Changes to $CATALINA_HOME/bin/ folder must be logged.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-222998 | TCAT-AS-001590 | SV-222998r961827_rule | CCI-000172 | medium |
| Description | ||||
| The $CATALINA_HOME/bin folder contains startup and control scripts for the Tomcat Catalina server. To provide forensic evidence in the event of file tampering, changes to content in this folder must be logged. For Linux OS flavors other than Ubuntu, use the relevant OS commands. This can be done on the Ubuntu OS via the auditctl command. Using the -p wa flag set the permissions flag for a file system watch and logs file attribute and content change events into syslog. | ||||
| STIG | Date | |||
| Apache Tomcat Application Server 9 Security Technical Implementation Guide | 2025-02-11 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AU-12
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.3.1
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.3.2
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000172
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-222998r961827_chk)
Run the following commands From the Tomcat server as a privileged user:
Identify the home folder for the Tomcat server.
sudo grep -i -- 'catalina_home\|catalina_base' /etc/systemd/system/tomcat.service
Check the audit rules for the Tomcat folders.
sudo auditctl -l $CATALINA_HOME/bin |grep -i bin
If the results do not include -w $CATALINA_HOME/bin -p wa -k tomcat, or if there are no results, this is a finding.
Fix Text (F-24659r426439_fix)
From the Tomcat server as a privileged user, use the auditctl command.
sudo auditctl -w $CATALINA_HOME/bin -p wa -k tomcat
Validate the audit watch was created.
sudo auditctl -l
The user should see:
-w $CATALINA_HOME/ -p wa -k tomcat