4.6 Restrict access to Tomcat bin directory

Information

The Tomcat $CATALINA_HOME/bin directory contains executes that are part of the Tomcat run-time. It is recommended that the ownership of this directory be tomcat_admin:tomcat. It is also recommended that the permission on this directory deny read, write, and execute for the world (o-rwx) and deny write access to the group (g-w).

Rationale:

Restricting access to these directories will prevent local users from maliciously or inadvertently affecting the integrity of Tomcat processes.

Solution

Perform the following to restrict access to Tomcat bin directory:

Set the ownership of the $CATALINA_HOME/bin to tomcat_admin:tomcat.

# chown tomcat_admin:tomcat $CATALINA_HOME/bin

Remove read, write, and execute permissions for the world

# chmod g-w,o-rwx $CATALINA_HOME/bin

Default Value:

The default permissions of the top-level directories are 770.

See Also

https://workbench.cisecurity.org/benchmarks/11652

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: ff45115df7314741a20959012d1509ade9b0a59c79212eb93c31b75c1ef54b0e