serverxml-stig.patch
--- apache-tomcat-9.0.82/conf/server.xml.orig 2023-10-11 06:15:08.000000000 -0700
+++ apache-tomcat-9.0.82/conf/server.xml 2023-11-01 15:10:46.070928865 -0700
@@ -19,13 +19,14 @@
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
-<Server port="8005" shutdown="SHUTDOWN">
+<Server port="-1" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!-- APR library loader. Documentation at /docs/apr.html -->
- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ <!-- NOTE: ONLY TURN FIPS MODE ON IF YOU HAVE AN SSL CONNECTOR ENABLED; this is likely not true during your initial setup -->
+ <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="off" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
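Review bot: The new comment on the AprLifecycleListener explains when to turn FIPSMode on, but the more consequential change in this hunk, `port="-1"` on `<Server>`, is left undocumented; an operator who later runs `shutdown.sh` will find it cannot connect and may conclude Tomcat is broken. Add a one-line comment above the Server element such as `<!-- Shutdown port disabled per STIG; stop Tomcat via the process (catalina.sh stop -force with CATALINA_PID), not via the port -->`. With the port disabled the retained `shutdown="SHUTDOWN"` string is inert, which is fine but worth saying in the same comment. `FIPSMode="off"` is, as far as I recall, the Tomcat default, so that attribute is documentary only; the note should make clear it is a reminder rather than a hardening step.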
@@ -70,7 +71,10 @@
connectionTimeout="20000"
redirectPort="8443"
maxParameterCount="1000"
- />
+ xpoweredby="false"
+ server="webthing"
+ address="admin must fill in"
+ />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
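Review bot: `address="admin must fill in"` is written into the live HTTP connector (the one closed by the `/>` added at the end of this hunk's changed lines), so the patched server.xml ships with a sentinel that is not a bind address; Tomcat resolves `address` as a host name, and a value that does not resolve is, as far as I can tell, logged as a warning and dropped, leaving the connector bound to all interfaces, the opposite of the intent. Either make this a build-time substitution token that the RPM spec replaces, or leave the attribute out of the patch and carry the instruction as a comment, e.g. `<!-- STIG: set address="<management-ip>" so the connector binds only the intended interface -->`. Separately, Tomcat documents this attribute as `xpoweredBy` (camel case); properties are applied by reflection on setter names, so the lowercase `xpoweredby` may not be recognised, and although the default is already false the line would not be doing what it claims. The same three added lines recur in hunks `@@ -78,6 +82,9 @@`, `@@ -89,8 +96,11 @@` and `@@ -106,8 +116,11 @@`.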
@@ -78,6 +82,9 @@
connectionTimeout="20000"
redirectPort="8443"
maxParameterCount="1000"
+ xpoweredby="false"
+ server="webthing"
+ address="admin must fill in"
/>
-->
<!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
@@ -89,8 +96,11 @@
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
- maxThreads="150" SSLEnabled="true"
+ maxThreads="150" SSLEnabled="true" SLEnabledProtocols="TLSv1.2"
maxParameterCount="1000"
+ xpoweredby="false"
+ server="webthing"
+ address="admin must fill in"
>
<SSLHostConfig>
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
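Review bot: `SLEnabledProtocols="TLSv1.2"` on the NIO connector is a typo for `sslEnabledProtocols`; Tomcat does not recognise the misspelt name, so when an admin uncomments this connector the protocol list is not restricted to TLSv1.2 as the patch intends, and nothing reports that. Change the line to `maxThreads="150" SSLEnabled="true" sslEnabledProtocols="TLSv1.2"`, or, since the per-connector form is the legacy one in Tomcat 9, put `protocols="TLSv1.2"` on the `<SSLHostConfig>` element that follows. Pinning only TLSv1.2 also excludes TLSv1.3; whether that is intended should be stated in a comment next to the attribute. The same typo appears in the APR connector hunk `@@ -106,8 +116,11 @@`. This `<Connector>` element continues past the end of the hunk.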
@@ -106,8 +116,11 @@
-->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
- maxThreads="150" SSLEnabled="true"
+ maxThreads="150" SSLEnabled="true" SLEnabledProtocols="TLSv1.2"
maxParameterCount="1000"
+ xpoweredby="false"
+ server="webthing"
+ address="admin must fill in"
>
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
@@ -119,16 +132,6 @@
</Connector>
-->
- <!-- Define an AJP 1.3 Connector on port 8009 -->
- <!--
- <Connector protocol="AJP/1.3"
- address="::1"
- port="8009"
- redirectPort="8443"
- maxParameterCount="1000"
- />
- -->
-
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
@@ -149,30 +152,26 @@
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
- <Realm className="org.apache.catalina.realm.LockOutRealm">
- <!-- This Realm uses the UserDatabase configured in the global JNDI
- resources under the key "UserDatabase". Any edits
- that are performed against this UserDatabase are immediately
- available for use by the Realm. -->
- <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
- resourceName="UserDatabase"/>
+ <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="600">
+
</Realm>
<Host name="localhost" appBase="webapps"
- unpackWARs="true" autoDeploy="true">
+ unpackWARs="true" autoDeploy="false">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
-
+ <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/>
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log" suffix=".txt"
- pattern="%h %l %u %t "%r" %s %b" />
+ pattern="%h %l %u %t "%r" %s %b"
+ requestAttributesEnabled="true" />
</Host>
</Engine>