
Tomcat user account must be a non-privileged user.

An XCCDF Rule

Description

Use a distinct non-privileged user account for running Tomcat. If Tomcat processes are compromised and a privileged user account is used to operate the Tomcat server processes, the entire system becomes compromised. Sample passwd file entry:

tomcat:x:1001:1001::/opt/tomcat:/usr/sbin/nologin

The user ID is stored in field 3 of the passwd file.

ID
SV-222984r961353_rule
Version
TCAT-AS-001060
Severity
Medium
References
Updated

Remediation Templates

A Manual Procedure

From the Tomcat server, create a tomcat user by adding a new non-privileged user OS account with the following command:
  
sudo useradd tomcat

Edit the systemd tomcat.service file or create one if it does not exist. Use the new "tomcat" user account by setting the following in the unit's [Service] section (systemd directive names are case-sensitive, so it must be User=, not USER=):

User=tomcat
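The following POSIX shell script is an added compliance check for this rule; it is not part of the STIG page or of any official checker. It parses a passwd entry the way the description above does (UID in field 3, login shell in field 7), and it parses a systemd unit file for a `User=` directive, rejecting root and a missing directive. Because systemd directive names are case-sensitive, a unit that spells the directive `USER=` is correctly reported as non-compliant. The passwd lines and unit files it tests against are constructed samples; the optional `--live` mode queries the real system with `getent` and `systemctl show`, which are standard commands but assume a unit named tomcat.service.

```shell
#!/bin/sh
# Added example (not from the STIG page): checks that Tomcat's service account
# is non-privileged and that its systemd unit actually runs it as that account.

# check_passwd_entry "<passwd line>"
# Returns 0 when field 3 (UID) is non-zero and field 7 is a nologin shell.
check_passwd_entry() {
    entry="$1"
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    [ -n "$uid" ] || return 1
    [ "$uid" -ne 0 ] 2>/dev/null || return 1
    case "$shell" in
        /usr/sbin/nologin|/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# check_unit_user "<path to .service file>"
# Returns 0 when a User= directive exists and names a user other than root.
# Only the exact directive name "User=" counts: systemd ignores "USER=".
check_unit_user() {
    unit="$1"
    [ -r "$unit" ] || return 1
    user=$(sed -n 's/^[[:space:]]*User=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$unit" | tail -n 1)
    [ -n "$user" ] && [ "$user" != "root" ]
}

# make_unit "<path>" "<directive line>" writes a minimal constructed unit file
# so the unit check can be exercised without touching /etc/systemd.
make_unit() {
    printf '[Unit]\nDescription=Apache Tomcat (constructed sample)\n\n[Service]\n%s\nExecStart=/opt/tomcat/bin/catalina.sh run\n' "$2" > "$1"
}

# Constructed sample passwd entries (not from any real host).
SAMPLE_OK='tomcat:x:1001:1001::/opt/tomcat:/usr/sbin/nologin'
SAMPLE_ROOT='root:x:0:0:root:/root:/bin/bash'
SAMPLE_LOGIN_SHELL='tomcat:x:1001:1001::/opt/tomcat:/bin/bash'

report() {  # report "<label>" <exit status of a check>
    if [ "$2" -eq 0 ]; then echo "PASS: $1"; else echo "FAIL: $1"; fi
}

if [ "${1:-}" = "--live" ]; then
    # Live audit: assumes the service account and unit are both named "tomcat".
    entry=$(getent passwd tomcat)
    check_passwd_entry "$entry"; report "passwd entry for tomcat is non-privileged" $?
    live_user=$(systemctl show -p User --value tomcat.service 2>/dev/null)
    [ -n "$live_user" ] && [ "$live_user" != "root" ]
    report "tomcat.service runs as User=$live_user" $?
else
    # Offline demonstration against the constructed samples.
    check_passwd_entry "$SAMPLE_OK"; report "nologin tomcat entry" $?
    check_passwd_entry "$SAMPLE_ROOT"; report "root entry (expected FAIL)" $?
    check_passwd_entry "$SAMPLE_LOGIN_SHELL"; report "tomcat with login shell (expected FAIL)" $?
    tmp=$(mktemp -d)
    make_unit "$tmp/ok.service" 'User=tomcat'
    make_unit "$tmp/wrongcase.service" 'USER=tomcat'
    check_unit_user "$tmp/ok.service"; report "unit with User=tomcat" $?
    check_unit_user "$tmp/wrongcase.service"; report "unit with USER=tomcat (expected FAIL)" $?
    rm -rf "$tmp"
fi
```

Run it with no arguments to see the constructed cases, or with `--live` on the Tomcat host to audit the real account and unit. The shell whitelist is deliberately strict; a service account with an interactive shell is flagged even when its UID is non-zero, since the description's sample entry uses /usr/sbin/nologin.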