Tomcat user account must be set to nologin.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-222983 | TCAT-AS-001050 | SV-222983r961353_rule | CCI-002235 | medium |
| Description | ||||
| When installing Tomcat, a user account is created on the OS. This account is used in order for Tomcat to be able to operate on the OS but does not require the ability to actually log in to the system. Therefore when the account is created, the account must not be provided access to a login shell or other program on the system. This is done by specifying the "nologin" parameter in the command/shell field of the passwd file. | ||||
| STIG | Date | |||
| Apache Tomcat Application Server 9 Security Technical Implementation Guide | 2025-02-11 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-6(10)
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.7
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-002235
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-222983r961353_chk)
From the command line of the Tomcat server type the following command:
sudo cat /etc/passwd|grep -i tomcat
If the command/shell field of the passwd file is not set to "/usr/sbin/nologin", this is a finding.
Fix Text (F-24644r426394_fix)
From the Tomcat command line type the following command:
sudo usermod -s /usr/sbin/nologin tomcat