10.18 Setting Security Lifecycle Listener - check for umask present in startup

Information

The Security Lifecycle Listener performs a number of security checks when Tomcat starts and prevents Tomcat from starting if they fail.

Rationale:

When enabled, the Security Lifecycle Listener can

Enforce a blacklist of OS users that must not be used to start Tomcat.

Set the least restrictive umask before Tomcat starts.

Solution

Uncomment the listener in $CATALINA_HOME/conf/server.xml. If the operating system supports umask then the line in $CATALINA_HOME/bin/catalina.sh that obtains the umask also needs to be uncommented.

Within Server elements add:

checkedOsUsers: A comma separated list of OS users that must not be used to start Tomcat. If not specified, the default value of root is used.

minimumUmask: The least restrictive umask that must be configured before Tomcat will start. If not specified, the default value of 0007 is used.

<Listener className='org.apache.catalina.security.SecurityListener' checkedOsUsers='alex,bob' minimumUmask='0007' />

Default Value:

The Security Lifecycle Listener is not enabled by default. For checkedOsUsers, the default value is root. For minimumUmask, the default value is 0007.

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/listeners.html#Security_Lifecycle_Listener_-_org.apache.catalina.security.SecurityListener

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Unix

Control ID: 353e0411d81c3aa392229d5b9e073638b7903b3c24350a834b923999feb76b5c