{
  "format_version": 3,
  "policy": {
    "external_id": "452936171df597bf99ed0eb9e1b26f53",
    "name": "CIS Apache Tomcat 8 Benchmark v1.1.0 - Level 1",
    "version": "1.0.0",
    "description": "CIS Level 1 hardening profile for Apache Tomcat 8 on Linux. Server-banner suppression, TRACE off, nondeterministic shutdown command, CATALINA_HOME permissions, LockOutRealm, accurate connector scheme, package.access restrictions, auto/startup deploy disabled, bounded connection timeout, allowLinking false. server.xml lookups expand across /etc/tomcat*, /opt/tomcat*, /usr/share/tomcat*, /var/lib/tomcat*.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "f42b0db336326a00e41e53f474f103bd",
      "name": "2.4 — Disable X-Powered-By HTTP Header and rename the Server value for all Connectors",
      "description": "Connector elements should set xpoweredBy=\"false\" and a non-default `server` attribute. The check only verifies that xpoweredBy=\"false\" is present; the `server` attribute is not inspected.",
      "rational": "Default server-banner values leak the exact Tomcat version, helping attackers target known CVEs.",
      "remediation": "In server.xml set `<Connector ... xpoweredBy=\"false\" server=\"WebServer\" ... />`.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hE 'xpoweredBy=\"false\"' /etc/tomcat*/server.xml /opt/tomcat*/conf/server.xml /usr/share/tomcat*/conf/server.xml /var/lib/tomcat*/conf/server.xml 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "9e770a7d091f0fb85e29b2121f628ca7",
      "name": "2.5 — Disable client-facing Stack Traces",
      "description": "Application errors must not propagate stack traces to clients. The check inspects only the global conf/web.xml; per-application web.xml files are not examined.",
      "rational": "Stack traces expose package names, file paths, and library versions — all of which aid targeted exploitation.",
      "remediation": "Define `<error-page>` entries with `<exception-type>java.lang.Throwable</exception-type>` in web.xml.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hE '<exception-type>java\\.lang\\.Throwable</exception-type>' /etc/tomcat*/web.xml /opt/tomcat*/conf/web.xml 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "077ee91e1ce8e96a148afc24fa66c50a",
      "name": "2.6 — Turn off TRACE",
      "description": "The HTTP TRACE method should be disabled on every Connector.",
      "rational": "TRACE responses echo client headers and can be abused in cross-site tracing attacks.",
      "remediation": "Set `allowTrace=\"false\"` on every <Connector> in server.xml (or omit — false is the default).",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hE 'allowTrace=\"true\"' /etc/tomcat*/server.xml /opt/tomcat*/conf/server.xml /usr/share/tomcat*/conf/server.xml /var/lib/tomcat*/conf/server.xml 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "1ab1b14a4e681337dcaa9e793c8cd376",
      "name": "3.1 — Set a nondeterministic Shutdown command value",
      "description": "The default shutdown command value 'SHUTDOWN' must be replaced with a random string, or the shutdown port disabled. The check flags the literal default string wherever it appears, even if the port has already been set to -1.",
      "rational": "Anyone who can reach the shutdown port can stop Tomcat by sending the well-known default command.",
      "remediation": "In <Server> change `shutdown=\"SHUTDOWN\"` to a long random string, or set the port to -1.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hE 'shutdown=\"SHUTDOWN\"' /etc/tomcat*/server.xml /opt/tomcat*/conf/server.xml /usr/share/tomcat*/conf/server.xml /var/lib/tomcat*/conf/server.xml 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "70661d6b92c09b0835aeb3d42b3a744a",
      "name": "4.1 — Restrict access to $CATALINA_HOME",
      "description": "$CATALINA_HOME and its contents must be owned by the Tomcat user and not group/world writable. The check inspects only the top-level directory's mode and owner, not its contents, and assumes the service account is named 'tomcat'.",
      "rational": "Loose permissions on CATALINA_HOME let other accounts swap binaries or webapps and run as the Tomcat user.",
      "remediation": "chown -R tomcat:tomcat /opt/tomcat && chmod -R g-w,o-rwx /opt/tomcat",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "find /opt/tomcat* /usr/share/tomcat* -maxdepth 0 -type d \\( -perm /022 -o -not -user tomcat \\) 2>/dev/null | wc -l",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "94957532edeb4d77f9ab1d97b6e924eb",
      "name": "5.2 — Use LockOut Realms",
      "description": "A LockOutRealm should wrap the configured Realm so brute-force attempts trigger lockouts.",
      "rational": "Without lockout, an attacker can make unlimited password guesses against the Realm with no rate limiting.",
