ࡱ> ^] g2\p Sain, Joe Ba==-`c-8X@"1Arial1Arial1Arial1Arial1Arial1Arial1Arial1Arial1Arial1Arial1BCalibri1 BCalibri1BCalibri14BCalibri1 BCalibri1BCalibri1$BArial1BCalibri1,>BCalibri1>BCalibri1>BCalibri1'BArial1>BCalibri14BCalibri1<BCalibri1?BCalibri1h>BCambria1BCalibri1 BCalibri"$"#,##0_);\("$"#,##0\)!"$"#,##0_);[Red]\("$"#,##0\)""$"#,##0.00_);\("$"#,##0.00\)'""$"#,##0.00_);[Red]\("$"#,##0.00\)7*2_("$"* #,##0_);_("$"* \(#,##0\);_("$"* "-"_);_(@_).))_(* #,##0_);_(* \(#,##0\);_(* "-"_);_(@_)?,:_("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_)6+1_(* #,##0.00_);_(* \(#,##0.00\);_(* "-"??_);_(@_)"Yes";"Yes";"No""True";"True";"False""On";"On";"Off"],[$ -2]\ #,##0.00_);[Red]\([$ -2]\ #,##0.00\)                                                                      ff + ) , *      P  P         `             a   H 8 )8  @ @  @ )8  h )8 )8 )8 )8  (0  (  )8 )x x )x )x )x+ x+ )x+ )x+  (p+ )x+ (p+ )x+ )x/ x/ )x/ (p/ )x/ )x/ ||a'}A} 00_)ef[$ -}A} 00_)ef[$ -}A} 00_)ef[$ -}A} 00_)ef[$ -}A} 00_)ef[$ -}A} 00_)ef [$ -}A} 00_)L[$ -}A} 00_)L[$ -}A} 00_)L[$ -}A} 00_)L[$ -}A} 00_)L[$ -}A} 00_)L [$ -}A} 00_)23[$ -}A} 00_)23[$ -}A} 00_)23[$ -}A} 00_)23[$ -}A}  00_)23[$ -}A}! 00_)23 [$ -}A}" 00_)[$ -}A}# 00_)[$ -}A}$ 00_)[$ -}A}% 00_)[$ -}A}& 00_)[$ -}A}' 00_) [$ -}A}( 00_)[$ -}}) }00_)[$ -##0.  }}* 00_)[$ -???##0.??? ??? ???}-}/ 00_)}(}0  00_)}A}1 a00_)[$ -}A}2 00_)[$ -}A}3 00_)?[$ -}A}4 00_)23[$ -}-}5 00_)}(}6  00_)}}7 ??v00_)̙[$ -##0.  }A}8 }00_)[$ -}A}9 e00_)[$ -}x};00_)[$##  }}< ???00_)[$???## ???  ??? ???}-}> 00_)}U}? 00_)[$## }-}@ 00_)}(}OL00_)}(}PL00_)}(}QL00_)}(}RL00_)}(}S2300_)}(}T2300_)}(}U2300_)}(}V2300_)}(}W2300_)}(}X2300_)}(}Y2300_)}(}Z2300_)}(}[ef 00_)}(}\ef 00_)}(}]ef 00_)}(}^ef 00_)}(}_ef 00_)}(}`ef 00_) 20% - Accent1M 20% - Accent1 ef % 20% - Accent2M" 20% - Accent2 ef % 20% - Accent3M& 20% - Accent3 ef % 20% - Accent4M* 20% - Accent4 ef % 20% - Accent5M. 20% - Accent5 ef % 20% - Accent6M2 20% - Accent6  ef % 40% - Accent1M 40% - Accent1 L % 40% - Accent2M# 40% - Accent2 L渷 % 40% - Accent3M' 40% - Accent3 L % 40% - Accent4M+ 40% - Accent4 L % 40% - Accent5M/ 40% - Accent5 L % 40% - Accent6M3 40% - Accent6  Lմ % 60% - Accent1M 60% - Accent1 23 % 60% - Accent2M$ 60% - Accent2 23ږ % 60% - Accent3M( 60% - Accent3 23כ % 60% - Accent4M, 60% - Accent4 23 % 60% - Accent5M0 60% - Accent5 23 %! 60% - Accent6M4 60% - Accent6  23 % "Accent1AAccent1 O % #Accent2A!Accent2 PM % $Accent3A%Accent3 Y % %Accent4A)Accent4 d % &Accent5A-Accent5 K % 'Accent6A1Accent6  F %(Bad9Bad  %) Calculation Calculation  }% * Check Cell Check Cell  %????????? ???+ Comma,( Comma [0]-&Currency.. Currency [0]/Explanatory TextG5Explanatory Text %0 F Followed Hyperlink   1Good;Good  a%2 Heading 1G Heading 1 I}%O3 Heading 2G Heading 2 I}%?4 Heading 3G Heading 3 I}%235 Heading 49 Heading 4 I}%64 Hyperlink   7InputuInput ̙ ??v% 8 Linked CellK Linked Cell }% 9NeutralANeutral  e%"Normal: Normal 10 2 ;Noteb Note   <OutputwOutput  ???%????????? ???=$Percent >Title1Title I}% ?TotalMTotal %OO@ Warning Text? Warning Text %XTableStyleMedium9PivotStyleMedium48dq:F3ffff̙̙3f3fff3f3f33333f33333\`wTomcat58 CCE IDCCE DescriptionCCE ParametersCCE Technical MechanismsMThe Java Security Manager (JSM) should be enabled or disabled as appropriate.