Open-source middleware: Tomcat server security configuration baseline guide

Source: Internet
Author: User

This document defines the security configuration standards for the Tomcat web servers maintained and managed by the Information Systems Department. It is intended to guide system administrators in configuring Tomcat web servers securely. It applies to Tomcat 4.x, 5.x and 6.x.
Chapter 2 Account management, authentication and authorization

1.1 Accounts

1.1.1 Shared account management
Baseline item: Tomcat shared account management
Baseline No.: SBL-Tomcat-02-01-01
Description: Each user should be allocated a separate account. Avoid sharing one account between different users, and avoid sharing accounts between user logons and device-to-device communication.
Check operation steps
1. Reference configuration
Edit the tomcat/conf/tomcat-users.xml configuration file and modify or add an account:
<user username="tomcat" password="Tomcat!234" roles="admin"/>
2. Supplementary instructions
(1) Use a different account name for each user, so that the access log (Chapter 3) can attribute every management action to one person.
(2) By default, the admin.xml configuration file does not exist in Tomcat 4.1.37, 5.5.27 and 6.0.18.
Baseline conformity judgment basis
1. Judgment conditions
Every account is assigned to a single named user and can log on to the Tomcat web server normally.
2. Detection operations
Visit the management page http://ip:8080/manager/html and log on with each account.
Remarks: applies to the accounts used to manage the Tomcat server.

1.1.2 Unrelated account management
Baseline item: Tomcat unrelated account management
Baseline No.: SBL-Tomcat-02-01-02
Description: Accounts that are unrelated to device operation and maintenance should be deleted or locked.
Check operation steps
1. Reference configuration
Edit the tomcat/conf/tomcat-users.xml configuration file and delete the accounts that are not needed for work.
For example, if tomcat1 is unrelated to operations and maintenance, delete its entry:
<user username="tomcat1" password="tomcat" roles="admin"/>
Tomcat reads tomcat-users.xml when it starts, so restart the service after editing the file before running the check below.
Baseline conformity judgment basis
1. Judgment conditions
A deleted account that was unrelated to work can no longer log on.
2. Detection operations
Visit the management page http://ip:8080/manager/html and try to log on with the deleted account; the logon must fail.
Remarks: none.

1.2 Passwords
1.2.1 Password complexity
Baseline item: Tomcat password complexity
Baseline No.: SBL-Tomcat-02-02-01
Description: For devices that use static password authentication, the password should be at least 8 characters long and contain at least two of the following character types: digits, lowercase letters, uppercase letters and special characters.
Check operation steps
1. Reference configuration
Set the password in the tomcat/conf/tomcat-users.xml configuration file:
<user username="tomcat" password="Tomcat!234" roles="admin"/>
2. Supplementary instructions
Password requirements: at least 8 characters, containing at least two of the four character types (digits, lowercase letters, uppercase letters, special characters).
Note that tomcat-users.xml stores these passwords in clear text unless the Realm in server.xml is configured with a digest attribute, so read access to the file should be limited to the account Tomcat runs as.
Baseline conformity judgment basis
1. Judgment conditions
The account passwords in tomcat/conf/tomcat-users.xml meet the complexity requirements above.
2. Detection operations
(1) Manually check whether the account passwords in the configuration file meet the requirements.
(2) Use a Tomcat weak-password scanning tool to scan the Tomcat web server remotely on a regular schedule and check whether any account has a weak password.
3. Additional instructions
When using a weak-password scanning tool, limit the number of scanning threads and similar settings to avoid unnecessary load on the server, and run the scan when server load is low.
Remarks: none.

1.2.2 Password history
Baseline item: Tomcat password history
Baseline No.: SBL-Tomcat-02-02-02
Description: For devices that use static password authentication, a password lifetime configured in days should be supported; an account password should not be used for more than 90 days.
Check operation steps
1. Reference configuration
Change the passwords of the accounts used to manage the Tomcat web server regularly, at intervals of no more than 90 days. Tomcat's file-based realm does not expire passwords by itself, so the 90-day rotation has to be enforced by an operational procedure (for example a scheduled change task) and verified by the check below.
Baseline conformity judgment basis
1. Judgment conditions
Logging on with an account password that is more than 90 days old fails.
2. Detection operations
Try to log on with a password that has been in use for more than 90 days; the logon must fail.
Remarks: applies to all versions 4.x, 5.x and 6.x.

1.3 Authorization
1.3.1 User rights assignment
Baseline item: Tomcat user rights assignment
Baseline No.: SBL-Tomcat-02-03-01
Description: Within the permission configuration capability of the device, configure each user with the minimum permissions required by business needs.
Check operation steps
1. Reference configuration
Edit the tomcat/conf/tomcat-users.xml configuration file and modify the user's role permissions.
For example, to authorize the tomcat account for remote management:
<user username="tomcat" password="Tomcat!234" roles="admin,manager"/>
2. Supplementary instructions
(1) Tomcat 4.x and 5.x user roles are divided into four types: role1, tomcat, admin and manager.
role1: read permission;
tomcat: read and run permissions;
admin: read, run and write permissions;
manager: remote management permissions.
Tomcat 6.0.18 has only the admin and manager roles, and admin users have manager permissions.
(2) In Tomcat 4.1.37, 5.5.27 and later, no account other than an admin user has manager permissions by default.
(3) The manager role allows deploying web applications, which amounts to running arbitrary code on the server, so grant it only to the accounts that actually deploy.
Baseline conformity judgment basis
1. Judgment conditions
Logging on to the remote management page with the tomcat account succeeds, and accounts without the manager role cannot reach it.
2. Detection operations
Log on to http://ip:8080/manager/html with the tomcat account and perform remote management.
Remarks: none.
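The items in 1.1 to 1.3 can be checked in one pass over tomcat-users.xml instead of by eye. The script below is an added example for this guide, not Tomcat code; it parses the user element format used by Tomcat 4.1 to 6.0 (the Tomcat 4.0 attribute name is also accepted), flags passwords that fail the 1.2.1 rule, flags one password reused by several accounts (a shared credential, 1.1.1), and flags admin or manager roles on accounts that are not in an approved list (1.3.1). The sample file, the approved list and the choice of admin and manager as the privileged roles are assumptions made for the example.

```python
"""Audit tomcat/conf/tomcat-users.xml against the account, password and role
baseline items. Added example; not part of Tomcat."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample file for this example (not taken from any real server).
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="Tomcat!234" roles="admin,manager"/>
  <user username="ops_zhang" password="Tomcat!234" roles="manager"/>
  <user username="tomcat1" password="tomcat" roles="admin"/>
  <user username="deploy" password="deploy2008" roles="manager"/>
  <user username="reader" password="Read0nly!" roles="role1"/>
</tomcat-users>
"""

# Roles that grant remote management (1.3.1). Assumption for the example:
# any account holding one of them must be on the approved list.
PRIVILEGED_ROLES = {"admin", "manager"}
MIN_LENGTH = 8      # 1.2.1: at least 8 characters
MIN_CLASSES = 2     # 1.2.1: at least two character types


def char_classes(password):
    """Count the character types present: digits, lower, upper, special."""
    patterns = (r"[0-9]", r"[a-z]", r"[A-Z]", r"[^0-9A-Za-z]")
    return sum(1 for p in patterns if re.search(p, password))


def meets_complexity(password):
    return len(password) >= MIN_LENGTH and char_classes(password) >= MIN_CLASSES


def parse_users(xml_text):
    """Return a list of {username, password, roles} dicts from tomcat-users.xml."""
    users = []
    for elem in ET.fromstring(xml_text).iter("user"):
        name = elem.get("username") or elem.get("name")   # "name" in Tomcat 4.0
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        users.append({"username": name, "password": elem.get("password", ""),
                      "roles": roles})
    return users


def audit(xml_text, approved_admins=frozenset()):
    """Return a sorted list of (username, finding) tuples."""
    users = parse_users(xml_text)
    findings = []

    # 1.1.1: one password used by several accounts is a shared credential,
    # which defeats per-user accountability even if the names differ.
    by_password = defaultdict(list)
    for u in users:
        by_password[u["password"]].append(u["username"])
    for names in by_password.values():
        if len(names) > 1:
            for n in names:
                others = ", ".join(sorted(set(names) - {n}))
                findings.append((n, "password shared with: " + others))

    for u in users:
        if not meets_complexity(u["password"]):            # 1.2.1
            findings.append((u["username"], "password fails complexity rule"))
        privileged = u["roles"] & PRIVILEGED_ROLES         # 1.3.1 / 1.1.2
        if privileged and u["username"] not in approved_admins:
            findings.append((u["username"],
                             "unapproved privileged roles: " + ", ".join(sorted(privileged))))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_TOMCAT_USERS, approved_admins={"tomcat", "ops_zhang"}):
        print(f"{name}: {finding}")
```

Run it against the real file with the list of accounts that are allowed to deploy; every line of output is an account to fix, delete or lock under 1.1.2. Because the file is read at startup, re-run the check after the restart that makes the change effective.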
Chapter 3 Log configuration

2.1 Log configuration

2.1.1 Audit logon
Baseline item: Tomcat audit logon
Baseline No.: SBL-Tomcat-03-01-01
Description: The device should be configured with a logging function that records user logons, including the user account, whether the logon succeeded, the logon time and the IP address used by the user for remote logon.
Check operation steps
1. Reference configuration
Edit the server.xml configuration file and enable logging inside the <Host> element by removing the <!-- --> comment markers around the following content:
<Valve className="org.apache.catalina.valves.AccessLogValve"
       directory="logs" prefix="localhost_access_log." suffix=".txt"
       pattern="common" resolveHosts="false"/>
2. Supplementary instructions
className: must be set to org.apache.catalina.valves.AccessLogValve to use the default access log valve.
directory: the directory where the log files are stored. Tomcat has a logs folder dedicated to log files; it can be changed to another path.
prefix: the prefix of the log file name. With the settings above the log is named localhost_access_log.2008-10-22.txt, where the prefix is localhost_access_log.
suffix: the file name suffix.
pattern: the "common" pattern writes, for each request, the client IP address, the remote logname, the authenticated user name, the time, the request line (method, URL and protocol), the HTTP status code and the number of bytes sent. Since the manager application uses HTTP basic authentication, a failed logon appears as status 401 with user "-" and a successful one as status 200 with the account name, which covers the four items in the description.
resolveHosts: if true, Tomcat resolves the client IP address to a host name through DNS; if false, it writes the IP address directly. Keep it false: the IP address is what an investigation needs, and reverse DNS is both slow and controllable by the client's network.
Baseline conformity judgment basis
1. Judgment conditions
The log file in the logs directory contains complete records.
2. Detection operations
View the records in localhost_access_log.2008-10-22.txt.
3. Remarks: none.
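The detection step above is a manual read of the file. The script below is an added example for this guide, not part of Tomcat; it parses lines in the "common" pattern produced by the valve configured above and separates successful manager logons (the account, time and IP the baseline asks for) from 401 responses per client IP. The log lines are constructed for the example, and the /manager/ prefix and the 401/200 interpretation assume the manager application is protected by basic authentication as shipped.

```python
"""Extract manager logon events from Tomcat AccessLogValve "common" output.
Added example; not part of Tomcat."""
import re
from collections import Counter

# Constructed sample lines in the common format: %h %l %u %t "%r" %s %b
SAMPLE_LOG = """\
192.168.1.50 - - [22/Oct/2008:10:15:01 +0800] "GET /manager/html HTTP/1.1" 401 1293
192.168.1.50 - - [22/Oct/2008:10:15:03 +0800] "GET /manager/html HTTP/1.1" 401 1293
192.168.1.50 - - [22/Oct/2008:10:15:06 +0800] "GET /manager/html HTTP/1.1" 401 1293
192.168.1.50 - tomcat [22/Oct/2008:10:15:10 +0800] "GET /manager/html HTTP/1.1" 200 10213
10.0.0.7 - - [22/Oct/2008:10:16:22 +0800] "GET /index.jsp HTTP/1.1" 200 523
10.0.0.9 - - [22/Oct/2008:10:17:40 +0800] "GET /manager/html HTTP/1.1" 401 1293
this line is not in the common format
"""

COMMON = re.compile(
    r'^(?P<host>\S+) (?P<logname>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

MANAGER_PREFIX = "/manager/"   # assumption: manager app at its default path


def parse_line(line):
    """Return the fields of one common-format line, or None if it does not match."""
    m = COMMON.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["url"] = parts[1] if len(parts) > 1 else ""
    return rec


def manager_requests(lines):
    """Parsed records whose URL is under the manager application."""
    return [r for r in map(parse_line, lines) if r and r["url"].startswith(MANAGER_PREFIX)]


def successful_logons(lines):
    """(ip, user, time) for authenticated manager requests."""
    return [(r["host"], r["user"], r["time"]) for r in manager_requests(lines)
            if r["status"] == 200 and r["user"] != "-"]


def failed_logons_by_ip(lines, threshold=1):
    """Count 401 responses on the manager app per client IP, keeping IPs at or above threshold."""
    counts = Counter(r["host"] for r in manager_requests(lines) if r["status"] == 401)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("successful:", successful_logons(lines))
    print("failed (3 or more):", failed_logons_by_ip(lines, threshold=3))
```

With basic authentication the browser's first request carries no credentials, so one 401 per session is normal; a run of 401s from the same IP before a 200, as in the sample, is what indicates password guessing, which is why the threshold exists.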
Chapter 4 Security configuration of the IP protocol

3.1 IP protocol

3.1.1 Supported encryption protocols
Baseline item: Tomcat supported encryption protocols
Baseline No.: SBL-Tomcat-04-01-01
Description: For devices that are maintained remotely over HTTP, the device should support an encrypted protocol such as HTTPS.
Check operation steps
1. Reference configuration
(1) Use the JDK's built-in keytool to generate a key pair and a self-signed certificate:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/my/keystore
When keytool prompts for the key password, use the same value as the keystore password; Tomcat 4.x to 6.x read the key with the keystorePass value. A self-signed certificate encrypts the connection but does not let clients verify the server; for production management interfaces import a certificate issued by the organization's CA into the same keystore.
(2) Edit the tomcat/conf/server.xml configuration file to enable HTTPS by adding the following lines (this is the Tomcat 4.0 connector syntax; Tomcat 5.x and 6.x use a single Connector element with the same settings as attributes):
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="100"
           enableLookups="true" acceptCount="10" debug="0"
           scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false"
           keystoreFile="/path/to/my/keystore" keystorePass="runway"
           protocol="TLS"/>
</Connector>
The keystorePass value is the password entered when the keystore was generated.
(3) Restart the Tomcat service.
Adding the HTTPS connector does not remove the plain HTTP connector on port 8080; remote management only goes over HTTPS if the manager application is restricted to a confidential transport or the HTTP connector is disabled.
Baseline conformity judgment basis
1. Judgment conditions
Logging on to the Tomcat server page over HTTPS succeeds.
2. Detection operations
Log on to the Tomcat server management page over HTTPS.
Remarks: none.
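The connector shown above is the Tomcat 4.0 form. The fragment below is an added example for this guide (not copied from a Tomcat distribution) giving the equivalent Tomcat 5.5 and 6.0 connector, plus the transport guarantee that forces the manager application onto it so that a logon over port 8080 is redirected to 8443 instead of sending the password in clear. The keystore path, keystore password and port numbers are placeholders.

```xml
<!-- tomcat/conf/server.xml: HTTPS connector in Tomcat 5.5 / 6.0 syntax.
     enableLookups is off so the access log records IP addresses, not DNS names. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/my/keystore" keystorePass="changeit"/>

<!-- webapps/manager/WEB-INF/web.xml: add the user-data-constraint to the
     existing security-constraint of the manager application. Requests that
     arrive on the plain connector are redirected to its redirectPort (8443). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTMLManger and Manager command</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After restarting, check both directions: https://ip:8443/manager/html must prompt for a logon, and http://ip:8080/manager/html must answer with a redirect to the HTTPS URL rather than a password prompt.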
Chapter 5 Other device configuration operations

4.1 Security management

4.1.1 Timed logout
Baseline item: Tomcat timed logout
Baseline No.: SBL-Tomcat-05-01-01
Description: Devices with an interactive interface should support automatic timed logout of the account; after logout, the user must log on again to access the system.
Check operation steps
1. Reference configuration
Edit the tomcat/conf/server.xml configuration file and set the connection timeout to 30 seconds. The connectionTimeout attribute is in milliseconds, so 30 seconds is 30000:
<Connector port="8080" maxHttpHeaderSize="8192" maxThreads="150"
           minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="30000" disableUploadTimeout="true"/>
2. Supplementary instructions
connectionTimeout is the time the connector waits, after accepting a connection, for the request line to arrive; it closes idle TCP connections but does not end an authenticated session. Session expiry is controlled by the session-timeout value in tomcat/conf/web.xml (in minutes). The manager application uses HTTP basic authentication, so a browser that has cached the credentials re-authenticates silently until it is closed; administrators should close the browser after finishing management work.
Baseline conformity judgment basis
1. Judgment conditions
An idle connection is closed within 30 seconds, after which the client has to reconnect and authenticate again.
2. Detection operations
Log on to the Tomcat management page http://ip:8080/manager/html with the management account, stay idle for more than 30 seconds, and confirm that the connection has been closed.
3. Remarks: none.

4.1.2 Change the default port
Baseline item: Tomcat run port
Baseline No.: SBL-Tomcat-05-01-02
Description: Change the Tomcat server's default port.
Check operation steps
1. Reference configuration
(1) Edit the tomcat/conf/server.xml configuration file and change the default management port from 8080 to 8800:
<Connector port="8800" maxHttpHeaderSize="8192" maxThreads="150"
           minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="30000" disableUploadTimeout="true"/>
(2) Restart the Tomcat service.
2. Supplementary instructions
Changing the port only avoids the most casual scans; it does not replace authentication or network filtering, so access to the management port should still be limited to administrator addresses by a firewall. server.xml also contains the shutdown port (8005) and the AJP connector (8009) at their defaults; the shutdown port should be bound to localhost and the AJP connector removed if it is not used.
Baseline conformity judgment basis
1. Judgment conditions
The page can be reached on port 8800 and is no longer served on port 8080.
2. Detection operations
Log on to http://ip:8800 and confirm that http://ip:8080 no longer answers.
3. Remarks: none.

4.1.3 Error page handling
Baseline item: Tomcat error page
Baseline No.: SBL-Tomcat-05-01-03
Description: Redirect Tomcat error pages to custom pages. Tomcat's built-in error report shows the server version and, for uncaught exceptions, a stack trace, which reveals the software version and internal paths to the client.
Check operation steps
1. Reference configuration
(1) Check the tomcat/conf/web.xml file for error-page mappings such as:
<error-page>
  <error-code>404</error-code>
  <location>/noFile.htm</location>
</error-page>
...
<error-page>
  <exception-type>java.lang.NullPointerException</exception-type>
  <location>/error.jsp</location>
</error-page>
The location is resolved inside each web application, so the page named there must exist in every application deployed on the server, and the custom page itself must not print the exception.

Baseline conformity judgment basis
1. Judgment conditions
The requirements include the following parts:
Remarks: none.

4.1.4 Directory listing access restrictions
Baseline item: Tomcat directory listing
Baseline No.: SBL-Tomcat-05-01-04
Description: Disable Tomcat's listing of directory contents.
Check operation steps
1. Reference configuration
(1) Edit the tomcat/conf/web.xml configuration file and, in the init-param of the default servlet, change the listings value from true to false:
<init-param>
  <param-name>listings</param-name>
  <param-value>false</param-value>
</init-param>
Tomcat 4.x ships with listings set to true; later versions default to false, but the value should still be verified, and a web application's own WEB-INF/web.xml can override it.
(2) Restart the Tomcat service.
Baseline conformity judgment basis
1. Judgment conditions
When a web directory contains no welcome file such as index.html or index.jsp, the contents of the directory are not listed.
2. Detection operations
Access a directory URL directly, for example http://ip:8800/webadd/, and confirm that no file list is returned.
Remarks: none.
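Items 4.1.1, 4.1.3 and 4.1.4 all end up in tomcat/conf/web.xml. The fragment below is an added example for this guide, not a copy of the file Tomcat ships: it shows the default servlet with listings off, a session-timeout that expires idle sessions (the servlet specification only allows whole minutes, so 1 is the shortest value and the "30 seconds" of 4.1.1 cannot be expressed here), and error-page mappings that catch every HTTP error and every exception rather than only 404 and NullPointerException. The page paths are placeholders and must exist in each deployed application; the element order follows the web-app DTD, which matters for Tomcat 4.x.

```xml
<!-- tomcat/conf/web.xml fragments (added example). -->

<!-- 4.1.4: default servlet with directory listings disabled -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>

<!-- 4.1.1: idle sessions expire after 1 minute (value is in minutes) -->
<session-config>
  <session-timeout>1</session-timeout>
</session-config>

<!-- 4.1.3: custom pages for the common error codes and for any exception.
     java.lang.Throwable matches every uncaught exception, so no stack trace
     reaches the client. error-page belongs after welcome-file-list. -->
<error-page>
  <error-code>404</error-code>
  <location>/noFile.htm</location>
</error-page>
<error-page>
  <error-code>500</error-code>
  <location>/error.jsp</location>
</error-page>
<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/error.jsp</location>
</error-page>
```

To verify all three after a restart: request a directory without a welcome file (expect a 404 page without a listing), request a URL that does not exist (expect the custom page with no Tomcat version string), and let an authenticated session sit idle for more than a minute (expect to be asked to authenticate again on the next request).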
