Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Tomcat user account must be a non-privileged user.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-222984 | TCAT-AS-001060 | SV-222984r615938_rule | Medium |
| Description |
|---|
| Use a distinct non-privileged user account for running Tomcat. If Tomcat processes are compromised and a privileged user account is used to operate the Tomcat server processes, the entire system becomes compromised. Sample passwd file: tomcat:x:1001:1001::/opt/tomcat/usr/sbin/nologin The user ID is stored in field 3 of the passwd file. |
| STIG | Date |
|---|---|
| Apache Tomcat Application Sever 9 Security Technical Implementation Guide | 2021-12-27 |
Details
| Check Text ( C-24656r426396_chk ) |
|---|
| Run the following command to identify the Tomcat process UID: ps -ef | { head -1; grep catalina; } | cut -f1 -d" " Run the following command to obtain the OS user ID tied to the Tomcat process: cat /etc/passwd|grep -i If the user ID field of the passwd file is set to < 1000 or = 0, this is a finding. |
| Fix Text (F-24645r426397_fix) |
|---|
| From the Tomcat server, create a tomcat user by adding a new non-privileged user OS account with the following command: sudo useradd tomcat Edit the systemd tomcat.service file or create one if it does not exist. Use the new "tomcat" user account by setting; USER=tomcat Location of the file should be /etc/systemd/system/tomcat.service. Enable the Tomcat service: sudo restorecon /etc/systemd/system/tomcat.service sudo chmod 644 /etc/systemd/system/tomcat.service sudo systemctl enable tomcat.service Start Tomcat: sudo systemctl start tomcat |