CIS benchmark script

The CIS benchmark for Tomcat has a set of recommendations for hardening a default Tomcat installation to secure it against known vulnerabilities.  I see a bash script out there that lists the output based on those recommendations.

Question - Is there another script that actually fixes or applies the recommendations by doing things like modifying the server.xml, removing the default webapps (e.g. ROOT, manager, etc.) and such?

How do you approach this? Is there any concern that applying these recommendations may break a webapp?

Thanks

It's east to remove unwanted webapps. Shut down Tomcat, cd to the TOMCAT_HOME/webapps directory and simply delete the directories and/or WAR files you don't want. For example:

rm -rf ./ROOT

On a stock distro, that deletes the default webapp, which should be the management console, I believe.

Once that's done, restart Tomcat.

The Tomcat server files should be secured by standard OS-level file access rules, so that varies by OS. Anything that you don't want accessible via URL on a given webapp (for example, page templates) should be placed under the webapp's /WEB-INF directory subtree. Note that since scripts and images are normally static resources, they CANNOT be placed under /WEB-INF, as they are fetched via URL requests.

That should cover basic security. Stuff like cross-site scripting protection is a different matter.

A further security consideration is http versus https. Unless you're only making this server available to trusted users on a LAN, you shouldn't be able to access anything in the app via HTTP, only HTTPS. It's a real pain to set up https (SSL/TLS) in Tomcat and so for general outside client access, I recommend that you front it wih a reverse proxy such as Apache or Nginx. They are much easier to secure and offer the additional advantage that they don't have to run under admin security rules to use ports 80 and 443.

A good authentication and authorization system is a must as well. DON'T try to invent one. It WILL be hackable. Instead use the JEE built-in container A&A system of a well-tested third party system like Spring Security.