STIGQter: STIG Summary:| Checked | Name | Title |
|---|---|---|
| ☐ | SV-222926r615938_rule | The number of allowed simultaneous sessions to the manager application must be limited. |
| ☐ | SV-222927r615938_rule | Secured connectors must be configured to use strong encryption ciphers. |
| ☐ | SV-222928r616154_rule | HTTP Strict Transport Security (HSTS) must be enabled. |
| ☐ | SV-222929r615938_rule | TLS 1.2 must be used on secured HTTP connectors. |
| ☐ | SV-222930r615938_rule | AccessLogValve must be configured for each application context. |
| ☐ | SV-222931r615938_rule | Default password for keystore must be changed. |
| ☐ | SV-222932r615938_rule | Cookies must have secure flag set. |
| ☐ | SV-222933r615938_rule | Cookies must have http-only flag set. |
| ☐ | SV-222934r615938_rule | DefaultServlet must be set to readonly for PUT and DELETE. |
| ☐ | SV-222935r615938_rule | Connectors must be secured. |
| ☐ | SV-222936r615938_rule | The Java Security Manager must be enabled. |
| ☐ | SV-222937r615938_rule | Tomcat servers behind a proxy or load balancer must log client IP. |
| ☐ | SV-222938r615938_rule | AccessLogValve must be configured per each virtual host. |
| ☐ | SV-222939r615938_rule | Date and time of events must be logged. |
| ☐ | SV-222940r615938_rule | Remote hostname must be logged. |
| ☐ | SV-222941r615938_rule | HTTP status code must be logged. |
| ☐ | SV-222942r615938_rule | The first line of request must be logged. |
| ☐ | SV-222943r615938_rule | $CATALINA_BASE/logs folder permissions must be set to 750. |
| ☐ | SV-222944r615938_rule | Files in the $CATALINA_BASE/logs/ folder must have their permissions set to 640. |
| ☐ | SV-222945r615938_rule | Files in the $CATALINA_BASE/conf/ folder must have their permissions set to 640. |
| ☐ | SV-222946r615938_rule | $CATALINA_BASE/conf folder permissions must be set to 750. |
| ☐ | SV-222947r615938_rule | Jar files in the $CATALINA_HOME/bin/ folder must have their permissions set to 640. |
| ☐ | SV-222948r615938_rule | $CATALINA_HOME/bin folder permissions must be set to 750. |
| ☐ | SV-222949r615938_rule | Tomcat user UMASK must be set to 0027. |
| ☐ | SV-222950r615938_rule | Stack tracing must be disabled. |
| ☐ | SV-222951r615938_rule | The shutdown port must be disabled. |
| ☐ | SV-222952r615938_rule | Unapproved connectors must be disabled. |
| ☐ | SV-222953r615938_rule | DefaultServlet debug parameter must be disabled. |
| ☐ | SV-222954r615938_rule | DefaultServlet directory listings parameter must be disabled. |
| ☐ | SV-222955r615938_rule | The deployXML attribute must be set to false in hosted environments. |
| ☐ | SV-222956r615938_rule | Autodeploy must be disabled. |
| ☐ | SV-222957r615938_rule | xpoweredBy attribute must be disabled. |
| ☐ | SV-222958r615938_rule | Example applications must be removed. |
| ☐ | SV-222959r615938_rule | Tomcat default ROOT web application must be removed. |
| ☐ | SV-222960r615938_rule | Documentation must be removed. |
| ☐ | SV-222961r615938_rule | Applications in privileged mode must be approved by the ISSO. |
| ☐ | SV-222962r615938_rule | Tomcat management applications must use LDAP realm authentication. |
| ☐ | SV-222963r615938_rule | JMX authentication must be secured. |
| ☐ | SV-222964r615938_rule | TLS must be enabled on JMX. |
| ☐ | SV-222965r615938_rule | LDAP authentication must be secured. |
| ☐ | SV-222966r616155_rule | DoD root CA certificates must be installed in Tomcat trust store. |
| ☐ | SV-222967r615938_rule | Keystore file must be protected. |
| ☐ | SV-222968r615938_rule | Tomcat must use FIPS-validated ciphers on secured connectors. |
| ☐ | SV-222969r615938_rule | Access to JMX management interface must be restricted. |
