| NaN |
Version: 5.20130214 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE ID |
CCE Description |
CCE Parameters |
CCE Technical Mechanisms |
NaN |
APPLICATION SERVICES SECURITY CHECKLIST Version 1, Release 1.1 31 July 2006 Section 3A App_sService_Checklist_Sec3A_V1R1-1.doc |
Apache Software Foundation Apache Tomcat 4 Documentation |
Apache Software Foundation Apache Tomcat 5.5 Documentation |
Tomcat The Definitive Guide Ch 6 Tomcat Security http://oreilly.com/catalog/tomcat/chapter/ch06.pdf |
| CCE-27473-8 |
The Java Security Manager (JSM) should be enabled or disabled as appropriate. |
(1) exist/not exist |
(1) catalina.policy file under Catalina Home |
NaN |
SDID: AST0560 Category: 1 VULID: V0006215 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECRC-1 SDID Description: Application Security Manager is not turned on. Reference: Application Services STIG, Appendix B.3.5 |
NaN |
NaN |
NaN |
| CCE-27687-3 |
Tomcat should be configured to run with or without the Java Security Manager upon startup. |
(1) exist/not exist |
(1) '-security' command-line parameter on Tomcat startup -Djava.security.manager command line parameter |
NaN |
SDID: AST0560 Category: 1 VULID: V0006215 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECRC-1 SDID Description: Application Security Manager is not turned on. Reference: Application Services STIG, Appendix B.3.5 |
NaN |
NaN |
NaN |
| CCE-27749-1 |
The Tomcat server port number should be set correctly. |
(1) port number |
(1) '<Server Port = <port number> >' element in server.xml |
NaN |
SDID: APS0560 Category: II VULID: V0012322 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: DCFA-1 SDID Description: Interfaces between the application server and external systems are not identified and secured. Reference: Application Services STIG, Section 3.2.6 |
NaN |
NaN |
NaN |
| CCE-27391-2 |
The Tomcat Legacy JK AJP 1.3 connector should be enabled or disabled as appropriate. |
(1) exist/not exist |
(1) '<Connector protocolHandlerClassName="org.apache.ajp.tomcat4.Ajp13Connector">' element in server.xml |
NaN |
NaN |
http://tomcat.apache.org/tomcat-4.1-doc/config/connectors.html |
NaN |
NaN |
| CCE-27398-7 |
The Tomcat Legacy JK AJP 1.3 connectors should listen on the specified ports. |
(1) port number |
(1) 'port' attribute inside '<Connector protocolHandlerClassName="org.apache.ajp.tomcat4.Ajp13Connector">' element in server.xml |
NaN |
NaN |
http://tomcat.apache.org/tomcat-4.1-doc/config/connectors.html |
NaN |
NaN |
| CCE-27706-1 |
The Tomcat Legacy HTTP/1.1 connector should be enabled or disabled as appropriate. |
(1) exist/not exist |
(1) '<Connector protocolHandlerClassName="org.apache.catalina.connector.http.HttpConnector">' element in server.xml |
NaN |
NaN |
http://tomcat.apache.org/tomcat-4.1-doc/config/connectors.html |
NaN |
NaN |
| CCE-27614-7 |
The Tomcat Legacy HTTP/1.1 connectors should listen on the specified ports. |
(1) port number |
(1) 'port' attribute inside '<Connector protocolHandlerClassName="org.apache.catalina.connector.http.HttpConnector">' element in server.xml |
NaN |
NaN |
http://tomcat.apache.org/tomcat-4.1-doc/config/connectors.html |
NaN |
NaN |
| CCE-27704-6 |
The Tomcat login authentication method should be set correctly. |
(1) BASIC/FORM/DIGEST/CLIENT_CERT |
(1) Value of '<auth-method>' element in web.xml |
NaN |
SDID: APS0140 Category: II VULID: V0006202 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: IAIA-1, ECLO-2 SDID Description: Application server’s client authentication process is inadequate. Reference: Application Services STIG, Appendix B.4.2, B.4.3, B.4.4 |
NaN |
NaN |
NaN |
| CCE-27615-4 |
