Tomcat user account must be a non-privileged user.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222984	TCAT-AS-001060	SV-222984r961353_rule		Medium

Description
Use a distinct non-privileged user account for running Tomcat. If Tomcat processes are compromised and a privileged user account is used to operate the Tomcat server processes, the entire system becomes compromised. Sample passwd file: tomcat:x:1001:1001::/opt/tomcat/usr/sbin/nologin The user ID is stored in field 3 of the passwd file.

STIG	Date
Apache Tomcat Application Server 9 Security Technical Implementation Guide	2024-05-23

Details

Check Text ( C-24656r944934_chk )
Run the following command to identify the Tomcat process UID: ps -ef \| { head -1; grep catalina; } \| cut -f1 -d" " Run the following command to obtain the OS user ID tied to the Tomcat process: cat /etc/passwd\|grep -i \|cut -f3 -d: Unless operationally necessary, the Tomcat process should not be tied to a privileged OS user ID. Depending on the operating system, privileged OS user IDs will typically be assigned user ID values <500 or <1000. If the Tomcat process is running as a privileged user and is not documented and approved, this is a finding. If the user ID field of the passwd file is set to 0, this is a finding.

Check Text ( C-24656r944934_chk )

Run the following command to identify the Tomcat process UID:
ps -ef | { head -1; grep catalina; } | cut -f1 -d" "

Run the following command to obtain the OS user ID tied to the Tomcat process:
cat /etc/passwd|grep -i |cut -f3 -d:

Unless operationally necessary, the Tomcat process should not be tied to a privileged OS user ID. Depending on the operating system, privileged OS user IDs will typically be assigned user ID values <500 or <1000.

If the Tomcat process is running as a privileged user and is not documented and approved, this is a finding.

If the user ID field of the passwd file is set to 0, this is a finding.

Fix Text (F-24645r426397_fix)
From the Tomcat server, create a tomcat user by adding a new non-privileged user OS account with the following command: sudo useradd tomcat Edit the systemd tomcat.service file or create one if it does not exist. Use the new "tomcat" user account by setting; USER=tomcat Location of the file should be /etc/systemd/system/tomcat.service. Enable the Tomcat service: sudo restorecon /etc/systemd/system/tomcat.service sudo chmod 644 /etc/systemd/system/tomcat.service sudo systemctl enable tomcat.service Start Tomcat: sudo systemctl start tomcat

Fix Text (F-24645r426397_fix)

From the Tomcat server, create a tomcat user by adding a new non-privileged user OS account with the following command:

sudo useradd tomcat

Edit the systemd tomcat.service file or create one if it does not exist. Use the new "tomcat" user account by setting; USER=tomcat

Location of the file should be /etc/systemd/system/tomcat.service.

Enable the Tomcat service:
sudo restorecon /etc/systemd/system/tomcat.service
sudo chmod 644 /etc/systemd/system/tomcat.service
sudo systemctl enable tomcat.service

Start Tomcat:
sudo systemctl start tomcat