10.19 Setting Security Lifecycle Listener (check for umask uncommented in startup)

Information

The Security Lifecycle Listener performs a number of security checks when Tomcat starts and prevents Tomcat from starting if they fail.

Solution

To enable it uncomment the listener in $CATALINA_BASE/conf/server.xml. If the operating system supports umask then the line in $CATALINA_HOME/bin/catalina.sh that obtains the umask also needs to be uncommented.

Within Server elements add:
- checkedOsUsers: A comma separated list of OS users that must not be used to start Tomcat. If not specified, the default value of root is used.
- minimumUmask: The least restrictive umask that must be configured before Tomcat will start. If not specified, the default value of 0007 is used.

<Listener className="org.apache.catalina.security.SecurityListener" checkedOsUsers="alex,bob" minimumUmask="0007" />

See Also

https://workbench.cisecurity.org/files/266

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3(4)(d)

Plugin: Unix

Control ID: 69327896a7b3c63f5468b4d9a6df0667cd5c5b083fe4bed5352a357f9ae878f5