Thu, 6 Jun 2024 at 17:49, Christopher Schultz <ch...@christopherschultz.net>:
>
> All,
>
> Tomcat's SecurityLifecycleListener currently checks the current working
> user's name, the umask and not much else at the moment.
>
> I'd like to add "administrator" as another username to look for. (The
> documentation says that "root" is the only current username checked.)
>
> I would also like to add several items from the DISA STIG document found
> here:
> https://www.stigviewer.com/stig/apache_tomcat_application_sever_9/2021-12-27/
>
> I haven't decided exactly which items to implement, but I will probably
> do this as a PR with separate commits for each item.
>
> Are there any objections to me starting this work?
1. Generally, the checks (including the 3 already implemented) are of an "audit" kind. An "audit" is something that produces a report.

I wonder whether a listener that operates on a "before init" event is a good technology for those checks. Whether it is a good entry point, whether it produces a visible report, whether it can be run regularly. Whether it is worth delaying start time to make those checks.

In the case of an "umask" check we already depend on a "3rd party": on a feature of our startup scripts.

2. Requirements and implementation details depend on an operating system.

Best regards,
Konstantin Kolinko
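To make the "audit report" versus "abort startup" distinction concrete, here is an added example of a hypothetical listener (not Tomcat's own SecurityListener and not code from this thread) that runs the user-name and umask checks at `BEFORE_INIT_EVENT`, logs every finding, and only aborts when `failOnFinding="true"` is set. The class name, the `checkedUsers`/`minimumUmask`/`failOnFinding` attributes and the `audit` method are my own; the `...SecurityListener.UMASK` system property is assumed to be the one the startup scripts set, which is the startup-script dependency mentioned above.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/** Hypothetical listener: every check is reported; startup aborts only if failOnFinding="true". */
public class AuditingSecurityListener implements LifecycleListener {
    private static final Log log = LogFactory.getLog(AuditingSecurityListener.class);
    // Assumed: catalina.sh hands the shell's umask to the JVM through this system property.
    private static final String UMASK_PROPERTY = "org.apache.catalina.security.SecurityListener.UMASK";
    private String checkedUsers = "root,administrator";
    private int minimumUmask = 0007;  // octal: at least deny all access to "other"
    private boolean failOnFinding = false;

    public void setCheckedUsers(String users) { checkedUsers = users; }
    public void setMinimumUmask(String umask) { minimumUmask = Integer.parseInt(umask, 8); }
    public void setFailOnFinding(boolean fail) { failOnFinding = fail; }

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // Runs once, before the Server initialises, like the existing SecurityListener.
        if (!Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) return;
        List<String> findings = audit(System.getProperty("user.name"),
                System.getProperty(UMASK_PROPERTY));
        findings.forEach(f -> log.warn("Security audit: " + f));
        if (failOnFinding && !findings.isEmpty()) {
            throw new Error("Security audit failed: " + findings);
        }
    }

    /** Pure check logic, separated so it can be run or unit-tested without a Server. */
    List<String> audit(String userName, String umaskText) {
        List<String> findings = new ArrayList<>();
        String user = userName == null ? "" : userName.toLowerCase(Locale.ROOT);
        for (String denied : checkedUsers.split(",")) {
            if (user.equals(denied.trim().toLowerCase(Locale.ROOT))) {
                findings.add("running as privileged user '" + userName + "'");
            }
        }
        if (umaskText == null) {
            findings.add("umask unknown: startup script did not set " + UMASK_PROPERTY);
        } else if ((Integer.parseInt(umaskText, 8) & minimumUmask) != minimumUmask) {
            findings.add("umask " + umaskText + " weaker than " + Integer.toOctalString(minimumUmask));
        }
        return findings;
    }
}
```

With the defaults, `audit("root", "0022")` returns two findings and `audit("tomcat", "0027")` returns none; the same `audit` method could equally be driven from a scheduled task or a management tool, which is the "run regularly" case rather than a one-off startup delay.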