TCAT-AS-001591 - Changes to $CATALINA_BASE/conf/ folder must be logged.

Information

The $CATALINA_BASE/conf folder contains configuration files for the Tomcat Catalina server. To provide forensic evidence in the event of file tampering, changes to contents in this folder must be logged. For Linux OS flavors other than Ubuntu, use the relevant OS commands. This can be done on the Ubuntu OS via the auditctl command. Using the -p wa flag set the permissions flag for a file system watch and logs file attribute and content change events into syslog.

Solution

From the Tomcat server as a privileged user, use the auditctl command.

sudo auditctl -w $CATALINA_BASE/conf -p wa -k tomcat

Validate the audit watch was created.
sudo auditctl -l

The user should see:
-w $CATALINA_HOME/ -p wa -k tomcat

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V3R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CAT|II, CCI|CCI-000172, Rule-ID|SV-222999r961827_rule, STIG-ID|TCAT-AS-001591, STIG-Legacy|SV-111521, STIG-Legacy|V-102581, Vuln-ID|V-222999

Plugin: Unix

Control ID: 48100e4b5c9385d420b56d0193673bce0b59fd35eb3ea2c591abfb30c3f615be