CABI: V-222943 $CATALINA_BASE/logs folder permissions must be set to 750


Article ID: 246002


Products

CA Spectrum DX NetOps

Issue/Introduction


The /opt/CA/SharedComponents/CABI/apache-tomcat/logs/ folder permissions are set to 777 and this violates STIG Rule V-222943.

Can permissions be changed to 750 without impact?

Environment

Release : 22.2

Component : Jaspersoft for CA Spectrum

Cause


V-222943 - $CATALINA_BASE/logs folder permissions must be set to 750.


Tomcat file permissions must be restricted. The standard configuration is to have all Tomcat files owned by root with group Tomcat. While root has read/write privileges, group only has read permissions, and world has no permissions. The exceptions are the logs, temp, and work directories that are owned by the Tomcat user rather than root. This means that even if an attacker compromises the Tomcat process, they cannot change the Tomcat configuration, deploy new web applications, or modify existing web applications. The Tomcat process runs with a umask of 0027 to maintain these permissions.

Resolution

A defect (DE540219) has been raised to have the permissions on CABI's apache-tomcat/logs folder changed to 750.

In the meantime, the permissions on the logs folder can be set to 750 manually:


cd /opt/CA/SharedComponents/CABI
./stopServers.sh tomcat

cd apache-tomcat
chmod 750 logs/

cd ../
./startServers.sh tomcat
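
To confirm the change after the restart, the following added example (not part of the original article or the product) audits the folder mode and lists any log files that are still world-accessible, since chmod on the folder does not alter files already inside it. It assumes GNU stat and find on Linux; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Tomcat logs directory against the 750 requirement.
# Assumes GNU stat and find (Linux). Function names are hypothetical.
# Usage after sourcing this file:
#   check_logs_dir /opt/CA/SharedComponents/CABI/apache-tomcat/logs
#   world_accessible_entries /opt/CA/SharedComponents/CABI/apache-tomcat/logs

# Print the octal mode of a directory; return 2 if it is missing or not a directory.
logs_dir_mode() {
    if [ ! -d "$1" ]; then
        echo "not a directory: $1" >&2
        return 2
    fi
    stat -c '%a' "$1"
}

# Return 0 if the directory mode is exactly 750, 1 if it differs,
# 2 if the directory cannot be inspected.
check_logs_dir() {
    cld_dir=$1
    cld_mode=$(logs_dir_mode "$cld_dir") || return 2
    if [ "$cld_mode" = "750" ]; then
        echo "PASS $cld_dir mode=$cld_mode"
        return 0
    fi
    # Special bits count as a mismatch too (for example 2750 with setgid set).
    echo "FAIL $cld_dir mode=$cld_mode (expected 750)"
    return 1
}

# List entries below the directory that grant any permission to "other".
# Files written before the fix, or under a umask looser than 0027, show up here.
world_accessible_entries() {
    find "$1" -mindepth 1 -perm /007 -printf '%m %p\n'
}
```
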

Additional Information


V-222943 - $CATALINA_BASE/logs folder permissions must be set to 750.
https://stigviewer.com/stig/apache_tomcat_application_sever_9/2021-06-15/finding/V-222943