Information
The directory attribute tells Tomcat where to store logs. The directory value should be a secure location with restricted access.
Securing the log location will help ensure the integrity and confidentiality of web application activity records.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Perform the following:
- Add the following properties into your logging.properties file if they do not exist <application_name>.org.apache.juli.AsyncFileHandler.directory=<log_location><application_name>.org.apache.juli.AsyncFileHandler.prefix=<application_name>
- Set the location pointed to by the directory attribute to be owned by tomcat_admin:tomcat with permissions of o-rwx # chown tomcat_admin:tomcat <log_location># chmod o-rwx <log_location>