7.4 Ensure directory in context.xml is a secure location - configuration

Information

The directory attribute tells Tomcat where to store logs. It is recommended that the location referenced by the directory attribute be secured.

Rationale:

Securing the log location will help ensure the integrity and confidentiality of web application activity.

Solution

Perform the following:

Add the following statement into the $CATALINA_HOME/webapps/<app name>/META-INF/context.xml file if it does not already exist.

<Valve className='org.apache.catalina.valves.AccessLogValve'
directory='$CATALINA_HOME/logs/'
prefix='access_log' fileDateFormat='yyyy-MM-dd.HH' suffix='.log' pattern='%t %H cookie:%{SESSIONID}c
request:%{SESSIONID}r %m %U %s %q %r'/>

Set the location pointed to by the directory attribute to be owned by tomcat_admin:tomcat with permissions of o-rwx.

# chown tomcat_admin:tomcat $CATALINA_HOME/logs
# chmod o-rwx $CATALINA_HOME/logs

Default Value:

Does not exist by default

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv7|14.6

Plugin: Unix

Control ID: 090131aec11cd08877f625c92de3a5e27df006546e81c9ff0fe47c874b382b15