UCF STIG Viewer Logo

$CATALINA_HOME/bin folder permissions must be set to 750.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222948 TCAT-AS-000390 SV-222948r754841_rule Medium
Description
Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions. Note that running Tomcat in a Docker environment can impact how file permissions and user ownership settings are applied. Due to associated Docker configuration complexities, the STIG is scoped for standalone rather than virtual Docker deployments. Satisfies: SRG-APP-000121-AS-000081, SRG-APP-000122-AS-000082, SRG-APP-000123-AS-000083, SRG-APP-000340-AS-000185
STIG Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide 2021-12-27

Details

Check Text ( C-24620r426288_chk )
Access the Tomcat server from the command line and execute the following OS command:

sudo find $CATALINA_HOME/bin -follow -maxdepth 0 -type d \( \! -perm 750 \) -ls

If no folders are displayed, this is not a finding.

If results indicate the $CATALINA_HOME/bin folder permissions are not set to 750, this is a finding.
Fix Text (F-24609r426289_fix)
Run the following command on the Tomcat server:

sudo find $CATALINA_HOME/bin -follow -maxdepth 0 -type d -print0 | sudo xargs chmod 750 $CATALINA_HOME/bin