
Changes to $CATALINA_HOME/lib/ folder must be logged.


Overview

Finding ID: V-223000
Version: TCAT-AS-001592
Rule ID: SV-223000r615938_rule
IA Controls:
Severity: Medium
Description
The $CATALINA_HOME/lib folder contains library files for the Tomcat Catalina server, in the form of Java archive (JAR) files. To provide forensic evidence in the event of file tampering, changes to the contents of this folder must be logged. On Ubuntu this can be done with the auditctl command; for other Linux distributions, use the equivalent OS commands. The -p wa flag sets the permission filter for a file system watch so that write (w) and attribute-change (a) events on the folder are logged to syslog.
STIG: Apache Tomcat Application Server 9 Security Technical Implementation Guide
Date: 2021-12-27

Details

Check Text ( C-24672r426444_chk )
Run the following commands from the Tomcat server as a privileged user:

Identify the home folder for the Tomcat server.

sudo grep -i -- 'catalina_home\|catalina_base' /etc/systemd/system/tomcat.service

Check the audit rules for the Tomcat folders.

sudo auditctl -l | grep -i lib

If the results do not include -w $CATALINA_HOME/lib -p wa -k tomcat, or if there are no results, this is a finding.
Fix Text (F-24661r426445_fix)
From the Tomcat server as a privileged user, use the auditctl command.

sudo auditctl -w $CATALINA_HOME/lib -p wa -k tomcat

Validate the audit watch was created.
sudo auditctl -l

The user should see:
-w $CATALINA_HOME/lib -p wa -k tomcat
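The check and fix above are manual. As an added example (not part of the STIG text or of Tomcat or auditd), the script below automates the same check: it reads CATALINA_HOME out of the systemd unit the way the grep in the Check Text does, then inspects the loaded audit rules for a watch on $CATALINA_HOME/lib whose permission filter covers both w and a and whose key is tomcat. The unit fragment and the two rule listings are constructed sample input (the path /opt/tomcat is hypothetical) so the script runs offline; the commented call at the end shows how to feed it the real unit file and the real auditctl -l output.

```shell
#!/bin/sh
# Added example: compliance check for the $CATALINA_HOME/lib audit watch.
# All SAMPLE_* values below are constructed test input, not real output.

# Constructed fragment of a tomcat.service unit (hypothetical paths).
SAMPLE_UNIT='[Service]
Environment=JAVA_HOME=/usr/lib/jvm/default-java
Environment="CATALINA_HOME=/opt/tomcat"
Environment=CATALINA_BASE=/opt/tomcat'

# Constructed "auditctl -l" listings. auditctl prints the expanded path,
# never the literal string $CATALINA_HOME, so the check must compare
# against the resolved directory.
SAMPLE_RULES_OK='-w /etc/passwd -p wa -k identity
-w /opt/tomcat/lib -p wa -k tomcat'

SAMPLE_RULES_BAD='-w /opt/tomcat/bin -p wa -k tomcat
-w /opt/tomcat/lib -p r -k tomcat'

# catalina_home_from_unit UNIT_TEXT
# Prints the CATALINA_HOME value from an Environment= line (quotes stripped).
catalina_home_from_unit() {
    printf '%s\n' "$1" | awk -F= '
        { gsub(/"/, "") }
        tolower($1) == "environment" && tolower($2) == "catalina_home" { print $3; exit }'
}

# lib_watch_present RULES_TEXT CATALINA_HOME
# Returns 0 when a "-w CATALINA_HOME/lib" rule exists whose -p filter
# contains both w (write) and a (attribute change) and whose key is tomcat.
lib_watch_present() {
    printf '%s\n' "$1" | awk -v want="$2/lib" '
        $1 == "-w" && $2 == want {
            perms = ""; key = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") perms = $(i + 1)
                if ($i == "-k") key = $(i + 1)
            }
            if (index(perms, "w") && index(perms, "a") && key == "tomcat") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_tomcat_lib_watch UNIT_TEXT RULES_TEXT
# Prints PASS or FINDING in the STIG's terms and returns 0 only on PASS.
check_tomcat_lib_watch() {
    home=$(catalina_home_from_unit "$1")
    if [ -z "$home" ]; then
        echo "FINDING: CATALINA_HOME not found in the unit file"
        return 1
    fi
    if lib_watch_present "$2" "$home"; then
        echo "PASS: -w $home/lib -p wa -k tomcat is loaded"
        return 0
    fi
    echo "FINDING: no -w $home/lib -p wa -k tomcat rule is loaded"
    return 1
}

# Live use on the Tomcat server (requires root for auditctl):
#   check_tomcat_lib_watch "$(cat /etc/systemd/system/tomcat.service)" "$(sudo auditctl -l)"
check_tomcat_lib_watch "$SAMPLE_UNIT" "$SAMPLE_RULES_OK"
check_tomcat_lib_watch "$SAMPLE_UNIT" "$SAMPLE_RULES_BAD" || true
```

Two points the script encodes that the manual check leaves implicit: auditctl -l shows the resolved directory, so grepping for the literal text $CATALINA_HOME will never match, and a rule whose filter is only r or only w does not satisfy the requirement. Separately, a rule added with auditctl alone lives in the kernel until the next reboot; to keep the watch across reboots, put the same -w line in a file under /etc/audit/rules.d/ and reload the rule set with augenrules --load, then rerun the check.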