TCAT-AS-000360 - $CATALINA_BASE/logs folder permissions must be set to 750.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions.

Solution

If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance.

Run the following command on the Tomcat server:

sudo find $CATALINA_BASE/logs -follow -maxdepth 0 -type d -print0 | sudo xargs chmod 750 $CATALINA_BASE/logs

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R4_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000162, Rule-ID|SV-222943r615938_rule, STIG-ID|TCAT-AS-000360, STIG-Legacy|SV-111415, STIG-Legacy|V-102469, Vuln-ID|V-222943

Plugin: Unix

Control ID: 091a81a6429ae10f2bd679c2ab305efad9ab850ba794060f8fc62d002659fee2