
[CLONE] Harden Tomcat according to CIS guidelines

Description

The Center for Internet Security (CIS) publishes a benchmark for securing Tomcat instances.
The benchmark is available online at the link below; a PDF copy is attached to this ticket.

https://www.cisecurity.org/benchmark/apache_tomcat/

These guidelines should be reviewed and implemented as needed.

--------

1.1 Remove extraneous files and directories: $CATALINA_HOME/webapps/docs, $CATALINA_HOME/webapps/examples

1.2 Disable unused connectors in $CATALINA_HOME/conf/server.xml, e.g. remove or comment out:
    <Connector className="org.apache.catalina.connector.http.HttpConnector" ...

2.0 Scrub Tomcat's self-identification info

2.1, 2.2, 2.3 Change ./org/apache/catalina/util/ServerInfo.properties (packaged inside $CATALINA_HOME/lib/catalina.jar):
    server.info=WebServer
    server.number=1.0.0
    server.built=          ### a blank date is okay

2.4 Remove Powered-By info: remove the xpoweredBy attribute from every Connector in $CATALINA_HOME/conf/server.xml if present (it is not present in the Pentaho install), or set it explicitly:
    <Connector ... xpoweredBy="false" />

2.5 Disable client-facing stack traces. In $CATALINA_HOME/conf/web.xml ensure an <error-page> element is defined, that it has an <exception-type> child element with the value java.lang.Throwable, and that it has a <location> child element pointing at a static error page.

2.6 Turn off TRACE. For each Connector in server.xml, ensure the allowTrace attribute is absent (it defaults to false) or is explicitly false:
    <Connector ... allowTrace="false" />

3.0 Protect the shutdown port

3.1 Change the shutdown command in $CATALINA_HOME/conf/server.xml from the default SHUTDOWN to a non-guessable value:
    <Server port="8005" shutdown="NONDETERMINISTICVALUE">

3.2 Alternatively, disable the shutdown port entirely in $CATALINA_HOME/conf/server.xml:
    <Server port="-1" shutdown="SHUTDOWN">

4.0 Protect Tomcat config files

4.1, 4.2 Secure the home folders ($CATALINA_HOME and $CATALINA_BASE): set ownership to tomcat_admin:tomcat, remove read, write and execute permissions for the world, and remove write permissions for the group:
    chown tomcat_admin:tomcat $CATALINA_HOME
    chmod g-w,o-rwx $CATALINA_HOME

4.3, 4.4, 4.5, 4.6, 4.7 Protect the Tomcat directories conf, logs, temp, bin and webapps (tomcat/conf, tomcat/logs, tomcat/temp, tomcat/bin, tomcat/webapps) the same way, e.g.:
    chown tomcat_admin:tomcat $CATALINA_HOME/conf
    chmod g-w,o-rwx $CATALINA_HOME/conf

4.8 Protect catalina.policy, catalina.properties, context.xml, logging.properties, server.xml, tomcat-users.xml and conf/web.xml, e.g.:
    chown tomcat_admin:tomcat $CATALINA_HOME/conf/catalina.policy
    chmod g-w,o-rwx $CATALINA_HOME/conf/catalina.policy
    chown tomcat_admin:tomcat $CATALINA_HOME/conf/context.xml
    chmod g-w,o-rwx $CATALINA_HOME/conf/context.xml
    Do not use chmod 770 for these files: that leaves them group-writable, which 4.1 through 4.7 remove everywhere else.

5.0 Do not use inappropriate realms (MemoryRealm, JDBCRealm). Note: Pentaho's archive install uses UserDatabaseRealm in tomcat/conf/server.xml.

5.1 Use a lock-out realm against repeated authentication attempts. In $CATALINA_HOME/conf/server.xml, wrap the existing realm in a LockOutRealm (it is a combined realm and delegates to the realm nested inside it):
    <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" ... />
    </Realm>

6.0 Connector security

6.1 Client certificate authentication (use HTTPS), $CATALINA_HOME/conf/server.xml:
    <Connector port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"/>
    Caveats: clientAuth="true" makes Tomcat require a client certificate on every connection to this connector, so only use it where every client has one; enableLookups="true" conflicts with 10.16 below; minProcessors, maxProcessors and debug are legacy Tomcat 4/5 attributes.

6.2, 6.3, 6.4, 6.5 Use the secure attributes on the SSL connector (<Connector>) in $CATALINA_HOME/conf/server.xml:
    SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"

7.0, 7.1 Protect logging: ./tomcat/conf/logging.properties and /tomcat/webapps/pentaho/WEB-INF/classes/logging.properties. Ensure logging is not turned off and set the logging level to the desired level, e.g.:
    org.apache.juli.FileHandler.level=FINEST
    FINEST is the most verbose JULI level; choose the level the log volume can sustain, but never OFF.

7.3 Verify the correct class name in the logger Valve in each $CATALINA_BASE/webapps/<app name>/META-INF/context.xml:
    <Valve className="org.apache.catalina.valves.AccessLogValve" ...

7.4 Secure the $CATALINA_HOME/logs directory:
    chown tomcat_admin:tomcat $CATALINA_HOME/logs
    chmod o-rwx $CATALINA_HOME/logs

7.5 Ensure the logger pattern is correct in tomcat/conf/server.xml; also add it to webapps/pentaho/META-INF/context.xml, e.g.:
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="access_log" fileDateFormat="yyyy-MM-dd.HH" suffix=".log" pattern="%h %t %H cookie:%{SESSIONID}c request:%{SESSIONID}r %m %U %s %q %r" />
    This pattern writes the value of the cookie named SESSIONID and the SESSIONID request attribute into the access log, so the cookie name must match the one Tomcat actually issues (JSESSIONID by default) and the log directory must be protected as in 7.4.

7.6 Direct logs to a secure folder in ./conf/logging.properties and ./webapps/pentaho/WEB-INF/classes/logging.properties:
    <application_name>.org.apache.juli.FileHandler.directory=<log_location>
    <application_name>.org.apache.juli.FileHandler.prefix=<application_name>

7.7 Configure log size limits in ./conf/logging.properties and ./webapps/pentaho/WEB-INF/classes/logging.properties (the limit is in bytes):
    java.util.logging.FileHandler.limit=10000

8.1 Restrict Catalina package access to specific packages only, in $CATALINA_BASE/conf/catalina.properties:
    package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.

9.1 Run apps with the SecurityManager by adding the -security flag to the startup command:
    $CATALINA_HOME/bin/catalina.sh start -security     (Unix)
    Note: the Java SecurityManager is deprecated for removal since Java 17 (JEP 411), so this control is not available on newer runtimes.

9.2 Disable autoDeploy in tomcat/conf/server.xml:
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">

9.3 Disable deployOnStartup (default true) on the same Host in tomcat/conf/server.xml:
    deployOnStartup="false"
    With both flags off, nothing in appBase is deployed automatically; each application must be declared explicitly (a <Context> in server.xml) or deployed through the manager.

10.1 Put web content (webapps) on a separate partition from Tomcat:
    mv tomcat/webapps /opt/pentaho-webapps
    vi tomcat/conf/server.xml      # set appBase="/opt/pentaho-webapps" on the Host

10.2 Restrict access to the admin app with a RemoteAddrValve in the web admin app context, conf/server.xml:
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>

10.3 Limit the manager application to those with a required need:
    <Context path="/manager" docBase="${catalina.home}/webapps/manager" debug="0" privileged="true">
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>
    </Context>

10.4 Use SSL for the manager app.

10.5 Rename the manager app. NOTE: not present on the archive build.
    mv $CATALINA_HOME/webapps/host-manager/manager.xml $CATALINA_HOME/webapps/host-manager/new-name.xml

10.6 Use Tomcat STRICT_SERVLET_COMPLIANCE. Edit CATALINA_OPTS in start-pentaho.sh and add:
    -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true

10.7 Set Tomcat RECYCLE_FACADES to true. Edit CATALINA_OPTS in start-pentaho.sh and add:
    -Dorg.apache.catalina.connector.RECYCLE_FACADES=true

10.8 Turn off Tomcat path delimiters. Edit CATALINA_OPTS in start-pentaho.sh and add:
    -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false
    -Dorg.apache.tomcat.util.buf.

10.9 Turn off Tomcat USE_CUSTOM_STATUS_MSG_IN_HEADER. Edit CATALINA_OPTS in start-pentaho.sh and add:
    -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false

10.10 Close idle Tomcat sockets, tomcat/conf/server.xml. Recommended:
    connectionTimeout="60000"
    Pentaho already ships connectionTimeout="20000", which is stricter, so no change is needed.

10.11 Limit Tomcat header sizes. Add to the Connectors (8080 and 8443) in conf/server.xml:
    maxHttpHeaderSize="8192"
    8192 is also Tomcat's default; setting it explicitly pins it.

10.12 If SSL is used, make sure the transport guarantee is set in tomcat/webapps/manager/WEB-INF/web.xml:
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>

10.13 Turn off symbolic linking in each context.xml (tomcat/conf/context.xml):
    <Context ...>
        <Resources ... allowLinking="false" />
    </Context>
    By default, allowLinking has a value of false.

10.14 Turn off privileged execution in each context.xml (tomcat/conf/context.xml):
    <Context ... privileged="false" />
    By default, privileged has a value of false. NOTE: had to turn this back on.

10.15 Turn off Tomcat cross-context execution in each context.xml (tomcat/conf/context.xml):
    <Context ... crossContext="false" />
    By default, crossContext has a value of false.

10.16 Turn off host name resolution during logging. Valves in tomcat/conf/server.xml:
    <Connector ... enableLookups="false" />
    By default, DNS lookups are disabled.

10.17 Make sure the memory leak listener is on in tomcat/conf/server.xml. NOTE: it already is:
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />

10.18 Turn on the Tomcat security listener in tomcat/conf/server.xml (do not run as root):
    <Listener className="org.apache.catalina.security.SecurityListener" checkedOsUsers="root,pentaho-tomcat" minimumUmask="0007" />
    Caveat: checkedOsUsers is a deny-list of OS accounts Tomcat refuses to start as, so the service account Tomcat actually runs under must not appear in it, and the umask of that account must be at most 0007 or startup fails.

10.19 Use logEffectiveWebXml and metadata-complete. NOTE: the metadata-complete property is not valid in the web-app container.
    <web-app metadata-complete="true" ...
    Added to webapps/pentaho/WEB-INF/web.xml
    Added to webapps/pentaho-style/WEB-INF/web.xml
    Added to /opt/pentaho-webapps/ROOT/WEB-INF/web.xml
    Added to /opt/pentaho-webapps/sw-style/WEB-INF/web.xml
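The server.xml items above (2.4, 2.6, 3.1/3.2, 5.x, 6.2, 7.3, 9.2/9.3, 10.10, 10.11, 10.16, 10.17, 10.18) can be checked mechanically before and after the edit. The following audit script is an added example and is not code from this ticket, from Pentaho or from the CIS benchmark; the two server.xml fragments it contains are constructed for the example (a default-looking file with the weak settings, and the same file after the ticket's changes), and the finding ids are the CIS item numbers used above. Defaults applied when an attribute is absent are Tomcat's own (allowTrace, xpoweredBy and enableLookups default to false; autoDeploy and deployOnStartup default to true).

```python
"""Audit a Tomcat server.xml against the server.xml items in the checklist above.
Added example (not Pentaho's or the CIS benchmark's code); both server.xml
fragments are constructed for it and the finding ids are the CIS item numbers."""
import xml.etree.ElementTree as ET

# Constructed sample: a default-looking server.xml with the weak settings.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               allowTrace="true" xpoweredBy="true" enableLookups="true"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>"""

# Constructed sample: the same file after the ticket's changes.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.security.SecurityListener" checkedOsUsers="root" minimumUmask="0007"/>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" connectionTimeout="20000" maxHttpHeaderSize="8192"
               allowTrace="false" xpoweredBy="false"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="/opt/pentaho-webapps" unpackWARs="true"
            autoDeploy="false" deployOnStartup="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="access_log" suffix=".log" pattern="%h %t %H %m %U %s %q %r"/>
      </Host>
    </Engine>
  </Service>
</Server>"""


def _true(value, default="false"):
    """Interpret a Tomcat boolean attribute, using Tomcat's default when absent."""
    return (value if value is not None else default).strip().lower() == "true"


def audit_server_xml(xml_text):
    """Return a list of (cis_item, message) for settings that fail the checklist."""
    root = ET.fromstring(xml_text)
    findings = []

    # 3.1 / 3.2: either disable the shutdown port or change the default command.
    if root.get("port", "8005") != "-1" and root.get("shutdown") == "SHUTDOWN":
        findings.append(("3.1", "shutdown port open with the default command SHUTDOWN"))

    # 10.17 / 10.18: the required listeners are direct children of <Server>.
    listeners = {l.get("className") for l in root.findall("Listener")}
    if "org.apache.catalina.core.JreMemoryLeakPreventionListener" not in listeners:
        findings.append(("10.17", "JreMemoryLeakPreventionListener missing"))
    if "org.apache.catalina.security.SecurityListener" not in listeners:
        findings.append(("10.18", "SecurityListener missing"))

    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if _true(conn.get("allowTrace")):                                    # 2.6
            findings.append(("2.6", f"connector {port}: allowTrace=true"))
        if _true(conn.get("xpoweredBy")):                                    # 2.4
            findings.append(("2.4", f"connector {port}: xpoweredBy=true"))
        if _true(conn.get("enableLookups")):                                 # 10.16
            findings.append(("10.16", f"connector {port}: enableLookups=true"))
        if _true(conn.get("SSLEnabled")) and not (                           # 6.2-6.5
                conn.get("scheme") == "https" and _true(conn.get("secure"))):
            findings.append(("6.2", f"connector {port}: SSLEnabled without scheme=https/secure=true"))
        if int(conn.get("connectionTimeout", "60000")) > 60000:              # 10.10
            findings.append(("10.10", f"connector {port}: connectionTimeout above 60000"))
        if int(conn.get("maxHttpHeaderSize", "8192")) > 8192:                # 10.11
            findings.append(("10.11", f"connector {port}: maxHttpHeaderSize above 8192"))

    realms = [r.get("className", "") for r in root.iter("Realm")]
    for realm in realms:                                                     # 5.0
        if realm.endswith(("MemoryRealm", "JDBCRealm")):
            findings.append(("5.0", f"inappropriate realm {realm}"))
    if "org.apache.catalina.realm.LockOutRealm" not in realms:               # 5.1
        findings.append(("5.1", "no LockOutRealm wrapping the authentication realm"))

    for host in root.iter("Host"):
        name = host.get("name", "?")
        if _true(host.get("autoDeploy"), default="true"):                    # 9.2
            findings.append(("9.2", f"host {name}: autoDeploy enabled"))
        if _true(host.get("deployOnStartup"), default="true"):               # 9.3
            findings.append(("9.3", f"host {name}: deployOnStartup enabled"))
        valves = {v.get("className") for v in host.iter("Valve")}
        if "org.apache.catalina.valves.AccessLogValve" not in valves:        # 7.3
            findings.append(("7.3", f"host {name}: no AccessLogValve"))

    return findings


def failed_items(xml_text):
    """The set of CIS item numbers that fail, for a quick before/after comparison."""
    return {item for item, _ in audit_server_xml(xml_text)}


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, sorted(failed_items(text)))
```

Run it against a real file with `audit_server_xml(open("/path/to/conf/server.xml").read())`. The script only reads server.xml, so items that live elsewhere (2.5 and 10.12 in web.xml, 10.13 to 10.15 in context.xml, 10.6 to 10.9 in CATALINA_OPTS) still need a manual check.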

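Items 4.1 through 4.8 and 7.4 all reduce to one filesystem rule: owner tomcat_admin:tomcat, no group write, no world access, on every directory and file under CATALINA_HOME/CATALINA_BASE. The script below is an added example, not code from this ticket, Pentaho or the CIS benchmark. It walks a tree, reports each violation, emits the same chown/chmod lines the ticket uses, and can apply the chmod part itself (chown requires root and is only emitted as a command). The CATALINA_BASE it builds in build_sample_tree() is a constructed sample under a temporary directory; the owner and group names default to the ticket's tomcat_admin:tomcat.

```python
"""Audit and remediate permissions under CATALINA_HOME/CATALINA_BASE (CIS 4.x, 7.4).
Added example, not Pentaho's or the CIS benchmark's code. The sample tree is
constructed for the example; the owner/group default to the ticket's values."""
import grp
import os
import pwd
import stat
import tempfile

WORLD_BITS = stat.S_IRWXO      # o=rwx: CIS wants all of these removed
GROUP_WRITE = stat.S_IWGRP     # g=w:   CIS wants this removed


def _entries(root):
    """Yield every directory and file under root, root itself included."""
    for dirpath, _dirnames, filenames in os.walk(root):
        yield dirpath
        for name in filenames:
            yield os.path.join(dirpath, name)


def permission_findings(root, owner="tomcat_admin", group="tomcat"):
    """Return [(path, problem)] for entries violating the CIS 4.x / 7.4 rules."""
    findings = []
    for path in _entries(root):
        st = os.lstat(path)    # lstat: judge the link itself, never follow it
        if st.st_mode & WORLD_BITS:
            findings.append((path, "world-accessible"))
        if st.st_mode & GROUP_WRITE:
            findings.append((path, "group-writable"))
        try:
            actual = f"{pwd.getpwuid(st.st_uid).pw_name}:{grp.getgrgid(st.st_gid).gr_name}"
        except KeyError:       # uid/gid with no passwd/group entry
            actual = f"{st.st_uid}:{st.st_gid}"
        if actual != f"{owner}:{group}":
            findings.append((path, f"owned by {actual}, expected {owner}:{group}"))
    return findings


def mode_findings(root):
    """Permission findings only, ignoring ownership (for use when not running as root)."""
    return [f for f in permission_findings(root) if not f[1].startswith("owned by")]


def remediation_commands(findings, owner="tomcat_admin", group="tomcat"):
    """Translate findings into the chown/chmod lines used in the ticket."""
    cmds = set()
    for path, problem in findings:
        if problem.startswith("owned by"):
            cmds.add(f"chown {owner}:{group} {path}")
        else:
            cmds.add(f"chmod g-w,o-rwx {path}")
    return sorted(cmds)


def fix_modes(root):
    """Apply chmod g-w,o-rwx to everything under root (symlinks are skipped)."""
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        os.chmod(path, stat.S_IMODE(st.st_mode) & ~(WORLD_BITS | GROUP_WRITE))


def build_sample_tree():
    """Constructed sample: a CATALINA_BASE whose conf directory is too permissive."""
    base = tempfile.mkdtemp(prefix="catalina_base_")
    conf = os.path.join(base, "conf")
    os.mkdir(conf)
    with open(os.path.join(conf, "server.xml"), "w") as f:
        f.write('<Server port="-1" shutdown="SHUTDOWN"/>\n')
    os.chmod(base, 0o750)                                # already compliant
    os.chmod(conf, 0o775)                                # group-writable and world-accessible
    os.chmod(os.path.join(conf, "server.xml"), 0o644)   # world-readable
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for cmd in remediation_commands(permission_findings(base)):
        print(cmd)
    fix_modes(base)
    print("after fix:", mode_findings(base))
```

When run as a non-root user every entry also shows an ownership finding (the files belong to whoever ran the script), which is why mode_findings() exists; on the real host run permission_findings() as root after the chown so both halves of the rule are verified.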
Created June 25, 2021 at 2:11 PM
Updated March 3, 2023 at 6:44 PM
