4.9 Restrict access to Tomcat catalina.policy

Information

The catalina.policy file is used to configure security policies for Tomcat. It is recommended that access to this file has the proper permissions to properly protect from unauthorized changes.

Rationale:

Restricting access to this file will prevent local users from maliciously or inadvertently altering Tomcat's security policy.

Solution

Perform the following to restrict access to $CATALINA_HOME/conf/catalina.policy.

Set the owner and group owner of the contents of $CATALINA_HOME/conf/catalina.policy to tomcat_admin:tomcat.

# chown tomcat_admin:tomcat $CATALINA_HOME/conf/catalina.policy

Set the permissions of the $CATALINA_HOME/conf/catalina.policy file to 600.

# chmod 600 $CATALINA_HOME/conf/catalina.policy

Default Value:

The default permissions of catalina.policy are 600.

See Also

https://workbench.cisecurity.org/files/4107

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 8c6e16f853be2b9c0873dce0fd2e956037bbebff4f97cd337bcb7ab64f39b760