(1) exist/not exist-(1) catalina.policy file under Catalina HomeSDID: AST0560 Category: 1 VULID: V0006215 MAC/Confidentiality Levels: MAC I  CSP, MAC II  CSP, MAC III  CSP IA Controls: ECRC-1 SDID Description: Application Security Manager is not turned on. Reference: Application Services STIG, Appendix B.3.5 ZTomcat should be configured to run with or without the Java Security Manager upon startup.h(1) '-security' command-line parameter on Tomcat startup -Djava.security.manager command line parameter6The Tomcat server port number should be set correctly.(1) port number;(1) ' >' element in server.xml,SDID: APS0560 Category: II VULID: V0012322 MAC/Confidentiality Levels: MAC I  CSP, MAC II  CSP, MAC III  CSP IA Controls: DCFA-1 SDID Description: Interfaces between the application server and external systems are not identified and secured. Reference: Application Services STIG, Section 3.2.6 TThe Tomcat Legacy JK AJP 1.3 connector should be enabled or disabled as appropriate.i(1) '' element in server.xmlNThe Tomcat Legacy JK AJP 1.3 connectors should listen on the specified ports.(1) 'port' attribute inside '' element in server.xmlRThe Tomcat Legacy HTTP/1.1 connector should be enabled or disabled as appropriate.t(1) '' element in server.xmlKThe Tomcat Legacy HTTP/1.1 connectors should listen on the specified ports.(1) 'port' attribute inside '' element in server.xml?The Tomcat login authentication method should be set correctly.!(1) BASIC/FORM/DIGEST/CLIENT_CERT/(1) Value of '' element in web.xml$SDID: APS0140 Category: II VULID: V0006202 MAC/Confidentiality Levels: MAC I  CSP, MAC II  CSP, MAC III  CSP IA Controls: IAIA-1, ECLO-2 SDID Description: Application server s client authentication process is inadequate. Reference: Application Services STIG, Appendix B.4.2, B.4.3, B.4.4BSecurity roles for the Tomcat manager app should be set correctly.(1) security role name](1) '' element inside '' element in the admin.xml file under TomcatSDID: AST0820 Category: II VULID: V0006225 MAC/Confidentiality Levels: MAC I  CSP, MAC II  CSP, MAC III  CSP IA Controls: ECLP-1 SDID Description: Admin and Manager Web Applications are not adequately restrictive. Reference: Application Services STIG, Section 3.4.1 @Security roles for the Tomcat admin app should be set correctly._(1) '' element inside '' element in the manager.xml file under Tomcat?Access to the Tomcat Admin app should be denied as appropriate.(1) list of IPs@Access to the Tomcat Admin app should be allowed as appropriate.AAccess to the Tomcat manager app should be denied as appropriate.BAccess to the Tomcat manager app should be allowed as appropriate.?The owner of the Tomcat home directory should be set correctly. (1) owner (1) via chownSDID: AST0340 Category: II VULID: V0006207 MAC/Confidentiality Levels: MAC I  CSP, MAC II  CSP, MAC III  CSP IA Controls: ECCR-1, ECCR-2 SDID Description: OS level file permissions are not adequately restrictive. Reference: Application Services STIG, Appendix B.2 ?The group of the Tomcat home directory should be set correctly. (1) group (1) via chgrpFThe permissions for the Tomcat home directory should be set correctly.