4.13 Restrict access to Tomcat tomcat-users.xml

Information

tomcat-users.xml contains authentication information for Tomcat applications. It is recommended that access to this file properly protect from unauthorized changes.

Rationale:

Restricting access to this file will prevent local users from maliciously or inadvertently altering Tomcat's security policy.

Solution

Perform the following to restrict access to tomcat-users.xml:

Set the ownership of the $CATALINA_HOME/conf/tomcat-users.xml to tomcat_admin:tomcat.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf/tomcat-users.xml

Set the permissions of the $CATALINA_HOME/conf/tomcat-users.xml to 600

# chmod 600 $CATALINA_HOME/conf/tomcat-users.xml

Default Value:

The default permissions of the top-level directories are 600.

See Also

https://workbench.cisecurity.org/benchmarks/11652

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 38c621f988b5eaa4ca8db2e4a2f25b2433329bd86bbdfefa2a89f1ee3d9197b8