On 13/06/2023 15:07, Christopher Schultz wrote:
> On 6/12/23 15:52, Mark Thomas wrote:
>> On 12/06/2023 19:13, jonmcalexan...@wellsfargo.com.INVALID wrote:
>>> I'm asking because we are doing a review of our base settings. We are
>>> using the CIS Benchmarks as a verification. One of these states to
>>> set metadata-complete to true. We have never used this setting in the
>>> past and I am worried about potential application breakage causing
>>> outages if we suddenly start setting this setting. Is there any
>>> potential issue with using this and if so what?
>>> I know it's a convoluted question, but trying to mitigate risk as
>>> much as possible.
>> I've just done a quick review of the v1.2.0 benchmark for Tomcat 9.
>> <snip/>
> Sounds like
> https://cwiki.apache.org/confluence/display/TOMCAT/Community+Review+of+DISA+STIG
> Shall we put together a community response to the CIS benchmarks?
No objection to anything I've written here being copied to the wiki.
Not sure I'll have too much time to contribute beyond that at the moment.
> <snip/>
>> In terms of the recommendation, I'd ignore the metadata-complete
>> suggestion. If your application does use fragments and/or annotations
>> stuff will break.
> +1
> The metadata-complete thing isn't really a security control. IMHO it's
> much more of a performance optimization like "I know for sure I don't
> scatter my configuration around, so don't bother going to scan for it."
Good point. The more often you start the web app, the more impact this
will have.
Mark
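A pre-check a deployer could run before adopting that benchmark item, added here as an example (it is not code from the thread or from the Tomcat project): it inspects a WAR for the two things metadata-complete="true" tells the container to stop reading, web-fragment.xml files in WEB-INF/lib jars and servlet annotations in compiled classes, so the setting is only applied where nothing would silently break. The WAR produced by build_sample_war is constructed for the demonstration; the class-file entry is a stand-in carrying only the annotation descriptor a real constant pool would hold.

```python
import io
import re
import zipfile

# Descriptor strings found in a class file's constant pool when the class
# carries a servlet annotation (javax for Servlet <= 4.0, jakarta for 5.0+).
ANNOTATION_MARKERS = (b"Ljavax/servlet/annotation/", b"Ljakarta/servlet/annotation/")
FRAGMENT_PATH = "META-INF/web-fragment.xml"
METADATA_COMPLETE_RE = re.compile(rb'metadata-complete\s*=\s*"(true|false)"')

def _uses_servlet_annotations(class_bytes: bytes) -> bool:
    return any(marker in class_bytes for marker in ANNOTATION_MARKERS)

def scan_war(war_bytes: bytes) -> dict:
    """Report what metadata-complete="true" would stop the container from reading."""
    report = {"metadata_complete": None, "fragments": [], "annotated_classes": []}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
        if "WEB-INF/web.xml" in names:
            m = METADATA_COMPLETE_RE.search(war.read("WEB-INF/web.xml"))
            report["metadata_complete"] = (m.group(1) == b"true") if m else None
        for name in names:
            if name.startswith("WEB-INF/classes/") and name.endswith(".class"):
                if _uses_servlet_annotations(war.read(name)):
                    report["annotated_classes"].append(name)
            elif name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(war.read(name))) as jar:
                    for entry in jar.namelist():
                        if entry == FRAGMENT_PATH:
                            report["fragments"].append(f"{name}!/{entry}")
                        elif entry.endswith(".class") and _uses_servlet_annotations(jar.read(entry)):
                            report["annotated_classes"].append(f"{name}!/{entry}")
    return report

def safe_to_set_metadata_complete(report: dict) -> bool:
    # Only safe when nothing the setting disables is actually present in the WAR.
    return not report["fragments"] and not report["annotated_classes"]

def build_sample_war() -> bytes:
    """Constructed sample: no metadata-complete attribute, one annotated class, one jar with a fragment."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr(FRAGMENT_PATH, "<web-fragment/>")
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/web.xml", '<web-app version="4.0"></web-app>')
        # Stand-in for a compiled class: class-file magic plus the annotation descriptor the constant pool would hold.
        war.writestr("WEB-INF/classes/com/example/HelloServlet.class", b"\xca\xfe\xba\xbe" + b"Ljavax/servlet/annotation/WebServlet;")
        war.writestr("WEB-INF/lib/frag.jar", jar_buf.getvalue())
    return war_buf.getvalue()
```

Run scan_war over each deployed WAR; only where safe_to_set_metadata_complete returns True does the benchmark item cost nothing but the scan time Christopher mentions.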