      "remediation": "In server.xml wrap your Realm inside `<Realm className=\"org.apache.catalina.realm.LockOutRealm\">…</Realm>`.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hE 'LockOutRealm' /etc/tomcat*/server.xml /opt/tomcat*/conf/server.xml /usr/share/tomcat*/conf/server.xml /var/lib/tomcat*/conf/server.xml 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "1c11b45f2a09a08c6bf95648175ba8bf",
      "name": "6.3 — Ensure scheme is set accurately",
      "description": "Connectors must declare scheme=\"http\" or scheme=\"https\" matching their actual protocol. The check only confirms that at least one Connector declares scheme=\"https\"; it does not verify that each Connector's scheme matches its protocol.",
      "rational": "An incorrect scheme makes Tomcat build URLs and evaluate security decisions against the wrong base, undermining HSTS and Secure cookie flags.",
      "remediation": "Set `scheme=\"https\"` on the SSL connector and `scheme=\"http\"` on the plain one in server.xml.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hE 'scheme=\"https\"' /etc/tomcat*/server.xml /opt/tomcat*/conf/server.xml /usr/share/tomcat*/conf/server.xml /var/lib/tomcat*/conf/server.xml 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "4ae5d8794cd957e240fb5265e34d8a92",
      "name": "8.1 — Restrict runtime access to sensitive packages",
      "description": "catalina.properties should grant webapps access only to required packages via package.access; this list is enforced only when Tomcat runs with the Java SecurityManager enabled.",
      "rational": "Without package restrictions a hostile webapp can introspect or call internal Catalina classes.",
      "remediation": "Configure `package.access` and `package.definition` lists in $CATALINA_BASE/conf/catalina.properties.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hE '^package\\.access' /etc/tomcat*/catalina.properties /opt/tomcat*/conf/catalina.properties 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "9d3dd321970fe0b156726eeed0fc67e5",
      "name": "9.2 — Disable auto deployment of applications",
      "description": "autoDeploy on the Host element should be false in production.",
      "rational": "Auto-deploy reads /webapps/ for new WAR files and silently expands them — anyone who can drop a file there gains code execution.",
      "remediation": "Set `autoDeploy=\"false\"` on the <Host> element in server.xml.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hE 'autoDeploy=\"false\"' /etc/tomcat*/server.xml /opt/tomcat*/conf/server.xml /usr/share/tomcat*/conf/server.xml /var/lib/tomcat*/conf/server.xml 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "ae279ef0d5bab9b2aba577369afd3758",
      "name": "9.3 — Disable deploy on startup of applications",
      "description": "deployOnStartup on the Host element should be false in production.",
      "rational": "deployOnStartup loads every WAR in /webapps/ at boot — disabling it forces explicit deployment.",
      "remediation": "Set `deployOnStartup=\"false\"` on the <Host> element in server.xml.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hE 'deployOnStartup=\"false\"' /etc/tomcat*/server.xml /opt/tomcat*/conf/server.xml /usr/share/tomcat*/conf/server.xml /var/lib/tomcat*/conf/server.xml 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "2ebb33ca886a52ef85aa969d791ce2a9",
      "name": "10.10 — Configure connectionTimeout",
      "description": "Connectors should have an explicit connectionTimeout in the low-thousands of milliseconds. The check only verifies that a numeric value is present; it does not bound the value.",
      "rational": "Without a bounded timeout, idle connections accumulate and can be used in slow-loris style DoS.",
      "remediation": "Set `connectionTimeout=\"20000\"` (or lower) on each <Connector> in server.xml.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hE 'connectionTimeout=\"[0-9]+\"' /etc/tomcat*/server.xml /opt/tomcat*/conf/server.xml /usr/share/tomcat*/conf/server.xml /var/lib/tomcat*/conf/server.xml 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "91b93e187613405e153a8551f46e998e",
      "name": "10.13 — Do not allow symbolic linking",
      "description": "Webapp Context elements should set allowLinking=\"false\". The check inspects only the global conf/context.xml; per-application META-INF/context.xml files are not examined.",
      "rational": "Symbolic links inside the webapp directory let attackers serve arbitrary files from outside it.",
      "remediation": "Set `<Context allowLinking=\"false\" />` (the default) in context.xml.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hE 'allowLinking=\"true\"' /etc/tomcat*/context.xml /opt/tomcat*/conf/context.xml 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    }
  ]
}