4.1 Restrict access to $CATALINA_HOME

Information

$CATALINA_HOME is the environment variable that holds the path to the root Tomcat directory. Access to this directory must be restricted to protect the Tomcat binaries and libraries from unauthorized modification. It is recommended that the ownership of $CATALINA_HOME be tomcat_admin:tomcat. It is also recommended that the permissions on $CATALINA_HOME block read, write, and execute for the world (o-rwx) and block write access for the group (g-w).

Rationale:

The security of processes and data that traverse or depend on Tomcat may be compromised if $CATALINA_HOME is not secured.

Solution

Perform the following to establish the recommended state:

Set the ownership of the $CATALINA_HOME to tomcat_admin:tomcat.

# chown tomcat_admin:tomcat $CATALINA_HOME

Remove write permissions for the group and read, write, and execute permissions for the world.

# chmod g-w,o-rwx $CATALINA_HOME
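
The recommended state can be verified after remediation with a check like the one below. This is an added example, not part of the benchmark or the audit plugin; the function name check_catalina_home is hypothetical, and the script assumes GNU coreutils stat (the -c option).

```shell
#!/bin/sh
# Added example (not from the benchmark): audit a directory against the
# recommended state. check_catalina_home is a hypothetical helper name.
# Assumes GNU coreutils stat (-c format option).
# Usage: check_catalina_home "$CATALINA_HOME" [owner] [group]
# Returns 0 when compliant, 1 otherwise; prints one line per finding.
check_catalina_home() {
    dir=$1
    want_owner=${2:-tomcat_admin}
    want_group=${3:-tomcat}
    rc=0

    if [ -z "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: '$dir' is not a directory (is CATALINA_HOME set?)"
        return 1
    fi

    # -L judges a symlinked CATALINA_HOME by its target directory.
    owner=$(stat -L -c '%U' "$dir")
    group=$(stat -L -c '%G' "$dir")
    mode=$(stat -L -c '%a' "$dir")   # octal, e.g. 750 or 2750

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"
        rc=1
    fi
    # 020 = group write bit (g-w must hold)
    if [ $(( 0$mode & 020 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants group write"
        rc=1
    fi
    # 007 = world read/write/execute bits (o-rwx must hold)
    if [ $(( 0$mode & 007 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants access to others"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "PASS: $dir is $owner:$group mode $mode"
    fi
    return "$rc"
}
```

Like the chown and chmod commands above, the check looks only at the $CATALINA_HOME directory itself, not at the files beneath it.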

See Also

https://workbench.cisecurity.org/benchmarks/11652

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 943687250c3b47af5c213f9baeb1e83454813a518d3ddc0955a76181b60e0908