Robert,

While Mark Thomas will have a more detailed answer to this...

The finding behind this test is valid (information disclosure with server 
version in responses), though the remediation listed here is from a looong time 
ago, when there was no ErrorReportValve to purge the version info.

So the CIS Tomcat 8(!) Guide is pretty outdated! Probably in more than this 
spot...

Peter

> On 05.09.2023 at 14:03, Robert Turner <rtur...@e-djuster.ca> wrote:
> 
> While I think I know the answer to my question, I wanted to double-check
> with the group to confirm.
> 
> I have been asked to perform the CIS Apache Tomcat 8 Benchmark (v1.1.0) on
> our production Tomcat installation, and I am looking through the questions
> / information extraction requests, and I suspect they are not really
> evaluating what they think they are, and furthermore encouraging bad
> practices.
> 
> For instance, the first entry I have in the spreadsheet I was provided is
> listed as follows:
> 
> CIS Control:
> 2.1 Alter the Advertised server.info String (Scored)
> 
> Description:
> The server.info attribute contains the name of the application service.
> This value is presented to Tomcat clients when clients connect to the
> tomcat server.
> 
> Audit Procedures:
> Perform the following to determine if the server.info value has been
> changed:
> Extract the ServerInfo.properties file and examine the server.info
> attribute.
> $ cd $CATALINA_HOME/lib
> $ jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
> $ grep server.info org/apache/catalina/util/ServerInfo.properties
> 
> 
> So, other than a few issues with the audit procedures, etc., this seems to
> be doing the following:
> 
> a) evaluating a default value which I believe can be overridden and thus
> may not actually reflect the value the server may provide to external
> clients
> b) encouraging the modification of the catalina.jar contents to correct the
> default value
> 
> There are a few similar items (for server.number, server.built) (2.2, 2.3).
> 
> 
> Thoughts / comments from "those in the know"?
> 
> Thanks,
> 
> Robert

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org