On 28/10/2024 21:44, Leroy Mims wrote:
My place of work prefers DISA STIGed software. I contacted DISA about STIGs
for Tomcat 10.1 and they said that the organization that produces the
software has to request that it be STIGed. The idea of applying Tomcat 9
STIGs to Tomcat 10.1 was rejected and DISA STIGs are preferable to CIS
Benchmarks.
Thank you.
Leroy Mims

I am not aware of any plans for the Tomcat team to request a STIG assessment for Tomcat 10. Should such a proposal be made, I would argue strongly NOT to make such a request.

My personal recommendation is to avoid the STIG recommendations at all costs. The last time I reviewed the latest STIG for Tomcat it contained a large amount of utter nonsense. I've just looked up the latest recommendations (2024-05-23) for Tomcat 9 and it still contains this howler:

https://www.stigviewer.com/stig/apache_tomcat_application_server_9/2024-05-23/finding/V-222950

That such a finding was written, reviewed and approved gives me zero confidence in the entire STIG process.

We started a community review of the previous Tomcat 9 STIG:

https://cwiki.apache.org/confluence/display/TOMCAT/Community+Review+of+DISA+STIG

I lost interest after the first half-dozen or so issues due to the sheer volume of problems I was finding and that no-one else seemed interested in either contributing or in the results.

The CIS benchmarks appear to be of better quality but they still contain some issues such as not fully accounting for the correct secure connector settings when running Tomcat behind a reverse proxy.

I did reach out to the CIS benchmark folks to point out some of the errors I found but their response was rather disappointing. It was - essentially - join our review team and provide all the corrections for free (so we can then sell the benchmark to commercial customers).

I don't mind contributing to community resources - I wouldn't be contributing to open source if I did - but I do object to being asked to provide my time at zero cost to support someone else's commercial product.

What I do recommend is start with the security how-to in the Tomcat docs and then ask any questions you have here.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org