Open
Description
Hi,
Proposed feature
Allow to harden the instance by default
Rationale
Security
Additional context
Actually, I do this; I don't know how we can integrate it:
```yaml
---
- name: Hardening
  block:
    - name: Init hardening_todo fact to false
      ansible.builtin.set_fact:
        hardening_todo: false

    - name: Test if default webapps are present
      ansible.builtin.stat:
        path: "/opt/tomcat/webapps/{{ item }}"
      loop:
        - docs
        # - ROOT # Already managed by the role
        - examples
      register: default_webapps

    - name: Set hardening_todo fact to true if a default webapp directory exists
      ansible.builtin.set_fact:
        hardening_todo: true
      loop: "{{ default_webapps.results }}"
      when: item.stat.exists

    - name: Test if the version-hiding ServerInfo.properties override is present
      ansible.builtin.stat:
        path: /opt/tomcat/lib/org/apache/catalina/util/ServerInfo.properties
      register: serverinfo_override

    - name: Set hardening_todo fact to true if the override is not present
      ansible.builtin.set_fact:
        hardening_todo: true
      when: not serverinfo_override.stat.exists

    - name: Stop Tomcat
      ansible.builtin.service:
        name: tomcat
        enabled: true
        state: stopped
      when: hardening_todo

    - name: Remove default webapps
      ansible.builtin.file:
        path: "/opt/tomcat/webapps/{{ item }}"
        state: absent
      loop:
        - docs
        # - ROOT # Already managed by the role
        - examples

    # state=directory creates the missing parent directories, so one task is enough
    - name: Hide Tomcat version - Directories
      ansible.builtin.file:
        path: /opt/tomcat/lib/org/apache/catalina/util
        state: directory

    # A ServerInfo.properties under $CATALINA_BASE/lib shadows the one bundled in
    # catalina.jar; server.number and server.built can be overridden in the same file
    - name: Hide Tomcat version
      ansible.builtin.copy:
        dest: /opt/tomcat/lib/org/apache/catalina/util/ServerInfo.properties
        content: |
          server.info={{ custom_version_string | default("Apache Tomcat") }}

    - name: Start Tomcat
      ansible.builtin.service:
        name: tomcat
        enabled: true
        state: started
      when: hardening_todo
```
And in web.xml, add a showServerInfo block:
```xml
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
    <!-- showServerInfo=false keeps the server information out of the responses
         the DefaultServlet generates (for example directory listings) -->
    <init-param>
        <param-name>showServerInfo</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
```
Best regards
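As an added check that is not part of this issue or of the role: an offline audit script covering the same three items the playbook above changes (the default webapps, the ServerInfo.properties override, and the showServerInfo init-param for the default servlet in conf/web.xml, which the playbook's stat tests do not verify). It assumes the /opt/tomcat layout from the post; the before/after directory layout built by make_sample_base() is constructed for the demo and is not a real Tomcat install.

```python
"""Offline audit of the Tomcat hardening the playbook in this issue applies.

Added example, not part of the issue or of the role: it checks a Tomcat base
directory (the post assumes /opt/tomcat) for the three things the tasks change
and adds the conf/web.xml check that the playbook's stat tests leave out. The
sample layout built by make_sample_base() is constructed here for the demo.
"""
from __future__ import annotations

import re
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Default webapps the post removes; ROOT is left to the role, as in the post.
DEFAULT_WEBAPPS = ("docs", "examples")
SERVERINFO_REL = "lib/org/apache/catalina/util/ServerInfo.properties"
# A stock banner looks like "Apache Tomcat/9.0.65"; the hardened value in the
# post ("Apache Tomcat", no slash) does not match.
VERSION_BANNER = re.compile(r"Apache Tomcat/\S+")

# Constructed minimal conf/web.xml; the real one declares the same namespace.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    {extra}
  </servlet>
</web-app>
"""
SHOW_SERVER_INFO_OFF = ("<init-param><param-name>showServerInfo</param-name>"
                        "<param-value>false</param-value></init-param>")


def default_webapps_present(base: Path) -> list[str]:
    """Names of the default webapps still deployed under webapps/."""
    return [app for app in DEFAULT_WEBAPPS if (base / "webapps" / app).exists()]


def serverinfo_override(base: Path) -> str | None:
    """server.info from the override file, or None if there is no override."""
    path = base / SERVERINFO_REL
    if not path.is_file():
        return None
    for line in path.read_text(encoding="utf-8").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server.info":
            return value.strip()
    return None


def show_server_info_disabled(base: Path) -> bool:
    """True only if conf/web.xml sets showServerInfo=false on the default servlet."""
    path = base / "conf" / "web.xml"
    if not path.is_file():
        return False
    root = ET.parse(path).getroot()
    # {*} matches the tag in any namespace (javaee or jakartaee web.xml alike)
    for servlet in root.iterfind(".//{*}servlet"):
        if (servlet.findtext("{*}servlet-name") or "").strip() != "default":
            continue
        for param in servlet.findall("{*}init-param"):
            if (param.findtext("{*}param-name") or "").strip() == "showServerInfo":
                return (param.findtext("{*}param-value") or "").strip().lower() == "false"
    return False


def audit(base: Path) -> list[str]:
    """Findings for a base directory; an empty list means hardening is complete."""
    findings = [f"default webapp present: webapps/{a}" for a in default_webapps_present(base)]
    info = serverinfo_override(base)
    if info is None:
        findings.append("no ServerInfo.properties override")
    elif VERSION_BANNER.search(info):
        findings.append(f"override still discloses version: {info}")
    if not show_server_info_disabled(base):
        findings.append("showServerInfo not set to false for the default servlet")
    return findings


def make_sample_base(hardened: bool) -> Path:
    """Constructed stand-in for /opt/tomcat, before or after the playbook ran."""
    base = Path(tempfile.mkdtemp(prefix="tomcat-audit-"))
    (base / "conf").mkdir()
    if hardened:
        (base / SERVERINFO_REL).parent.mkdir(parents=True)
        (base / SERVERINFO_REL).write_text("server.info=Apache Tomcat\n", encoding="utf-8")
        (base / "conf" / "web.xml").write_text(WEB_XML.format(extra=SHOW_SERVER_INFO_OFF), encoding="utf-8")
    else:
        for app in DEFAULT_WEBAPPS:
            (base / "webapps" / app).mkdir(parents=True)
        (base / "conf" / "web.xml").write_text(WEB_XML.format(extra=""), encoding="utf-8")
    return base


if __name__ == "__main__":
    # Pass a real $CATALINA_BASE as the first argument; otherwise audit the constructed sample.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else make_sample_base(hardened=False)
    for finding in audit(target) or ["hardening complete"]:
        print(finding)
```

Run it against a real $CATALINA_BASE after the playbook to confirm all three items are in place; it also flags an override whose custom_version_string still carries a stock "Apache Tomcat/x.y.z" banner.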