Thanks Peter. Just to be clear that I have no concern about the goal of the test -- only the method for obtaining the information, and the "implied" correction.
After going through the rest of the document I was provided, it seems to "get more modern" as the questions go on -- suggesting the method of improvement is additive, and possibly not corrective.

On Tue, Sep 5, 2023 at 9:36 AM Peter Kreuser <l...@kreuser.name> wrote:
> Robert,
>
> While Mark Thomas will have a more detailed answer to this...
>
> The finding behind this test is valid (information disclosure with server version in responses), though the remediation listed here is from looong time ago, when there was no ErrorReportValve to purge the version info.
>
> So the CIS Tomcat 8(!) Guide is pretty outdated! Probably in more than this spot...
>
> Peter
>
> > On 05.09.2023 at 14:03, Robert Turner <rtur...@e-djuster.ca> wrote:
> >
> > While I think I know the answer to my question, I wanted to double-check with the group to confirm.
> >
> > I have been asked to perform the CIS Apache Tomcat 8 Benchmark (v1.1.0) on our production Tomcat installation, and I am looking through the questions / information extraction requests, and I suspect they are not really evaluating what they think they are, and furthermore encouraging bad practices.
> >
> > For instance, the first entry I have in the spreadsheet I was provided is listed as follows:
> >
> > CIS Control:
> > 2.1 Alter the Advertised server.info String (Scored)
> >
> > Description:
> > The server.info attribute contains the name of the application service. This value is presented to Tomcat clients when clients connect to the tomcat server.
> >
> > Audit Procedures:
> > Perform the following to determine if the server.info value has been changed:
> > Extract the ServerInfo.properties file and examine the server.info attribute.
> > $ cd $CATALINA_HOME/lib
> > $ jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
> > $ grep server.info org/apache/catalina/util/ServerInfo.properties
> >
> >
> > So, other than a few issues with the audit procedures, etc. This seems to be doing the following:
> >
> > a) evaluating a default value which I believe can be overridden and thus may not actually reflect the value the server may provide to external clients
> > b) encouraging the modification of the catalina.jar contents to correct the default value
> >
> > There are a few similar items (for server.number, server.built) (2.2, 2.3).
> >
> >
> > Thoughts / comments from "those in the know"?
> >
> > Thanks,
> >
> > Robert
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
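Robert's point (a) and Peter's ErrorReportValve remark come down to the same thing: the jar's default server.info is not what an auditor needs to know; what a client can actually observe in a response is. The following is an added example, not code from the thread or from the CIS benchmark: it reads the value the CIS step greps for and compares it with the version strings visible in an HTTP response. The ServerInfo.properties text, the two 404 responses and the version 8.5.32 are constructed samples; the hardened response assumes the ErrorReportValve showServerInfo="false" setting and the Connector server attribute, which are real Tomcat options the thread does not name.

```python
import re

# Constructed sample data, not captured from any real server.
# The jar default that the CIS audit step greps for:
JAR_PROPERTIES = "server.info=Apache Tomcat/8.5.32\nserver.number=8.5.32.0\n"
# A default 404 page, whose footer echoes server.info to the client:
LEAKY_RESPONSE = (
    "HTTP/1.1 404 \r\nContent-Type: text/html;charset=utf-8\r\n\r\n"
    "<html><head><title>HTTP Status 404 - Not Found</title></head>"
    "<body><h1>HTTP Status 404 - Not Found</h1><hr/>"
    "<h3>Apache Tomcat/8.5.32</h3></body></html>"
)
# The same page from a server with ErrorReportValve showServerInfo="false"
# and a Connector server="app-frontend" attribute; catalina.jar is untouched:
HARDENED_RESPONSE = (
    "HTTP/1.1 404 \r\nServer: app-frontend\r\n"
    "Content-Type: text/html;charset=utf-8\r\n\r\n"
    "<html><head><title>HTTP Status 404 - Not Found</title></head>"
    "<body><h1>HTTP Status 404 - Not Found</h1><hr/></body></html>"
)
VERSION_RE = re.compile(r"Apache Tomcat/\d+(?:\.\d+)+")

def jar_server_info(properties_text):
    """server.info as stored in ServerInfo.properties, or None if absent."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server.info":
            return value.strip()
    return None

def observed_versions(raw_response):
    """Every Tomcat version string a client can see in one HTTP response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    found = set(VERSION_RE.findall(headers.get("server", "")))
    found.update(VERSION_RE.findall(body))  # ErrorReportValve title/footer
    return sorted(found)

def audit(properties_text, raw_response):
    """Report the jar default next to what the server actually advertises."""
    default = jar_server_info(properties_text)
    seen = observed_versions(raw_response)
    return {"jar_default": default, "observed": seen, "disclosed": bool(seen)}

if __name__ == "__main__":
    print(audit(JAR_PROPERTIES, LEAKY_RESPONSE))     # disclosed: True
    print(audit(JAR_PROPERTIES, HARDENED_RESPONSE))  # disclosed: False
```

Run against a real installation, the response would come from an HTTP request for a non-existent path; the jar default stays the same in both cases, which is exactly why grepping it does not answer the benchmark's question.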