© Copyright IBM Corporation, 2006, 2007 - All Rights Reserved
Version 4.3u – May 28, 2007
Version - Release Levels: Tomcat Version 4.x (from Apache) and higher
QY.1 System Setup
QY.1.1 Initial System Setup
QY.1.1.1 System Settings
Not applicable
QY.1.1.2 Network Settings
Not applicable
QY.1.2 System Controls
QY.1.2.1 Logging
Not applicable
QY.1.2.2 Identify and Authenticate Users
System Value/Parameter: Tomcat id
Description: An operating system ID having full system or security administration authority for the OSR of the Tomcat installation. This is also the OS id that the Tomcat application will run as.
Recommended Setting:
  - Must not be a personal user id.
  - Must not have system privileges such as root/administrator.
  - Must not have system privileges beyond what the deployed application requires to run.
  - A new group (Tomcat group) may be created of which the Tomcat id is a member.
Proposed to Setting: As recommended
Reference: 2.1.1

System Value/Parameter: Tomcat administrator
Description: A web ID having access to the Tomcat configuration via the Tomcat web administration tool. This user id is not an OS id and is defined in the tomcat-users.xml file.
Recommended Setting:
  - Must not be a personal user id.
  - Password must be changed directly after the installation.
Proposed to Setting: As recommended
Reference: 2.1.1
QY.1.2.3 Protecting Resources - OSRs
System Value/Parameter: Logs
Recommended Setting: No read access for general users.
Proposed to Setting: As recommended
Reference: 2.2.4

System Value/Parameter: $TOMCAT_HOME
Description: The directory where Tomcat is installed.
Recommended Setting: $TOMCAT_HOME and everything under it must be owned by the Tomcat id. The Tomcat group may have read access to it.
Proposed to Setting: As recommended

System Value/Parameter: $TOMCAT_HOME/conf/*
Recommended Setting: The files in this directory must be accessible only to the Tomcat id. The Tomcat group must not have access to this directory.
Proposed to Setting: As recommended

System Value/Parameter: Sample Application
Recommended Setting: Must not be deployed, or must be disabled.
Proposed to Setting: As recommended
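The following audit script is an added example, not part of the IBM standard or of Tomcat itself. It checks an installation tree against the QY.1.2.2 settings (Tomcat id not root; administrator password in tomcat-users.xml changed from the shipped value) and the QY.1.2.3 settings (ownership, conf/ reachable only by the Tomcat id, logs not world-readable, sample applications absent). It assumes the usual Tomcat 4.x layout ($TOMCAT_HOME/conf, /logs, /webapps), assumes "examples" and "webdav" as the names of the shipped sample webapps, and assumes tomcat-users.xml lists each user on one line with name before password. The "weak" and "hardened" trees it builds are constructed test data so the checks can be run offline.

```shell
#!/bin/sh
# Added audit script for the QY.1.2.2 / QY.1.2.3 settings (not IBM's or Tomcat's code).
# Assumptions: Tomcat 4.x layout under $TOMCAT_HOME (conf/, logs/, webapps/), sample
# webapps named "examples" and "webdav", one <user .../> per line in tomcat-users.xml.

# QY.1.2.2: the OS account Tomcat runs as must not be root. Argument: account name.
check_tomcat_id() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ne 0 ]
}

# QY.1.2.3: everything under the tree must be owned by the Tomcat id.
# Arguments: tree root, expected owner.
check_owner() {
    [ -z "$(find "$1" ! -user "$2" 2>/dev/null | head -n 1)" ]
}

# QY.1.2.3: conf/ is for the Tomcat id only, so no group or other permission
# bit may be set on the directory or on anything inside it (octal bits are POSIX-portable).
check_conf_private() {
    [ -d "$1/conf" ] || return 1
    [ -z "$(find "$1/conf" \( -perm -040 -o -perm -020 -o -perm -010 \
                           -o -perm -004 -o -perm -002 -o -perm -001 \) \
            2>/dev/null | head -n 1)" ]
}

# QY.1.2.3: "no read access for general users" is read here as no world-read bit
# on the log directory or any file in it.
check_logs_private() {
    [ -d "$1/logs" ] || return 1
    [ -z "$(find "$1/logs" -perm -004 2>/dev/null | head -n 1)" ]
}

# QY.1.2.3: sample applications must not be deployed (assumed names).
check_no_sample_apps() {
    for app in examples webdav; do
        [ ! -e "$1/webapps/$app" ] || return 1
    done
}

# QY.1.2.2: flags any <user> with an empty password or a password equal to its
# name, which is what the shipped defaults look like. Passwords containing
# whitespace are not handled by this simple parser.
check_admin_passwords() {
    f="$1/conf/tomcat-users.xml"
    [ -f "$f" ] || return 1
    bad=$(sed -n 's/.*<user [^>]*name="\([^"]*\)"[^>]*password="\([^"]*\)".*/\1 \2/p' "$f" |
          awk 'NF < 2 || $2 == $1 { print $1 }')
    [ -z "$bad" ]
}

# Runs every tree check, prints PASS/FAIL per check, returns non-zero if any failed.
# Arguments: tree root, expected owner.
audit_tomcat_home() {
    failures=0
    for check in check_owner check_conf_private check_logs_private \
                 check_no_sample_apps check_admin_passwords; do
        if "$check" "$1" "$2"; then
            echo "PASS $check"
        else
            echo "FAIL $check"; failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed test data: builds a tree under $1 that is either "weak" (as shipped)
# or "hardened" (as the standard requires).
make_sample_home() {
    mkdir -p "$1/conf" "$1/logs" "$1/webapps/ROOT"
    : > "$1/logs/catalina.out"
    if [ "$2" = weak ]; then
        printf '<user name="admin" password="" roles="admin"/>\n' > "$1/conf/tomcat-users.xml"
        mkdir -p "$1/webapps/examples"
        chmod 755 "$1/conf" "$1/logs"
        chmod 644 "$1/conf/tomcat-users.xml" "$1/logs/catalina.out"
    else
        printf '<user name="admin" password="changed-after-install" roles="admin"/>\n' \
            > "$1/conf/tomcat-users.xml"
        chmod 700 "$1/conf"; chmod 600 "$1/conf/tomcat-users.xml"
        chmod 750 "$1/logs"; chmod 640 "$1/logs/catalina.out"
    fi
}

# Stand-alone use: audit a real tree given as $1 (owner as $2), otherwise
# demonstrate on the two constructed trees.
if [ -n "$1" ]; then
    audit_tomcat_home "$1" "${2:-$(id -un)}"
else
    tmp=$(mktemp -d)
    make_sample_home "$tmp/weak" weak; make_sample_home "$tmp/ok" hardened
    echo "== weak tree =="; audit_tomcat_home "$tmp/weak" "$(id -un)" || true
    echo "== hardened tree =="; audit_tomcat_home "$tmp/ok" "$(id -un)"
    rm -rf "$tmp"
fi
```

Run it as `sh audit.sh /path/to/tomcat tomcat` to audit a real installation with `tomcat` as the expected owner; without arguments it builds the two constructed trees and shows the weak one failing four checks and the hardened one passing. The checks read permission bits rather than testing access, so they give the same answer whether run as the Tomcat id or as an administrator.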
QY.1.2.4 Protecting Resources - User Resources
System Value/Parameter
Recommended Setting
Proposed to