Mark,
On 10/29/24 04:03, Mark Thomas wrote:
On 28/10/2024 21:44, Leroy Mims wrote:
My place of work prefers DISA STIGed software. I contacted DISA about
STIGs for Tomcat 10.1 and they said that the organization that produces
the software has to request that it be STIGed. The idea of applying
Tomcat 9 STIGs to Tomcat 10.1 was rejected, and DISA STIGs are
preferable to CIS Benchmarks.
Thank you.
Leroy Mims
I am not aware of any plans for the Tomcat team to request a STIG
assessment for Tomcat 10. Should such a proposal be made, I would argue
strongly NOT to make such a request.
-0
I kinda feel like if they want to write another guide that doesn't
provide any security, they can go ahead. I don't know why "the vendor"
needs to make a request. We certainly didn't make a request for Tomcat 9
that I can recall and yet it seems to exist.
My personal recommendation is to avoid the STIG recommendations at all
costs. The last time I reviewed the latest STIG for Tomcat it contained
a large amount of utter nonsense. I've just looked up the latest
recommendations (2024-05-23) for Tomcat 9 and it still contains this
howler:
https://www.stigviewer.com/stig/apache_tomcat_application_server_9/2024-05-23/finding/V-222950
That such a finding was written, reviewed and approved gives me zero
confidence in the entire STIG process.
+1
We started a community review of the previous Tomcat 9 STIG:
https://cwiki.apache.org/confluence/display/TOMCAT/Community+Review+of+DISA+STIG
I lost interest after the first half-dozen or so issues, due to the sheer
volume of problems I was finding and because no-one else seemed
interested either in contributing or in the results.
Same here. After a while it just turned into reading "security controls"
that didn't provide any security and/or completely misunderstood the
settings. It seemed to miss a lot of things I would have in a decent
runbook.
The CIS benchmarks appear to be of better quality but they still contain
some issues such as not fully accounting for the correct secure
connector settings when running Tomcat behind a reverse proxy.
I did reach out to the CIS benchmark folks to point out some of the
errors I found, but their response was rather disappointing. It was -
essentially - join our review team and provide all the corrections for
free (so we can then sell the benchmark to commercial customers).
I don't mind contributing to community resources - I wouldn't be
contributing to open source if I did - but I do object to being asked to
provide my time at zero cost to support someone else's commercial product.
I 100% agree with this. We are happy to provide community support, but
I'm not going to work for free for a commercial company to sell my work.
What I do recommend is start with the security how-to in the Tomcat docs
and then ask any questions you have here.
While I agree with this, it's not going to make Leroy's employer any
happier. They want a DISA STIG, they're gonna demand a DISA STIG.
-chris