While I think I know the answer to my question, I wanted to double-check with the group to confirm.
I have been asked to perform the CIS Apache Tomcat 8 Benchmark (v1.1.0) on our production Tomcat installation, and I am looking through the questions / information extraction requests, and I suspect they are not really evaluating what they think they are, and furthermore encouraging bad practices.

For instance, the first entry I have in the spreadsheet I was provided is listed as follows:

    CIS Control: 2.1 Alter the Advertised server.info String (Scored)

    Description: The server.info attribute contains the name of the application service. This value is presented to Tomcat clients when clients connect to the tomcat server.

    Audit Procedures: Perform the following to determine if the server.info value has been changed: Extract the ServerInfo.properties file and examine the server.info attribute.

        $ cd $CATALINA_HOME/lib
        $ jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
        $ grep server.info org/apache/catalina/util/ServerInfo.properties

So, other than a few issues with the audit procedures, etc., this seems to be doing the following:

a) evaluating a default value which I believe can be overridden and thus may not actually reflect the value the server may provide to external clients

b) encouraging the modification of the catalina.jar contents to correct the default value

There are a few similar items (for server.number, server.built) (2.2, 2.3).

Thoughts / comments from "those in the know"?

Thanks,
Robert
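An added example (not part of the post, the CIS benchmark, or Tomcat itself) that contrasts the benchmark's jar-only check with an audit of the value Tomcat will actually advertise. It assumes, as the Tomcat security documentation describes, that a file at CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties overrides the copy inside catalina.jar; the catalina.jar and override file it reads are fabricated in a temporary directory so the script runs offline, and the "Web Server" and "Apache Tomcat/8.5.0" strings are constructed sample values.

```python
"""Audit server.info: stock default in catalina.jar vs. the effective value.

Assumption (not from the original post): Tomcat 8 prefers
CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties over the copy
bundled in catalina.jar, so an altered value normally lives there and the jar
stays untouched. The fixture builder fabricates a minimal installation.
"""
import re
import tempfile
import zipfile
from pathlib import Path

PROPS_ENTRY = "org/apache/catalina/util/ServerInfo.properties"
# Stock values look like "Apache Tomcat/8.5.0"; anything else is treated as altered.
STOCK_INFO_RE = re.compile(r"^Apache Tomcat/\d")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def jar_defaults(catalina_home: Path) -> dict:
    """What the benchmark's 'jar xf ...; grep server.info' step looks at."""
    jar = catalina_home / "lib" / "catalina.jar"
    with zipfile.ZipFile(jar) as zf:
        return parse_properties(zf.read(PROPS_ENTRY).decode("utf-8"))


def effective_values(catalina_home: Path, catalina_base: Path) -> dict:
    """Values Tomcat will use: the CATALINA_BASE override (assumed location) wins."""
    values = jar_defaults(catalina_home)
    override = catalina_base / "lib" / PROPS_ENTRY
    if override.is_file():
        values.update(parse_properties(override.read_text(encoding="utf-8")))
    return values


def audit(catalina_home: Path, catalina_base: Path) -> dict:
    """Report the jar default, the effective value, and a PASS/FAIL on the latter."""
    jar_info = jar_defaults(catalina_home).get("server.info", "")
    eff_info = effective_values(catalina_home, catalina_base).get("server.info", "")
    return {
        "jar_default": jar_info,
        "effective": eff_info,
        "jar_looks_stock": bool(STOCK_INFO_RE.match(jar_info)),
        "status": "FAIL" if STOCK_INFO_RE.match(eff_info) else "PASS",
    }


def build_fixture(root: Path, jar_info: str, override_info=None):
    """Fabricate CATALINA_HOME/CATALINA_BASE with a tiny catalina.jar (constructed data)."""
    home, base = root / "home", root / "base"
    (home / "lib").mkdir(parents=True)
    (base / "lib").mkdir(parents=True)
    body = (f"server.info={jar_info}\nserver.number=8.5.0.0\n"
            "server.built=Jan 1 2000 00:00:00 UTC\n")
    with zipfile.ZipFile(home / "lib" / "catalina.jar", "w") as zf:
        zf.writestr(PROPS_ENTRY, body)
    if override_info is not None:
        target = base / "lib" / PROPS_ENTRY
        target.parent.mkdir(parents=True)
        target.write_text(f"server.info={override_info}\n", encoding="utf-8")
    return home, base


def run_demo() -> dict:
    """Audit two constructed installs: one stock, one overridden outside the jar."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        home, base = build_fixture(Path(d) / "stock", "Apache Tomcat/8.5.0")
        results["stock"] = audit(home, base)
        home, base = build_fixture(Path(d) / "overridden", "Apache Tomcat/8.5.0", "Web Server")
        results["overridden"] = audit(home, base)
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

In the second fixture the jar still reports the stock string, so the benchmark's grep would flag the control as failed even though clients never see that value; checking the effective value is what tells an auditor whether the advertised string was changed without anyone repacking catalina.jar.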