Check: TCAT-AS-001592
Apache Tomcat Application Server 9 STIG:
TCAT-AS-001592
(in versions v2 r7 through v1 r1)
Title
Changes to $CATALINA_HOME/lib/ folder must be logged. (Cat II impact)
Discussion
The $CATALINA_HOME/lib folder contains library files for the Tomcat Catalina server, in the form of Java archive (jar) files. To provide forensic evidence in the event of file tampering, changes to the contents of this folder must be logged. On the Ubuntu OS this can be done via the auditctl command; for Linux OS flavors other than Ubuntu, use the relevant OS commands. The -p wa option sets the permission flags for a file system watch so that file attribute and content change events are logged into syslog.
Check Content
Run the following commands from the Tomcat server as a privileged user.

Identify the home folder for the Tomcat server:

sudo grep -i -- 'catalina_home\|catalina_base' /etc/systemd/system/tomcat.service

Check the audit rules for the Tomcat folders:

sudo auditctl -l $CATALINA_HOME/bin |grep -i lib

If the results do not include -w $CATALINA_HOME/lib -p wa -k tomcat, or if there are no results, this is a finding.
Fix Text
From the Tomcat server as a privileged user, use the auditctl command:

sudo auditctl -w $CATALINA_HOME/lib -p wa -k tomcat

Validate the audit watch was created:

sudo auditctl -l

The user should see: -w $CATALINA_HOME/ -p wa -k tomcat
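The check and fix above both come down to reading `auditctl -l` output for a watch on the lib folder. The script below is an added example, not part of the STIG text, that evaluates a rule listing the way the check does; the CATALINA_HOME value, the systemd unit excerpt and the rule listings in it are constructed sample data, and the tolerance for flag order (wa vs aw) is the example's own assumption.

```shell
#!/bin/sh
# Added example, not part of the STIG text: evaluate "auditctl -l" output
# against the watch this check requires. CATALINA_HOME, the systemd unit
# excerpt and the rule listings below are constructed sample data.

# Recover CATALINA_HOME from the grep step of the check: the unit file
# carries a line such as Environment="CATALINA_HOME=/opt/tomcat".
catalina_home_from_unit() {
    printf '%s\n' "$1" |
        sed -n 's/^Environment="*CATALINA_HOME=\([^" ]*\).*/\1/p' | head -n 1
}

# Return 0 when the listing has a watch on "$1/lib" whose permission
# flags include both w (content writes) and a (attribute changes), i.e.
# an entry equivalent to "-w $CATALINA_HOME/lib -p wa -k tomcat".
# Flag order (wa vs aw) and extra flags such as x are tolerated (assumption),
# since the watch still records the events the requirement asks for.
check_lib_watch() {
    tc_home="$1"
    printf '%s\n' "$2" | {
        while IFS= read -r line; do
            case "$line" in
                "-w $tc_home/lib -p "*) ;;   # only watches on the lib folder
                *) continue ;;
            esac
            perms=${line#*-p }               # text after "-p "
            perms=${perms%% *}               # up to the next space
            case "$perms" in
                *w*a*|*a*w*) exit 0 ;;       # both flags present: compliant
            esac
        done
        exit 1                               # no qualifying watch: finding
    }
}

# Constructed sample inputs.
SAMPLE_UNIT='[Service]
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_BASE=/opt/tomcat"'
SAMPLE_RULES_OK='-w /opt/tomcat/bin -p wa -k tomcat
-w /opt/tomcat/lib -p wa -k tomcat'
SAMPLE_RULES_BAD='-w /opt/tomcat/bin -p wa -k tomcat
-w /opt/tomcat/lib -p r -k tomcat'

home=$(catalina_home_from_unit "$SAMPLE_UNIT")
for rules in "$SAMPLE_RULES_OK" "$SAMPLE_RULES_BAD"; do
    if check_lib_watch "$home" "$rules"; then
        echo "compliant: -p wa watch on $home/lib present"
    else
        echo "finding: no -p wa watch on $home/lib"
    fi
done
```

On a live host, feed the function the real `auditctl -l` output instead of the sample strings; it exits non-zero exactly when the check's finding condition holds.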
Additional Identifiers
Rule ID: SV-223000r879875_rule
Vulnerability ID: V-223000
Group Title: SRG-APP-000504-AS-000229
CCIs
Number | Definition
---|---
CCI-000172 | The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
Controls
Number | Title
---|---
AU-12 | Audit Generation