Details

Configure applications to run in a sandbox using the Security Manager. The Security Manager restricts what classes Tomcat can access thus protecting your server from mistakes, Trojans, and malicious code.

Rationale:

By running Tomcat with the Security Manager, applications are run in a sandbox which can prevent untrusted code from accessing files on the file system.

Solution

The security policies implemented by the Java SecurityManager are configured in the $CATALINA_HOME/conf/catalina.policy file. Once you have configured the catalina.policy file for use with a SecurityManager, Tomcat can be started with a SecurityManager in place by using the –security option:

On Unix:

$ $CATALINA_HOME/bin/catalina.sh start -security

On Windows:

C:> %CATALINA_HOME%bincatalina start -security

Default Value:

By default the -security option is not utilized.

References:

https://tomcat.apache.org/tomcat-8.0-doc/security-manager-howto.html

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2506

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

• 800-53|CM-6
• CSCv6|3.1
• CSCv7|5.1

Source

• Tenable.com/audits