The Bonsai Framework also provides a pre-packaged portable and secured version of Tomcat. This document outlines the hardening steps taken.

Unzip

The steps begin with a tar.gz version of Tomcat from the Apache website and the setup begins in the serveradmin home directory.

...

cd apache
mv apache-tomcat-6.0.32 tomcat.0

Change Folder and File Permissions

Only svradm and members of the staff group should have access to work with Tomcat. As a sudo-enabled user, run:

sudo chown -R serveradmin:staff ./tomcat.0/ 
sudo chmod 750 ./tomcat.0/
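An added audit script (not part of the Bonsai Framework page) that checks what the two commands above are meant to achieve, so the result can be verified after the fact or re-checked later. It builds a constructed tomcat.0 tree in a temporary directory and audits it once as the page leaves it and once after the permissions have been loosened; the world-writable check on files below the top directory is stricter than the page's single chmod and is labelled as such.

```python
"""Audit that a Tomcat install tree matches the chown/chmod hardening step.

Added example, not the page's own code. Rules checked:
  * every entry is owned by expected_uid:expected_gid (what chown -R gives);
  * the top directory is exactly 0750: owner rwx, group r-x, others nothing,
    so users outside the staff group cannot traverse into it (chmod 750);
  * nothing below is world-writable (an extra defence-in-depth check that
    goes beyond the page's single chmod).
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path


def audit_tomcat_tree(root, expected_uid, expected_gid):
    """Return a list of (path, problem) findings; an empty list means compliant."""
    root = Path(root)
    findings = []
    for path in [root, *root.rglob("*")]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink modes are not meaningful; the target is audited on its own
        mode = stat.S_IMODE(st.st_mode)
        if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
            findings.append((str(path),
                             f"owner {st.st_uid}:{st.st_gid}, expected {expected_uid}:{expected_gid}"))
        if path == root and mode != 0o750:
            findings.append((str(path), f"top-level mode {mode:04o}, expected 0750"))
        elif path != root and mode & stat.S_IWOTH:
            findings.append((str(path), f"world-writable mode {mode:04o}"))
    return findings


def demo():
    """Build a constructed tomcat.0 tree, audit it hardened, then loosened."""
    base = Path(tempfile.mkdtemp())
    tomcat = base / "tomcat.0"
    (tomcat / "conf").mkdir(parents=True)
    (tomcat / "conf" / "server.xml").write_text("<Server/>\n")  # constructed placeholder
    os.chmod(tomcat, 0o750)
    os.chmod(tomcat / "conf", 0o750)
    os.chmod(tomcat / "conf" / "server.xml", 0o640)
    # The tree was created by this process, so its own uid/gid stand in for serveradmin:staff.
    uid, gid = tomcat.stat().st_uid, tomcat.stat().st_gid

    hardened = audit_tomcat_tree(tomcat, uid, gid)

    # Loosen the tree the way a freshly unpacked tarball often arrives.
    os.chmod(tomcat, 0o755)
    os.chmod(tomcat / "conf" / "server.xml", 0o666)
    loosened = audit_tomcat_tree(tomcat, uid, gid)

    shutil.rmtree(base)
    return {"hardened": hardened, "loosened": loosened}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {len(findings)} finding(s)")
        for path, problem in findings:
            print(f"  {path}: {problem}")
```

Against a real install, call `audit_tomcat_tree("~/apache/tomcat.0", pwd.getpwnam("serveradmin").pw_uid, grp.getgrnam("staff").gr_gid)` after expanding the path.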

Remove Unnecessary Files

Delete sample applications,

...

Info

Per p9 of Center for Internet Security, Security Configuration Benchmark for Apache Tomcat 5.5/6.0 Version 1.0.0.

Remove Unnecessary Ports

By default Tomcat listens to the following ports,

...

Info

Per p11 of Center for Internet Security, Security Configuration Benchmark for Apache Tomcat 5.5/6.0 Version 1.0.0.
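An added example (not part of the page) that makes the "remove unnecessary ports" step verifiable: it parses conf/server.xml with the standard library, reports every TCP port the configuration would bind (the shutdown port on the Server element and each Connector), and flags those outside an allow-list as candidates for removal. The sample server.xml is constructed here; its ports (8005 shutdown, 8080 HTTP, 8009 AJP) follow the Tomcat 6 default configuration, which the page's elided list does not reproduce.

```python
"""List the TCP listeners a Tomcat server.xml would open and flag unexpected ones.

Added example, not the page's own code. The sample configuration below is
constructed and mirrors the Tomcat 6 default connectors.
"""
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def list_listeners(server_xml):
    """Return [(kind, port, protocol)] for every port the configuration would bind.

    port="-1" on <Server> disables the shutdown listener entirely, so it is skipped;
    a Connector without a protocol attribute defaults to HTTP/1.1.
    """
    root = ET.fromstring(server_xml)
    listeners = []
    shutdown_port = int(root.get("port", "8005"))
    if shutdown_port != -1:
        listeners.append(("shutdown", shutdown_port, "shutdown command"))
    for connector in root.iter("Connector"):
        port = int(connector.get("port", "0"))
        listeners.append(("connector", port, connector.get("protocol", "HTTP/1.1")))
    return listeners


def unexpected_listeners(server_xml, allowed_ports):
    """Listeners whose port is not in allowed_ports: the ones to remove or disable."""
    return [entry for entry in list_listeners(server_xml) if entry[1] not in allowed_ports]


if __name__ == "__main__":
    for kind, port, protocol in list_listeners(SAMPLE_SERVER_XML):
        print(f"{kind:10} {port:6} {protocol}")
    print("not in allow-list {8080}:", unexpected_listeners(SAMPLE_SERVER_XML, {8080}))
```

Run it against a real file with `unexpected_listeners(open("conf/server.xml").read(), {8080})` and compare the output with `ss -ltnp` on the host after a restart.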

Remove Server Information Details

By default Tomcat broadcasts server details to clients through the server.info string stored in catalina.jar. This information could be used by an attacker to determine vulnerabilities.

Temporarily Setup Java Development Kit

To work with catalina.jar, we will use the jar command provided with the Java Development Kit (JDK). Assuming the JDK is not installed on your Ubuntu server, refer to the 9.0 Zero Footprint Java on Ubuntu to temporarily set up your JDK in the java directory under the serveradmin home directory.

Update Property File

export PATH=$PATH:~/java/bin # Temporarily add the JDK execution directory to serveradmin path.
cd ~/apache/tomcat.0/lib
jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

...

cd ~/apache/tomcat.0/lib
jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
rm -rf ./org/ # Clean up unnecessary directory.
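An added example (not the Bonsai Framework's procedure) that performs the same extract, edit and update cycle as the jar commands above using Python's zipfile module, since a JAR is a ZIP archive, and then reads the values back so the verification step can be scripted. The sample catalina.jar, its manifest and the property values are constructed here; the entry path and server.info come from the page, while server.number and server.built are the other two keys Tomcat keeps in that file. The replacement values are an arbitrary generic choice.

```python
"""Rewrite ServerInfo.properties inside catalina.jar without a JDK, then verify.

Added example, not the page's own code. A JAR is a ZIP archive, so the
extract / edit / update cycle can be done with the zipfile module.
"""
import tempfile
import zipfile
from pathlib import Path

SERVER_INFO_ENTRY = "org/apache/catalina/util/ServerInfo.properties"

# Generic values that reveal neither product nor version (constructed choice).
SCRUBBED_VALUES = {
    "server.info": "Web Server",
    "server.number": "0.0.0.0",
    "server.built": "",
}


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value lines and
    '#'/'!' comments; no line continuations (ServerInfo.properties uses none)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def read_server_info(jar_path):
    """Return the ServerInfo.properties entry of a JAR as a dict (the verification step)."""
    with zipfile.ZipFile(jar_path) as zf:
        # .properties files are ISO-8859-1 by specification.
        return parse_properties(zf.read(SERVER_INFO_ENTRY).decode("latin-1"))


def scrub_server_info(jar_path, replacements=SCRUBBED_VALUES):
    """Copy every entry into a new archive, replacing only ServerInfo.properties,
    then swap the new archive over the original. Reusing each ZipInfo keeps
    entry order and compression, so META-INF/MANIFEST.MF stays first."""
    jar_path = Path(jar_path)
    tmp_path = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == SERVER_INFO_ENTRY:
                props = parse_properties(data.decode("latin-1"))
                props.update(replacements)
                data = "".join(f"{k}={v}\n" for k, v in props.items()).encode("latin-1")
            dst.writestr(info, data)
    tmp_path.replace(jar_path)
    return read_server_info(jar_path)


def build_sample_jar(directory):
    """Constructed stand-in for catalina.jar: a manifest, one placeholder class
    entry and a ServerInfo.properties carrying a 6.0.32-style version string."""
    jar_path = Path(directory) / "catalina.jar"
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/catalina/Placeholder.class", b"\xca\xfe\xba\xbe")  # constructed bytes
        zf.writestr(SERVER_INFO_ENTRY,
                    "server.info=Apache Tomcat/6.0.32\n"
                    "server.number=6.0.32.0\n"
                    "server.built=(constructed build date)\n")
    return jar_path


def demo():
    """Scrub a constructed JAR and return before/after values plus its entry list."""
    jar_path = build_sample_jar(tempfile.mkdtemp())
    before = read_server_info(jar_path)
    after = scrub_server_info(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        entries = zf.namelist()
    return {"before": before, "after": after, "entries": entries}


if __name__ == "__main__":
    result = demo()
    print("before:", result["before"])
    print("after: ", result["after"])
    print("entries preserved:", result["entries"])
```

On a real install, `scrub_server_info("~/apache/tomcat.0/lib/catalina.jar")` (path expanded) replaces the jar xf / edit / jar uf sequence; `read_server_info` on the same file is the check to run after the next restart.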

Verify Changes

...

Disable Client Facing Stack Traces

When an exception occurs, Tomcat will display debugging information. This information can be used to get insight into the application.

Tip

You should apply this setting only in Production environments. In testing environments the stack traces are very useful to the developers; otherwise you will need to grant them access to the Tomcat logs. Ensure that your development and support teams are aware of this variance in Production.


Clear Text Passwords

When configuring resources such as JDBC, Tomcat only supports clear text username and password in server.xml. By default, if untarred per the BonsaiFramework instructions, server.xml will only be readable by serveradmin.

...

Note

I actually can think of a solution that uses the system's own hardware and a password to bind the encrypted value to the system.

References

http://blogs.mulesoft.org/is-your-tomcat-secure/ - looks like a good lead.

...