Security roles for the Tomcat manager app should be set correctly. |
(1) security role name |
(1) '<role-name>' element inside '<security-role>' element in the admin.xml file under Tomcat |
NaN |
SDID: AST0820 Category: II VULID: V0006225 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECLP-1 SDID Description: Admin and Manager Web Applications are not adequately restrictive. Reference: Application Services STIG, Section 3.4.1 |
NaN |
NaN |
NaN |
| CCE-27754-1 |
Security roles for the Tomcat admin app should be set correctly. |
(1) security role name |
(1) '<role-name>' element inside '<security-role>' element in the manager.xml file under Tomcat |
NaN |
SDID: AST0820 Category: II VULID: V0006225 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECLP-1 SDID Description: Admin and Manager Web Applications are not adequately restrictive. Reference: Application Services STIG, Section 3.4.1 |
NaN |
NaN |
NaN |
| CCE-27644-4 |
Access to the Tomcat Admin app should be denied as appropriate. |
(1) list of IPs |
(1) '<deny>' element inside the '<Valve className="org.apache.catalina.valves.RemoteAddrValve"/>' element in the admin.xml file under Tomcat |
NaN |
SDID: AST0820 Category: II VULID: V0006225 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECLP-1 SDID Description: Admin and Manager Web Applications are not adequately restrictive. Reference: Application Services STIG, Section 3.4.1 |
NaN |
NaN |
NaN |
| CCE-27723-6 |
Access to the Tomcat Admin app should be allowed as appropriate. |
(1) list of IPs |
(1) '<allow>' element inside the '<Valve className="org.apache.catalina.valves.RemoteAddrValve"/>' element in the admin.xml file under Tomcat |
NaN |
SDID: AST0820 Category: II VULID: V0006225 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECLP-1 SDID Description: Admin and Manager Web Applications are not adequately restrictive. Reference: Application Services STIG, Section 3.4.1 |
NaN |
NaN |
NaN |
| CCE-27746-7 |
Access to the Tomcat manager app should be denied as appropriate. |
(1) list of IPs |
(1) '<deny>' element inside the '<Valve className="org.apache.catalina.valves.RemoteAddrValve"/>' element in the manager.xml file under Tomcat |
NaN |
SDID: AST0820 Category: II VULID: V0006225 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECLP-1 SDID Description: Admin and Manager Web Applications are not adequately restrictive. Reference: Application Services STIG, Section 3.4.1 |
NaN |
NaN |
NaN |
| CCE-27269-0 |
Access to the Tomcat manager app should be allowed as appropriate. |
(1) list of IPs |
(1) '<allow>' element inside the '<Valve className="org.apache.catalina.valves.RemoteAddrValve"/>' element in the manager.xml file under Tomcat |
NaN |
SDID: AST0820 Category: II VULID: V0006225 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECLP-1 SDID Description: Admin and Manager Web Applications are not adequately restrictive. Reference: Application Services STIG, Section 3.4.1 |
NaN |
NaN |
NaN |
| CCE-27624-6 |
The owner of the Tomcat home directory should be set correctly. |
(1) owner |
(1) via chown |
NaN |
SDID: AST0340 Category: II VULID: V0006207 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECCR-1, ECCR-2 SDID Description: OS level file permissions are not adequately restrictive. Reference: Application Services STIG, Appendix B.2 |
NaN |
NaN |
NaN |
| CCE-27532-1 |
The group of the Tomcat home directory should be set correctly. |
(1) group |
(1) via chgrp |
NaN |
SDID: AST0340 Category: II VULID: V0006207 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECCR-1, ECCR-2 SDID Description: OS level file permissions are not adequately restrictive. Reference: Application Services STIG, Appendix B.2 |
