tomcat-users mailing list archives

From Chris Brookes <cabb...@hotmail.com>
Subject RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager
Date Mon, 04 May 2009 23:31:26 GMT

Yeah, the OWASP guide was pretty good; there was one there for Tomcat 5.5, and that was part of
the base for my guide along with a couple of other key resources. The DISA Tomcat checklist
titled "Web Checklist Tomcat Version 6 Release 1.5" at http://iase.disa.mil/stigs/checklist/
was also pretty good.
 
As far as enabling the security manager is concerned, my guide does say that the rules in catalina.policy
need to be assessed against the business requirements of the application, and that the default
catalina.policy provides limited protection which needs to be assessed on an application-by-application
basis. Thanks for the tip on database connections with the security manager.
 
Chris

> Date: Mon, 4 May 2009 10:20:13 +0100
> From: p@pidster.com
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 6.0.18 on Win32 - Enabling Security Manager
> 
> Chris Brookes wrote:
>> Thanks for your assistance, I will give that a try.
>> 
>>> I must say that the nature of your questions leaves me with some concern about the content of your guide...
>> 
>> Hmmm, I won't bite, but I will provide a little more information on what I am doing.

> 
> www.owasp.org
> 
> p
> 
> 
> 
>> The guide is specifically being written for Tomcat on Windows, for which, in my searching of the web, there are very few resources available, and even fewer that provide collated recommendations.
>> 
>> As you may have guessed (and is alluded to in the response below), I am not an expert at Tomcat or Java; however, I need to put together a guide that can be delivered to infrastructure managers whose primary goal is to 'get it working' without considering security.
>> 
>> So as part of the information security team I have to provide recommendations to those infrastructure managers on how to secure the infrastructure (as well as every other application and piece of infrastructure that is being deployed). The majority of the guide is focused on management of the Tomcat server: things like running Tomcat as an unprivileged user (and getting the appropriate Windows permissions to allow that to work properly), separation of Tomcat directories from Program Files, segregation of duties for web-app content and infrastructure admins, removing or limiting access to default or manager applications, limiting access to sensitive (or dangerous) Windows files and folders, etc., etc., etc.
>> 
>> I also give some configuration advice based on research from the internet, such as setting up SSL to use an approved set of ciphers, and some configuration options in server.xml and web.xml.
>> 
>> And most importantly for them, I am combining this into a single document that they can follow, rather than having to rely on them to find the information on the web.
>> 
>> Again thanks for your assistance, I will give it a try when I can
>> 
>> Chris
>> 
>> 
>> ----------------------------------------
>>> From: Chuck.Caldarale@unisys.com
>>> To: users@tomcat.apache.org
>>> Date: Sun, 3 May 2009 21:19:08 -0500
>>> Subject: RE: Tomcat 6.0.18 on Win32 - Enabling Security Manager
>>>
>>>> From: Chris Brookes [mailto:cabby80@hotmail.com]
>>>> Subject: Tomcat 6.0.18 on Win32 - Enabling Security Manager
>>>> However, when I install Tomcat there is no such program as "catalina"
>>>> in the bin directory so I can't run it like that.
>>> The .bat scripts are only part of the .zip download, not the .exe (for unexplained reasons). One normally uses the startup.bat script to launch Tomcat, which does some necessary setup, then calls the catalina.bat script, which does the real work of getting Tomcat going.
>>>
>>>> Using the Tomcat monitor application there is a tab for startup and
>>>> there is an input box for arguments that by default contains 'start'
>>>> but if I try to add '-security' to this argument text box the service
>>>> fails to start at all.
>>> As it should. To use the Java tab in tomcat6w.exe, you must specify the appropriate JVM arguments, rather than the options for the scripts. In other words, set the following:
>>>
>>> -Djava.security.manager
>>> -Djava.security.policy=
>>>
>>> The standard Tomcat policy is located in Tomcat's conf/catalina.policy file, but you're free to specify whatever location you need.
>>>
>>>> I am writing a Tomcat 6 on Windows hardening guide
>>> I must say that the nature of your questions leaves me with some concern about the content of your guide...
>>>
>>> - Chuck
>>>
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>> 
>> 
>> 
> 
> 
> 
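As an added example that is not from anyone in this thread, the following PowerShell applies Chuck's two JVM arguments to the Tomcat 6 Windows service through procrun (the same thing as typing them into the Java Options box on the Java tab of tomcat6w.exe) and then checks that they were stored. It assumes a service named Tomcat6 and an install under C:\Tomcat6, neither of which the thread states, and it uses `==` rather than `=` for java.security.policy because that is what catalina.bat does: with `==` catalina.policy is the only policy in force, whereas a single `=` merges it with the JRE's default java.policy.

```powershell
# Added example, not from the thread. Assumptions: service name "Tomcat6",
# Tomcat installed under C:\Tomcat6. Run from an elevated PowerShell prompt.
$ServiceName  = 'Tomcat6'
$CatalinaHome = 'C:\Tomcat6'
$PolicyFile   = Join-Path $CatalinaHome 'conf\catalina.policy'

# '==' makes catalina.policy the only policy source (as catalina.bat does);
# a single '=' would merge it with the JRE's default java.policy.
$JvmOptions = @(
    '-Djava.security.manager',
    "-Djava.security.policy==$PolicyFile"
)

# procrun: //US// updates an existing service; ++JvmOptions appends to the
# JVM options already stored for it (--JvmOptions would replace them).
# Multiple options are separated with ';' (procrun also accepts '#').
$procrun = Join-Path $CatalinaHome 'bin\tomcat6.exe'
& $procrun "//US//$ServiceName" "++JvmOptions=$($JvmOptions -join ';')"
if ($LASTEXITCODE -ne 0) {
    throw "procrun update failed with exit code $LASTEXITCODE"
}

# Verify: procrun keeps the service's JVM options as a REG_MULTI_SZ value
# named "Options" (under Wow6432Node for a 32-bit service on 64-bit Windows).
$regPaths = @(
    "HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java",
    "HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\$ServiceName\Parameters\Java"
)
$stored = $regPaths | Where-Object { Test-Path $_ } |
    ForEach-Object { (Get-ItemProperty -Path $_ -Name Options).Options }

foreach ($opt in $JvmOptions) {
    if ($stored -notcontains $opt) { throw "JVM option not stored: $opt" }
}
Write-Host "Security manager options stored for service $ServiceName."
Write-Host "Restart the service to apply them:  Restart-Service $ServiceName"
```

After the restart, check the service's stdout/stderr logs in the Tomcat logs directory for AccessControlException entries; each one names a permission the application needs that catalina.policy does not grant.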

