TCAT-AS-000010 – The number of allowed simultaneous sessions to the manager application must be limited. Details The manager application provides configuration access to the Tomcat server. Access to the manager application must be limited and...
TCAT-AS-000020 – Secured connectors must be configured to use strong encryption ciphers. Details The Tomcat Connector element controls the TLS protocol and the associated ciphers used. If a strong cipher is not selected,...
TCAT-AS-000030 – HTTP Strict Transport Security (HSTS) must be enabled. Details HTTP Strict Transport Security (HSTS) instructs web browsers to only use secure connections for all future requests when communicating...
TCAT-AS-000040 – TLS 1.2 must be used on secured HTTP connectors. Details Using older versions of TLS exposes the server to the known weaknesses of those protocol versions. Tomcat by...
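The two findings above (TCAT-AS-000020 and TCAT-AS-000040) both come down to attributes on the secured Connector (or, in Tomcat 8.5 and later, on its nested SSLHostConfig element). The following audit script is an added example, not part of the STIG text or of Tomcat; it parses a server.xml and reports legacy protocol versions and weak cipher suites. Both server.xml fragments are constructed samples, the keystore path conf/localhost.p12 is a placeholder, and the weak-cipher markers are an illustrative heuristic rather than the STIG's authoritative list.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the STIG): a secured connector that still
# permits TLS 1.0/1.1 and legacy ciphers (3DES, RC4).
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  </Service>
</Server>"""

# Constructed sample: the corrected connector, TLS 1.2 only with AEAD,
# forward-secret suites, expressed on the nested <SSLHostConfig> element.
# The keystore path is a placeholder (assumption).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2"
                     ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
        <Certificate certificateKeystoreFile="conf/localhost.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

# Heuristic substrings that mark a suite as weak (illustrative, not the STIG list).
WEAK_MARKERS = ("NULL", "anon", "EXPORT", "RC4", "DES", "MD5")
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def audit_connectors(server_xml: str) -> list:
    """Return one finding string per problem found on SSL-enabled connectors."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors are out of scope here
        port = conn.get("port", "?")
        # Legacy form: attributes on the Connector; newer form: SSLHostConfig child.
        protocols = conn.get("sslEnabledProtocols")
        ciphers = conn.get("ciphers")
        for shc in conn.findall("SSLHostConfig"):
            protocols = shc.get("protocols", protocols)
            ciphers = shc.get("ciphers", ciphers)

        if not protocols:
            findings.append(f"port {port}: no explicit protocol restriction; "
                            "Tomcat's version-dependent default is in use")
        else:
            # Tomcat accepts comma, '+' or whitespace separators; a bare "all"
            # is reported as legacy because it is not an explicit TLS 1.2 pin.
            old = [p for p in re.split(r"[,+\s]+", protocols)
                   if p and p not in ALLOWED_PROTOCOLS]
            if old:
                findings.append(f"port {port}: legacy protocols enabled: {', '.join(old)}")

        if not ciphers:
            findings.append(f"port {port}: no explicit cipher list; Tomcat default list in use")
        else:
            weak = [c for c in re.split(r"[,:\s]+", ciphers)
                    if c and any(m in c for m in WEAK_MARKERS)]
            if weak:
                findings.append(f"port {port}: weak ciphers: {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_connectors(xml) or "OK")
```

Run it against a real $CATALINA_BASE/conf/server.xml by reading the file into audit_connectors; an empty list means every SSL-enabled connector pins TLS 1.2/1.3 and carries no suite matching the weak markers.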
TCAT-AS-000050 – AccessLogValve must be configured for each application context. Details Tomcat has the ability to host multiple contexts (applications) on one physical server by using nested Host and Context elements in server.xml. This allows...
TCAT-AS-000060 – Default password for keystore must be changed. Details Tomcat currently operates only on JKS, PKCS11, or PKCS12 format keystores. The JKS format is Java’s standard ‘Java KeyStore’...
TCAT-AS-000070 – Cookies must have secure flag set. Details It is possible to steal or manipulate web application sessions and cookies without having a secure cookie. Configuring the...
TCAT-AS-000080 – Cookies must have http-only flag set. Details It is possible to steal or manipulate web application sessions and cookies when the session cookie lacks the HttpOnly flag, because client-side script can then read it. Configuring the...
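TCAT-AS-000030 (HSTS) and the two cookie findings (TCAT-AS-000070, TCAT-AS-000080) are all settled in web.xml: HSTS through Tomcat's org.apache.catalina.filters.HttpHeaderSecurityFilter, the cookie flags through session-config/cookie-config. The audit below is an added example, not part of the STIG or of Tomcat; it checks that the filter is declared and mapped with hstsEnabled not turned off and a positive hstsMaxAgeSeconds (Tomcat's default of 0 would tell browsers to drop the policy), and that both cookie flags are true. The two web.xml fragments are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the STIG): no HSTS filter, secure flag off,
# http-only flag absent.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <session-config>
    <cookie-config>
      <secure>false</secure>
    </cookie-config>
  </session-config>
</web-app>"""

# Constructed sample: the corrected configuration.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <session-config>
    <cookie-config>
      <secure>true</secure>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>"""


def _local(el):
    """Tag name without the Java EE namespace prefix."""
    return el.tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c) == name]


def _text(el, name):
    for c in _children(el, name):
        return (c.text or "").strip()
    return None


def audit_web_xml(web_xml: str) -> list:
    """Return one finding string per HSTS or cookie-flag problem."""
    findings = []
    root = ET.fromstring(web_xml)

    hsts_filters = []
    for f in _children(root, "filter"):
        if (_text(f, "filter-class") or "").endswith("HttpHeaderSecurityFilter"):
            params = {_text(p, "param-name"): _text(p, "param-value")
                      for p in _children(f, "init-param")}
            hsts_filters.append((_text(f, "filter-name"), params))
    if not hsts_filters:
        findings.append("HSTS: HttpHeaderSecurityFilter is not declared")
    for name, params in hsts_filters:
        if params.get("hstsEnabled", "true").lower() != "true":  # Tomcat default: true
            findings.append(f"HSTS: filter {name} has hstsEnabled=false")
        try:
            max_age = int(params.get("hstsMaxAgeSeconds", "0"))  # Tomcat default: 0
        except ValueError:
            max_age = 0
        if max_age <= 0:
            findings.append(f"HSTS: filter {name} has hstsMaxAgeSeconds <= 0")
        if not any(_text(m, "filter-name") == name for m in _children(root, "filter-mapping")):
            findings.append(f"HSTS: filter {name} has no filter-mapping")

    cookie = None
    for sc in _children(root, "session-config"):
        for cc in _children(sc, "cookie-config"):
            cookie = cc
    for flag in ("secure", "http-only"):
        value = _text(cookie, flag) if cookie is not None else None
        if (value or "").lower() != "true":
            findings.append(f"cookie: <{flag}> is not true (found {value!r})")
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_web_xml(xml) or "OK")
```

Point it at $CATALINA_BASE/conf/web.xml for the server-wide defaults and at each application's WEB-INF/web.xml, since an application descriptor can override the cookie settings.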
TCAT-AS-000270 – The first line of the request must be logged. Details The access logfile format is defined within a Valve of class org.apache.catalina.valves.AccessLogValve within the /opt/tomcat/server.xml configuration file (typically $CATALINA_BASE/conf/server.xml):...
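TCAT-AS-000050 and TCAT-AS-000270 together require that every host and context is covered by an AccessLogValve whose pattern records the request line (%r). The audit below is an added example, not part of the STIG or of Tomcat. It treats a valve declared on the Engine or Host as inherited by the contexts beneath it, accepts the built-in "common" and "combined" aliases because both expand to a pattern containing "%r", and treats a missing pattern attribute as "common", Tomcat's default. It deliberately matches only org.apache.catalina.valves.AccessLogValve, since ExtendedAccessLogValve uses a different pattern syntax. Both server.xml fragments are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the STIG): one host logs without %r, the
# other host and its context have no access log at all.
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"
               pattern="%h %t %s %b"/>
      </Host>
      <Host name="app.example.com" appBase="app">
        <Context path="/app" docBase="app"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

# Constructed sample: the corrected configuration; the context inherits
# the host-level valve.
HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log" suffix=".txt"
               pattern="combined"/>
      </Host>
      <Host name="app.example.com" appBase="app">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="app_access_log" suffix=".txt"
               pattern='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"'/>
        <Context path="/app" docBase="app"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"


def _valves(el):
    """Direct AccessLogValve children of an Engine, Host or Context element."""
    return [v for v in el.findall("Valve") if v.get("className") == ACCESS_LOG_VALVE]


def _check(scope, valves, findings):
    if not valves:
        findings.append(f"{scope}: no AccessLogValve configured")
        return
    for v in valves:
        pattern = v.get("pattern", "common")  # Tomcat's default pattern is "common"
        if pattern not in ("common", "combined") and "%r" not in pattern:
            findings.append(f"{scope}: pattern {pattern!r} does not log the request line (%r)")


def audit_access_logging(server_xml: str) -> list:
    """Return one finding per host or context lacking request-line access logging."""
    findings = []
    root = ET.fromstring(server_xml)
    for engine in root.iter("Engine"):
        engine_valves = _valves(engine)
        for host in engine.findall("Host"):
            hname = host.get("name", "?")
            inherited = engine_valves + _valves(host)
            # The host itself must be covered: auto-deployed applications have
            # no Context element in server.xml and rely on inherited valves.
            _check(f"host {hname}", inherited, findings)
            for ctx in host.findall("Context"):
                _check(f"host {hname} context {ctx.get('path', '?')}",
                       inherited + _valves(ctx), findings)
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_access_logging(xml) or "OK")
```

Contexts defined in per-application context.xml files (META-INF/context.xml or conf/Catalina/<host>/<app>.xml) are not seen by this script; for those, run _check on each file's Context element with the valves inherited from its host.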
TCAT-AS-000360 – $CATALINA_BASE/logs folder permissions must be set to 750. Details Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with...
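For TCAT-AS-000360 the check is a mode comparison on the directory, but the files inside it deserve the same attention: access logs carry client addresses, request lines and often session identifiers. The script below is an added example, not part of the STIG or of Tomcat. It audits a logs directory against mode 750, flags entries readable or writable by others, refuses to follow a symlinked logs directory, and applies the fix. The demo() function builds a constructed, mis-permissioned directory under a temporary path so the example runs offline; the sample log line it writes is constructed.

```python
import os
import stat
import tempfile

EXPECTED_DIR_MODE = 0o750  # rwxr-x--- as required for $CATALINA_BASE/logs


def check_logs_dir(path, expected=EXPECTED_DIR_MODE):
    """Return findings for the logs directory and the entries it contains."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A symlinked logs directory should be audited at its target, not here.
        return [f"{path}: is a symlink; audit its target instead"]
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected:
        findings.append(f"{path}: mode {mode:04o}, expected {expected:04o}")
    for name in sorted(os.listdir(path)):
        fmode = stat.S_IMODE(os.lstat(os.path.join(path, name)).st_mode)
        if fmode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append(f"{path}/{name}: accessible by other ({fmode:04o})")
    return findings


def remediate_logs_dir(path, expected=EXPECTED_DIR_MODE):
    """Set the directory to the expected mode and clear 'other' bits on its entries."""
    os.chmod(path, expected)
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if not os.path.islink(full):
            os.chmod(full, stat.S_IMODE(os.lstat(full).st_mode) & ~0o007)


def demo():
    """Constructed scenario: a world-writable logs directory holding a
    world-writable access log. Returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp(prefix="tomcat-logs-")
    os.chmod(root, 0o777)
    log = os.path.join(root, "localhost_access_log.txt")
    with open(log, "w") as fh:  # constructed sample log line
        fh.write('127.0.0.1 - - [01/Jan/2024:00:00:00 +0000] "GET /manager/html HTTP/1.1" 401 -\n')
    os.chmod(log, 0o666)
    before = check_logs_dir(root)
    remediate_logs_dir(root)
    after = check_logs_dir(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after or "OK")
```

On a live server run check_logs_dir on $CATALINA_BASE/logs as the Tomcat service user's administrator; ownership (the STIG's root/tomcat expectation) is not covered by this mode check and must be verified separately.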