STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Tomcat user account must be a non-privileged user.

DISA Rule

SV-222984r615938_rule

Vulnerability Number

V-222984

Group Title

SRG-APP-000340-AS-000185

Rule Version

TCAT-AS-001060

Severity

CAT II

CCI(s)

• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Weight

10

Fix Recommendation

From the Tomcat server, create a tomcat user by adding a new non-privileged user OS account with the following command:

sudo useradd tomcat

Edit the systemd tomcat.service file or create one if it does not exist. Use the new "tomcat" user account by setting; USER=tomcat

Location of the file should be /etc/systemd/system/tomcat.service.

Enable the Tomcat service:
sudo restorecon /etc/systemd/system/tomcat.service
sudo chmod 644 /etc/systemd/system/tomcat.service
sudo systemctl enable tomcat.service

Start Tomcat:
sudo systemctl start tomcat

Check Contents

Run the following command to identify the Tomcat process UID:
ps -ef | { head -1; grep catalina; } | cut -f1 -d" "

Run the following command to obtain the OS user ID tied to the Tomcat process:
cat /etc/passwd|grep -i <UID>|cut -f3 -d:

If the user ID field of the passwd file is set to < 1000 or = 0, this is a finding.

Vulnerability Number

V-222984

Documentable

False

Rule Version

TCAT-AS-001060

Severity Override Guidance

Run the following command to identify the Tomcat process UID:
ps -ef | { head -1; grep catalina; } | cut -f1 -d" "

Run the following command to obtain the OS user ID tied to the Tomcat process:
cat /etc/passwd|grep -i <UID>|cut -f3 -d:

If the user ID field of the passwd file is set to < 1000 or = 0, this is a finding.

Check Content Reference

M

Target Key

4094

Comments