Setting Security Lifecycle Listener – check for config component

Details

The Security Lifecycle Listener performs a number of security checks when Tomcat starts and prevents Tomcat from starting if they fail.

Rationale:

When enabled, the Security Lifecycle Listener can:

Enforce a blacklist of OS users that must not be used to start Tomcat.

Require a minimum umask (the least restrictive one allowed) to be configured before Tomcat starts.

Solution

Uncomment the listener in $CATALINA_BASE/conf/server.xml. If the operating system supports umask, then the line in $CATALINA_HOME/bin/catalina.sh that obtains the umask also needs to be uncommented.

Within the Server element, add the listener. It accepts the following attributes:

checkedOsUsers: A comma-separated list of OS users that must not be used to start Tomcat. If not specified, the default value of root is used.

minimumUmask: The least restrictive umask that must be configured before Tomcat will start. If not specified, the default value of 0007 is used.

Default Value:

The Security Lifecycle Listener is not enabled by default. For checkedOsUsers, the default value is root. For minimumUmask, the default value is 0007.
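
A text search of server.xml can report the listener as present while it is still commented out, so a check for this control should parse the file. The following is an added example, not part of the benchmark or of Tomcat: the class name org.apache.catalina.security.SecurityListener is Tomcat's listener class (it is not spelled out on this page), the sample XML and the user tomcat_admin are constructed, and the bitwise reading of minimumUmask in umask_satisfies is an assumption.

```python
import xml.etree.ElementTree as ET

LISTENER_CLASS = "org.apache.catalina.security.SecurityListener"

# Constructed sample server.xml content: listener still commented out, then enabled.
SAMPLE_DISABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <!-- <Listener className="org.apache.catalina.security.SecurityListener" /> -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
</Server>"""

SAMPLE_ENABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.security.SecurityListener"
            checkedOsUsers="root,tomcat_admin" minimumUmask="0027" />
</Server>"""


def audit_security_listener(server_xml_text):
    """Return the effective listener settings, or None if it is not enabled."""
    root = ET.fromstring(server_xml_text)  # XML comments are discarded by the parser
    if root.tag != "Server":
        raise ValueError("root element is not <Server>")
    for listener in root.findall("Listener"):  # direct children of <Server> only
        if listener.get("className") == LISTENER_CLASS:
            # Fall back to the documented defaults when an attribute is absent.
            users = listener.get("checkedOsUsers", "root")
            return {
                "checkedOsUsers": [u.strip() for u in users.split(",") if u.strip()],
                "minimumUmask": listener.get("minimumUmask", "0007"),
            }
    return None


def umask_satisfies(process_umask, minimum_umask):
    """True if every bit set in minimum_umask is also set in process_umask
    (assumed semantics of 'least restrictive umask')."""
    actual, minimum = int(process_umask, 8), int(minimum_umask, 8)
    return actual & minimum == minimum


if __name__ == "__main__":
    for name, text in (("disabled", SAMPLE_DISABLED), ("enabled", SAMPLE_ENABLED)):
        print(name, audit_security_listener(text))
    print(umask_satisfies("0027", "0007"), umask_satisfies("0022", "0007"))
```

To audit a real installation, pass the contents of $CATALINA_BASE/conf/server.xml to audit_security_listener; a None result means the control is not in place.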

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.

Updated on July 16, 2022