(1) permissionsEThe owner of the Tomcat home/conf/ directory should be set correctly.EThe group of the Tomcat home/conf/ directory should be set correctly.LThe permissions for the Tomcat home/conf/ directory should be set correctly.?The owner of the tomcat-users.xml file should be set correctly.?The group of the tomcat-users.xml file should be set correctly.FThe permissions for the tomcat-users.xml file should be set correctly.pThe password digest algorithm for JDBCRealm (database) connections should be enabled or disabled as appropriate.k(1) 'digest' attribute inside '' element in server.xmlSDID: AST0310 Category: II VULID: V0006204 MAC/Confidentiality Levels: MAC I  CSP, MAC II  CSP, MAC III  CSP IA Controls: ECCR-1, ECCR-2 SDID Description: Sensitive application data is not adequately protected at rest. Reference: Application Services STIG, Appendix B.3 JThe JDBCRealm (database) password digest algorithm should be set correctly(1) SHA/MD2/MD5lThe password digest algorithm for JNDIRealm (LDAP) connections should be enabled or disabled as appropriate.k(1) 'digest' attribute inside '' element in server.xmlHThe JNDIRealm (LDAP) password digest should be configured appropriately._The secure attribute should be set as appropriate for the specified Tomcat HTTP/1.1 connectors.$(1) TARGET: connector (2) true/falseGThe Tomcat WARP connector should be enabled or disabled as appropriate.dGranting of all permissions to Tomcat web applications should be enabled or disabled as appropriate.d(1) 'permission java.security.AllPermission' line(s) inside 'grant{}' statement in catalina.policy 5The example files should be installed as appropriate."(1) located in /examples directorySDID: AST0610 Category: II VULID: V0006217 MAC/Confidentiality Levels: MAC I  CSP, MAC II  CSP, MAC III  CSP IA Controls: DCSQ-1 SDID Description: Application server default content has not been removed. Reference: Application Services STIG, Appendix B.6 2The WebDAV app should be installed as appropriate. (1) located in /webdav directory3The Tomcat-docs should be installed as appropriate.%(1) located in /tomcat-docs directory4The Balancer app should be installed as appropriate."(1) located in /balancer directory?The example server.xml file should be installed<l as appropriate..(1) located in the Tomcat home/conf/ directory/Tomcat should be run by the appropriate account&SDID: ASG0520 Category: II VULID: V0006211 MAC/Confidentiality Levels: MAC I  CSP, MAC II  CSP, MAC III  CSP IA Controls: ECLP-1 SDID Description: The application server process runs with privileges not necessary for proper operation. Reference: Application Services STIG, Appendix B.3.5 ;Tomcat should be run with the appropriate group membership.Apache Tomcat 5.5 Security Manager HOW-TO Standard Permissions http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.htmljTomcat web application JVM property read permissions should be set correctly for the specified properties.(1) TARGET: JVM propertyf(1) 'permission java.util.PropertyPermission' line(s) inside 'grant{}' statement in catalina.policy kTomcat web application JVM property write permissions should be set correctly for the specified properties.