7.4 Ensure directory in context.xml is a secure location - permissions

Information

The directory attribute tells Tomcat where to store logs. It is recommended that the location referenced by the directory attribute be secured.

Rationale:

Securing the log location will help ensure the integrity and confidentiality of web application activity.

Solution

Perform the following:

Add the following statement into the $CATALINA_BASE/webapps/<app_name>/META-INF/context.xml file if it does not already exist.

<Valve className='org.apache.catalina.valves.AccessLogValve'
directory='$CATALINA_HOME/logs/'
prefix='access_log' fileDateFormat='yyyy-MM-dd.HH' suffix='.log' pattern='%h %t %H cookie:%{SESSIONID}c request:%{SESSIONID}r %m %U %s %q %r'
/>

Set the location pointed to by the directory attribute to be owned by tomcat_admin:tomcat with permissions of o-rwx.

# chown tomcat_admin:tomcat $CATALINA_HOME/logs
# chmod o-rwx $CATALINA_HOME/logs

Default Value:

Does not exist by default

See Also

https://workbench.cisecurity.org/files/4103