Check: TCAT-AS-001200
Apache Tomcat Application Server 9 STIG:
TCAT-AS-001200
(in versions v2 r7 through v1 r1)
Title
$CATALINA_HOME folder must be owned by the root user, group tomcat. (Cat II impact)
Discussion
Tomcat file permissions must be restricted. The standard configuration is to have the folder where Tomcat is installed owned by the root user with the group set to tomcat. The $CATALINA_HOME environment variable should be set to the location of the root directory of the "binary" distribution of Tomcat.
Check Content
Access the Tomcat server from the command line and execute the following OS command: sudo find $CATALINA_HOME -follow -maxdepth 0 \( ! -user root -o ! -group tomcat \) -ls If no folders are displayed, this is not a finding. If results indicate the $CATALINA_HOME folder ownership and group membership is not set to root:tomcat, this is a finding.
Fix Text
Run the following commands on the Tomcat server: sudo find $CATALINA_HOME -maxdepth 0 \( ! -user root \) | sudo xargs chown root sudo find $CATALINA_HOME -maxdepth 0 \( ! -group tomcat \) | sudo xargs chgrp tomcat
Additional Identifiers
Rule ID: SV-222986r879753_rule
Vulnerability ID: V-222986
Group Title: SRG-APP-000380-AS-000088
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001813 |
The information system enforces access restrictions. |
Controls
Number | Title |
---|---|
CM-5 (1) |
Automated Access Enforcement / Auditing |