Rule ID
SV-222999r1193098_rule
Version
V3R4
CCIs
CCI-000172
Discussion
The $CATALINA_BASE/conf folder contains the configuration files for the Tomcat Catalina server (server.xml, web.xml, tomcat-users.xml, and so on). To provide forensic evidence in the event of file tampering, changes to the contents of this folder must be logged. On Ubuntu this is done with the auditctl command; for other Linux distributions, use the equivalent OS commands. The -p wa option sets the permission filter for a file system watch so that write (w) and attribute-change (a) events on the folder's contents are recorded by auditd (by default in /var/log/audit/audit.log; forwarding the events to syslog additionally requires the audisp syslog plugin).
Check Text
Check the audit rules for the Tomcat configuration folder. From the Tomcat server as a privileged user, run the following command. If CATALINA_BASE is not set in the privileged shell, substitute the actual path (e.g., /opt/tomcat); where CATALINA_BASE and CATALINA_HOME differ, the conf folder lives under CATALINA_BASE:

sudo auditctl -l | grep $CATALINA_BASE/conf

If the results do not include "-w $CATALINA_BASE/conf -p wa -k tomcat", or if there are no results, this is a finding.
Fix Text
From the Tomcat server as a privileged user:

1. Identify the base folder for the Tomcat server:

#grep -i -- 'catalina_home\|catalina_base' /etc/systemd/system/tomcat.service

Lines similar to the following should be returned:

Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_BASE=/opt/tomcat"

where /opt/tomcat in the example will be referred to as <homefolderpath>. If CATALINA_BASE differs from CATALINA_HOME, use the CATALINA_BASE value, since that is where the conf folder lives.

2. Add rules to a rules file. These files are typically /etc/audit/rules.d/audit.rules or /etc/audit/rules.d/stig.rules (augenrules only picks up files in that directory whose names end in .rules). Open the rules file <rulesfile> in a text editor.

3. Alter or add the following line to the rules file, replacing <homefolderpath> with the actual path (e.g., /opt/tomcat):

-w <homefolderpath>/conf -p wa -k tomcat

4. Load the rules, replacing <rulesfile> with the actual filename (e.g., /etc/audit/rules.d/audit.rules):

#auditctl -R <rulesfile>

5. Make the rules persistent:

#augenrules --load

augenrules --load merges the files in /etc/audit/rules.d into /etc/audit/audit.rules and loads the result, so the rule survives a reboot only if step 2 placed it under /etc/audit/rules.d. If the audit configuration has been locked with "-e 2", new rules cannot be loaded until the system is rebooted. Confirm the rule is active with:

#auditctl -l | grep tomcat
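The check and fix above can be automated. The following POSIX shell script is an added example, not part of the STIG or DISA's own material: it reads CATALINA_BASE (falling back to CATALINA_HOME) from the systemd unit, prints the rule line the fix requires, and evaluates saved "auditctl -l" output the way the check does. It goes one step beyond the literal check by also accepting a permission filter that is a superset of "wa" (for example "rwxa"), which still records every event the requirement needs. The function names, the sample unit file and the sample auditctl output are constructed for this example and assume the modern "auditctl -l" output format ("-w <path> -p <perms> -k <key>").

```shell
#!/bin/sh
# Added example, not part of the STIG text: derive the Tomcat base folder from
# the systemd unit, build the watch rule this requirement calls for, and
# evaluate saved `auditctl -l` output for it. Function names and the sample
# files below are constructed for this example.

# unit_env <unit-file> <NAME>: print the value of Environment="NAME=..." (or
# Environment=NAME=...) from a systemd unit; empty output if absent.
unit_env() {
    sed -n 's/^Environment="\{0,1\}'"$2"'=\([^"]*\)"\{0,1\}$/\1/p' "$1" | head -n 1
}

# tomcat_base_from_unit <unit-file>: CATALINA_BASE holds conf/, so prefer it
# and fall back to CATALINA_HOME (the STIG fix uses one <homefolderpath> for both).
tomcat_base_from_unit() {
    val=$(unit_env "$1" CATALINA_BASE)
    [ -n "$val" ] || val=$(unit_env "$1" CATALINA_HOME)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# required_rule <base>: the line the fix adds to /etc/audit/rules.d/*.rules.
required_rule() {
    printf '%s\n' "-w $1/conf -p wa -k tomcat"
}

# audit_rule_present <base> <file-with-auditctl-l-output>
# Succeeds when a watch on <base>/conf is loaded whose permission filter covers
# both w and a and whose key is "tomcat". The STIG check looks for the literal
# "-p wa -k tomcat"; this also accepts a superset filter such as "-p rwxa".
# Assumes the modern auditctl -l format ("-w <path> -p <perms> -k <key>").
audit_rule_present() {
    awk -v path="$1/conf" '
        $1 == "-w" && $2 == path {
            perms = ""; key = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") perms = $(i + 1)
                if ($i == "-k") key = $(i + 1)
            }
            if (index(perms, "w") && index(perms, "a") && key == "tomcat") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# --- Constructed sample input (not taken from a real host) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/tomcat.service" <<'EOF'
[Service]
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_BASE=/opt/tomcat"
EOF
# auditctl -l before the fix: only an unrelated watch is loaded
printf '%s\n' '-w /etc/passwd -p wa -k identity' > "$tmp/before.txt"
# auditctl -l after the fix
printf '%s\n' '-w /etc/passwd -p wa -k identity' \
               '-w /opt/tomcat/conf -p wa -k tomcat' > "$tmp/after.txt"
# a watch with the wrong key: not what the STIG asks for, so still a finding
printf '%s\n' '-w /opt/tomcat/conf -p wa -k config' > "$tmp/wrongkey.txt"

base=$(tomcat_base_from_unit "$tmp/tomcat.service")
echo "Tomcat base folder: $base"
echo "Rule to add to /etc/audit/rules.d/stig.rules: $(required_rule "$base")"
for f in before after wrongkey; do
    if audit_rule_present "$base" "$tmp/$f.txt"; then
        echo "$f: rule loaded, not a finding"
    else
        echo "$f: rule missing, finding"
    fi
done
```

On a real host, point tomcat_base_from_unit at /etc/systemd/system/tomcat.service and feed audit_rule_present a file produced with "sudo auditctl -l > /tmp/audit-rules.txt"; the awk match is on the exact path, so a rule written with a trailing slash or a symlinked path will not count, which mirrors how the check's grep behaves.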