Tomcat user account must be a non-privileged user.

An XCCDF Rule

Description

<VulnDiscussion>Use a distinct non-privileged user account for running Tomcat. If Tomcat processes are compromised and a privileged user account is used to operate the Tomcat server processes, the entire system becomes compromised. Sample passwd file: tomcat:x:1001:1001::/opt/tomcat/usr/sbin/nologin The user ID is stored in field 3 of the passwd file.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-222984r961353_rule
Severity: Medium
References: CCI-002235
Updated: 17 days ago

From the Tomcat server, create a tomcat user by adding a new non-privileged user OS account with the following command:
  
sudo useradd tomcat

Edit the systemd tomcat.service file or create one if it does not exist. Use the new "tomcat" user account by setting; USER=tomcat
Location of the file should be /etc/systemd/system/tomcat.service.

Enable the Tomcat service:
sudo restorecon /etc/systemd/system/tomcat.service
sudo chmod 644 /etc/systemd/system/tomcat.service
sudo systemctl enable tomcat.service

Start Tomcat:
sudo systemctl start tomcat

Tomcat user account must be a non-privileged user.

Description

Remediation - Manual Procedure