NaN |
NaN |
NaN |
| CCE-27751-7 |
The permissions for the Tomcat home directory should be set correctly. |
(1) permissions |
(1) via chown |
NaN |
SDID: AST0340 Category: II VULID: V0006207 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECCR-1, ECCR-2 SDID Description: OS level file permissions are not adequately restrictive. Reference: Application Services STIG, Appendix B.2 |
NaN |
NaN |
NaN |
| CCE-27524-8 |
The owner of the Tomcat home/conf/ directory should be set correctly. |
(1) owner |
(1) via chown |
NaN |
SDID: AST0340 Category: II VULID: V0006207 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECCR-1, ECCR-2 SDID Description: OS level file permissions are not adequately restrictive. Reference: Application Services STIG, Appendix B.2 |
NaN |
NaN |
NaN |
| CCE-27747-5 |
The group of the Tomcat home/conf/ directory should be set correctly. |
(1) group |
(1) via chgrp |
NaN |
SDID: AST0340 Category: II VULID: V0006207 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECCR-1, ECCR-2 SDID Description: OS level file permissions are not adequately restrictive. Reference: Application Services STIG, Appendix B.2 |
NaN |
NaN |
NaN |
| CCE-27376-3 |
The permissions for the Tomcat home/conf/ directory should be set correctly. |
(1) permissions |
(1) via chown |
NaN |
SDID: AST0340 Category: II VULID: V0006207 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECCR-1, ECCR-2 SDID Description: OS level file permissions are not adequately restrictive. Reference: Application Services STIG, Appendix B.2 |
NaN |
NaN |
NaN |
| CCE-27113-0 |
The owner of the tomcat-users.xml file should be set correctly. |
(1) owner |
(1) via chown |
NaN |
SDID: AST0340 Category: II VULID: V0006207 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECCR-1, ECCR-2 SDID Description: OS level file permissions are not adequately restrictive. Reference: Application Services STIG, Appendix B.2 |
NaN |
NaN |
NaN |
| CCE-27538-8 |
The group of the tomcat-users.xml file should be set correctly. |
(1) group |
(1) via chgrp |
NaN |
SDID: AST0340 Category: II VULID: V0006207 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECCR-1, ECCR-2 SDID Description: OS level file permissions are not adequately restrictive. Reference: Application Services STIG, Appendix B.2 |
NaN |
NaN |
NaN |
| CCE-27689-9 |
The permissions for the tomcat-users.xml file should be set correctly. |
(1) permissions |
(1) via chown |
NaN |
SDID: AST0340 Category: II VULID: V0006207 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECCR-1, ECCR-2 SDID Description: OS level file permissions are not adequately restrictive. Reference: Application Services STIG, Appendix B.2 |
NaN |
NaN |
NaN |
| CCE-27159-3 |
The password digest algorithm for JDBCRealm (database) connections should be enabled or disabled as appropriate. |
(1) exist/not exist |
(1) 'digest' attribute inside '<Realm classname=org.apache.catalina.realm.JDBCRealm>' element in server.xml |
NaN |
SDID: AST0310 Category: II VULID: V0006204 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECCR-1, ECCR-2 SDID Description: Sensitive application data is not adequately protected at rest. Reference: Application Services STIG, Appendix B.3 |
NaN |
NaN |
NaN |
| CCE-27760-8 |
The JDBCRealm (database) password digest algorithm should be set correctly |
(1) SHA/MD2/MD5 |
(1) 'digest' attribute inside '<Realm classname=org.apache.catalina.realm.JDBCRealm>' element in server.xml |
NaN |
SDID: AST0310 Category: II VULID: V0006204 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECCR-1, ECCR-2 SDID Description: Sensitive application data is not adequately protected at rest. Reference: Application Services STIG, Appendix B.3 |
