Do not resolve hosts on logging valves

Details

Setting enableLookups to true on a Connector results in DNS lookups to obtain the host name of the remote client before any information is logged. This uses additional resources when logging.

Rationale:

Enabling enableLookups adds overhead to resolve the host name of a remote client, which is rarely needed.

Solution

In Connector elements, set the enableLookups attribute to false or remove it.

Default Value:

By default, DNS lookups are disabled.
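
One way to audit the Solution and Default Value above is to parse server.xml and classify every Connector. This is an added example, not part of the original benchmark text. The sample configuration is constructed, the function names are hypothetical, and treating any value other than a literal true or false (such as a `${...}` property placeholder) as needing manual review is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the page); ports/protocols are illustrative.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" enableLookups="true"/>
    <Connector port="8443" protocol="HTTP/1.1" enableLookups="False"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <!-- <Connector port="8081" enableLookups="true"/> -->
    <Connector port="8082" protocol="HTTP/1.1" enableLookups="${lookups}"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return one finding per active <Connector>, classified against the control."""
    findings = []
    root = ET.fromstring(server_xml)
    # The XML parser drops comments, so commented-out Connectors are ignored,
    # which a plain text search for 'enableLookups="true"' would not do.
    for conn in root.iter("Connector"):
        raw = conn.get("enableLookups")
        value = None if raw is None else raw.strip().lower()
        if value is None or value == "false":
            status = "pass"    # absent attribute: lookups are disabled by default
        elif value == "true":
            status = "fail"    # remote host name is resolved via DNS
        else:
            status = "review"  # assumption: cannot be decided from the file alone
        findings.append({"port": conn.get("port"),
                         "enableLookups": raw,
                         "status": status})
    return findings


def is_compliant(server_xml):
    """True only when every Connector passes with no item left for review."""
    return all(f["status"] == "pass" for f in audit_connectors(server_xml))


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print("Connector port=%s enableLookups=%r -> %s"
              % (f["port"], f["enableLookups"], f["status"]))
```
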

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.

Updated on July 16, 2022