Check: TCAT-AS-000370
Apache Tomcat 9 STIG:
TCAT-AS-000370
(in version v1 r0.1)
Title
Files in the $CATALINA_HOME/conf/ folder must have their permissions set to 640. (Cat II impact)
Discussion
Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user group tomcat rather than root user group tomcat. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions.
Check Content
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_HOME/conf/* -follow -maxdepth 0 -type f \( \! -perm 640 \) -ls If no files are displayed, this is not a finding. If results indicate any of the file permissions contained in the $CATALINA_HOME/conf folder are not set to 640, this is a finding.
Fix Text
Run the following command on the Tomcat server: sudo find $CATALINA_HOME/conf/* -follow -maxdepth 0 -type f -print0 | sudo xargs chmod 640 $CATALINA_HOME/conf/*
Additional Identifiers
Rule ID: TCAT-AS-000370_rule
Vulnerability ID: TCAT-AS-000370
Group Title: SRG-APP-000119-AS-000079
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000163 |
The information system protects audit information from unauthorized modification. |
Controls
Number | Title |
---|---|
AU-9 |
Protection Of Audit Information |