Hi All
I have a query and not sure where to find this info. Can someone guide me in the right direction?
"According to our ISO (Security) team policy we need to know if applicable to implement the below CIS apache Tomcat Benchmarks on Service Desk or not
1 Remove Extraneous Resources
1.1 Remove extraneous files and directories
1.2 Disable Unused Connectors (Not Scored)
2 Limit Server Platform Information Leaks
2.1 Alter the Advertised server.info String
2.2 Alter the Advertised server.number String
2.3 Alter the Advertised server.built Date
2.4 Disable X-Powered-By HTTP Header and Rename the Server Value for all Connectors
2.5 Disable client facing Stack Traces
2.6 Turn off TRACE
3 Protect the Shutdown Port
3.1 Set a nondeterministic Shutdown command value
3.2 Disable the Shutdown port (Not Scored)
4 Protect Tomcat Configurations
4.1 Restrict access to $CATALINA_HOME
4.2 Restrict access to $CATALINA_BASE
4.3 Restrict access to Tomcat configuration directory
4.5 Restrict access to Tomcat logs directory
4.6 Restrict access to Tomcat temp directory
4.7 Restrict access to Tomcat binaries directory
4.8 Restrict access to Tomcat web application directory
4.9 Restrict access to Tomcat catalina.policy
4.10 Restrict access to Tomcat catalina.properties
4.11 Restrict access to Tomcat context.xml
4.12 Restrict access to Tomcat logging.properties
4.13 Restrict access to Tomcat server.xml
4.14 Restrict access to Tomcat tomcat-users.xml
4.15 Restrict access to Tomcat web.xml
5 Configure Realms
5.1 Use secure Realms
5.2 Use LockOut Realms
6 Connector Security
6.1 Setup Client-cert Authentication
6.2 Ensure SSLEnabled is set to TRUE for Sensitive Connectors (Not Scored)
6.3 Ensure scheme is set accurately
6.4 Ensure secure is set to TRUE only for SSL-enabled Connectors
6.5 Ensure SSL Protocol is set to TLS for Secure Connectors
7 Establish and Protect Logging Facilities
7.1 Application specific logging
7.2 Specify file handler in logging.properties files
7.3 Ensure className is set correctly in context.xml
7.4 Ensure directory in context.xml is a secure location
7.5 Ensure pattern in context.xml is correct
7.6 Ensure directory in logging.properties is a secure location
7.7 Configure log file size limit
8 Configure Catalina Policy
8.1 Restrict runtime access to sensitive packages
9 Application Deployment
9.1 Starting Tomcat with Security Manager
9.2 Disabling auto deployment of applications
9.3 Disable deploy on startup of applications
10 Miscellaneous Configuration Settings
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files (Not
10.2 Restrict access to the web administration (Not Scored)
10.3 Restrict manager application (Not Scored)
10.4 Force SSL when accessing the manager application
10.5 Rename the manager application
10.6 Enable strict servlet Compliance
10.7 Turn off session façade recycling
10.8 Do not allow additional path delimiters
10.9 Do not allow custom header status messages
10.10 Configure connectionTimeout
10.11 Configure maxHttpHeaderSize
10.12 Force SSL for all applications
10.13 Do not allow symbolic linking
10.14 Do not run applications as privileged
10.15 Do not allow cross context requests
10.16 Do not resolve hosts on logging valves
10.17 Enable memory leak listener
10.18 Setting Security Lifecycle Listener
10.19 use the logEffectiveWebXml and metadata-complete settings for deploying applications in production"
Regards,
Kaveek