STIGQter STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Files in the $CATALINA_BASE/logs/ folder must have their permissions set to 640.

DISA Rule

SV-222944r615938_rule

Vulnerability Number

V-222944

Group Title

SRG-APP-000118-AS-000078

Rule Version

TCAT-AS-000361

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If operational/application requirements specify different file permissions, obtain ISSM risk acceptance and set permissions according to risk acceptance.

Run the following command on the Tomcat server:

sudo find $CATALINA_BASE/logs/* -follow -maxdepth 0 -type f -print0 | sudo xargs chmod 640 $CATALINA_BASE/logs/*

Check Contents

Access the Tomcat server from the command line and execute the following OS command:

sudo find $CATALINA_BASE/logs/* -follow -maxdepth 0 -type f \( \! -perm 640 \) -ls

If ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance.

If no files are displayed, this is not a finding.

If results indicate any of the file permissions contained in the $CATALINA_BASE/logs folder are not set to 640, this is a finding.

Vulnerability Number

V-222944

Documentable

False

Rule Version

TCAT-AS-000361

Severity Override Guidance

Access the Tomcat server from the command line and execute the following OS command:

sudo find $CATALINA_BASE/logs/* -follow -maxdepth 0 -type f \( \! -perm 640 \) -ls

If ISSM risk acceptance specifies deviation from requirement based on operational/application needs, this is not a finding if the permissions are set in accordance with the risk acceptance.

If no files are displayed, this is not a finding.

If results indicate any of the file permissions contained in the $CATALINA_BASE/logs folder are not set to 640, this is a finding.

Check Content Reference

M

Target Key

4094

Comments