V-222983

CAT II (Medium)

Tomcat user account must be set to nologin.

Rule ID

SV-222983r961353_rule

STIG

Apache Tomcat Application Server 9 Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-002235

Discussion

When installing Tomcat, a user account is created on the OS. This account lets Tomcat operate on the OS but does not require the ability to actually log in to the system. Therefore, when the account is created, it must not be given access to a login shell or other program on the system. This is done by specifying the "nologin" parameter in the command/shell field of the passwd file.

Check Content

From the command line of the Tomcat server, type the following command:

sudo cat /etc/passwd|grep -i tomcat

If the command/shell field of the passwd file is not set to "/usr/sbin/nologin", this is a finding.

Fix Text

From the Tomcat command line, type the following command:

sudo usermod -s /usr/sbin/nologin tomcat
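
A scripted form of the check, usable before and after applying the fix. This is an added example, not part of the STIG text. The function names `account_shell` and `check_nologin` and the sample passwd entries are assumptions constructed for illustration. It matches the account name exactly in the first field, because `grep -i tomcat` also returns lines that only mention "tomcat" in another field or belong to a differently named account.

```shell
#!/bin/sh
# Added example: audit the command/shell field (7th colon-separated field)
# of a passwd-format file for one account. Function names are hypothetical.

REQUIRED_SHELL="/usr/sbin/nologin"   # value the check text requires

# Print the shell of exactly one account (exact match on field 1).
# Exits 2 if the account is absent (awk also exits non-zero if the
# file cannot be read).
account_shell() {  # usage: account_shell <passwd-file> <account>
    awk -F: -v u="$2" '$1 == u { print $7; found = 1; exit }
                       END { if (!found) exit 2 }' "$1"
}

# Return 0 if compliant, 1 if a finding, 2 if the account was not found.
check_nologin() {  # usage: check_nologin <passwd-file> <account>
    shell=$(account_shell "$1" "$2") || return 2
    if [ "$shell" = "$REQUIRED_SHELL" ]; then
        echo "PASS: $2 shell is $shell"
        return 0
    fi
    # An empty shell field means the system default shell, so it is a finding.
    echo "FINDING: $2 shell is '${shell:-<empty>}', expected $REQUIRED_SHELL"
    return 1
}

# Constructed sample data (not taken from a real host).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
tomcat:x:998:998:Apache Tomcat:/opt/tomcat:/usr/sbin/nologin
tomcat-admin:x:1001:1001:Tomcat operator:/home/tomcat-admin:/bin/bash
backup:x:34:34:tomcat backups:/var/backups:/bin/sh
svc:x:999:999::/opt/svc:
EOF
check_nologin "$sample" tomcat
check_nologin "$sample" tomcat-admin || true
check_nologin "$sample" svc || true
```

On a live server, pass `/etc/passwd` as the first argument and the name of the account Tomcat actually runs as for the second.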