>http://tomcat.apache.org/tomcat-4.1-doc/config/connectors.html<The Tomcat HTTP/1.1 connector should be enabled or disabled.(1) exists/ not existYThe Tomcat HTTP/1.1 connector should be configured appropriately for the specified ports.-(1) TARGET: port number (2) exists/ not existL(1) secure attribute in a line in server.xmleThe secure attribute should be set as appropriate for the specified Tomcat JK/JK2 AJP 1.3 connectors.6(1) '' element in server.xmlUThe Tomcat WARP connector should be configured appropriately for the specified ports.M(1) 'port' attribute inside '' element in server.xmlJJULI container level logging should be enabled or disabled as appropriate.The Apache Tomcat 5.5 Servlet/JSP Container Logging in Tomcat java.util.logging http://tomcat.apache.org/tomcat-5.5-doc/logging.htmlbThe Tomcat Legacy JK AJP 1.3 connector should be configured appropriately for the specified ports.QThe Tomcat JK/JK2 AJP 1.3 connector should be enabled or disabled as appropriate._The Tomcat JK/JK2 AJP 1.3 connector should be configured appropriately for the specified ports.qApache Tomcat Configuration Reference The HTTP Connector http://tomcat.apache.org/tomcat-5.5-doc/config/http.html(1) logging.properties file`The JULI FileHandler save directory should be configured appropriately for the specified classes(1) TARGET: class (2) directoryG(1) .org.apache.juli.FileHandler.directory in logging.propertiesWThe JULI FileHandler threshold level should be set correctly for the specified classes.B(1) TARGET: class (2) FINEST/FINER/FINE/CONFIG/INFO/WARNING/SEVERED(1) .org.apache.juli.FileHandler.level in logging.propertiesD(1) .org.apache.juli.FileHandler.prefix in logging.properties[The JULI FileHandlerlog file name prefix should be set correctly for the specified classes.(1) TARGET: class (2) prefix8Apache Software Foundation Apache Tomcat 4 Documentation:Apache Software Foundation Apache Tomcat 5.5 DocumentationDThe Tomcat user account should be locked or unlocked as appropriate.(1) locked/unlocked(1) via passwd/Using a Non-root User in the chroot Jail pg 145cTomcat The Definitive Guide Ch 6 Tomcat Security http://oreilly.com/catalog/tomcat/chapter/ch06.pdf(1) '' element inside the '' element in the manager.xml file under Tomcat(1) '' element inside the '' element in the manager.xml file under Tomcat(1) '' element inside the '' element in the admin.xml file under Tomcat(1) '' element inside the '' element in the admin.xml file under Tomcat:(1) '' element in server.xmlR(1) 'port' attribute inside '' element in server.xml;(1) '' element in server.xmlS(1) 'port' attribute inside '' element in server.xmlT(1) security attribute inside '' element in server.xmlh(1) '' element in server.xml(1) 'port' attribute inside '' element in server.xml~APPLICATION SERVICES SECURITY CHECKLIST Version 1, Release 1.1 31 July 2006 Section 3A App_sService_Checklist_Sec3A_V1R1-1.doc CCE-27473-8 CCE-27687-3 CCE-27749-1 CCE-27391-2 CCE-27398-7 CCE-27706-1 CCE-27614-7 CCE-27704-6 CCE-27615-4 CCE-27754-1 CCE-27644-4 CCE-27723-6 CCE-27746-7 CCE-27269-0 CCE-27624-6 CCE-27532-1 CCE-27751-7 CCE-27524-8 CCE-27747-5 CCE-27376-3 CCE-27113-0 CCE-27538-8 CCE-27689-9 CCE-27159-3 