Confirm STIG security setting for VMware Identity Manager 3.3.x directory tree permissions
Article ID: 435681

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

During a STIG assessment of VMware services, a finding flags the Workspace ONE Access directory tree permissions, stating they must be in an "out of the box" state.

The assessment inspects file ownership on the web server and flags any file within /opt/vmware/horizon/workspace/webapps/ whose owner is not the horizon user or whose group is not the www group.

The STIG check runs the following command:

find /opt/vmware/horizon/workspace/webapps/ -xdev -type f -a '(' -not -user horizon -o -not -group www ')' -exec ls -ld {} \;

If the command produces output (e.g., showing files owned by root:www), the STIG recommends changing the ownership using the following command:

chown horizon:www <file_name>

Example of flagged files showing default root:www ownership:

-rw-r--r-- 1 root www 238 Jan 11 2023 '/opt/vmware/horizon/workspace/webapps/mtkadmin/WEB-INF/classes/com/vmware/kdc/admin/CertificateUtils$1.class'
-rw-r--r-- 1 root www 3014 Jan 11 2023 /opt/vmware/horizon/workspace/webapps/mtkad

Environment

VMware Identity Manager 3.3.x (Workspace One)

Cause

This is expected behavior. The automated STIG check flags these files because the web user (horizon) does not own them. However, the current configuration is an intentional security design that enforces the Principle of Least Privilege.

The application (Tomcat) runs as the horizon user, which is part of the www group. The core application files (such as compiled .class files and .xml configs) are intentionally owned by root:www with read-only permissions for the group. This ensures the horizon user can read and execute the application but cannot modify the application's own core binaries.

Changing the ownership to horizon:www as recommended by the STIG would grant the web service account write access to its own executables. In the event of a remote code execution (RCE) vulnerability, an attacker who gains code execution as the horizon user would then be able to overwrite core files, plant web shells, and potentially compromise the authentication subsystems.
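The following script is an added example, not part of this article or of the vendor's tooling. It reproduces the STIG find predicate (owner not horizon, or group not www) and then applies the reasoning above to each hit: a file owned by root:www that is not group- or world-writable is the documented vendor state and can be recorded as an exception, while anything else flagged (wrong group, unexpected owner, or a root-owned file the service account could write to) deserves investigation. The sample records are constructed for the demonstration; walk_tree() collects the same records from a live appliance directory, and the user/group names and webapps path come from the article.

```python
import grp
import os
import pwd
import stat
from dataclasses import dataclass

# Values from the article: Tomcat runs as horizon (member of www);
# core application files are shipped as root:www, group read-only.
EXPECTED_USER = "horizon"
EXPECTED_GROUP = "www"
VENDOR_OWNER = "root"


@dataclass
class FileRecord:
    path: str
    user: str
    group: str
    mode: int  # permission bits only, e.g. 0o644


def stig_flags(rec: FileRecord) -> bool:
    """Mirror the STIG predicate: -not -user horizon -o -not -group www."""
    return rec.user != EXPECTED_USER or rec.group != EXPECTED_GROUP


def classify(rec: FileRecord) -> str:
    """'pass' (not flagged), 'expected-vendor-state' (root:www, not writable
    by the service account) or 'investigate' (anything else the check flags)."""
    if not stig_flags(rec):
        return "pass"
    writable_by_group_or_world = rec.mode & (stat.S_IWGRP | stat.S_IWOTH)
    if (rec.user == VENDOR_OWNER and rec.group == EXPECTED_GROUP
            and not writable_by_group_or_world):
        # root owns it, the www group can only read: the state the vendor intends,
        # so the horizon account cannot modify its own binaries.
        return "expected-vendor-state"
    return "investigate"


def audit(records):
    """Return (summary counts, detail rows for every flagged file)."""
    summary = {"pass": 0, "expected-vendor-state": 0, "investigate": 0}
    details = []
    for rec in records:
        verdict = classify(rec)
        summary[verdict] += 1
        if verdict != "pass":
            details.append((rec.path, rec.user, rec.group, oct(rec.mode), verdict))
    return summary, details


def walk_tree(root="/opt/vmware/horizon/workspace/webapps/"):
    """Collect FileRecords from a live tree: regular files only, and like
    find -xdev, do not descend into other mounted file systems."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            try:
                user = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                user = str(st.st_uid)  # unmapped uid: report the number
            try:
                group = grp.getgrgid(st.st_gid).gr_name
            except KeyError:
                group = str(st.st_gid)
            yield FileRecord(path, user, group, stat.S_IMODE(st.st_mode))


# Constructed sample input (paths modelled on the article's flagged output).
WEBAPPS = "/opt/vmware/horizon/workspace/webapps/"
SAMPLE = [
    FileRecord(WEBAPPS + "mtkadmin/WEB-INF/classes/CertificateUtils$1.class", "root", "www", 0o644),
    FileRecord(WEBAPPS + "mtkadmin/WEB-INF/classes/Loose.class", "root", "www", 0o664),
    FileRecord(WEBAPPS + "mtkadmin/upload/session.tmp", "horizon", "www", 0o644),
    FileRecord(WEBAPPS + "mtkadmin/WEB-INF/web.xml", "root", "root", 0o644),
    FileRecord(WEBAPPS + "mtkadmin/WEB-INF/lib/extra.jar", "nobody", "www", 0o644),
]

if __name__ == "__main__":
    counts, rows = audit(SAMPLE)
    print(counts)
    for row in rows:
        print(*row)
```

On an appliance, replace SAMPLE with `list(walk_tree())`; files that land in expected-vendor-state are the ones this article says to leave alone and record as an exception, and only the investigate rows need a human look.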

Resolution

Do not change the default file permissions.

Altering these default permissions will put the appliance in an unsupported state and will cause future patch and upgrade automation (via Lifecycle Management / LCM) to fail.

You should document this finding as a False Positive or Documented Exception (POAM), citing that the vendor-provided configuration successfully mitigates the control's core objective by enforcing root-level ownership and the Principle of Least Privilege.

Additional Information

For more details on appliance customization policies, see VMware virtual appliances and customization.