7.4 Ensure directory in context.xml is a secure location - permissions

Information

The directory attribute tells Tomcat where to store logs. It is recommended that the location pointed to by the directory attribute is secured.

Solution

1. Add the following statement into the $CATALINA_BASEwebapps<app-name>META-INFcontext.xml file if it does not already exist.
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="$CATALINA_HOME/logs/" prefix="access_log" fileDateFormat="yyyy-MM-dd.HH" suffix=".log" pattern="%t %H cookie:%{SESSIONID}c request:%{SESSIONID}r %m %U %s %q %r" />
2. Set the location pointed to by the directory attribute to be owned by tomcat_admin:tomcat with permissions of o-rwx.
# chown tomcat_admin:tomcat $CATALINA_HOME/logs
# chmod o-rwx $CATALINA_HOME/logs

See Also

https://workbench.cisecurity.org/files/266