NaN |
NaN |
NaN |
| CCE-27681-6 |
The password digest algorithm for JNDIRealm (LDAP) connections should be enabled or disabled as appropriate. |
(1) exist/not exist |
(1) 'digest' attribute inside '<Realm classname=org.apache.catalina.realm.JNDIRealm>' element in server.xml |
NaN |
SDID: AST0310 Category: II VULID: V0006204 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECCR-1, ECCR-2 SDID Description: Sensitive application data is not adequately protected at rest. Reference: Application Services STIG, Appendix B.3 |
NaN |
NaN |
NaN |
| CCE-27717-8 |
The JNDIRealm (LDAP) password digest should be configured appropriately. |
(1) SHA/MD2/MD5 |
(1) 'digest' attribute inside '<Realm classname=org.apache.catalina.realm.JNDIRealm>' element in server.xml |
NaN |
SDID: AST0310 Category: II VULID: V0006204 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECCR-1, ECCR-2 SDID Description: Sensitive application data is not adequately protected at rest. Reference: Application Services STIG, Appendix B.3 |
NaN |
NaN |
NaN |
| CCE-27429-0 |
The Tomcat HTTP/1.1 connector should be enabled or disabled. |
(1) exists/ not exist |
(1) '<Connector protocol="HTTP/1.1">' element in server.xml |
NaN |
NaN |
NaN |
Apache Tomcat Configuration Reference The HTTP Connector http://tomcat.apache.org/tomcat-5.5-doc/config/http.html |
NaN |
| CCE-27673-3 |
The Tomcat HTTP/1.1 connector should be configured appropriately for the specified ports. |
(1) TARGET: port number (2) exists/ not exist |
(1) 'port' attribute inside '<Connector protocol="HTTP/1.1">' element in server.xml |
NaN |
NaN |
NaN |
Apache Tomcat Configuration Reference The HTTP Connector http://tomcat.apache.org/tomcat-5.5-doc/config/http.html |
NaN |
| CCE-27738-4 |
The secure attribute should be set as appropriate for the specified Tomcat HTTP/1.1 connectors. |
(1) TARGET: connector (2) true/false |
(1) secure attribute in a <Connector protocol="HTTP/1.1"> line in server.xml |
NaN |
NaN |
NaN |
Apache Tomcat Configuration Reference The HTTP Connector http://tomcat.apache.org/tomcat-5.5-doc/config/http.html |
NaN |
| CCE-27758-2 |
The Tomcat JK/JK2 AJP 1.3 connector should be enabled or disabled as appropriate. |
(1) exist/not exist |
(1) '<Connector protocol="AJP/1.3">' element in server.xml |
NaN |
NaN |
NaN |
Apache Tomcat Configuration Reference The HTTP Connector http://tomcat.apache.org/tomcat-5.5-doc/config/http.html |
NaN |
| CCE-27450-6 |
The Tomcat JK/JK2 AJP 1.3 connector should be configured appropriately for the specified ports. |
(1) port number |
(1) 'port' attribute inside '<Connector protocol="AJP/1.3">' element in server.xml |
NaN |
NaN |
NaN |
Apache Tomcat Configuration Reference The HTTP Connector http://tomcat.apache.org/tomcat-5.5-doc/config/http.html |
NaN |
| CCE-27402-7 |
The secure attribute should be set as appropriate for the specified Tomcat JK/JK2 AJP 1.3 connectors. |
(1) exist/not exist |
(1) security attribute inside '<Connector protocol="AJP/1.3">' element in server.xml |
NaN |
NaN |
NaN |
Apache Tomcat Configuration Reference The HTTP Connector http://tomcat.apache.org/tomcat-5.5-doc/config/http.html |
NaN |
| CCE-27551-1 |
The Tomcat Legacy JK AJP 1.3 connector should be enabled or disabled as appropriate. |
(1) exist/not exist |
(1) '<Connector protocolHandlerClassName="org.apache.ajp.tomcat4.Ajp13Connector">' element in server.xml |
NaN |
NaN |
http://tomcat.apache.org/tomcat-4.1-doc/config/connectors.html |
NaN |
NaN |
| CCE-27665-9 |
