8.1 Restrict runtime access to sensitive packages

Information

package.access grants or revokes access to listed packages during runtime. It is recommended that application access to certain packages be restricted.

Rationale:

Prevent web applications from accessing restricted or unknown packages which may be malicious or dangerous to the application.

Solution

Edit $CATALINA_BASE/conf/catalina.properties by adding allowed packages to the package.access list:

package.access = sun.,org.apache.catalina.,org.apache.coyote.,org.apache.jasper.,org.apache.tomcat.

Default Value:

The default package.access value within $CATALINA_BASE/conf/catalina.properties is:

package.access = sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat., org.apache.jasper.

See Also

https://workbench.cisecurity.org/benchmarks/11652

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: e3c9f55bdaaa863688691989aac243628e1eb319a68b8dce58728c29adfdcf57