Web Server Hardening - Apache Tomcat
Reference: https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html
1. Remove Extraneous Resources
Removing sample resources:
C:\xampp\Tomcat\webapps\docs
C:\xampp\Tomcat\webapps\examples
Removing the Manager applications if they are not used:
C:\xampp2\Tomcat\webapps\host-manager
C:\xampp2\Tomcat\webapps\manager
C:\xampp2\Tomcat\conf\Catalina\localhost\manager.xml
Disable unused Connectors in:
C:\xampp2\tomcat\conf\server.xml
Audit (list the Connectors currently defined):
grep "Connector" server.xml
2. Limit Server Platform Information Leaks
Alter the advertised server information
Audit:
cd $CATALINA_HOME/lib
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
grep server.info org/apache/catalina/util/ServerInfo.properties
Remediation (edit the extracted file and repack it into catalina.jar):
server.info=<SomeWebServer>
server.number=<someversion>
server.built=
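As an added example (not from the page or the Tomcat project), a POSIX shell script that performs the rewrite above as a function and then repacks catalina.jar with `jar uf`, the step the page leaves implicit. The properties file used in the demo is constructed, and the function names and the catalina.jar.bak backup name are my own choices.

```shell
# Added example (not from the page or the Tomcat project): the rewrite above as a function
# that works on a plain properties file, plus the repack into catalina.jar that the page
# leaves implicit. The sample file is constructed; repacking needs the JDK's jar tool on PATH.

# Replace server.info / server.number with $2 / $3 and blank server.built in file $1.
mask_server_info() {
    f=$1
    sed -e "s|^server\.info=.*|server.info=$2|" \
        -e "s|^server\.number=.*|server.number=$3|" \
        -e "s|^server\.built=.*|server.built=|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Exit 0 only when no line still reveals the product name or a dotted three-part version.
server_info_is_masked() {
    ! grep -Eq '^server\.(info|number|built)=.*(Tomcat|[0-9]+\.[0-9]+\.[0-9]+)' "$1"
}

# Full procedure: back up catalina.jar, extract the file, rewrite it, update the jar in place.
# Restart Tomcat afterwards; CATALINA_HOME must be set. (Backup file name is my own choice.)
remask_catalina_jar() {
    cd "${CATALINA_HOME:?}/lib" || return 1
    cp -p catalina.jar catalina.jar.bak || return 1
    jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties || return 1
    mask_server_info org/apache/catalina/util/ServerInfo.properties "$1" "$2" || return 1
    jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
}

# Constructed sample with the keys of the real file (values are illustrative, not a real build).
demo=$(mktemp)
printf 'server.info=Apache Tomcat/8.0.0\nserver.number=8.0.0.0\nserver.built=Jan 1 2000 00:00:00 UTC\n' > "$demo"
mask_server_info "$demo" SomeWebServer 1.0
server_info_is_masked "$demo" && cat "$demo"
```

Run `remask_catalina_jar SomeWebServer 1.0` as the Tomcat administrator to apply it to a live installation.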
Disable the X-Powered-By HTTP header, rename the Server value for all Connectors and turn off TRACE
Affected file: $CATALINA_HOME/conf/server.xml
Remediation:
<Connector
    ...
    xpoweredBy="false"
    server="SomeWebServer"
    allowTrace="false"/>
https://tomcat.apache.org/tomcat-8.0-doc/config/http.html
Disable client-facing stack traces
Affected file: $CATALINA_HOME/conf/web.xml
<error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.jsp</location>
</error-page>
3. Protect the Shutdown Port
Set a nondeterministic shutdown command value
Vulnerable:
<Server port="8005" shutdown="SHUTDOWN">
Remediation - set a nondeterministic value for the shutdown attribute:
<Server port="8005" shutdown="asequenceofrandomcharacters">
4. Protect Tomcat Configurations
Restrict access to Tomcat directories
($CATALINA_HOME, $CATALINA_BASE, configuration, logs, temp, binaries, web applications, catalina.policy,
catalina.properties
Audit (If the ownership and permission are set correctly, no output should be displayed):
# cd $CATALINA_HOME
# find . -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find logs -follow -maxdepth 0 \( -perm /o+rwx -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find temp -follow -maxdepth 0 \( -perm /o+rwx -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find bin -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find webapps -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# cd $CATALINA_HOME/conf
# find . -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find catalina.policy -follow -maxdepth 0 \( -perm /o+rwx -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find catalina.properties -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find context.xml -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find logging.properties -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find server.xml -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find tomcat-users.xml -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# find web.xml -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
# cd $CATALINA_BASE
# find . -follow -maxdepth 0 \( -perm /o+rwx,g=w -o ! -user tomcat_admin -o ! -group tomcat \) -ls
Remediation:
- Set the ownership to tomcat_admin:tomcat
- Remove write permissions (g-w) for the group
- Remove read, write, and execute permissions (o-rwx) for the world
# chown tomcat_admin:tomcat $CATALINA_HOME
# chmod g-w,o-rwx $CATALINA_HOME
# chown tomcat_admin:tomcat $CATALINA_HOME/logs
# chmod o-rwx $CATALINA_HOME/logs
# chown tomcat_admin:tomcat $CATALINA_HOME/temp
# chmod o-rwx $CATALINA_HOME/temp
# chown tomcat_admin:tomcat $CATALINA_HOME/bin
# chmod g-w,o-rwx $CATALINA_HOME/bin
# chown tomcat_admin:tomcat $CATALINA_HOME/webapps
# chmod g-w,o-rwx $CATALINA_HOME/webapps
# chown tomcat_admin:tomcat $CATALINA_HOME/conf
# chmod g-w,o-rwx $CATALINA_HOME/conf
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/catalina.policy
# chmod 770 $CATALINA_HOME/conf/catalina.policy
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/catalina.properties
# chmod g-w,o-rwx $CATALINA_HOME/conf/catalina.properties
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/context.xml
# chmod g-w,o-rwx $CATALINA_HOME/conf/context.xml
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/logging.properties
# chmod g-w,o-rwx $CATALINA_HOME/conf/logging.properties
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/server.xml
# chmod g-w,o-rwx $CATALINA_HOME/conf/server.xml
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/tomcat-users.xml
# chmod g-w,o-rwx $CATALINA_HOME/conf/tomcat-users.xml
# chown tomcat_admin:tomcat $CATALINA_HOME/conf/web.xml
# chmod g-w,o-rwx $CATALINA_HOME/conf/web.xml
# chown tomcat_admin:tomcat $CATALINA_BASE
# chmod g-w,o-rwx $CATALINA_BASE
5. Configure Realms
A Tomcat realm is a database of usernames and passwords used to identify valid users of web applications.
Use secure Realms
Audit (the commands below should not emit any output):
# grep "Realm className" $CATALINA_HOME/conf/server.xml | grep MemoryRealm
# grep "Realm className" $CATALINA_HOME/conf/server.xml | grep JDBCRealm
# grep "Realm className" $CATALINA_HOME/conf/server.xml | grep UserDatabaseRealm
# grep "Realm className" $CATALINA_HOME/conf/server.xml | grep JAASRealm
Use LockOut Realms
Audit (to check whether a LockOut realm is being used):
# grep "LockOutRealm" $CATALINA_HOME/conf/server.xml
Remediation:
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="3" lockOutTime="600" cacheSize="1000"
       cacheRemovalWarningTime="3600">
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName=... />
</Realm>
https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html
6. Connector Security
(Review the Connector configuration in server.xml)
Set up client-certificate authentication
Audit:
Ensure the clientAuth parameter is set to true
Remediation:
- Ensure SSLEnabled is set to true for sensitive Connectors
- Ensure scheme is set accurately
- Ensure secure is set to true only for SSL-enabled Connectors
- Ensure the SSL protocol is set to TLS for secure Connectors
<!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443. minProcessors, maxProcessors and debug
     are Tomcat 4 attributes that Tomcat 8 ignores; maxThreads is the current equivalent.
     A keystoreFile (server certificate) and truststoreFile (CA that issues the client
     certificates) are also needed for clientAuth="true" to work. -->
<Connector
    port="8443" maxThreads="150"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS"/>
Audit:
- Ensure the SSLEnabled attribute is set to true
- Ensure the secure attribute is set to true for Connectors having SSLEnabled set to true
- Ensure the sslProtocol attribute is set to "TLS" for Connectors having SSLEnabled set to true
- Ensure the Connector's scheme attribute is set to https for Connectors operating over HTTPS
Remediation:
<Connector
    ...
    SSLEnabled="true"
    secure="true"
    sslProtocol="TLS"
    scheme="https"
    ...
/>
Force SSL when accessing the manager application
Audit (ensure the <transport-guarantee> element is set to CONFIDENTIAL):
# grep transport-guarantee $CATALINA_HOME/webapps/manager/WEB-INF/web.xml
Remediation:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Manager</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
7. Establish and Protect Logging Facilities
Application-specific logging
Audit:
Ensure a logging.properties file is located at $CATALINA_BASE\webapps\<app_name>\WEB-INF\classes
(By default, installing Tomcat places a logging.properties file in $CATALINA_HOME\conf.
This file can be used as the base for an application-specific logging.properties file.)
Remediation:
Create a logging.properties file and place it in your application's WEB-INF\classes directory.
Specify a file handler in the logging.properties files
Audit:
$ grep handlers $CATALINA_BASE\webapps\<app name>\WEB-INF\classes\logging.properties
$ grep handlers $CATALINA_BASE\conf\logging.properties
Remediation:
handlers=org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
org.apache.juli.FileHandler.level=FINEST
Ensure className is set correctly in context.xml
Audit:
# grep org.apache.catalina.valves.AccessLogValve $CATALINA_BASE\webapps\<appname>\META-INF\context.xml
Remediation (Tomcat expands ${catalina.base} inside context.xml; a shell variable such as $CATALINA_HOME is not expanded there):
<Valve
    className="org.apache.catalina.valves.AccessLogValve"
    directory="${catalina.base}/logs/"
    prefix="access_log"
    fileDateFormat="yyyy-MM-dd.HH"
    suffix=".log"
    pattern="%t %H cookie:%{SESSIONID}c request:%{SESSIONID}r %m %U %s %q %r"
/>
Ensure the directory in context.xml is a secure location
9. Application Deployment
Starting Tomcat with the Security Manager
Audit:
Review the startup configuration in /etc/init.d
Remediation:
$ $CATALINA_HOME/bin/catalina.sh start -security (Unix)
C:\> %CATALINA_HOME%\bin\catalina start -security (Windows)
Disabling auto-deployment of applications
Audit:
# grep "autoDeploy" $CATALINA_HOME/conf/server.xml
Remediation (on the Host element in server.xml):
autoDeploy="false"
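As an added example (not from the page or the Tomcat project), a shell audit that runs the checks from sections 2, 3, 5, 6 and 9 above against one server.xml, handling multi-line elements and commented-out Connectors that the line-by-line greps above would miscount. The sample server.xml and all function names are constructed; it assumes an awk that accepts a multi-character record separator (gawk or mawk).

```shell
# Added audit script (not from the page or the Tomcat project): flatten server.xml to one
# element per line, then grep for the settings the page requires. Assumes POSIX sh, grep and
# an awk that accepts a multi-character RS (gawk, mawk); the server.xml below is constructed.
# Drop <!-- ... --> comments so a commented-out Connector is not counted as live.
strip_comments() { awk 'BEGIN{RS="-->"} {sub(/<!--.*/, ""); printf "%s", $0}' "$1"; }
# One element per output line, each starting with its element name (Server, Connector, ...).
elements() { strip_comments "$1" | awk 'BEGIN{RS="<"} {gsub(/[[:space:]]+/, " "); print}'; }
# Section 3: the shutdown command must not be the well-known default.
shutdown_is_default() { elements "$1" | grep -E '^Server ' | grep -Fq 'shutdown="SHUTDOWN"'; }
# Section 2: print Connectors that lack the attribute=value passed as $2.
connectors_without() { elements "$1" | grep -E '^Connector ' | grep -Fv "$2"; }
# Section 6: the same check restricted to SSL-enabled Connectors.
tls_connectors_without() { connectors_without "$1" "$2" | grep -F 'SSLEnabled="true"'; }
# Section 5: realm types the page says not to use, and whether a LockOutRealm is configured.
insecure_realms() { elements "$1" | grep -E '^Realm ' | grep -E '(Memory|JDBC|UserDatabase|JAAS)Realm'; }
has_lockout_realm() { elements "$1" | grep -E '^Realm ' | grep -Fq 'LockOutRealm'; }
# Section 9: Hosts must not auto-deploy.
hosts_autodeploying() { elements "$1" | grep -E '^Host ' | grep -Fv 'autoDeploy="false"'; }

# Run every check, print findings, return the number of failed checks (0 = clean).
audit_server_xml() {
    f=$1; n=0
    shutdown_is_default "$f" && { echo "FAIL shutdown command is SHUTDOWN"; n=$((n+1)); }
    for a in 'xpoweredBy="false"' 'allowTrace="false"'; do
        connectors_without "$f" "$a" | grep -q . && { echo "FAIL Connector lacks $a"; n=$((n+1)); }
    done
    for a in 'secure="true"' 'scheme="https"' 'sslProtocol="TLS"'; do
        tls_connectors_without "$f" "$a" | grep -q . && { echo "FAIL SSL Connector lacks $a"; n=$((n+1)); }
    done
    insecure_realms "$f" | grep -q . && { echo "FAIL insecure Realm type in use"; n=$((n+1)); }
    has_lockout_realm "$f" || { echo "FAIL no LockOutRealm"; n=$((n+1)); }
    hosts_autodeploying "$f" | grep -q . && { echo "FAIL Host autoDeploy is not false"; n=$((n+1)); }
    return $n
}
# Constructed sample: a mostly default server.xml with one hardened HTTPS Connector.
sample_server_xml=$(mktemp)
cat > "$sample_server_xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS" xpoweredBy="false" allowTrace="false"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine></Service></Server>
EOF
audit_server_xml "$sample_server_xml"; echo "failed checks: $?"
```

Point `audit_server_xml` at $CATALINA_HOME/conf/server.xml to audit a real instance; the sample reports six failures (default shutdown command, two missing attributes on the 8080 Connector, an insecure Realm type, no LockOutRealm and autoDeploy left on).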
10. Miscellaneous Configuration Settings
Restrict access to the web administration
Affected file: $CATALINA_HOME/conf/server.xml
Remediation:
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>
(A RemoteAddrValve nested under the Engine or Host in server.xml restricts every application deployed there; to limit only the manager, place the Valve in the manager application's own context definition instead.)
Rename the manager application
Audit (ensure the following directories and files do not exist):
$CATALINA_HOME/conf/Catalina/localhost/manager.xml
$CATALINA_HOME/webapps/host-manager/manager.xml
$CATALINA_HOME/webapps/manager
Remediation:
1. mv $CATALINA_HOME/webapps/host-manager/manager.xml $CATALINA_HOME/webapps/host-manager/new-name.xml
2. Update the docBase attribute within $CATALINA_HOME/webapps/host-manager/new-name.xml to ${catalina.home}/webapps/new-name
3. Move $CATALINA_HOME/webapps/manager to $CATALINA_HOME/webapps/new-name:
$ mv $CATALINA_HOME/webapps/manager $CATALINA_HOME/webapps/new-name
Enable strict servlet compliance
Audit:
Ensure the following parameter is added to the startup script, which by default is located at $CATALINA_HOME/bin/catalina.sh
-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true
Turn off session façade recycling
Force SSL when accessing the manager application
Audit:
grep transport-guarantee $CATALINA_HOME/webapps/manager/WEB-INF/web.xml
Affected file: $CATALINA_HOME/webapps/manager/WEB-INF/web.xml
Remediation:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Manager</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>