DefaultServlet must be set to readonly for PUT and DELETE.

To secure an HTTP. The unencrypted HTTP protocol does not protect data from interception or alteration, which can subject users to eavesdropping, tracking, and the modification of received data.

$CATALINA_BASE/logs folder permissions must be set to 750.

When log processing fails, the events during the. Logs are essential to monitor the health of the system, investigate changes that occurred to the system, or investigate a security incident.
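The DefaultServlet finding above is checked in Tomcat's conf/web.xml, where the `readonly` init-param of the servlet named `default` decides whether PUT and DELETE are honoured. The checker below is an added example, not part of the STIG text: it parses a web.xml string, locates that servlet and reports an explicit `readonly=false`. The two web.xml documents it carries are constructed samples (the `debug` and `listings` params are just the ones Tomcat ships beside `readonly`).

```python
"""Audit conf/web.xml for a writable DefaultServlet (readonly=false).

Added example; not taken from the STIG text.
"""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the XML namespace so javax and jakarta web.xml files both parse."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str) -> str:
    """Text of the first direct child whose local name matches, else ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_readonly(web_xml: str) -> bool:
    """True if the 'default' servlet rejects PUT/DELETE, False if readonly=false.

    Tomcat treats a missing 'readonly' init-param as true, so only an explicit
    'false' is reported as a failure.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-name") != "default":
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return _child_text(param, "param-value").lower() == "true"
        return True  # no readonly init-param: Tomcat's default is true
    raise ValueError("no 'default' servlet declared in this web.xml")


# Constructed sample: the DefaultServlet declaration from a Tomcat 9 conf/web.xml,
# with readonly switched to false (the finding) and then back to true.
WRITABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

READONLY_WEB_XML = WRITABLE_WEB_XML.replace(
    "<param-name>readonly</param-name><param-value>false</param-value>",
    "<param-name>readonly</param-name><param-value>true</param-value>")


if __name__ == "__main__":
    for label, doc in (("writable", WRITABLE_WEB_XML), ("readonly", READONLY_WEB_XML)):
        verdict = "PASS" if default_servlet_readonly(doc) else "FAIL: PUT/DELETE enabled"
        print(f"{label}: {verdict}")
```

Run it against a real installation with `default_servlet_readonly(open("/opt/tomcat/conf/web.xml").read())`; the namespace-insensitive lookup means the same function works on a Tomcat 10 (jakarta) web.xml without changes.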
The application server must alert the SA and ISSO, at a minimum, in the event of a log processing failure.

The first line of request must be logged.

The access logfile format is defined within a Valve that implements the AccessLogValve interface within the /opt/tomcat/server.xml configuration file: The '%r'.
Tomcat file permissions must be restricted.

The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read.

$CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat.

AccessLogValve must be configured per each virtual host.

The access logfile format is defined within a Valve that implements the AccessLogValve interface within the /opt/tomcat/server.xml configuration file: The %t pattern.

Application servers utilize role-based access controls in order to specify the individuals who are allowed to configure application component loggable events.

Tomcat user account must be set to nologin.

When installing Tomcat, a user account is created on the OS. This account is used in order for Tomcat to be able to operate on the OS but does not require the ability to actually log in to the.

LockOutRealms must be used for management of Tomcat.

A LockOutRealm adds the ability to lock a user out after multiple failed logins. LockOutRealm is an implementation of the Tomcat Realm interface that extends the CombinedRealm to provide user lock.

LockOutRealms failureCount attribute must be set to 5 failed logins for admin users.

Setting the failureCount attribute to 5 will lock out a user account after 5 failed attempts.

$CATALINA_BASE/conf/ folder must be owned by root, group tomcat.

The standard configuration is to have Tomcat files contained in the conf/ folder as members of the "tomcat" group.

$CATALINA_HOME folder must be owned by the root user, group tomcat.

The standard configuration is to have the folder where Tomcat is installed owned by the root user with the group set to tomcat.

Use a distinct non-privileged user account for running Tomcat. If Tomcat processes are compromised and a privileged user account is used to operate the Tomcat server processes, the entire system.
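The access-logging findings (a Valve per virtual host, with %t for the date/time and %r for the first line of the request) and the two LockOutRealm findings all live in server.xml, so one audit can cover them. The script below is an added example, not the STIG's own check procedure: it parses a server.xml string and reports every Host lacking an AccessLogValve or whose pattern omits %t or %r, and reports a missing LockOutRealm or one whose failureCount is not explicitly 5. The weak and hardened server.xml documents are constructed samples; the class names `org.apache.catalina.valves.AccessLogValve` and `org.apache.catalina.realm.LockOutRealm` are Tomcat's real ones, and the `&quot;%r&quot;` quoting is the usual way to log the request line inside an XML attribute.

```python
"""Audit server.xml for per-Host access logging and a LockOutRealm.

Added example; not from the STIG text.
"""
import xml.etree.ElementTree as ET

ACCESS_LOG_VALVE = "org.apache.catalina.valves.AccessLogValve"
LOCKOUT_REALM = "org.apache.catalina.realm.LockOutRealm"
REQUIRED_TOKENS = ("%t", "%r")            # date/time and first line of the request
NAMED_PATTERNS = ("common", "combined")    # Tomcat shorthands; both include %t and %r


def audit_server_xml(server_xml: str) -> list:
    """Return a list of finding strings; an empty list means compliant."""
    findings = []
    root = ET.fromstring(server_xml)

    # Every <Host> (virtual host) needs its own AccessLogValve as a direct child.
    for host in root.iter("Host"):
        name = host.get("name", "?")
        valves = [v for v in host.findall("Valve") if v.get("className") == ACCESS_LOG_VALVE]
        if not valves:
            findings.append(f"Host '{name}': no AccessLogValve configured")
        for valve in valves:
            pattern = valve.get("pattern", "common")  # Tomcat's default pattern is 'common'
            if pattern in NAMED_PATTERNS:
                continue
            missing = [t for t in REQUIRED_TOKENS if t not in pattern]
            if missing:
                findings.append(f"Host '{name}': AccessLogValve pattern lacks {' and '.join(missing)}")

    # The realm that authenticates management users must be wrapped in a LockOutRealm.
    lockouts = [r for r in root.iter("Realm") if r.get("className") == LOCKOUT_REALM]
    if not lockouts:
        findings.append("no LockOutRealm wraps the authentication realm")
    for realm in lockouts:
        count = realm.get("failureCount")  # Tomcat defaults to 5; the finding wants it set explicitly
        if count != "5":
            findings.append(f"LockOutRealm failureCount is {count!r}, expected '5'")
    return findings


# Constructed sample: bare UserDatabaseRealm, one Host with an incomplete pattern,
# one Host with no access log at all.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %s %b"/>
      </Host>
      <Host name="intranet.example" appBase="intranet"/>
    </Engine>
  </Service>
</Server>"""

# Constructed sample: same layout with the findings corrected.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="300">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      </Host>
      <Host name="intranet.example" appBase="intranet">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="intranet_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      </Host>
    </Engine>
  </Service>
</Server>"""


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"{label}: {audit_server_xml(doc) or 'compliant'}")
```

The Host loop uses `findall("Valve")` rather than `iter("Valve")` deliberately: a valve declared on the Engine is inherited by every host, but the finding asks for one per virtual host, so only direct children count.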
Tomcat user account must be a non-privileged user.

Tomcat must use FIPS-validated ciphers on secured connectors.

Connectors are how Tomcat receives requests over a network port, passes them to hosted web applications via HTTP or AJP, and then sends the results back to the requestor.

Tomcat uses the JNDIRealm to look up users in an LDAP directory server. JNDIRealm is an implementation of the Tomcat Realm interface. The realm's connection to the directory is defined by the.

Java Management Extensions (JMX) provides the means for enterprises to remotely manage the Java VM and can be used in place of the local manager application that comes with Tomcat.

Tomcat currently operates only on JKS, PKCS11, or PKCS12 format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility.
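The ownership, permission and service-account findings ($CATALINA_HOME and conf/ owned root:tomcat, logs/ owned tomcat:tomcat at mode 750, a nologin shell, a non-root uid) are all checked on the filesystem and in passwd(5). The audit below is an added example, not the STIG check text. It assumes that a mode no wider than 750 is also the right bar for $CATALINA_HOME and conf/ (the findings only state 750 for logs/); the `demo()` helper builds a throwaway tree owned by the current user as a constructed stand-in for root and tomcat, since only root can chown, and the passwd lines it is tested with are constructed.

```python
"""Audit Tomcat's on-disk ownership, permissions and service account.

Added example; not from the STIG text.
"""
import grp
import os
import pwd
import stat
import tempfile


def _uid_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid not in /etc/passwd (common inside containers)
        return str(uid)


def _gid_name(gid: int) -> str:
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def check_path(path: str, owner: str, group: str, max_mode: int) -> list:
    """Report ownership mismatches or any permission bit set beyond max_mode."""
    st = os.stat(path)
    problems = []
    if _uid_name(st.st_uid) != owner:
        problems.append(f"{path}: owner {_uid_name(st.st_uid)}, expected {owner}")
    if _gid_name(st.st_gid) != group:
        problems.append(f"{path}: group {_gid_name(st.st_gid)}, expected {group}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~max_mode:  # e.g. 775 or 2750 set bits that 750 does not allow
        problems.append(f"{path}: mode {mode:o} is wider than {max_mode:o}")
    return problems


def audit_tomcat_tree(catalina_home: str, root_user: str, tomcat_user: str, tomcat_group: str) -> list:
    """Apply the findings' ownership expectations to the three directories they name.

    Assumption: 750 is used as the ceiling for all three; the STIG states it for logs/.
    """
    expectations = [
        (catalina_home, root_user, tomcat_group, 0o750),
        (os.path.join(catalina_home, "conf"), root_user, tomcat_group, 0o750),
        (os.path.join(catalina_home, "logs"), tomcat_user, tomcat_group, 0o750),
    ]
    problems = []
    for path, owner, group, max_mode in expectations:
        problems.extend(check_path(path, owner, group, max_mode))
    return problems


def login_disabled(shell: str) -> bool:
    """True when the login shell cannot start an interactive session."""
    return os.path.basename(shell) in ("nologin", "false")


def service_account_problems(passwd_line: str) -> list:
    """Check one passwd(5) entry for the 'nologin' and 'non-privileged' findings."""
    name, _pw, uid, _gid, _gecos, _home, shell = passwd_line.strip().split(":")
    problems = []
    if int(uid) == 0:
        problems.append(f"{name}: runs as uid 0 (privileged)")
    if not login_disabled(shell):
        problems.append(f"{name}: interactive shell {shell}, expected nologin")
    return problems


def demo() -> tuple:
    """Build a temporary CATALINA_HOME (constructed stand-in) and audit it twice.

    The current user plays both root and tomcat, so ownership checks are
    exercised but satisfied; the mode checks catch the group-writable logs/.
    Returns (problems before chmod, problems after chmod).
    """
    home = tempfile.mkdtemp(prefix="catalina_")
    st = os.stat(home)
    me, my_group = _uid_name(st.st_uid), _gid_name(st.st_gid)
    for sub in ("conf", "logs"):
        os.mkdir(os.path.join(home, sub))
    os.chmod(os.path.join(home, "logs"), 0o775)  # group-writable logs: the finding
    before = audit_tomcat_tree(home, me, me, my_group)
    for sub in ("", "conf", "logs"):
        os.chmod(os.path.join(home, sub), 0o750)
    after = audit_tomcat_tree(home, me, me, my_group)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "compliant")
    print("after:", after or "compliant")
    print(service_account_problems(pwd.getpwnam("tomcat").__str__()) if False else
          service_account_problems("tomcat:x:997:997:Apache Tomcat:/opt/tomcat:/usr/sbin/nologin"))
```

Against a live host, call `audit_tomcat_tree("/opt/tomcat", "root", "tomcat", "tomcat")` and feed `service_account_problems()` the tomcat line from `/etc/passwd` (`grep '^tomcat:' /etc/passwd`).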
Findings (MAC III - Administrative Sensitive)

Default password for keystore must be changed.