| ☐ | SV-222970r615938_rule | Access to Tomcat manager application must be restricted. |
| ☐ | SV-222971r615938_rule | Tomcat servers must mutually authenticate proxy or load balancer connections. |
| ☐ | SV-222973r615938_rule | Tomcat must be configured to limit data exposure between applications. |
| ☐ | SV-222974r615938_rule | Clusters must operate on a trusted network. |
| ☐ | SV-222975r615938_rule | ErrorReportValve showServerInfo must be set to false. |
| ☐ | SV-222976r615938_rule | Default error pages for manager application must be customized. |
| ☐ | SV-222977r615938_rule | ErrorReportValve showReport must be set to false. |
| ☐ | SV-222978r615938_rule | Tomcat server version must not be sent with warnings and errors. |
| ☐ | SV-222979r615938_rule | Idle timeout for management application must be set to 10 minutes. |
| ☐ | SV-222980r615938_rule | LockOutRealms must be used for management of Tomcat. |
| ☐ | SV-222981r615938_rule | LockOutRealms failureCount attribute must be set to 5 failed logins for admin users. |
| ☐ | SV-222982r615938_rule | LockOutRealms lockOutTime attribute must be set to 600 seconds (10 minutes) for admin users. |
| ☐ | SV-222983r615938_rule | Tomcat user account must be set to nologin. |
| ☐ | SV-222984r615938_rule | Tomcat user account must be a non-privileged user. |
| ☐ | SV-222985r615938_rule | Application user name must be logged. |
| ☐ | SV-222986r615938_rule | $CATALINA_HOME folder must be owned by the root user, group tomcat. |
| ☐ | SV-222987r615938_rule | $CATALINA_BASE/conf/ folder must be owned by root, group tomcat. |
| ☐ | SV-222988r615938_rule | $CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat. |
| ☐ | SV-222989r615938_rule | $CATALINA_BASE/temp/ folder must be owned by tomcat user, group tomcat. |
| ☐ | SV-222990r615938_rule | $CATALINA_BASE/temp folder permissions must be set to 750. |
| ☐ | SV-222991r615938_rule | $CATALINA_BASE/work/ folder must be owned by tomcat user, group tomcat. |
| ☐ | SV-222993r615938_rule | Multifactor certificate-based tokens (CAC) must be used when accessing the management interface. |
| ☐ | SV-222994r615938_rule | Certificates in the trust store must be issued/signed by an approved CA. |
| ☐ | SV-222995r615938_rule | The application server, when categorized as a high availability system within RMF, must be in a high-availability (HA) cluster. |
| ☐ | SV-222996r615938_rule | Tomcat server must be patched for security vulnerabilities. |
| ☐ | SV-222997r615938_rule | AccessLogValve must be configured for Catalina engine. |
| ☐ | SV-222998r615938_rule | Changes to $CATALINA_HOME/bin/ folder must be logged. |
| ☐ | SV-222999r615938_rule | Changes to $CATALINA_BASE/conf/ folder must be logged. |
| ☐ | SV-223000r615938_rule | Changes to $CATALINA_HOME/lib/ folder must be logged. |
| ☐ | SV-223001r615938_rule | Application servers must use NIST-approved or NSA-approved key management technology and processes. |
| ☐ | SV-223002r615938_rule | STRICT_SERVLET_COMPLIANCE must be set to true. |
| ☐ | SV-223003r615938_rule | RECYCLE_FACADES must be set to true. |
| ☐ | SV-223004r615938_rule | ALLOW_BACKSLASH must be set to false. |
| ☐ | SV-223005r615938_rule | ENFORCE_ENCODING_IN_GET_WRITER must be set to true. |
| ☐ | SV-223006r615938_rule | Tomcat users in a management role must be approved by the ISSO. |
| ☐ | SV-223007r615938_rule | Hosted applications must be documented in the system security plan. |
| ☐ | SV-223008r615938_rule | Connectors must be approved by the ISSO. |
| ☐ | SV-223009r615938_rule | Connector address attribute must be set. |
| ☐ | SV-223010r615938_rule | The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure. |