On 06/06/2024 18:13, Konstantin Kolinko wrote:
Thu, 6 Jun 2024 at 17:49, Christopher Schultz <ch...@christopherschultz.net>:
All,
Tomcat's SecurityLifecycleListener currently checks the current working
user's name, the umask and not much else at the moment.
I'd like to add "administrator" as another username to look for. (The
documentation says that "root" is the only current username checked.)
I would also like to add several items from the DISA STIG document found
here:
https://www.stigviewer.com/stig/apache_tomcat_application_sever_9/2021-12-27/
I haven't decided exactly which items to implement, but I will probably
do this as a PR with separate commits for each item.
Are there any objections to my starting this work?
1. Generally, the checks (including the 3 already implemented) are of
an "audit" kind.
An "audit" is something that produces a report.
I wonder whether a listener that operates on a "before init" event is
a good technology for those checks.
Whether it is a good entry point, whether it produces a visible
report, whether it can be run regularly.
Whether it is worth delaying start time to make those checks.
In the case of an "umask" check we already depend on a "3rd party": on
a feature of our startup scripts.
2. Requirements and implementation details depend on an operating system.
This got me wondering if we might want general checks and OS-specific
checks and whether that had any impact on implementation.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
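To make the discussion above concrete, here is a sketch of an "audit"-style listener of the kind Konstantin and Mark are describing: it runs a set of checks at BEFORE_INIT, keeps the results as a report rather than failing on the first problem, separates the OS-independent user-name check from the POSIX-only umask check, and can either log the findings or refuse to start. This is an added example written for this page; it is not Tomcat's SecurityListener, not code from anyone in the thread, and not a proposal for what the PR should contain. The package and class name, the server.xml attribute names (checkedOsUsers, minimumUmask, failOnFinding) and the default umask threshold are assumptions; the UMASK system property name is the one the catalina.sh startup script passes to the JVM, but verify it against your Tomcat version, since the thread itself notes that this check depends on the startup scripts.

```java
package org.example.audit; // hypothetical package, not part of Tomcat

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * Illustrative audit listener (not Tomcat's SecurityListener).
 * Configure in server.xml as a Server-level listener, e.g.
 * <Listener className="org.example.audit.AuditListener"
 *           checkedOsUsers="root,administrator" minimumUmask="0007" />
 */
public class AuditListener implements LifecycleListener {

    private static final Log log = LogFactory.getLog(AuditListener.class);

    // Set by catalina.sh on the JVM command line with the shell's umask.
    // Assumed name; check your Tomcat version's startup script.
    private static final String UMASK_PROPERTY =
            "org.apache.catalina.security.SecurityListener.UMASK";

    // Defaults; all three are overridable from server.xml attributes (assumed names).
    private Set<String> checkedOsUsers = new HashSet<>(List.of("root", "administrator"));
    private int minimumUmask = 0007;   // octal: "others" must have no permissions
    private boolean failOnFinding = true;

    public void setCheckedOsUsers(String users) {
        checkedOsUsers = new HashSet<>();
        for (String u : users.split(",")) {
            checkedOsUsers.add(u.trim().toLowerCase(Locale.ENGLISH));
        }
    }

    public void setMinimumUmask(String umask) {
        minimumUmask = Integer.parseInt(umask, 8);
    }

    public void setFailOnFinding(boolean fail) {
        failOnFinding = fail;
    }

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        if (!Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
            return;
        }
        List<String> findings = audit();
        for (String finding : findings) {
            log.error("Security audit: " + finding);
        }
        if (failOnFinding && !findings.isEmpty()) {
            // Same effect as refusing to start: abort initialisation.
            throw new Error("Security audit failed with " + findings.size() + " finding(s)");
        }
    }

    /** Runs every applicable check and returns the report (empty means clean). */
    public List<String> audit() {
        List<String> findings = new ArrayList<>();
        checkOsUser(findings);          // meaningful on every OS
        if (!isWindows()) {
            checkUmask(findings);       // umask is a POSIX concept only
        }
        return findings;
    }

    // Case-insensitive so that "Administrator" on Windows matches "administrator".
    private void checkOsUser(List<String> findings) {
        String user = System.getProperty("user.name", "");
        if (checkedOsUsers.contains(user.toLowerCase(Locale.ENGLISH))) {
            findings.add("Tomcat is running as privileged OS user '" + user + "'");
        }
    }

    // Fails when any bit required by minimumUmask is absent from the actual umask.
    private void checkUmask(List<String> findings) {
        String value = System.getProperty(UMASK_PROPERTY);
        if (value == null) {
            findings.add("umask unknown: " + UMASK_PROPERTY + " not set by the startup script");
            return;
        }
        int umask = Integer.parseInt(value.trim(), 8);
        if ((umask & minimumUmask) != minimumUmask) {
            findings.add(String.format("umask %04o is more permissive than required %04o",
                    umask, minimumUmask));
        }
    }

    private static boolean isWindows() {
        return System.getProperty("os.name", "").toLowerCase(Locale.ENGLISH).startsWith("windows");
    }
}
```

Keeping the checks in a separate audit() method that returns a list, instead of throwing inside each check, is what makes the "report" shape possible: the same method can be called from BEFORE_INIT, from a test, or from a management endpoint for the regular re-runs Konstantin asks about, and the decision to fail startup is taken once, at the end, by the listener.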