STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Tomcat user account must be set to nologin.

DISA Rule

SV-222983r615938_rule

Vulnerability Number

V-222983

Group Title

SRG-APP-000340-AS-000185

Rule Version

TCAT-AS-001050

Severity

CAT II

CCI(s)

• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Weight

10

Fix Recommendation

From the Tomcat command line type the following command:

sudo usermod -s /usr/sbin/nologin tomcat

Check Contents

From the command line of the Tomcat server type the following command:

sudo cat /etc/passwd|grep -i tomcat

If the command/shell field of the passwd file is not set to "/usr/sbin/nologin", this is a finding.

Vulnerability Number

V-222983

Documentable

False

Rule Version

TCAT-AS-001050

Severity Override Guidance

From the command line of the Tomcat server type the following command:

sudo cat /etc/passwd|grep -i tomcat

If the command/shell field of the passwd file is not set to "/usr/sbin/nologin", this is a finding.

Check Content Reference

M

Target Key

4094

Comments