4.2 Restrict access to $CATALINA_BASE

Information

$CATALINA_BASE is the environment variable that specifies the base directory which most relative paths are resolved. $CATALINA_BASE is usually used when there are multiple instances of Tomcat running. It is important to protect access to this in order to protect the Tomcat-related binaries and libraries from unauthorized modification. It is recommended that the ownership of $CATALINA_BASE be tomcat_admin:tomcat. It is also recommended that the permission on $CATALINA_BASE block read, write, and execute for the world (o-rwx) and block write access to the group (g-w).

Rationale:

The security of processes and data which traverse or depend on Tomcat may become compromised if the $CATALINA_BASE is not secured.

Solution

Perform the following to establish the recommended state:

Set the ownership of the $CATALINA_BASE to tomcat_admin:tomcat.

# chown tomcat_admin.tomcat $CATALINA_BASE

Remove write permissions for the group and read, write, and execute permissions for the world

# chmod g-w,o-rwx $CATALINA_BASE

See Also

https://workbench.cisecurity.org/benchmarks/11652

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 19d05178b90971ab590eb1bf36a53aead48ce5529ec3c68ad11c73728f08d453