CCE-27760-8 CCE-27681-6 CCE-27717-8 CCE-27429-0 CCE-27673-3 CCE-27738-4 CCE-27758-2 CCE-27450-6 CCE-27402-7 CCE-27551-1 CCE-27665-9 CCE-27729-3 CCE-27467-0 CCE-27637-8 CCE-27703-8 CCE-27552-9 CCE-27488-6 CCE-27539-6 CCE-26982-9 CCE-27603-0 CCE-27504-0 CCE-27585-9 CCE-27543-8 CCE-27527-1 CCE-27478-7 CCE-27655-0 CCE-27493-6 CCE-27629-5 CCE-27028-0 CCE-27659-2Last modfied: 2013-02-11Version: 5.20130214o3 O4M:y= @CEAHLN ORnVYy[2^ a` b@eG&gghvhh_Vii?cc PK![Content_Types].xmlN0EH-J@%ǎǢ|ș$زULTB l,3;rØJB+$G]7O٭VMԯNDJ++2a,/$nECA6٥D-ʵ? dXiJF8,nx (MKoP(\HbWϿ})zg'8yV#x'˯?oOz3?^?O?~B,z_=yǿ~xPiL$M>7Ck9I#L nꎊ)f>\<|HL|3.ŅzI2O.&e>Ƈ8qBۙ5toG1sD1IB? }J^wi(#SKID ݠ1eBp{8yC]$f94^c>Y[XE>#{Sq c8 >;-&~ ..R(zy s^Fvԇ$*cߓqrB3' }'g7t4Kf"߇ފAV_] 2H7Hk;hIf;ZX_Fڲe}NM;SIvưõ[H5Dt(?]oQ|fNL{d׀O&kNa4%d8?L_H-Ak1h fx-jWBxlB -6j>},khxd׺rXg([x?eޓϲكkS1'|^=aѱnRvPK! ѐ'theme/theme/_rels/themeManager.xml.relsM 0wooӺ&݈Э5 6?$Q ,.aic21h:qm@RN;d`o7gK(M&$R(.1r'JЊT8V"AȻHu}|$b{P8g/]QAsم(#L[PK-![Content_Types].xmlPK-!֧6 0_rels/.relsPK-!kytheme/theme/themeManager.xmlPK-!0ktheme/theme/theme1.xmlPK-! ѐ' theme/theme/_rels/themeManager.xml.relsPK]  g2 LxNB  dMbP?_*+%&?'?(?)?"d,,??&U} } I9C} $C} 2C} A} %[}  S} mS} O} C} L  ;` ` B @                             N N B B B B G \ To Tp Pu H I J IG ]UVQKKK M I J I G ]UVQKKK M I J I G ]UVQKKK M I J I G] WUVQKKK M J J I G] WUVQKKK M I J I G] WUVQKKK M J J I G] WU VQKKK M I I I G ^ UVQKKK M I I I G ] UVQKKK M I I I  G ] UVQKKK M I! I" Jx G ] UVQKKK M I# I" JyG ]UVQKKK M I$ I" JvG ]UVQKKK M I% I" JwG ]UVQKKK M I& I' I(G ])UVQKKK M I* I+ I,G ])UVQKKK M I- I. I(G ])UVQKKK M I/ I' I(G ])UVQKKK M I0 I+ I,G ])UVQKKK M I1 I. I(G ])UVQKKK M I2 I' I(G ])UVQKKK M I3 I+ I,G ])UVQKKK M I4 I. I(G ])UVQKKK M I5 I I6G ]7UVQKKK M I8 I9 I6G ]7UVQKKK M I: I I;G ]7UVQKKK M I< I9 I;G ]7UVQKKK M IV IW I| G]U XdQKKK M IX IY J} G]U XdQKKK Dl~fffhhhhffffffffffffffffffffh ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ?  M I= I> JZ G]U Xd QKKK !M !Jb !J !Jz !G]U !Xd!QKKK "M "Jc "J "J{ "G]U "Xd"QKKK #M #I[ #J #J~ #G]U #Xd#QKKK $M $I $J $I $G] $UU$VQKKK %M %Ia %J %I %G] %UU%VQKKK &M &I? &J &I\ &G] &UU&VQKKK 'M 'I] 'J 'I^ 'G] 'UU'VQKKK (M (I_ (JW (Je (G]U (Y`(QKKK )M )Ji )Jj )Jk )G]U )Y`)QKKK *M *Jf *Jg *Jh *G]U *Y`*QKKK +M +Jm +Jn +Jl +G]U +Y`+QKKK ,M ,J@ ,J ,JA ,G]U ,YP,QKKK -M -IB -I -IC-G -]D-UVQKKK .M .IE .I .IF.G .]D.UVQKKK /M /IG /I /IH/G /]D/UVQKKK 0M 0II 0I 0IJ0G 0]D0UVQKKK 1M 1IK 1I 1IL1G 1]D1UVQKKK 2M 2IM 2I 2I(2G 2]N2UVQKKK 3M 3IO 3I 3I,3G 3]N3UVQKKK 4M 4LQ 4LR 4LS 4G^V 4YP4QKKK 5M 5LT 5LR 5LS 5G_V 5YP5QKKK 6M 6KM 6K 6K(6G 6^N6VVQKKK 7M 7KO 7K 7K,7G 7^N7VVQKKK 8M 8Kq 8Kr 8Ks8G_VV 8Qt 8 KKK 9EFFF9`ZZRFFF :D;D<D=D>D?DD lhhhhhhhhhhhhhfffffffhhffh* @ABCDEFGHIJK@DADBDCDDDEDFDGDHDIDJDKDh >@CBA  Identify Technical MechanismsEach technical meachanism should be identifed by a number. Therefore text in this cell should always begin with '(1) ', and additional technical mechanisms should be called out by '(#)'.FL@Bs(1) @  45ggD@ Oh+'0@H`t Sain, Joseph A. Sain, JoeMicrosoft Macintosh Excel@`s,@V՜.+,0HP X`hp x  Tomcat5  Worksheets  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLNOPQRSTVWXYZ[\Root Entry F;±WorkbookSSummaryInformation(MDocumentSummaryInformation8U