Information
Use a distinct, non-privileged user account for running Tomcat. If Tomcat runs under a privileged account such as root and a Tomcat process is compromised (for example through a vulnerable web application), the attacker inherits that account's privileges and the entire system is compromised. Running as a dedicated account limits the damage to what that account can read and write.
Sample passwd file:
tomcat:x:1001:1001::/opt/tomcat:/usr/sbin/nologin
The user ID is stored in field 3 of the passwd file; a non-privileged account has a UID other than 0 (here 1001). Field 7 is the login shell; /usr/sbin/nologin prevents anyone from logging in interactively as the service account.
Solution
On the Tomcat server, create a non-privileged OS account for Tomcat. The options below match the sample passwd entry above (home directory /opt/tomcat, no interactive shell); -M skips creating a home directory because the Tomcat installation directory already exists:
sudo useradd -M -d /opt/tomcat -s /usr/sbin/nologin tomcat
Edit the systemd tomcat.service file, or create one if it does not exist, at /etc/systemd/system/tomcat.service. Run the service as the new account by setting the following in the [Service] section (optionally together with Group=tomcat):
User=tomcat
Note that systemd directive names are case-sensitive: USER=tomcat is not recognized and is ignored with a warning, and the service would then still start as root.
Restore the SELinux label on the unit file (on SELinux-enabled systems), set its permissions, and enable the Tomcat service:
sudo restorecon /etc/systemd/system/tomcat.service
sudo chmod 644 /etc/systemd/system/tomcat.service
sudo systemctl enable tomcat.service
Start Tomcat:
sudo systemctl start tomcat
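The procedure above is only effective if the account really is unprivileged and the unit file actually references it. The following POSIX shell script is an added audit helper, not part of the original benchmark text: it checks a passwd entry (UID not 0, non-login shell) and a systemd unit (a correctly spelled User= directive naming the expected account) from their file contents, so it runs offline against the constructed sample data embedded below. The account name tomcat and the unit contents are assumptions chosen to match this page.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark): verifies the two artifacts that
# the "run Tomcat as a non-privileged user" control depends on.
# All sample inputs below are constructed for the example, not from a real host.

# Return 0 if account $2 exists in passwd contents $1, is not UID 0, and has a
# non-login shell (nologin or false). Prints a PASS/FAIL line.
passwd_nonpriv_check() {
    printf '%s\n' "$1" | awk -F: -v user="$2" '
        $1 == user {
            found = 1
            if ($3 == 0) { print "FAIL: " user " has UID 0"; exit 1 }
            if ($7 !~ /(nologin|false)$/) {
                print "FAIL: " user " has login shell " $7; exit 1
            }
            print "PASS: " user " uid=" $3 " shell=" $7
            exit 0
        }
        END { if (!found) { print "FAIL: " user " not in passwd"; exit 1 } }'
}

# Return 0 if unit file contents $1 contain a User= directive equal to $2.
# The match is case-sensitive on purpose: systemd ignores "USER=", so a unit
# with that typo still runs the service as root.
unit_user_check() {
    printf '%s\n' "$1" | awk -v user="$2" '
        /^[ \t]*User[ \t]*=/ { sub(/^[ \t]*User[ \t]*=[ \t]*/, ""); got = $0 }
        END {
            if (got == user) { print "PASS: unit runs as " got; exit 0 }
            if (got == "")   { print "FAIL: unit has no User= (defaults to root)"; exit 1 }
            print "FAIL: unit runs as " got; exit 1
        }'
}

# Constructed sample data: a compliant tomcat entry and a non-compliant one
# (badcat has UID 0 and an interactive shell).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tomcat:x:1001:1001::/opt/tomcat:/usr/sbin/nologin
badcat:x:0:1002::/opt/tomcat:/bin/bash'

# Constructed unit files: the hardened form and the common typo.
GOOD_UNIT='[Unit]
Description=Apache Tomcat

[Service]
Type=forking
User=tomcat
Group=tomcat
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target'

BAD_UNIT='[Service]
USER=tomcat
ExecStart=/opt/tomcat/bin/startup.sh'

# Demonstration run; the failing checks are expected to fail here.
passwd_nonpriv_check "$SAMPLE_PASSWD" tomcat
passwd_nonpriv_check "$SAMPLE_PASSWD" badcat || true
unit_user_check "$GOOD_UNIT" tomcat
unit_user_check "$BAD_UNIT" tomcat || true
```

On a live host, feed the real files in with `passwd_nonpriv_check "$(getent passwd tomcat)" tomcat` and `unit_user_check "$(cat /etc/systemd/system/tomcat.service)" tomcat`; after editing the unit, run `sudo systemctl daemon-reload` and confirm the effective user of the running process with `ps -o user= -C java`.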