The Tomcat Legacy JK AJP 1.3 connector should be configured appropriately for the specified ports. |
(1) port number |
(1) 'port' attribute inside '<Connector protocolHandlerClassName="org.apache.ajp.tomcat4.Ajp13Connector">' element in server.xml |
NaN |
NaN |
http://tomcat.apache.org/tomcat-4.1-doc/config/connectors.html |
NaN |
NaN |
| CCE-27729-3 |
The Tomcat WARP connector should be enabled or disabled as appropriate. |
(1) exist/not exist |
(1) '<Connector protocol=WARP>' element in server.xml |
NaN |
NaN |
http://tomcat.apache.org/tomcat-4.1-doc/config/connectors.html |
NaN |
NaN |
| CCE-27467-0 |
The Tomcat WARP connector should be configured appropriately for the specified ports. |
(1) port number |
(1) 'port' attribute inside '<Connector protocol=WARP>' element in server.xml |
NaN |
NaN |
http://tomcat.apache.org/tomcat-4.1-doc/config/connectors.html |
NaN |
NaN |
| CCE-27637-8 |
JULI container level logging should be enabled or disabled as appropriate. |
(1) exists/ not exist |
(1) logging.properties file |
NaN |
NaN |
NaN |
The Apache Tomcat 5.5 Servlet/JSP Container Logging in Tomcat java.util.logging http://tomcat.apache.org/tomcat-5.5-doc/logging.html |
NaN |
| CCE-27703-8 |
The JULI FileHandler threshold level should be set correctly for the specified classes. |
(1) TARGET: class (2) FINEST/FINER/FINE/CONFIG/INFO/WARNING/SEVERE |
(1) <class>.org.apache.juli.FileHandler.level in logging.properties |
NaN |
NaN |
NaN |
The Apache Tomcat 5.5 Servlet/JSP Container Logging in Tomcat java.util.logging http://tomcat.apache.org/tomcat-5.5-doc/logging.html |
NaN |
| CCE-27552-9 |
The JULI FileHandler save directory should be configured appropriately for the specified classes |
(1) TARGET: class (2) directory |
(1) <class>.org.apache.juli.FileHandler.directory in logging.properties |
NaN |
NaN |
NaN |
The Apache Tomcat 5.5 Servlet/JSP Container Logging in Tomcat java.util.logging http://tomcat.apache.org/tomcat-5.5-doc/logging.html |
NaN |
| CCE-27488-6 |
The JULI FileHandlerlog file name prefix should be set correctly for the specified classes. |
(1) TARGET: class (2) prefix |
(1) <class>.org.apache.juli.FileHandler.prefix in logging.properties |
NaN |
NaN |
NaN |
The Apache Tomcat 5.5 Servlet/JSP Container Logging in Tomcat java.util.logging http://tomcat.apache.org/tomcat-5.5-doc/logging.html |
NaN |
| CCE-27539-6 |
Granting of all permissions to Tomcat web applications should be enabled or disabled as appropriate. |
(1) exist/not exist |
(1) 'permission java.security.AllPermission' line(s) inside 'grant{}' statement in catalina.policy |
NaN |
NaN |
NaN |
Apache Tomcat 5.5 Security Manager HOW-TO Standard Permissions http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html |
NaN |
| CCE-26982-9 |
The example files should be installed as appropriate. |
(1) exist/not exist |
(1) located in /examples directory |
NaN |
SDID: AST0610 Category: II VULID: V0006217 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: DCSQ-1 SDID Description: Application server default content has not been removed. Reference: Application Services STIG, Appendix B.6 |
NaN |
NaN |
NaN |
| CCE-27603-0 |
The WebDAV app should be installed as appropriate. |
(1) exist/not exist |
(1) located in /webdav directory |
NaN |
SDID: AST0610 Category: II VULID: V0006217 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: DCSQ-1 SDID Description: Application server default content has not been removed. Reference: Application Services STIG, Appendix B.6 |
NaN |
NaN |
NaN |
| CCE-27504-0 |
The Tomcat-docs should be installed as appropriate. |
(1) exist/not exist |
(1) located in /tomcat-docs directory |
NaN |
