On 11/02/2016 19:20, Edward Hart (c) wrote:
> Q1: Can Tomcat be configured to 'roll back' if a patch update causes a TC
> failure on a production server?

The question makes no sense since there is no such thing as a patch update for Tomcat.

> Q2: Can TC be configured to fail to a known safe state in the event of
> server failure during operation?

Define "server failure". Define "safe state". Generally if Tomcat ever entered an "unsafe state" that would be a security vulnerability.

> I am developing a Security Technical Implementation Guide (STIG) for Tomcat. A
> STIG is essentially a detailed checklist for hardening a given technology.
> DoD uses them to provide cyber defense.
>
> Finding configurable ways to satisfy the below 2 requirements is proving
> difficult.
>
> Req 1 : The web server must augment re-creation to a stable and known
> baseline.
>
> Req 2 : The web server must be built to fail to a known safe state if system
> initialization fails, shutdown fails, or aborts fail.

Define "an abort".

> Req 1 is intended to provide a means to roll back to a last known stable
> environment in case a patch fails.

One could argue that is met by using separate $CATALINA_HOME and $CATALINA_BASE (see RUNNING.txt). One could also argue that since all configuration is in the $CATALINA_BASE/conf directory, integration with the DoD configuration management system of choice should be trivial.

> Req 2 is intended to provide fail safe environments in case something
> (perhaps an attacker) causes system failure.

See comment above regarding unsafe states.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
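The $CATALINA_HOME / $CATALINA_BASE split that Mark points at, worked through as an added shell example; this is not code from the thread or from the Tomcat project. It keeps one immutable install directory per Tomcat version, a `current` symlink that selects which one is in use, and a separate $CATALINA_BASE holding conf/, webapps/ and the other per-instance directories. An "upgrade" repoints the symlink, a rollback repoints it to the previous target, and the instance configuration is never touched by either, which is the property a STIG check for "return to a known baseline" would look for. The directory layout, the version strings and the stand-in install directories are assumptions made for the demo.

```sh
#!/bin/sh
# Added example, not from the thread or the Tomcat project: one way to get
# "roll back to a last known stable baseline" from the $CATALINA_HOME /
# $CATALINA_BASE split described in RUNNING.txt.
#
#   $HOMES/apache-tomcat-<ver>/   one immutable Tomcat install per version
#   $HOMES/current                symlink -> the install actually in use
#   $BASE/                        $CATALINA_BASE: conf/, webapps/, logs/ ...
#
# Upgrading is repointing the symlink; rolling back is repointing it to the
# previous target. $CATALINA_BASE (and so conf/) is never touched by either
# operation, so it can live under whatever configuration management you use.
#
# All paths and version strings are assumptions for the demo, and the
# "installs" are stand-ins (a bin/ with a version marker), not real tarballs.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
HOMES="$ROOT/opt/tomcat"             # parent of the versioned installs
BASE="$ROOT/srv/tomcat/instance1"    # this instance's $CATALINA_BASE

# Stand-in for unpacking apache-tomcat-<ver>.tar.gz under $HOMES (constructed).
make_home() {
    d="$HOMES/apache-tomcat-$1"
    mkdir -p "$d/bin" "$d/lib"
    printf 'Server version: Apache Tomcat/%s\n' "$1" > "$d/bin/version.txt"
}

# Minimal $CATALINA_BASE: only what the instance owns (constructed server.xml).
make_base() {
    mkdir -p "$BASE/conf" "$BASE/webapps" "$BASE/logs" "$BASE/temp" "$BASE/work"
    printf '<Server port="-1" shutdown="SHUTDOWN"></Server>\n' > "$BASE/conf/server.xml"
}

# Point $HOMES/current at a version, recording what it replaced so rollback()
# knows where to go. Refuses unknown versions rather than dangling the link.
activate() {
    target="$HOMES/apache-tomcat-$1"
    [ -d "$target" ] || { echo "no such install: $target" >&2; return 1; }
    if [ -L "$HOMES/current" ]; then
        readlink "$HOMES/current" > "$HOMES/.previous"
    fi
    ln -sfn "$target" "$HOMES/current"
}

# Put the previous install back. The .previous record is consumed, so a second
# rollback in a row fails loudly instead of flip-flopping between versions.
rollback() {
    [ -s "$HOMES/.previous" ] || { echo "nothing to roll back to" >&2; return 1; }
    prev=$(cat "$HOMES/.previous")
    [ -d "$prev" ] || { echo "previous install is gone: $prev" >&2; return 1; }
    ln -sfn "$prev" "$HOMES/current"
    : > "$HOMES/.previous"
}

# Version string of whatever "current" points at.
current_version() {
    sed -n 's|^Server version: Apache Tomcat/||p' "$HOMES/current/bin/version.txt"
}

# Checksum over every file in conf/, to prove that switching installs leaves
# the instance configuration byte-for-byte unchanged.
conf_fingerprint() {
    (cd "$BASE/conf" && find . -type f | LC_ALL=C sort | xargs cat | cksum)
}

# The environment a real startup.sh would be given for this instance.
start_command() {
    printf 'CATALINA_HOME=%s CATALINA_BASE=%s %s/bin/startup.sh\n' \
        "$HOMES/current" "$BASE" "$HOMES/current"
}

# Demo: install two versions, "patch" to the newer one, then roll back.
make_home 9.0.0          # assumed version strings
make_home 9.0.1
make_base
activate 9.0.0
echo "baseline:       $(current_version)"
activate 9.0.1
echo "after upgrade:  $(current_version)"
rollback
echo "after rollback: $(current_version)"
start_command
```

In a real deployment the instance is stopped before `activate`/`rollback` and started again afterwards, the new install directory is verified against the checksum and PGP signature published with the Tomcat release before it is ever made `current`, and `$BASE/conf` is what the configuration management system tracks; the versioned install directories should be owned by a different user than the one Tomcat runs as, so a compromised instance cannot rewrite its own binaries.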