4.14 Restrict access to Tomcat web.xml

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


The Tomcat configuration file web.xml stores application configuration settings. It is recommended that access to this file properly protect from unauthorized changes.


Restricting access to this file will prevent local users from maliciously or inadvertently altering Tomcat's security policy.


Perform the following to restrict access to web.xml:

Set the ownership of the $CATALINA_HOME/conf/web.xml to tomcat_admin:tomcat.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf/web.xml

Set the permissions for the $CATALINA_HOME/conf/web.xml file to 400.

# chmod 400 $CATALINA_HOME/conf/web.xml

Default Value:

The default permissions of web.xml are 400.

See Also