SDID: AST0610 Category: II VULID: V0006217 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: DCSQ-1 SDID Description: Application server default content has not been removed. Reference: Application Services STIG, Appendix B.6 |
NaN |
NaN |
NaN |
| CCE-27585-9 |
The Balancer app should be installed as appropriate. |
(1) exist/not exist |
(1) located in /balancer directory |
NaN |
SDID: AST0610 Category: II VULID: V0006217 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: DCSQ-1 SDID Description: Application server default content has not been removed. Reference: Application Services STIG, Appendix B.6 |
NaN |
NaN |
NaN |
| CCE-27543-8 |
The example server.xml file should be installed as appropriate. |
(1) exist/not exist |
(1) located in the Tomcat home/conf/ directory |
NaN |
SDID: AST0610 Category: II VULID: V0006217 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: DCSQ-1 SDID Description: Application server default content has not been removed. Reference: Application Services STIG, Appendix B.6 |
NaN |
NaN |
NaN |
| CCE-27527-1 |
Tomcat should be run by the appropriate account |
(1) exist/not exist |
(1) via chown |
NaN |
SDID: ASG0520 Category: II VULID: V0006211 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECLP-1 SDID Description: The application server process runs with privileges not necessary for proper operation. Reference: Application Services STIG, Appendix B.3.5 |
NaN |
NaN |
NaN |
| CCE-27478-7 |
Tomcat should be run with the appropriate group membership. |
(1) exist/not exist |
(1) via chgrp |
NaN |
SDID: ASG0520 Category: II VULID: V0006211 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECLP-1 SDID Description: The application server process runs with privileges not necessary for proper operation. Reference: Application Services STIG, Appendix B.3.5 |
NaN |
NaN |
NaN |
| CCE-27655-0 |
Tomcat web application JVM property read permissions should be set correctly for the specified properties. |
(1) TARGET: JVM property |
(1) 'permission java.util.PropertyPermission' line(s) inside 'grant{}' statement in catalina.policy |
NaN |
NaN |
NaN |
Apache Tomcat 5.5 Security Manager HOW-TO Standard Permissions http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html |
NaN |
| CCE-27493-6 |
Tomcat web application JVM property write permissions should be set correctly for the specified properties. |
(1) TARGET: JVM property |
(1) 'permission java.util.PropertyPermission' line(s) inside 'grant{}' statement in catalina.policy |
NaN |
NaN |
NaN |
Apache Tomcat 5.5 Security Manager HOW-TO Standard Permissions http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html |
NaN |
| CCE-27629-5 |
Tomcat should be run by the appropriate account |
(1) exist/not exist |
(1) via chown |
NaN |
SDID: ASG0520 Category: II VULID: V0006211 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECLP-1 SDID Description: The application server process runs with privileges not necessary for proper operation. Reference: Application Services STIG, Appendix B.3.5 |
NaN |
NaN |
NaN |
| CCE-27028-0 |
Tomcat should be run with the appropriate group membership. |
(1) exist/not exist |
(1) via chgrp |
NaN |
SDID: ASG0520 Category: II VULID: V0006211 MAC/Confidentiality Levels: MAC I – CSP, MAC II – CSP, MAC III – CSP IA Controls: ECLP-1 SDID Description: The application server process runs with privileges not necessary for proper operation. Reference: Application Services STIG, Appendix B.3.5 |
NaN |
NaN |
NaN |
| CCE-27659-2 |
The Tomcat user account should be locked or unlocked as appropriate. |
(1) locked/unlocked |
(1) via passwd |
NaN |
NaN |
NaN |
NaN |
Using a Non-root User in the chroot Jail pg 145 |