How to Configure UMASK in Tomcat (V-222949)

Article ID: 219700


Products

CA Spectrum

Issue/Introduction


For secure sites, Tomcat servers are required to run with a umask of 0027, so that files Tomcat creates at runtime (log files, deployed applications, temporary files) are never writable by the group or readable by unrelated users.

 

Finding ID   Version          Rule ID                  IA Controls   Severity
V-222949     TCAT-AS-000450   SV-222949r615938_rule    -             Medium

 

Tomcat user UMASK must be set to 0027. (stigviewer.com)

 

Rule Title: Tomcat user UMASK must be set to 0027.

Discussion: For Unix-based systems, umask settings affect file creation permissions. If the permissions are too loose, newly created log files and applications could be accessible to unauthorized users via the file system. Ensure the Tomcat OS user account has the correct file creation permission settings by validating the OS umask settings for the Tomcat user.

A umask of 0027 removes write permission for the group and all permissions for others: new directories are created as 750 (rwxr-x---) and regular files as 640 (rw-r-----), so the Tomcat user keeps full rights, members of the Tomcat group get read-only access, and everyone else gets none.

Tomcat will most likely be running as a systemd service. Locate the systemd service file for Tomcat. The default location for the link to the service file is the /etc/systemd/system folder. The service file name should be indicative of the Tomcat process, so tomcat.service is the logical name for the service file and is the name referenced by the STIG.

Check Text: Reference the system documentation and make relevant changes to the following commands if the system differs:

From the Tomcat server command line run the following command:

sudo cat /etc/systemd/system/tomcat.service | grep -i umask

If the output does not show UMask=0027, or no UMask line is present at all (systemd then applies its default of 0022), this is a finding.

Fix Text: From the Tomcat server as a privileged user:

Use a file editor like nano or vi and edit the /etc/systemd/system/tomcat.service file.

Change the "UMask=" setting to 0027, adding the line under the [Service] section if it is absent:

UMask=0027

Then run systemctl daemon-reload and restart the tomcat service; systemd does not re-read an edited unit file until it is reloaded.
 

Environment

Release : 20.2 / 21.2.1

Component : Spectrum OneClick

Resolution


1. Create a file named setenv.sh in $SPECROOT/tomcat/bin/

2. Add the following to setenv.sh:

    #!/bin/sh

    export UMASK="0027"

   This works because the stock Tomcat catalina.sh sources setenv.sh and then applies the value with umask "$UMASK" (Tomcat 8.5 and later already default UMASK to 0027). An environment variable named UMASK has no effect on its own, so if the OneClick start script does not go through catalina.sh, put a plain umask 0027 line in setenv.sh instead, and confirm the result after the restart either way.

3. Restart Tomcat

     cd $SPECROOT/tomcat/bin/
     ./stopTomcat.sh
     ./startTomcat.sh

4. Confirm the effective umask of the running Java process. On Linux (kernel 4.7 or later) it is reported on the Umask: line of /proc/<pid>/status for the Tomcat JVM's pid; that value, not the contents of setenv.sh, is what the STIG requirement is about.
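As an added example, not part of this article, the STIG, or CA Spectrum's own tooling, the following POSIX sh script checks both sides of the procedure above: it parses the UMask= line of a systemd unit the way the STIG check does, and it reads the umask the kernel reports for a running process, which is the only way to know that the setenv.sh route actually took effect. It assumes sed, printf and mktemp are available and that the host runs Linux 4.7 or later, which is when the Umask: line in /proc/<pid>/status appeared; the unit files and status file it writes are constructed samples, not files from a real host.

```shell
#!/bin/sh
# Added example (not CA Spectrum's or the STIG's own tooling): verify the Tomcat
# umask from two angles, the value configured in a systemd unit and the value
# the kernel reports for the running process.
# Assumptions: POSIX sh with sed/printf/mktemp; Linux >= 4.7 for the
# "Umask:" line in /proc/<pid>/status; the unit and status contents in demo()
# are constructed samples, not files from a real host.

REQUIRED_UMASK=0027

# Normalize an octal umask to four digits so "27", "027" and "0027" compare
# equal. Rejects anything that is not one to four octal digits.
normalize_umask() {
    case $1 in
        ''|*[!0-7]*|?????*) return 1 ;;
    esac
    # The leading 0 makes printf parse the string as octal.
    printf '%04o' "$(printf '%d' "0$1")"
}

# Print the effective UMask= value of a systemd unit file. systemd permits
# whitespace around '=' and the last assignment wins; prints nothing if unset.
unit_umask() {
    sed -n 's/^[[:space:]]*UMask[[:space:]]*=[[:space:]]*\([0-7]*\).*$/\1/p' "$1" | tail -n 1
}

# Print the umask the kernel reports for a process, given its /proc/<pid>/status.
status_umask() {
    sed -n 's/^Umask:[[:space:]]*\([0-7]*\).*$/\1/p' "$1"
}

# Succeed when the observed umask equals the required one. An empty observed
# value (setting absent) fails, because systemd would apply its 0022 default.
check_umask() {
    observed=$(normalize_umask "$1") || return 1
    required=$(normalize_umask "$2") || return 1
    [ "$observed" = "$required" ]
}

# Report a unit file the way the STIG check would.
audit_unit() {
    value=$(unit_umask "$1")
    if check_umask "$value" "$REQUIRED_UMASK"; then
        echo "$1: UMask=$value - compliant"
    else
        echo "$1: UMask='${value:-unset}' - FINDING (required $REQUIRED_UMASK)"
    fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed samples: a weak unit, a compliant unit using systemd's
    # tolerated spacing, and a status file as the kernel would print it.
    printf '[Service]\nUser=tomcat\nUMask=0022\n' > "$tmp/weak.service"
    printf '[Service]\nUser=tomcat\nUMask = 0027\n' > "$tmp/fixed.service"
    printf 'Name:\tjava\nUmask:\t0027\nState:\tS (sleeping)\n' > "$tmp/java.status"

    audit_unit "$tmp/weak.service"
    audit_unit "$tmp/fixed.service"
    echo "sample process umask: $(status_umask "$tmp/java.status")"

    # On a live host the same parser reads the real kernel value. Here a
    # subshell sets 0027 and inspects itself, which is what you would do with
    # the Tomcat JVM's pid after the restart.
    if [ -r /proc/self/status ]; then
        echo "subshell with umask 0027: $( umask 0027; status_umask /proc/self/status )"
    fi
    rm -rf "$tmp"
}

demo
```

To audit a live host, call audit_unit /etc/systemd/system/tomcat.service for the unit side and status_umask /proc/<pid>/status with the Tomcat JVM's pid for the running side; a unit that passes while the process reports 0022 means Tomcat is being started some other way (for example through startTomcat.sh rather than systemd) and the setenv.sh route is the one that matters.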