4.3 Restrict access to Tomcat configuration directory

Information

The Tomcat $CATALINA_HOME/conf directory contains Tomcat configuration files. It is recommended that the ownership of this directory be tomcat_admin:tomcat. It is also recommended that the permissions on this directory deny read, write, and execute for the world (o-rwx) and deny write access to the group (g-w).

Rationale:

Restricting access to these directories will prevent local users from maliciously or inadvertently altering Tomcat's configuration.

Solution

Perform the following to restrict access to Tomcat configuration files:

Set the ownership of the $CATALINA_HOME/conf to tomcat_admin:tomcat.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf

Remove write permissions for the group and read, write, and execute permissions for the world.

# chmod g-w,o-rwx $CATALINA_HOME/conf

Default Value:

The default permissions of the top-level directories are 770.

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|3.1, CSCv7|14.6

Plugin: Unix

Control ID: 8bbd24946de0fb8dba6005809f3ec0cca1e6f971aa1c009c7721c1bbdc653a87