tomcat logging.properties"
  info        : "logging.properties is the Tomcat file that specifies the logging configuration. It is recommended that access to this file has the proper permissions to properly protect from unauthorized changes."
  solution    : "Perform the following to restrict access to logging.properties:

1. Set the ownership of the $CATALINA_HOME/conf/logging.properties to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.
3. Remove write permissions for the group.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf/logging.properties
# chmod g-w,o-rwx $CATALINA_HOME/conf/logging.properties"
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/logging.properties"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "027"
  file_type   : "f"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.12 Restrict access to Tomcat server.xml"
  info        : "server.xml contains the Tomcat server configuration, including the Server, Service, Connector, Engine, Host and Realm definitions. It is recommended that access to this file has the proper permissions to properly protect from unauthorized changes."
  solution    : "Perform the following to restrict access to server.xml:

1. Set the ownership of the $CATALINA_HOME/conf/server.xml to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.
3. Remove write permissions for the group.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf/server.xml
# chmod g-w,o-rwx $CATALINA_HOME/conf/server.xml"
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/server.xml"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "027"
  file_type   : "f"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.13 Restrict access to Tomcat tomcat-users.xml"
  info        : "tomcat-users.xml contains authentication information for Tomcat applications. It is recommended that access to this file has the proper permissions to properly protect from unauthorized changes."
  solution    : "Perform the following to restrict access to tomcat-users.xml:

1. Set the ownership of the $CATALINA_HOME/conf/tomcat-users.xml to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.
3. Remove write permissions for the group.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf/tomcat-users.xml
# chmod g-w,o-rwx $CATALINA_HOME/conf/tomcat-users.xml"
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/tomcat-users.xml"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "027"
  file_type   : "f"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

  system      : "Linux"
  type        : FILE_CHECK
  description : "4.14 Restrict access to Tomcat web.xml"
  info        : "web.xml is a Tomcat configuration file that stores application configuration settings. It is recommended that access to this file has the proper permissions to properly protect from unauthorized changes."
  solution    : "Perform the following to restrict access to web.xml:

1. Set the ownership of the $CATALINA_HOME/conf/web.xml to tomcat_admin:tomcat.
2. Remove read, write, and execute permissions for the world.
3. Remove write permissions for the group.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf/web.xml
# chmod g-w,o-rwx $CATALINA_HOME/conf/web.xml"
  reference   : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/web.xml"
  # Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
  owner       : "tomcat_admin"
  mask        : "027"
  file_type   : "f"
  # Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
  group       : "tomcat"

##################################################
# 5 Configure Realms
##################################################

##################################################
# 6 Connector Security
##################################################

  system      : "Linux"
  type        : AUDIT_XML
  description : "6.2 Ensure SSLEnabled is set to True for Sensitive Connectors (verify SSLEnabled is set to true)"
  info        : "The SSLEnabled setting determines if SSL is enabled for a specific Connector. It is recommended that SSL be utilized for any Connector that sends or receives sensitive information, such as authentication credentials or personal information."
  solution    : "In server.xml, set the SSLEnabled attribute to true for each Connector that sends or receives sensitive information."
  reference   : "800-53|SC-13,800-171|3.13.11,CSF|PR.DS-5,ITSG-33|SC-13,LEVEL|1NS"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/server.xml"
  # Note: Variable @SSL_PORT@ replaced with "443" in field "xsl_stmt".
  xsl_stmt    : "FAIL - SSLEnabled set to false on port"
  xsl_stmt    : "PASS - SSLEnabled configured correctly"
  xsl_stmt    : "PASS - No connectors using SSL"
  regex       : "PASS"
  expect      : "PASS"

  system      : "Linux"
  type        : AUDIT_XML
  description : "6.3 Ensure scheme is set accurately"
  info        : "The scheme attribute is used to indicate to callers of request.getScheme() which scheme is in use by the Connector. Ensure the scheme attribute is set to http for Connectors operating over HTTP. Ensure the scheme attribute is set to https for Connectors operating over HTTPS."
  solution    : "In server.xml, set the Connector's scheme attribute to http for Connectors operating over HTTP. Set the Connector's scheme attribute to https for Connectors operating over HTTPS."
  reference   : "800-53|SC-13,800-171|3.13.11,CSF|PR.DS-5,ITSG-33|SC-13,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/server.xml"
  # Note: Variable @SSL_PORT@ replaced with "443" in field "xsl_stmt".
  xsl_stmt    : "FAIL - Scheme not set to HTTPS for SSL connector at port"
  xsl_stmt    : "PASS - Scheme configured correctly"
  xsl_stmt    : "PASS - No connectors using SSL"
  regex       : "PASS"
  expect      : "PASS"

  system      : "Linux"
  type        : AUDIT_XML
  description : "6.4 Ensure secure is set to true only for SSL-enabled Connectors (verify secure is set to true)"
  info        : "The secure attribute is used to convey Connector security status to applications operating over the Connector. This is typically achieved by calling request.isSecure().
Ensure the secure attribute is only set to true for Connectors operating with the SSLEnabled attribute set to true."
  solution    : "For each Connector defined in server.xml, set the secure attribute to true for those Connectors having SSLEnabled set to true. Set the secure attribute to false for those Connectors having SSLEnabled set to false."
  reference   : "800-53|SC-13,800-171|3.13.11,CSF|PR.DS-5,ITSG-33|SC-13,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/server.xml"
  # Note: Variable @SSL_PORT@ replaced with "443" in field "xsl_stmt".
  xsl_stmt    : "FAIL - Secure not set to true for SSL connector at port"
  xsl_stmt    : "PASS - Secure configured correctly"
  xsl_stmt    : "PASS - No connectors using SSL"
  regex       : "PASS"
  expect      : "PASS"

  system      : "Linux"
  type        : AUDIT_XML
  description : "6.5 Ensure sslProtocol is set to TLS for Secure Connectors (verify sslProtocol is set to TLS)"
  info        : "The sslProtocol setting determines which protocol Tomcat will use to protect traffic. It is recommended that the sslProtocol attribute be set to TLS."
  solution    : "In server.xml, set the sslProtocol attribute to 'TLS' for Connectors having SSLEnabled set to true."
  reference   : "800-53|SC-13,800-171|3.13.11,CSF|PR.DS-5,ITSG-33|SC-13,LEVEL|1S"
  see_also    : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
  # Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
  file        : "/etc/tomcat8/server.xml"
  # Note: Variable @SSL_PORT@ replaced with "443" in field "xsl_stmt".
xsl_stmt : ""
xsl_stmt : "FAIL - sslProtocol not set to TLS for SSL connector at port "
xsl_stmt : ""
# Note: Variable @SSL_PORT@ replaced with "443" in field "xsl_stmt".
xsl_stmt : ""
xsl_stmt : "PASS - sslProtocol configured correctly"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "PASS - No connectors using SSL"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : "PASS"
expect : "PASS"

##################################################
# 7 Establish and Protect Logging Facilities
##################################################

system : "Linux"
type : FILE_CONTENT_CHECK
description : "7.2 Specify file handler in logging.properties (check if org.apache.juli.FileHandler exists in web application)"
info : "Handlers specify where log messages are sent. Console handlers send log messages to the Java console and File handlers specify logging to a file."
solution : "Add the following entries to your logging.properties file if they do not exist.
handlers=org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
Ensure logging is not off and set the logging level to the desired level such as:
org.apache.juli.FileHandler.level=FINEST"
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_BASE@ replaced with "/var/lib/tomcat8/webapps" in field "file".
# Note: Variable @WEB_APP_DIR@ replaced with "yourappname" in field "file".
file : "/var/lib/tomcat8/webapps/yourappname/WEB-INF/classes/logging.properties"
regex : "handlers[\\s]*=[\\s]*.*org\.apache\.juli\.FileHandler"
expect : "handlers[\\s]*=[\\s]*.*org\.apache\.juli\.FileHandler"

system : "Linux"
type : FILE_CONTENT_CHECK
description : "7.2 Specify file handler in logging.properties (check if org.apache.juli.FileHandler logging is enabled in web application)"
info : "Handlers specify where log messages are sent. Console handlers send log messages to the Java console and File handlers specify logging to a file."
solution : "Add the following entries to your logging.properties file if they do not exist.
handlers=org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
Ensure logging is not off and set the logging level to the desired level such as:
org.apache.juli.FileHandler.level=FINEST"
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_BASE@ replaced with "/var/lib/tomcat8/webapps" in field "file".
# Note: Variable @WEB_APP_DIR@ replaced with "yourappname" in field "file".
file : "/var/lib/tomcat8/webapps/yourappname/WEB-INF/classes/logging.properties"
# Note: Variable @LOGGING_LEVEL@ replaced with "WARNING" in field "regex".
regex : "org\.apache\.juli\.FileHandler\.level[\\s]*=[\\s]*(WARNING)"
# Note: Variable @LOGGING_LEVEL@ replaced with "WARNING" in field "expect".
expect : "org\.apache\.juli\.FileHandler\.level[\\s]*=[\\s]*(WARNING)"

system : "Linux"
type : FILE_CONTENT_CHECK
description : "7.2 Specify file handler in logging.properties (check if java.util.logging.ConsoleHandler exists in web application)"
info : "Handlers specify where log messages are sent.
Console handlers send log messages to the Java console and File handlers specify logging to a file."
solution : "Add the following entries to your logging.properties file if they do not exist.
handlers=org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
Ensure logging is not off and set the logging level to the desired level such as:
org.apache.juli.FileHandler.level=FINEST"
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_BASE@ replaced with "/var/lib/tomcat8/webapps" in field "file".
# Note: Variable @WEB_APP_DIR@ replaced with "yourappname" in field "file".
file : "/var/lib/tomcat8/webapps/yourappname/WEB-INF/classes/logging.properties"
regex : "handlers[\\s]*=[\\s]*.*java\.util\.logging\.ConsoleHandler"
expect : "handlers[\\s]*=[\\s]*.*java\.util\.logging\.ConsoleHandler"

system : "Linux"
type : FILE_CONTENT_CHECK
description : "7.2 Specify file handler in logging.properties (check if java.util.logging.ConsoleHandler logging is enabled in web application)"
info : "Handlers specify where log messages are sent. Console handlers send log messages to the Java console and File handlers specify logging to a file."
solution : "Add the following entries to your logging.properties file if they do not exist.
handlers=org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
Ensure logging is not off and set the logging level to the desired level such as:
org.apache.juli.FileHandler.level=FINEST"
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_BASE@ replaced with "/var/lib/tomcat8/webapps" in field "file".
# Note: Variable @WEB_APP_DIR@ replaced with "yourappname" in field "file".
file : "/var/lib/tomcat8/webapps/yourappname/WEB-INF/classes/logging.properties"
# Note: Variable @LOGGING_LEVEL@ replaced with "WARNING" in field "regex".
# Note: whitespace around '=' is optional, matching the other level checks in this file.
regex : "java\.util\.logging\.ConsoleHandler\.level[\\s]*=[\\s]*(WARNING)"
# Note: Variable @LOGGING_LEVEL@ replaced with "WARNING" in field "expect".
expect : "java\.util\.logging\.ConsoleHandler\.level[\\s]*=[\\s]*(WARNING)"

system : "Linux"
type : FILE_CONTENT_CHECK
description : "7.2 Specify file handler in logging.properties (check if org.apache.juli.FileHandler exists in default)"
info : "Handlers specify where log messages are sent. Console handlers send log messages to the Java console and File handlers specify logging to a file."
solution : "Add the following entries to your logging.properties file if they do not exist.
handlers=org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
Ensure logging is not off and set the logging level to the desired level such as:
org.apache.juli.FileHandler.level=FINEST"
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
file : "/etc/tomcat8/logging.properties"
regex : "handlers[\\s]*=[\\s]*.*org\.apache\.juli\.FileHandler"
expect : "handlers[\\s]*=[\\s]*.*org\.apache\.juli\.FileHandler"

system : "Linux"
type : FILE_CONTENT_CHECK
description : "7.2 Specify file handler in logging.properties (check if org.apache.juli.FileHandler logging is enabled in default)"
info : "Handlers specify where log messages are sent. Console handlers send log messages to the Java console and File handlers specify logging to a file."
solution : "Add the following entries to your logging.properties file if they do not exist.
handlers=org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
Ensure logging is not off and set the logging level to the desired level such as:
org.apache.juli.FileHandler.level=FINEST"
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
file : "/etc/tomcat8/logging.properties"
# Note: Variable @LOGGING_LEVEL@ replaced with "WARNING" in field "regex".
regex : "org\.apache\.juli\.FileHandler\.level[\\s]*=[\\s]*(WARNING)"
# Note: Variable @LOGGING_LEVEL@ replaced with "WARNING" in field "expect".
expect : "org\.apache\.juli\.FileHandler\.level[\\s]*=[\\s]*(WARNING)"

system : "Linux"
type : FILE_CONTENT_CHECK
description : "7.2 Specify file handler in logging.properties (check if java.util.logging.ConsoleHandler exists in default)"
info : "Handlers specify where log messages are sent. Console handlers send log messages to the Java console and File handlers specify logging to a file."
solution : "Add the following entries to your logging.properties file if they do not exist.
handlers=org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
Ensure logging is not off and set the logging level to the desired level such as:
org.apache.juli.FileHandler.level=FINEST"
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
file : "/etc/tomcat8/logging.properties"
regex : "handlers[\\s]*=[\\s]*.*java\.util\.logging\.ConsoleHandler"
expect : "handlers[\\s]*=[\\s]*.*java\.util\.logging\.ConsoleHandler"

system : "Linux"
type : FILE_CONTENT_CHECK
description : "7.2 Specify file handler in logging.properties (check if java.util.logging.ConsoleHandler logging is enabled in default)"
info : "Handlers specify where log messages are sent. Console handlers send log messages to the Java console and File handlers specify logging to a file."
solution : "Add the following entries to your logging.properties file if they do not exist.
handlers=org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
Ensure logging is not off and set the logging level to the desired level such as:
org.apache.juli.FileHandler.level=FINEST"
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
file : "/etc/tomcat8/logging.properties"
# Note: Variable @LOGGING_LEVEL@ replaced with "WARNING" in field "regex".
regex : "java\.util\.logging\.ConsoleHandler\.level[\\s]*=[\\s]*(WARNING)"
# Note: Variable @LOGGING_LEVEL@ replaced with "WARNING" in field "expect".
expect : "java\.util\.logging\.ConsoleHandler\.level[\\s]*=[\\s]*(WARNING)"

system : "Linux"
type : CMD_EXEC
description : "7.4 Ensure directory in context.xml is a secure location - configuration"
info : "The directory attribute tells Tomcat where to store logs. It is recommended that the location pointed to by the directory attribute is secured."
solution : "1. Add the following statement into the $CATALINA_BASE\webapps\\META-INF\context.xml file if it does not already exist.
2. Set the location pointed to by the directory attribute to be owned by tomcat_admin:tomcat with permissions of o-rwx.
# chown tomcat_admin:tomcat $CATALINA_HOME/logs
# chmod o-rwx $CATALINA_HOME/logs"
reference : "800-53|AU-9,800-171|3.3.8,800-171|3.3.9,CSF|PR.PT-1,ITSG-33|AU-9,SWIFT-CSCv1|5.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_BASE@ replaced with "/var/lib/tomcat8/webapps" in field "cmd".
# Note: Variable @WEB_APP_DIR@ replaced with "yourappname" in field "cmd".
cmd : "$(which egrep) '^ *[^

system : "Linux"
type : FILE_CHECK
description : "7.4 Ensure directory in context.xml is a secure location - permissions"
info : "The directory attribute tells Tomcat where to store logs. It is recommended that the location pointed to by the directory attribute is secured."
solution : "1. Add the following statement into the $CATALINA_BASE\webapps\\META-INF\context.xml file if it does not already exist.
2. Set the location pointed to by the directory attribute to be owned by tomcat_admin:tomcat with permissions of o-rwx.
# chown tomcat_admin:tomcat $CATALINA_HOME/logs
# chmod o-rwx $CATALINA_HOME/logs"
reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @SECURE_LOG_DIR@ replaced with "/var/log/tomcat8" in field "file".
file : "/var/log/tomcat8"
# Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
owner : "tomcat_admin"
mask : "007"
file_type : "d"
# Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
group : "tomcat"

system : "Linux"
type : CMD_EXEC
description : "7.5 Ensure pattern in context.xml is correct"
info : "The pattern setting informs Tomcat what information should be logged. At a minimum, enough information to uniquely identify a request, what was requested, where the request originated from, and when the request occurred should be logged."
solution : "Add the following statement into the $CATALINA_BASE\webapps\\META-INF\context.xml file if it does not already exist.
"
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CN-L3|7.1.3.3(a),CN-L3|7.1.3.3(b),CN-L3|7.1.3.3(c),CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,ISO/IEC-27001|A.12.4.1,ITSG-33|AU-12,SWIFT-CSCv1|6.4,TBA-FIISB|45.1.1,CSCv6|6.2,LEVEL|1S,PCI-DSSv3.1|10.3,PCI-DSSv3.2|10.3"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_BASE@ replaced with "/var/lib/tomcat8/webapps" in field "cmd".
# Note: Variable @WEB_APP_DIR@ replaced with "yourappname" in field "cmd".
cmd : "$(which egrep) '^ *[^

system : "Linux"
type : FILE_CONTENT_CHECK
description : "7.6 Ensure directory in logging.properties is a secure location (check log directory location)"
info : "The directory attribute tells Tomcat where to store logs. The directory value should be a secure location with restricted access."
solution : "Perform the following:
1. Add the following properties into your logging.properties file if they do not exist
.org.apache.juli.FileHandler.directory=
.org.apache.juli.FileHandler.prefix=
2. Set the location pointed to by the directory attribute to be owned by tomcat_admin:tomcat with permissions of o-rwx.
# chown tomcat_admin:tomcat
# chmod o-rwx "
reference : "800-53|AU-9,800-171|3.3.8,800-171|3.3.9,CSF|PR.PT-1,ITSG-33|AU-9,SWIFT-CSCv1|5.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
file : "/etc/tomcat8/logging.properties"
# Note: Variable @WEB_APP_DIR@ replaced with "yourappname" in field "regex".
# Note: Variable @SECURE_LOG_DIR@ replaced with "/var/log/tomcat8" in field "regex".
regex : "yourappname\.org\.apache\.juli\.FileHandler\.directory[\\s]*=[\\s]*/var/log/tomcat8"
# Note: Variable @WEB_APP_DIR@ replaced with "yourappname" in field "expect".
# Note: Variable @SECURE_LOG_DIR@ replaced with "/var/log/tomcat8" in field "expect".
expect : "yourappname\.org\.apache\.juli\.FileHandler\.directory[\\s]*=[\\s]*/var/log/tomcat8"

system : "Linux"
type : FILE_CONTENT_CHECK
description : "7.6 Ensure directory in logging.properties is a secure location (check prefix application name)"
info : "The directory attribute tells Tomcat where to store logs. The directory value should be a secure location with restricted access."
solution : "Perform the following:
1. Add the following properties into your logging.properties file if they do not exist
.org.apache.juli.FileHandler.directory=
.org.apache.juli.FileHandler.prefix=
2. Set the location pointed to by the directory attribute to be owned by tomcat_admin:tomcat with permissions of o-rwx.
# chown tomcat_admin:tomcat
# chmod o-rwx "
reference : "800-53|AU-9,800-171|3.3.8,800-171|3.3.9,CSF|PR.PT-1,ITSG-33|AU-9,SWIFT-CSCv1|5.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
file : "/etc/tomcat8/logging.properties"
# Note: Variable @WEB_APP_DIR@ replaced with "yourappname" in field "regex".
# Note: Variable @WEB_APP_DIR@ replaced with "yourappname" in field "regex".
regex : "yourappname\.org\.apache\.juli\.FileHandler\.prefix[\\s]*=[\\s]*yourappname"
# Note: Variable @WEB_APP_DIR@ replaced with "yourappname" in field "expect".
# Note: Variable @WEB_APP_DIR@ replaced with "yourappname" in field "expect".
expect : "yourappname\.org\.apache\.juli\.FileHandler\.prefix[\\s]*=[\\s]*yourappname"

system : "Linux"
type : FILE_CHECK
description : "7.6 Ensure directory in logging.properties is a secure location (check application log directory is secure)"
info : "The directory attribute tells Tomcat where to store logs. The directory value should be a secure location with restricted access."
solution : "Perform the following:
1.
Add the following properties into your logging.properties file if they do not exist
.org.apache.juli.FileHandler.directory=
.org.apache.juli.FileHandler.prefix=
2. Set the location pointed to by the directory attribute to be owned by tomcat_admin:tomcat with permissions of o-rwx.
# chown tomcat_admin:tomcat
# chmod o-rwx "
reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @SECURE_LOG_DIR@ replaced with "/var/log/tomcat8" in field "file".
file : "/var/log/tomcat8"
# Note: Variable @TOMCAT_OWNER@ replaced with "tomcat_admin" in field "owner".
owner : "tomcat_admin"
mask : "077"
file_type : "d"
# Note: Variable @TOMCAT_GROUP@ replaced with "tomcat" in field "group".
group : "tomcat"

##################################################
# 8 Configure Catalina Policy
##################################################

system : "Linux"
type : CMD_EXEC
description : "8.1 Restrict runtime access to sensitive packages"
info : "package.access grants or revokes access to listed packages during runtime. It is recommended that application access to certain packages be restricted.
NOTE: Nessus did not perform this check as it requires a manual review of the outputted packages that have access. Review the reported packages to ensure only required packages are enabled."
solution : "Edit $CATALINA_BASE/conf/catalina.properties by adding allowed packages to the package.access list."
reference : "800-53|AC-6,800-171|3.1.5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,SWIFT-CSCv1|5.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "cmd".
cmd : "/bin/egrep 'package\.access[\s\t]*=[\s\t]*(.*)' /etc/tomcat8/catalina.properties"
expect : ""

##################################################
# 9 Application Deployment
##################################################

system : "Linux"
type : FILE_CONTENT_CHECK
description : "9.1 Starting Tomcat with Security Manager"
info : "Configure application to run in a sandbox using the Security Manager. The Security Manager restricts what classes Tomcat can access, thus protecting your server from mistakes, Trojans, and malicious code.
NOTE: This check looks at the $CATALINA_HOME/bin/startup.sh script to determine if -security is enabled when Tomcat is started. If your startup script is located in a different location, adjust this check to account for this."
solution : "The security policies implemented by the Java SecurityManager are configured in the $CATALINA_HOME/conf/catalina.policy file. Once you have configured the catalina.policy file for use with a SecurityManager, Tomcat can be started with a SecurityManager in place by using the -security option:
$ $CATALINA_HOME/bin/catalina.sh start -security"
reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_HOME@ replaced with "/usr/share/tomcat8" in field "file".
file : "/usr/share/tomcat8/bin/startup.sh"
regex : "\-security"
expect : "\-security"

##################################################
# 10 Miscellaneous Configuration Settings
##################################################

system : "Linux"
type : CMD_EXEC
description : "10.1 Ensure Web content directory is on a separate partition from the Tomcat system files (verify Web content directory)"
info : "The web document directory is where the files which are served to the end user reside.
In the past, directory traversal exploits have allowed malicious users to play havoc on a web server, including executing code, uploading files, and reading sensitive data. Even if you do not have any directory traversal exploits in your server or code at this time, that doesn't mean they won't be introduced in the future. Moving your web document directory onto a different partition will prevent these kinds of attacks from doing more damage to other parts of the file system."
solution : "Move the web content files to a separate partition from the tomcat system files and update your configuration."
reference : "800-53|CM-6,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1NS"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_HOME@ replaced with "/usr/share/tomcat8" in field "cmd".
# Note: Variable @CATALINA_HOME@ replaced with "/usr/share/tomcat8" in field "cmd".
cmd : "/bin/df /usr/share/tomcat8 /usr/share/tomcat8/webapps | /bin/sed 1,1d | /usr/bin/sort -u | /usr/bin/wc -l"
expect : "2"

system : "Linux"
type : AUDIT_XML
description : "10.4 Force SSL when accessing the manager application"
info : "Use the transport-guarantee attribute to ensure SSL protection when accessing the manager application."
solution : "Set $CATALINA_HOME/webapps/manager/WEB-INF/web.xml:
CONFIDENTIAL "
reference : "800-53|SC-13,800-171|3.13.11,CSF|PR.DS-5,ITSG-33|SC-13,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_BASE@ replaced with "/var/lib/tomcat8/webapps" in field "file".
file : "/var/lib/tomcat8/webapps/manager/WEB-INF/web.xml"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "PASS - SSL forced for manager application"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "FAIL - transport-guarantee not set to CONFIDENTIAL"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "FAIL - security-constraint misconfigured or not present"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : "PASS"
expect : "PASS"

system : "Linux"
type : FILE_CONTENT_CHECK
description : "10.6 Enable strict servlet Compliance"
info : "The STRICT_SERVLET_COMPLIANCE setting influences Tomcat's behavior in several subtle ways. See the References below for the complete list. It is recommended that STRICT_SERVLET_COMPLIANCE is set to true."
solution : "Start Tomcat with strict compliance enabled. Add the following to your startup script:
-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true"
reference : "800-53|CM-6,CSCv6|3.1,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_HOME@ replaced with "/usr/share/tomcat8" in field "file".
file : "/usr/share/tomcat8/bin/catalina.sh"
regex : "-Dorg\.apache\.catalina\.STRICT_SERVLET_COMPLIANCE[\\s]*=[\\s]*[Tt][Rr][Uu][Ee]"
expect : "-Dorg\.apache\.catalina\.STRICT_SERVLET_COMPLIANCE[\\s]*=[\\s]*[Tt][Rr][Uu][Ee]"

system : "Linux"
type : FILE_CONTENT_CHECK
description : "10.7 Turn off session facade recycling"
info : "The RECYCLE_FACADES setting specifies whether a new facade will be created for each request. If a new facade is not created there is a potential for information leakage from other sessions."
solution : "Start Tomcat with RECYCLE_FACADES set to true.
Add the following to your startup script:
-Dorg.apache.catalina.connector.RECYCLE_FACADES=true"
reference : "800-53|CM-6,800-171|3.4.2,CSF|PR.IP-1,ITSG-33|CM-6,SWIFT-CSCv1|2.3,CSCv6|3.1,LEVEL|1S,PCI-DSSv3.1|2.2.4,PCI-DSSv3.2|2.2.4"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_HOME@ replaced with "/usr/share/tomcat8" in field "file".
file : "/usr/share/tomcat8/bin/catalina.sh"
regex : "-Dorg\.apache\.catalina\.connector\.RECYCLE_FACADES[\\s]*=[\\s]*[Tt][Rr][Uu][Ee]"
expect : "-Dorg\.apache\.catalina\.connector\.RECYCLE_FACADES[\\s]*=[\\s]*[Tt][Rr][Uu][Ee]"

system : "Linux"
type : AUDIT_XML
description : "10.13 Do not allow symbolic linking"
info : "Symbolic links allow one application to include the libraries from another. This allows for re-use of code but also allows for potential security issues when applications include libraries from other applications they should not have access to."
solution : "In all context.xml, set the allowLinking attribute to false."
reference : "800-53|AC-6,800-171|3.1.5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,SWIFT-CSCv1|5.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
file : "/etc/tomcat8/context.xml"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "PASS - allowLinking is explicitly disabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "FAIL - allowLinking is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "PASS - allowLinking attribute not present"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : "PASS"
expect : "PASS"

system : "Linux"
type : AUDIT_XML
description : "10.14 Do not run applications as privileged"
info : "Setting the privileged attribute for an application changes the class loader to the Server class loader instead of the Shared class loader."
solution : "In all context.xml, set the privileged attribute to false unless it is required like the manager application: "
reference : "800-53|AC-6,800-171|3.1.5,CN-L3|7.1.3.2(b),CN-L3|7.1.3.2(g),CSF|PR.AC-4,CSF|PR.DS-5,ITSG-33|AC-6,SWIFT-CSCv1|5.1,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
file : "/etc/tomcat8/context.xml"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "PASS - privileged attribute is explicitly disabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "FAIL - privileged attribute is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "PASS - privileged attribute not present"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : "PASS"
expect : "PASS"

system : "Linux"
type : AUDIT_XML
description : "10.15 Do not allow cross context requests"
info : "Setting crossContext to true allows an application to call ServletContext.getContext to return a dispatcher for another application."
solution : "In all context.xml, set the crossContext attribute to false: "
reference : "800-53|CM-7,800-171|3.4.6,800-171|3.4.7,CN-L3|7.1.3.5(c),CN-L3|7.1.3.7(d),CSF|PR.IP-1,CSF|PR.PT-3,ITSG-33|CM-7,SWIFT-CSCv1|2.3,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
file : "/etc/tomcat8/context.xml"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "PASS - crossContext attribute is explicitly disabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "FAIL - crossContext attribute is enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "PASS - crossContext attribute not present"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
regex : "PASS"
expect : "PASS"

system : "Linux"
type : AUDIT_XML
description : "10.17 Enable memory leak listener (verify present)"
info : "The JRE Memory Leak Prevention Listener provides work-arounds for known places where the Java Runtime environment uses the context class loader to load a singleton, as this will cause a memory leak if a web application class loader happens to be the context class loader at the time. The work-around is to initialise these singletons when this listener starts, as Tomcat's common class loader is the context class loader at that time. It also provides work-arounds for known issues that can result in locked JAR files."
solution : "Uncomment the JRE Memory Leak Prevention Listener in $CATALINA_HOME/conf/server.xml "
reference : "800-53|SI-16,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
file : "/etc/tomcat8/server.xml"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "PASS - org.apache.catalina.core.JreMemoryLeakPreventionListener enabled"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "FAIL - org.apache.catalina.core.JreMemoryLeakPreventionListener commented out or not present"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "PASS"

system : "Linux"
type : AUDIT_XML
description : "10.18 Setting Security Lifecycle Listener (check for config component)"
info : "The Security Lifecycle Listener performs a number of security checks when Tomcat starts and prevents Tomcat from starting if they fail."
solution : "To enable it uncomment the listener in $CATALINA_BASE/conf/server.xml. If the operating system supports umask then the line in $CATALINA_HOME/bin/catalina.sh that obtains the umask also needs to be uncommented.
Within Server elements add:
- checkedOsUsers: A comma separated list of OS users that must not be used to start Tomcat. If not specified, the default value of root is used.
- minimumUmask: The least restrictive umask that must be configured before Tomcat will start. If not specified, the default value of 0007 is used. "
reference : "800-53|SI-10,LEVEL|1S"
see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf"
# Note: Variable @CATALINA_CONF@ replaced with "/etc/tomcat8" in field "file".
file : "/etc/tomcat8/server.xml"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "PASS - org.apache.catalina.security.SecurityListener present"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : "FAIL - org.apache.catalina.security.SecurityListener commented out or not present"
xsl_stmt : ""
xsl_stmt : ""
xsl_stmt : ""
expect : "PASS"

system : "Linux"
type : FILE_CONTENT_CHECK_NOT
description : "10.18 Setting Security Lifecycle Listener (check for umask uncommented in startup)"
info : "The Security Lifecycle Listener performs a number of security checks when Tomcat starts and prevents Tomcat from starting if they fail."
solution : "To enable it uncomment the listener in $CATALINA_BASE/conf/server.xml. If the operating system supports umask then the line in $CATALINA_HOME/bin/catalina.sh that obtains the umask also needs to be uncommented.
Within Server elements add:
- checkedOsUsers: A comma separated list of OS users that must not be used to start Tomcat. If not specified, the default value of root is used.
- minimumUmask: The least restrictive umask that must be configured before Tomcat will start. If not specified, the default value of 0007 is used.
" reference : "800-53|AC-3,800-171|3.1.1,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf" # Note: Variable @CATALINA_HOME@ replaced with "/usr/share/tomcat8" in field "file". file : "/usr/share/tomcat8/bin/catalina.sh" regex : "^\s*#\s*JAVA_OPTS=\"\$JAVA_OPTS -Dorg\.apache\.catalina\.security\.SecurityListener\.UMASK=.*\"" expect : "^\s*#\s*JAVA_OPTS=\"\$JAVA_OPTS -Dorg\.apache\.catalina\.security\.SecurityListener\.UMASK=.*\"" system : "Linux" type : FILE_CONTENT_CHECK_NOT description : "10.18 Setting Security Lifecycle Listener (check for umask present in startup)" info : "The Security Lifecycle Listener performs a number of security checks when Tomcat starts and prevents Tomcat from starting if they fail." solution : "To enable it uncomment the listener in $CATALINA_BASE/conf/server.xml. If the operating system supports umask then the line in $CATALINA_HOME/bin/catalina.sh that obtains the umask also needs to be uncommented. Within Server elements add: - checkedOsUsers: A comma separated list of OS users that must not be used to start Tomcat. If not specified, the default value of root is used. - minimumUmask: The least restrictive umask that must be configured before Tomcat will start. If not specified, the default value of 0007 is used. " reference : "800-53|AC-3,800-171|3.1.1,CSF|PR.AC-4,CSF|PR.PT-3,ITSG-33|AC-3,LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf" # Note: Variable @CATALINA_HOME@ replaced with "/usr/share/tomcat8" in field "file". 
file : "/usr/share/tomcat8/bin/catalina.sh" regex : "^\s*JAVA_OPTS=\"\$JAVA_OPTS -Dorg\.apache\.catalina\.security\.SecurityListener\.UMASK=\d{3,4}\"" expect : "^\s*JAVA_OPTS=\"\$JAVA_OPTS -Dorg\.apache\.catalina\.security\.SecurityListener\.UMASK=\d{3,4}\"" description : "10.19 Use the logEffectiveWebXml and metadata-complete settings for deploying applications in production" info : "Both Fragments and annotations give rise to security concerns. web.xml contains a metadata-complete attribute in the web-app element whose binary value defines whether other sources of metadata should be considered when deploying this web application, this includes annotations on class files (@WebServlet, but also @WebListener, @WebFilter, ), web-fragment.xml as well as classes located in WEB-INF/classes. In addition, Tomcat 8 could allow you to log the effective web.xml, when an application starts, and the effective web.xml is the result of taking the main web.xml for your application merging in all the fragments applying all the annotations. By logging that you are able to review it, and see if that is in fact what you actually want. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance." solution : "1. Set the metadata-complete value in the web.xml in each of applications to true, the web.xml contains a metadata-complete attribute in the web-app element whose binary value defines whether other sources of metadata should be considered when deploying this web application, this includes annotations on class files (@WebServlet, but also @WebListener, @WebFilter, ...), web-fragment.xml as well as classes located in WEB-INF/classes. If set to true, all of these will be ignored and web.xml is the only metadata considered. NOTE: The metadata-complete option is not enough to disable all of annotation scanning. 
If there is a ServletContainerInitializer with a @HandlesTypes annotation, Tomcat has to scan your application for classes that use annotations or interfaces specified in that annotation. 2. Set the logEffectiveWebXml value in the context.xml in each of applications to true." reference : "LEVEL|1S" see_also : "https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_Tomcat_8_Benchmark_v1.0.1.pdf" description : "CIS_Apache_Tomcat_8_L1_v1.0.1.audit Level 1" info : "NOTE: Nessus has not identified that the chosen audit applies to the target device."
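The XSLT bodies of the AUDIT_XML items above did not survive extraction, so the following Python script is an added, stand-alone re-implementation of the same checks for anyone who wants to run them outside Nessus: the crossContext item on context.xml (three outcomes), the 10.17 and 10.18 listener items on server.xml (an XML parser drops comments, so a commented-out Listener is simply absent, which is the "commented out or not present" case), the effective checkedOsUsers/minimumUmask settings with the defaults the benchmark documents, and the two catalina.sh regexes from the FILE_CONTENT_CHECK items copied verbatim. It is example code, not Tenable's audit engine or Tomcat's own code; the context.xml, server.xml and catalina.sh contents are constructed samples, and the function names are assumptions.

```python
"""Offline re-implementation of the CIS Tomcat 8 L1 items above (example code,
not part of the Tenable .audit). All inputs are constructed samples."""
import re
import xml.etree.ElementTree as ET

# --- constructed sample files (stand-ins for /etc/tomcat8/... and catalina.sh) ---
CONTEXT_XML = """<Context crossContext="false">
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
"""

SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.security.SecurityListener"
            checkedOsUsers="root" minimumUmask="0007" />
  <!-- <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> -->
  <Service name="Catalina" />
</Server>
"""

CATALINA_SH = """#!/bin/sh
# Constructed sample: the UMASK line is still commented out.
#JAVA_OPTS="$JAVA_OPTS -Dorg.apache.catalina.security.SecurityListener.UMASK=`umask`"
JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true"
"""

MEMLEAK = "org.apache.catalina.core.JreMemoryLeakPreventionListener"
SECLISTENER = "org.apache.catalina.security.SecurityListener"

# The two regexes used by the FILE_CONTENT_CHECK items on catalina.sh, verbatim.
UMASK_COMMENTED = re.compile(
    r'^\s*#\s*JAVA_OPTS="\$JAVA_OPTS -Dorg\.apache\.catalina\.security\.SecurityListener\.UMASK=.*"')
UMASK_ACTIVE = re.compile(
    r'^\s*JAVA_OPTS="\$JAVA_OPTS -Dorg\.apache\.catalina\.security\.SecurityListener\.UMASK=\d{3,4}"')


def check_cross_context(context_xml: str) -> str:
    """Three outcomes of the crossContext item, keyed on the root <Context> attribute."""
    value = ET.fromstring(context_xml).get("crossContext")
    if value is None:
        return "PASS - crossContext attribute not present"
    if value.strip().lower() == "false":
        return "PASS - crossContext attribute is explicitly disabled"
    return "FAIL - crossContext attribute is enabled"


def active_listeners(server_xml: str) -> dict:
    """className -> attributes for every *uncommented* <Listener> in server.xml.
    ElementTree discards XML comments, so a commented-out listener never shows up."""
    root = ET.fromstring(server_xml)
    return {el.get("className"): dict(el.attrib) for el in root.iter("Listener")}


def check_listener(server_xml: str, class_name: str) -> str:
    """Items 10.17 / 10.18: is the listener configured and not commented out?"""
    if class_name in active_listeners(server_xml):
        return f"PASS - {class_name} enabled"
    return f"FAIL - {class_name} commented out or not present"


def security_listener_settings(server_xml: str) -> dict:
    """Effective SecurityListener settings, applying the documented defaults
    (checkedOsUsers=root, minimumUmask=0007) when an attribute is omitted."""
    attrs = active_listeners(server_xml).get(SECLISTENER)
    if attrs is None:
        return {}
    return {
        "checkedOsUsers": [u.strip() for u in attrs.get("checkedOsUsers", "root").split(",")],
        "minimumUmask": int(attrs.get("minimumUmask", "0007"), 8),
    }


def umask_at_least(umask: int, required: int = 0o007) -> bool:
    """True when `umask` clears every permission bit that `required` clears
    (i.e. it is at least as restrictive as the benchmark default 0007)."""
    return umask & required == required


def check_umask_line(catalina_sh: str) -> str:
    """Classify the SecurityListener UMASK line in catalina.sh."""
    lines = catalina_sh.splitlines()
    if any(UMASK_ACTIVE.match(line) for line in lines):
        return "PASS - UMASK line active"
    if any(UMASK_COMMENTED.match(line) for line in lines):
        return "FAIL - UMASK line commented out"
    return "FAIL - UMASK line not present"


def audit_all(context_xml: str, server_xml: str, catalina_sh: str) -> dict:
    """Run every check and return item -> result, as a Nessus-style summary."""
    settings = security_listener_settings(server_xml)
    return {
        "crossContext": check_cross_context(context_xml),
        "10.17": check_listener(server_xml, MEMLEAK),
        "10.18 listener": check_listener(server_xml, SECLISTENER),
        "10.18 minimumUmask": "PASS" if settings and umask_at_least(settings["minimumUmask"]) else "FAIL",
        "10.18 catalina.sh": check_umask_line(catalina_sh),
    }


if __name__ == "__main__":
    for item, result in audit_all(CONTEXT_XML, SERVER_XML, CATALINA_SH).items():
        print(f"{item:20s} {result}")
```

To audit a real host, read the three files named in the audit items (`/etc/tomcat8/context.xml`, `/etc/tomcat8/server.xml`, `/usr/share/tomcat8/bin/catalina.sh`) and pass their contents to `audit_all`; the constructed sample above deliberately fails 10.17 and the catalina.sh check so that both branches are exercised.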