Details

The Tomcat $CATALINA_HOME/webapps directory contains web applications that are deployed through Tomcat. It is recommended that the ownership of this directory be tomcat_admin:tomcat. It is also recommended that the permission on $CATALINA_HOME/webapps deny read, write, and execute for the world (o-rwx) and deny write access to the group (g-w).

Rationale:

Restricting access to these directories will prevent local users from maliciously or inadvertently affecting the integrity of web applications.

Solution

Perform the following to restrict access to Tomcat webapps directory:

Set the ownership of the $CATALINA_HOME/webapps to tomcat_admin:tomcat.

# chown tomcat_admin:tomcat $CATALINA_HOME/webapps

Remove read, write, and execute permissions for the world.

# chmod g-w,o-rwx $CATALINA_HOME/webapps

Default Value:

The default permissions of the top-level directories are 770.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2506

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-3
• CSCv6|3.1
• CSCv7|14.6

Source

• Tenable.com/audits