Check: TCAT-AS-001050
Apache Tomcat Application Server 9 STIG:
TCAT-AS-001050
(in versions v2 r7 through v1 r1)
Title
Tomcat user account must be set to nologin. (Cat II impact)
Discussion
When installing Tomcat, a user account is created on the OS. This account exists so that Tomcat can operate on the OS, but it does not require the ability to actually log in to the system. Therefore, when the account is created, it must not be given access to a login shell or any other program on the system. This is done by specifying "nologin" in the command/shell field of the passwd file.
Check Content
From the command line of the Tomcat server, type the following command:

sudo cat /etc/passwd | grep -i tomcat

If the command/shell field of the passwd file is not set to "/usr/sbin/nologin", this is a finding.
Fix Text
From the Tomcat command line, type the following command:

sudo usermod -s /usr/sbin/nologin tomcat
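The check and fix above, as an added shell example that is not part of the STIG text: it inspects the shell field (field 7) of every passwd entry whose user name contains "tomcat", rather than grepping whole lines, and prints the Fix Text usermod command for each finding instead of applying it. The sample passwd content, the EXPECTED_SHELL variable and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example for TCAT-AS-001050; not the STIG's own tooling.

# The STIG names this exact path. Set EXPECTED_SHELL=/sbin/nologin on distributions
# that install nologin there, otherwise such accounts are reported as findings.
EXPECTED_SHELL="${EXPECTED_SHELL:-/usr/sbin/nologin}"

# Constructed sample passwd content so the check can be exercised offline.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tomcat:x:997:997:Apache Tomcat:/opt/tomcat:/bin/bash
tomcat9:x:998:998::/var/lib/tomcat9:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# check_tomcat_shell PASSWD_TEXT
# Prints "<user> <shell> PASS|FINDING" for each account whose name contains
# "tomcat" (case-insensitive, like the STIG's grep -i). Exit status 0 when no
# finding, 1 when at least one Tomcat account still has a login shell.
check_tomcat_shell() {
    printf '%s\n' "$1" | awk -F: -v want="$EXPECTED_SHELL" '
        tolower($1) ~ /tomcat/ {
            if ($7 == want) { print $1, $7, "PASS" }
            else            { print $1, $7, "FINDING"; findings++ }
        }
        END { exit (findings > 0) }'
}

# count_findings PASSWD_TEXT -> number of FINDING lines
count_findings() {
    check_tomcat_shell "$1" | grep -c ' FINDING$' || true
}

# fix_commands PASSWD_TEXT -> one usermod line per finding (the STIG Fix Text),
# printed rather than executed so an operator can review before applying.
fix_commands() {
    check_tomcat_shell "$1" |
        awk -v want="$EXPECTED_SHELL" '$3 == "FINDING" { print "sudo usermod -s " want " " $1 }'
}

# check_host: run the same check against the live system's passwd file.
check_host() {
    check_tomcat_shell "$(cat /etc/passwd)"
}
```

Source the script and call check_host to evaluate the local server; pipe its output to fix_commands' logic only after reviewing which accounts it lists.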
Additional Identifiers
Rule ID: SV-222983r879717_rule
Vulnerability ID: V-222983
Group Title: SRG-APP-000340-AS-000185
CCIs
Number | Definition
---|---
CCI-002235 | The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
Controls
Number | Title
---|---
AC-6 (10) | Prohibit Non-Privileged Users From Executing Privileged Functions