Maxie,

You're probably referring to a DoD or similar security requirement. In the Web Server STIG, Rule ID SV-2236r8 says, "Installation of compilers on production web server is prohibited." The explanation provided is, "The presence of a compiler on a production server facilitates the malicious user's task of creating custom versions of programs and installing Trojan Horses or viruses. For example, the attacker's code can be uploaded and compiled on the server under attack."

There are exceptions to this rule. The same STIG says, "This check does not prohibit the use of the .Net Framework or the Java compiler for Oracle", and "An exception is the Java Development Kit installed in conjunction with a WebSphere service or Java Server Page (JSP)". You need to push back and tell your Security Auditors that the Java and Jasper compilers are required for Tomcat. Provide any documentation they require.

Steve

-----Original Message-----
From: users-return-237320-STEVEN.J.ADAMUS=saic....@tomcat.apache.org [mailto:users-return-237320-STEVEN.J.ADAMUS=saic....@tomcat.apache.org] On Behalf Of Wiley, Maxie
Sent: Monday, October 22, 2012 6:18 AM
To: users-subscr...@tomcat.apache.org; users@tomcat.apache.org
Subject: tomcat question

ALL,

Is it possible to remove an installation of a compiler on a production web server (tomcat)? Is there a way to remove the compiler, or is it required in order for the system to function properly? Could you please send me a precise summary of why and any steps that can be taken to mitigate any potential risk associated with the compiler remaining in place. This is for a security issue on my production system.

Thanks for your time and support!

Maxie Wiley III
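
One way to gather evidence for the auditors, as an added example (not part of the original thread, and not taken from the STIG or the Tomcat project): a shell function that walks a search path, reports native compilers as findings, and lists `javac` separately for review under the Java exceptions quoted above. The binary name lists and the `FINDING`/`REVIEW` labels are assumptions to adapt to local policy.

```shell
#!/bin/sh
# Added example: inventory compiler binaries on a production web server.
# The name lists below are assumptions, not taken from the STIG text.
NATIVE_COMPILERS="gcc g++ cc c++ clang clang++ gfortran"
JAVA_COMPILERS="javac"

# is_program FILE: true if FILE is an executable regular file (not a directory).
is_program() {
    [ -f "$1" ] && [ -x "$1" ]
}

# find_compilers SEARCH_PATH
# SEARCH_PATH is colon-separated, like $PATH.
# Prints one line per hit: "<label> <name> <full path>"
#   FINDING  native compiler with no exception in the quoted rule text
#   REVIEW   Java compiler; check it against the JDK/JSP exception
find_compilers() {
    search_path=$1
    old_ifs=$IFS
    IFS=:
    for dir in $search_path; do
        IFS=$old_ifs            # restore so the name lists split on spaces
        if [ -d "$dir" ]; then
            for name in $NATIVE_COMPILERS; do
                if is_program "$dir/$name"; then
                    echo "FINDING $name $dir/$name"
                fi
            done
            for name in $JAVA_COMPILERS; do
                if is_program "$dir/$name"; then
                    echo "REVIEW $name $dir/$name"
                fi
            done
        fi
    done
    IFS=$old_ifs
    return 0
}

# Scan the path given as the first argument, or $PATH by default.
find_compilers "${1:-$PATH}"
```

`FINDING` lines are candidates for removal; `REVIEW` lines are the ones to document as required by Tomcat for JSP compilation.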