CIS Apache Cassandra 3.11 Benchmark v1.0.0
Posted on 20-May-2020
Terms of Use

Please see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/
Table of Contents

Terms of Use
Overview
  Intended Audience
  Consensus Guidance
  Typographical Conventions
  Scoring Information
  Profile Definitions
  Acknowledgements
Recommendations
  1 Installation and Updates
    1.1 Ensure a separate user and group exist for Cassandra (Not Scored)
    1.2 Ensure the latest version of Java is installed (Scored)
    1.3 Ensure the latest version of Python is installed (Scored)
    1.4 Ensure latest version of Cassandra is installed (Scored)
    1.5 Ensure the Cassandra service is run as a non-root user (Scored)
    1.6 Ensure clocks are synchronized on all nodes (Not Scored)
  2 Authentication and Authorization
    2.1 Ensure that authentication is enabled for Cassandra databases (Scored)
    2.2 Ensure that authorization is enabled for Cassandra databases (Scored)
  3 Access Control / Password Policies
    3.1 Ensure the cassandra and superuser roles are separate (Scored)
    3.2 Ensure that the default password changed for the cassandra role (Scored)
    3.3 Ensure there are no unnecessary roles or excessive privileges (Not Scored)
    3.4 Ensure that Cassandra is run using a non-privileged, dedicated service account (Scored)
    3.5 Ensure that Cassandra only listens for network connections on authorized interfaces (Not Scored)
    3.6 Review User-Defined Roles (Not Scored)
    3.7 Review Superuser/Admin Roles (Not Scored)
  4 Auditing and Logging
    4.1 Ensure that logging is enabled. (Scored)
    4.2 Ensure that auditing is enabled (Not Scored)
  5 Encryption
    5.1 Inter-node Encryption (Scored)
    5.2 Client Encryption (Scored)
Appendix: Summary Table
Appendix: Change History
Overview

This document, CIS Apache Cassandra Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apache Cassandra version 3.11. This guide was tested against Apache Cassandra running on CentOS Linux 7, but applies to other Linux distributions as well. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org.
Intended Audience
This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Apache Cassandra.
Consensus Guidance
This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://workbench.cisecurity.org/.
Typographical Conventions
The following typographical conventions are used throughout this guide:

Convention: Meaning
Stylized Monospace font: Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font: Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets>: Italic text set in angle brackets denotes a variable requiring substitution for a real value.
Italic font: Used to denote the title of a book, article, or other publication.
Note: Additional information or caveats
Scoring Information
A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:

Scored

Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.

Not Scored

Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
Profile Definitions
The following configuration profiles are defined by this Benchmark:

• Level 1 - Cassandra

Items in this profile apply to Apache Cassandra and intend to:

o be practical and prudent;
o provide a clear security benefit; and
o not inhibit the utility of the technology beyond acceptable means.

Note: The intent of this profile is to include checks that can be assessed by remotely connecting to Cassandra (for example over CQL). Therefore, file system-related checks are not contained in this profile.

• Level 2 - Cassandra

This profile extends the "Level 1 - Cassandra" profile. Items in this profile apply to Apache Cassandra and exhibit one or more of the following characteristics:

o are intended for environments or use cases where security is paramount
o act as a defense in depth measure
o may negatively inhibit the utility or performance of the technology.

Note: The intent of this profile is to include checks that can be assessed by remotely connecting to Cassandra. Therefore, file system-related checks are not contained in this profile.

• Level 1 - Cassandra on Linux

This profile extends the "Level 1 - Cassandra" profile. Items in this profile apply to Apache Cassandra running on Linux and intend to:

o be practical and prudent;
o provide a clear security benefit; and
o not inhibit the utility of the technology beyond acceptable means.
• Level 2 - Cassandra on Linux

This profile extends the "Level 1 - Cassandra on Linux" profile. Items in this profile apply to Apache Cassandra running on Linux and exhibit one or more of the following characteristics:

o are intended for environments or use cases where security is paramount
o act as a defense in depth measure
o may negatively inhibit the utility or performance of the technology.
Acknowledgements
This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:
Author: Joseph Testa
Editor: Tim Harrison CISSP, ICP, Center for Internet Security
Recommendations

1 Installation and Updates

This section contains recommendations related to installing and patching Cassandra.
1.1 Ensure a separate user and group exist for Cassandra (Not Scored)
Profile Applicability:

• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

Create a separate user id and group for Cassandra.

Rationale:

All processes need to run as a user with least privilege. A dedicated account limits what malware, or a compromised Cassandra process, can reach on the rest of the system.
Audit:
Log on to the server where Cassandra is installed. To confirm the existence of the group, execute the following command:

$ getent group cassandra

To confirm the existence of the user and its primary group, execute the following commands:

$ getent passwd cassandra
$ id -gn cassandra

getent prints nothing and exits non-zero when the entry is absent. Piping the full getent output through grep also works, but matches any entry whose name merely contains "cassandra". If either the group or the user does not exist, or if the user is not a member of the group (neither the primary group reported by id -gn nor a supplementary member listed in the getent group output), this is a finding.
Remediation:

Create a group for cassandra (if it does not already exist):

sudo groupadd cassandra

Create a user which is only used for running Cassandra and its related processes:

sudo useradd -m -d /home/cassandra -s /bin/bash -g cassandra -u <USERID_NUMBER> cassandra

Replace <USERID_NUMBER> with a number not already used on the server. Note: the account exists only to run the service, so it normally needs neither an interactive shell nor a login; -s /sbin/nologin (and -r for a system account) is the safer choice unless administrators genuinely need to become this user with su. Commands can still be run as the account with sudo -u cassandra.
CIS Controls:

Version 6

5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.

Version 7

4 Controlled Use of Administrative Privileges
1.2 Ensure the latest version of Java is installed (Scored)
Profile Applicability:

• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

A prerequisite to installing Cassandra is the installation of Java. The version of Java installed should be the most recent that is compatible with the organization's operational needs. Cassandra 3.11 runs on Java 8, so "most recent" here means the latest patch release of a supported Java 8 JDK (OpenJDK or Oracle), not a newer major version.

Rationale:

Using the most recent Java JDK version can help limit the possibilities for vulnerabilities in the software; the installation version applied during setup should be established according to the needs of the organization. Ensure you are using a release that is covered by a level of support which includes regular updates to address vulnerabilities.
Audit:

To verify that you have the correct version of Java installed:

# java -version
java version "1.8.0_172"
Java(TM) SE Runtime Environment (build 1.8.0_172-b11)

Check the JVM that Cassandra actually starts with: the bin/cassandra startup script uses $JAVA_HOME/bin/java when JAVA_HOME is set and the java found on PATH otherwise, which may differ from the one reported above when several JDKs are installed.

If an old/unsupported version of Java is installed this is a finding.
Remediation:

1. Uninstall the old/unsupported version of Java, if present.
2. Download the latest compatible release of the Java JDK, or OpenJDK.
3. Follow the provided installation instructions to complete the install.

References:

1. http://www.oracle.com/technetwork/java/javase/downloads/index-jsp-138363.html#javasejdk
2. http://openjdk.java.net/
3. http://openjdk.java.net/install/index.html
4. http://cassandra.apache.org/doc/latest/getting_started/installing.html#prerequisites
5. https://www.java.com/en/download/help/index_installing.xml?os=All+Platforms&j=8&n=20
CIS Controls:

Version 6

2 Inventory of Authorized and Unauthorized Software

Version 7

18.4 Only Use Up-to-date And Trusted Third-Party Components
Only use up-to-date and trusted third-party components for the software developed by the organization.
1.3 Ensure the latest version of Python is installed (Scored)
Profile Applicability:

• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

A prerequisite to installing Cassandra is the installation of Python, which is used by cqlsh. The version of Python installed should be the most recent that is compatible with the organization's operational needs; check the Python versions that the 3.11 cqlsh supports (reference 2) before upgrading, since the tooling has its own requirements.

Rationale:

Using the most recent Python can help limit the possibilities for vulnerabilities in the software; the installation version applied during setup should be established according to the needs of the organization. Ensure you are using a release that is covered by a level of support which includes regular updates to address vulnerabilities.
Audit:

To verify that you have the correct version of Python installed:

# python -V

If an old/unsupported version of Python is installed this is a finding.
Remediation:

1. Uninstall the old/unsupported version of Python, if present.
2. Download the latest compatible release of Python: https://www.python.org/downloads/
3. Follow the provided installation instructions to complete the install.

References:

1. https://www.python.org/downloads/
2. http://cassandra.apache.org/doc/latest/getting_started/installing.html#prerequisites
CIS Controls:

Version 6

2 Inventory of Authorized and Unauthorized Software

Version 7

18.4 Only Use Up-to-date And Trusted Third-Party Components
Only use up-to-date and trusted third-party components for the software developed by the organization.
1.4 Ensure latest version of Cassandra is installed (Scored)
Profile Applicability:

• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

The Cassandra installation version, along with the patches, should be the most recent that is compatible with the organization's operational needs. When obtaining and installing software packages (typically via apt-get or yum, or by compiling the source code), it is imperative that packages (or the source code tarball) are sourced only from valid and authorized repositories. Apache publishes a PGP signature (.asc) and a SHA checksum alongside each release artifact; verify them against the project's KEYS file before installing a tarball, and install the repository's signing key rather than disabling signature checks when using packages.

For Cassandra, a short list of valid repositories may include:

• The official Apache Cassandra website: http://cassandra.apache.org/
• DataStax Enterprise: https://www.datastax.com/
Rationale:

Using the most recent version of Cassandra can help limit the possibilities for vulnerabilities in the software; the installation version applied during setup should be established according to the needs of the organization. Ensure you are using a release that is covered by a level of support which includes regular updates to address vulnerabilities.
Audit:

To verify the version of Cassandra you have installed:

cassandra -v
3.11.2 (as of 6/8/2018)

This reports the installed binaries. nodetool version reports the version of the running node, which is the one that matters when an upgrade has been installed but the service has not yet been restarted.

If an old/unsupported version of Cassandra is installed this is a finding.
Remediation:

Upgrade to the latest version of the Cassandra software. Upgrade one node at a time and confirm it has rejoined the cluster (UN in nodetool status) before moving on. For each node in the cluster:

1. Use the nodetool drain command to flush all memtable data to SSTables.
2. Stop Cassandra services.
3. Back up the dataset and all of your Cassandra configuration files.
4. Download/update Java if needed.
5. Download/update Python if needed.
6. Download the binaries for the latest Cassandra revision from the Cassandra download page.
7. Install the new version of Cassandra.
8. Configure the new version of Cassandra, taking into account all of your previous settings in your config files (cassandra.yaml, cassandra-env.sh, etc.).
9. Start Cassandra services.
10. Check logs for warnings and errors.
11. Use nodetool upgradesstables to upgrade your SSTables.
12. Use nodetool status to check the status of the cluster.
References:

1. http://cassandra.apache.org/doc/latest/getting_started/installing.html#prerequisites

CIS Controls:

Version 6

2 Inventory of Authorized and Unauthorized Software

Version 7

18.4 Only Use Up-to-date And Trusted Third-Party Components
Only use up-to-date and trusted third-party components for the software developed by the organization.
1.5 Ensure the Cassandra service is run as a non-root user (Scored)
Profile Applicability:

• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

Though the Cassandra database may be run as root, it should run as another, non-root user.

Rationale:

One of the best ways to reduce your exposure to attack is to create a unique, unprivileged user and group for the server application. A best practice to follow is ensuring processes run as a user with least privilege.
Audit:

Log on to the server where Cassandra is running and run the following command:

ps -eo user:20,pid,args | grep '[C]assandraDaemon'

This shows who is running the Cassandra JVM: its main class is org.apache.cassandra.service.CassandraDaemon, and the bracket in the pattern stops grep from matching its own process. The :20 column width matters, because ps abbreviates user names longer than eight characters and prints cassandra as cassand+. If the user is root or has excessive privileges then this is a finding.
Remediation:

Create a group for cassandra (if it does not already exist):

sudo groupadd cassandra

Create a user which is only used for running Cassandra and its related processes:

sudo useradd -m -d <DIRECTORY_WHERE_CASSANDRA_INSTALLED> -s /bin/bash -g cassandra -u <USERID_NUMBER> cassandra

Replace <DIRECTORY_WHERE_CASSANDRA_INSTALLED> with the full path of where the Cassandra binaries are installed.

Replace <USERID_NUMBER> with a number not already used on the server.

Creating the account is not enough on its own: the data, commitlog, saved caches, hints and log directories must be owned by the new user (chown -R cassandra:cassandra on each of them), the service definition (systemd unit or init script) must start the daemon as that user, and Cassandra must be restarted for the change to take effect.
CIS Controls:

Version 6

5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.

Version 7

4 Controlled Use of Administrative Privileges
1.6 Ensure clocks are synchronized on all nodes (Not Scored)
Profile Applicability:

• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

Enabling Network Time Protocol (NTP), or some equivalent way to keep clocks on all nodes in sync, is critical.

Rationale:

Cassandra decides which data is most current between all of the nodes in the cluster based on timestamps. It is paramount to ensure all clocks are in sync; otherwise the most current data may not be returned or, worse, may be marked for deletion.
Audit:

Depending on the Linux installation this may be checked by executing the following command on each node:

ps -aef | grep ntp

OR

ps -aef | grep chronyd

A running daemon does not by itself prove the clock is synchronized; confirm with the daemon's own status report (chronyc tracking, or ntpq -p for ntpd) or with timedatectl, which states whether NTP synchronization is active. If NTP is not configured or clocks are out of sync then this is a finding.
Remediation:

Install and start the time protocol daemon (ntpd or chronyd) on every node in the Cassandra cluster, enable it so that it starts at boot, and point all nodes at the same set of time sources.
CIS Controls:

Version 6

6.1 Use At Least Two Synchronized Time Sources For All Servers And Network Equipment
Include at least two synchronized time sources from which all servers and network equipment retrieve time information on a regular basis so that timestamps in logs are consistent.

Version 7

6.1 Utilize Three Synchronized Time Sources
Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
2 Authentication and Authorization
This section contains recommendations related to Cassandra's authentication and authorization mechanisms.
2.1 Ensure that authentication is enabled for Cassandra databases (Scored)
Profile Applicability:

• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

Authentication is pluggable in Cassandra and is configured using the authenticator setting in cassandra.yaml. Cassandra ships with two options included in the default distribution, AllowAllAuthenticator and PasswordAuthenticator. The default, AllowAllAuthenticator, performs no authentication checks and therefore requires no credentials. It is used to disable authentication completely. The second option, PasswordAuthenticator, stores salted password hashes (bcrypt) in the system_auth.roles system table. This can be used to enable simple username/password authentication.

Rationale:

Authentication is a necessary condition of Cassandra's permissions subsystem, so if authentication is disabled then so are permissions. Failure to authenticate clients, users, and/or servers can allow unauthorized access to the Cassandra database and can prevent tracing actions back to their sources. The authentication mechanism should be implemented before anyone accesses the Cassandra server.
Audit:

Run the following command to verify whether authentication is enabled (authenticator value set to PasswordAuthenticator) on the Cassandra server.

The Cassandra configuration files can be found in the conf directory of tarballs. For packages, the configuration files will be located in /etc/cassandra.

grep -in "^authenticator:" cassandra.yaml

The pattern is anchored to the start of the line so that it does not also match the commented-out internode_authenticator entry. If authenticator is set to AllowAllAuthenticator, or the line is absent so that the default applies, then this is a finding.
Remediation:

To enable the authentication mechanism, on each node in turn:

1. Stop the Cassandra database.
2. Modify the cassandra.yaml file to modify/add the entry for authenticator, setting it to PasswordAuthenticator.
3. Start the Cassandra database.

Credentials live in the system_auth keyspace, which is created with SimpleStrategy and a replication factor of 1. Raise its replication factor in every datacenter and run nodetool repair system_auth so that logins keep working when a node is down. Enabling PasswordAuthenticator also activates the default superuser cassandra with password cassandra; see 3.1 and 3.2.

Default Value:

authenticator: AllowAllAuthenticator
References:

1. http://cassandra.apache.org/doc/latest/getting_started/configuring.html
2. http://cassandra.apache.org/doc/latest/operating/security.html

CIS Controls:

Version 6

16 Account Monitoring and Control

Version 7

14.7 Enforce Access Control to Data through Automated Tools
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.
2.2 Ensure that authorization is enabled for Cassandra databases (Scored)
Profile Applicability:

• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

Authorization is pluggable in Cassandra and is configured using the authorizer setting in cassandra.yaml. Cassandra ships with two options included in the default distribution, AllowAllAuthorizer and CassandraAuthorizer. The default, AllowAllAuthorizer, performs no checking, which grants all permissions to all roles. The second option, CassandraAuthorizer, implements full permissions management functionality and stores its data in the system_auth.role_permissions system table.

Rationale:

Authorizing roles is an important step towards ensuring only authorized access to the Cassandra database tables is permitted. It also provides the requisite means of implementing least privilege best practices. The authorization mechanism should be implemented before anyone accesses the Cassandra database.
Audit:

Run the following command to verify whether authorization is enabled (authorizer value set to CassandraAuthorizer) on the Cassandra server.

The Cassandra configuration files can be found in the conf directory of tarballs. For packages, the configuration files will be located in /etc/cassandra.

grep -in "^authorizer:" cassandra.yaml

If authorizer is set to AllowAllAuthorizer, or the line is absent so that the default applies, then this is a finding.
Remediation:

To enable the authorization mechanism, on each node in turn:

1. Stop the Cassandra database.
2. Modify the cassandra.yaml file to modify/add the entry for authorizer, setting it to CassandraAuthorizer.
3. Start the Cassandra database.

Default Value:

authorizer: AllowAllAuthorizer
References:

1. http://cassandra.apache.org/doc/latest/getting_started/configuring.html
2. http://cassandra.apache.org/doc/latest/operating/security.html

Notes:

The authorizer must be configured to AllowAllAuthorizer if AllowAllAuthenticator is the configured authenticator: Cassandra refuses to start with AllowAllAuthenticator and CassandraAuthorizer together, since there is no authenticated identity to authorize. Enable authentication (2.1) first, or change both settings in the same restart.
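The two checks above reduce to reading two top-level keys from cassandra.yaml, and the note explains why they have to be read together. The following is an added example, not code from the benchmark or from Apache Cassandra: it audits both keys from the file text and flags the combination that Cassandra rejects at startup. The cassandra.yaml fragments it runs on are constructed for the example, not taken from a real node.

```python
"""Added example, not part of the CIS benchmark or of Apache Cassandra: audit the
authenticator and authorizer keys of cassandra.yaml for items 2.1 and 2.2.

Both keys sit at the top level of cassandra.yaml, so a line scan is enough and
no YAML library is needed. The pattern is anchored at the start of the line for
the same reason the manual grep must be: an unanchored "authenticator:" also
matches the commented-out internode_authenticator entry.
"""
import re

# Values Cassandra ships with (no checks at all) and the values the benchmark asks for.
DEFAULTS = {"authenticator": "AllowAllAuthenticator", "authorizer": "AllowAllAuthorizer"}
RECOMMENDED = {"authenticator": "PasswordAuthenticator", "authorizer": "CassandraAuthorizer"}

_SETTING = re.compile(r"^(authenticator|authorizer):\s*([^#\s]+)")


def read_auth_settings(yaml_text):
    """Return {"authenticator": ..., "authorizer": ...} as the node will run with.

    Absent keys are reported with Cassandra's default. Fully qualified class
    names such as org.apache.cassandra.auth.PasswordAuthenticator are reduced
    to the class name so that both spellings compare equal.
    """
    settings = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        match = _SETTING.match(line)
        if match:
            key, value = match.groups()
            settings[key] = value.strip("'\"").rsplit(".", 1)[-1]
    return settings


def audit_auth(yaml_text):
    """Return the findings for 2.1 and 2.2; an empty list means both pass."""
    settings = read_auth_settings(yaml_text)
    findings = []
    if settings["authenticator"] == DEFAULTS["authenticator"]:
        findings.append("2.1: authenticator is AllowAllAuthenticator; set PasswordAuthenticator")
    if settings["authorizer"] == DEFAULTS["authorizer"]:
        findings.append("2.2: authorizer is AllowAllAuthorizer; set CassandraAuthorizer")
    # AllowAllAuthenticator together with a real authorizer is rejected by
    # Cassandra at startup: there is no authenticated identity to authorize.
    if (settings["authenticator"] == DEFAULTS["authenticator"]
            and settings["authorizer"] != DEFAULTS["authorizer"]):
        findings.append("authorizer requires authentication; fix 2.1 first or the node will not start")
    return findings


# Constructed cassandra.yaml fragments (not copied from a real node).
DEFAULT_YAML = """\
# internode_authenticator: org.apache.cassandra.auth.AllowAllInternodeAuthenticator
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
role_manager: CassandraRoleManager
"""

HARDENED_YAML = """\
authenticator: org.apache.cassandra.auth.PasswordAuthenticator
authorizer: CassandraAuthorizer   # permissions live in system_auth.role_permissions
role_manager: CassandraRoleManager
"""

MISSING_KEYS_YAML = "cluster_name: 'Prod'\nlisten_address: 10.0.0.5\n"

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_YAML), ("hardened", HARDENED_YAML),
                       ("keys absent", MISSING_KEYS_YAML)):
        print(name, audit_auth(text) or ["pass"])
```

A file with neither key present produces the same two findings as the shipped defaults, which is the case that a grep-only audit misses: no output from grep looks like "nothing wrong" unless the auditor remembers that absence means AllowAll.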
CIS Controls:

Version 6

16 Account Monitoring and Control

Version 7

14.7 Enforce Access Control to Data through Automated Tools
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.
3 Access Control / Password Policies
This section contains recommendations related to Cassandra's access control and password policies.
3.1 Ensure the cassandra and superuser roles are separate (Scored)
Profile Applicability:

• Level 1 - Cassandra
• Level 2 - Cassandra
• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

The default installation of Cassandra includes a superuser role named cassandra. This necessitates the creation of a separate role to be the superuser role.

Rationale:

Superuser permissions allow for the creation, deletion, and permission management of other users. Considering the cassandra role is well known, it should not be a superuser or one which is used for any administrative tasks.
Audit:

To verify the configuration, run the following query:

SELECT role FROM system_auth.roles WHERE is_superuser = true ALLOW FILTERING;

is_superuser is not part of the table's primary key, so Cassandra rejects the query without ALLOW FILTERING; LIST ROLES; shows the same information in its super column. If cassandra or any unapproved role is returned, this is a finding.
Remediation:

To remediate a misconfiguration, perform the following steps:

1. Connected as a superuser, execute the following command:

CREATE ROLE <NEW_ROLE_HERE> WITH PASSWORD = '<NEW_PASSWORD_HERE>' AND LOGIN = true AND SUPERUSER = true;

Note: Replace <NEW_ROLE_HERE> with the desired role and <NEW_PASSWORD_HERE> with a password. A superuser already holds every permission, so no separate GRANT is required.

2. Verify the new role is working by logging in with it.
3. While logged in as the new superuser (a role is not allowed to change its own superuser status), remove superuser status from the cassandra role by executing the following command:

ALTER ROLE cassandra WITH SUPERUSER = false;

Use ALTER ROLE rather than writing to system_auth.roles directly; a direct UPDATE bypasses the role manager and its checks.
Impact:

The separate account must be created, assigned the superuser role, and tested for correct functionality prior to removing the superuser role from the cassandra account. Otherwise,
CIS Controls:

Version 6

16 Account Monitoring and Control

Version 7

4.3 Ensure the Use of Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
3.2 Ensure that the default password changed for the cassandra role (Scored)
Profile Applicability:

• Level 1 - Cassandra
• Level 2 - Cassandra
• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

The cassandra role has a default password which must be changed.

Rationale:

Failure to change the default password for the cassandra role may pose a risk to the database in the form of unauthorized access.
Audit:

Connect to the Cassandra database to verify whether the cassandra role still has the default password:

cqlsh -u cassandra -p cassandra

If the connection is successful this is a finding.
Remediation:

Change the password for the cassandra role by connecting with the current credentials and issuing the following command:

cqlsh -u cassandra -p cassandra

ALTER ROLE cassandra WITH PASSWORD = '<NEWPASSWORD_HERE>';

Where <NEWPASSWORD_HERE> is replaced with the password of your choosing. Passing -p on the command line exposes the password in the process list and in shell history; prefer typing it at the prompt cqlsh shows when only -u is given, or storing it in the [authentication] section of cqlshrc with restrictive file permissions. Any superuser may also change this password with the same statement, and once 3.1 is in place the role can be denied login altogether (ALTER ROLE cassandra WITH LOGIN = false;) if nothing depends on it.

Default Value:

cassandra
References:

1. http://cassandra.apache.org/doc/latest/operating/security.html

CIS Controls:

Version 6

16 Account Monitoring and Control

Version 7

4.4 Use Unique Passwords
Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
3.3 Ensure there are no unnecessary roles or excessive privileges (Not Scored)
Profile Applicability:

• Level 1 - Cassandra
• Level 2 - Cassandra
• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

Verify each role is required and has only the privileges needed to do its job.

Rationale:

Roles which are unneeded, or which have superuser or other potentially excessive privileges, may be an avenue for an attacker to gain access to or modify data in the database.
Audit:

As a superuser, retrieve all roles:

LIST ROLES;

Retrieve all permissions for all roles:

SELECT * FROM system_auth.role_permissions;

LIST ALL PERMISSIONS; shows the same grants in the form the GRANT statements use. Because role membership is transitive, a role also holds the permissions of every role it is a member of, so review member_of in system_auth.roles alongside the direct grants. If there are any unnecessary roles or roles with excessive privileges this is a finding.
Remediation:

Remove any unnecessary roles and/or permissions in accordance with organizational needs.

References:

1. http://cassandra.apache.org/doc/latest/cql/security.html
CIS Controls:

Version 6

5 Controlled Use of Administration Privileges

16.1 Perform Regular Account Reviews
Review all system accounts and disable any account that cannot be associated with a business process and owner.

Version 7

16.8 Disable Any Unassociated Accounts
Disable any account that cannot be associated with a business process or business owner.
3.4 Ensure that Cassandra is run using a non-privileged, dedicated service account (Scored)
Profile Applicability:

• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

As with any service installed on a host, it can be provided with its own user context. Providing a dedicated user to the service provides the ability to precisely constrain the service within the larger host context.

Rationale:

Utilizing a non-privileged account for Cassandra to execute as may reduce the impact of a Cassandra-borne vulnerability. A restricted account will be unable to access resources unrelated to Cassandra, such as operating system configurations.
Audit:

Execute the following command at a terminal prompt to assess this recommendation:

ps -eo user:20,pid,args | egrep "^cassandra "

If no lines are returned, then this is a finding. The :20 width is required: with its default column, ps prints user names longer than eight characters in abbreviated form (cassand+), so a plain ps -ef | egrep "^cassandra" returns nothing even when the service account is correct.

NOTE: It is assumed that the Cassandra user is cassandra. Additionally, you may consider running sudo -l as the Cassandra user or checking the sudoers file to confirm that the account has no sudo rights.
Remediation:

Create a user which is only used for running Cassandra and directly related processes (see 1.1 and 1.5 for the commands). This user must not have administrative rights to the system: no sudoers entry, no membership in wheel, sudo or similar groups, and a uid other than 0.
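Items 1.1, 1.5 and this one all come down to the same two questions, whether a dedicated cassandra account and group exist and whether the running JVM belongs to that account, and the ps column-width pitfall above makes the manual check easy to get wrong. The following is an added example, not code from the benchmark or from Apache Cassandra: it answers both questions from the captured output of getent and ps, so the check can be run unchanged across every node. The passwd, group and ps lines it runs on are constructed for the example.

```python
"""Added example, not part of the CIS benchmark: evaluate items 1.1, 1.5 and 3.4
from captured command output, so the same logic can run over every node.

The inputs are the lines printed by
    getent passwd cassandra
    getent group cassandra
    ps -eo user:20,pid,args
The :20 width is deliberate: with its default column ps abbreviates user names
longer than eight characters, so cassandra is shown as cassand+ and a pattern
such as ^cassandra matches nothing even on a correctly configured node.
"""

SERVICE_USER = "cassandra"
DAEMON_CLASS = "org.apache.cassandra.service.CassandraDaemon"


def check_account(passwd_line, group_line):
    """Item 1.1: a dedicated user that belongs to the dedicated group.

    Pass the single line from getent passwd / getent group, or "" when getent
    printed nothing (the entry does not exist).
    """
    findings = []
    if not passwd_line:
        findings.append("user cassandra does not exist")
    if not group_line:
        findings.append("group cassandra does not exist")
    if findings:
        return findings
    name, _, uid, gid, _, _, _ = passwd_line.strip().split(":")
    gname, _, ggid, members = group_line.strip().split(":")
    # primary group, or listed as a supplementary member of the group
    if gid != ggid and name not in members.split(","):
        findings.append(f"user {name} is not a member of group {gname}")
    if uid == "0":
        findings.append(f"user {name} has uid 0")
    return findings


def cassandra_owner(ps_output):
    """Return the account that owns the Cassandra JVM, or None if none is running."""
    for line in ps_output.splitlines():
        fields = line.split()
        # require a java command line so that a grep or an editor that merely
        # mentions the class name is not mistaken for the daemon
        if len(fields) > 3 and fields[2].endswith("java") and DAEMON_CLASS in fields[3:]:
            return fields[0]
    return None


def check_process(ps_output, expected_user=SERVICE_USER):
    """Items 1.5 and 3.4: the daemon is up and runs as the dedicated, non-root account."""
    owner = cassandra_owner(ps_output)
    if owner is None:
        return ["no Cassandra JVM is running"]
    if owner == "root":
        return ["Cassandra is running as root"]
    if owner != expected_user:
        return [f"Cassandra is running as {owner}, not {expected_user}"]
    return []


# Constructed sample output (not captured from a real host).
PASSWD_OK = "cassandra:x:1001:1001:Cassandra service account:/var/lib/cassandra:/sbin/nologin"
GROUP_OK = "cassandra:x:1001:"
PS_OK = """\
USER                   PID COMMAND
root                     1 /usr/lib/systemd/systemd
cassandra             1427 java -Xms4G -Dcassandra.logdir=/var/log/cassandra org.apache.cassandra.service.CassandraDaemon
alice                 2233 grep CassandraDaemon
"""
PS_ROOT = """\
USER                   PID COMMAND
root                  1427 /usr/bin/java -Xms4G org.apache.cassandra.service.CassandraDaemon
"""

if __name__ == "__main__":
    print("1.1:", check_account(PASSWD_OK, GROUP_OK) or "pass")
    print("1.5/3.4 (service account):", check_process(PS_OK) or "pass")
    print("1.5/3.4 (started as root):", check_process(PS_ROOT))
```

The process check identifies the daemon by its main class rather than by the string "cassandra", so it is not fooled by the grep in the sample output and does not depend on the account being named cassandra; pass expected_user when a site uses a different service account name.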
CIS Controls:

Version 7

4 Controlled Use of Administrative Privileges

14 Controlled Access Based on the Need to Know
3.5 Ensure that Cassandra only listens for network connections on authorized interfaces (Not Scored)
Profile Applicability:

• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

When listen_address is blank and listen_interface is commented out, the address will be set automatically by InetAddress.getLocalHost(). Presuming the node is configured correctly, e.g. hostname, name resolution, etc., this will configure the node to use the address associated with the hostname. listen_address must not be set to 0.0.0.0; Cassandra refuses to start with a wildcard listen_address, because other nodes would have no usable address to connect to.

Rationale:

Setting the address or interface to bind to tells other Cassandra nodes to which address or interface to connect. This must be changed from the default in order for multiple nodes to be able to communicate, and it should be an address on a network reserved for inter-node traffic so that the storage port is not reachable from untrusted networks. listen_address governs inter-node traffic only; client connections use rpc_address and the native transport port (9042 by default), which deserves the same review.
Audit:

Check the values of listen_address and listen_interface in cassandra.yaml (the anchored grep used in 2.1 works here with those key names). If listen_address is set to 0.0.0.0, or a non-authorized address or interface is specified, this is a finding.
Remediation:

Set listen_address or listen_interface, not both, in cassandra.yaml to an authorized address or interface, then restart the node.

Default Value:

listen_address: localhost

listen_interface: eth0, but is commented out by default.
References:

1. http://cassandra.apache.org/doc/3.11/configuration/cassandra_config_file.html#listen-address
2. http://cassandra.apache.org/doc/3.11/configuration/cassandra_config_file.html#listen-interface
CIS Controls:

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.
3.6 Review User-Defined Roles (Not Scored)
Profile Applicability:

• Level 1 - Cassandra
• Level 2 - Cassandra
• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

The member_of column found in the system_auth.roles table shows roles granted to roles.

Rationale:

The member_of column shows which roles have been granted other roles. A role inherits the permissions of every role it is a member of, so depending on the role and the privileges granted to it, membership should be limited. Limiting the accounts that hold certain roles reduces the chances that an attacker can exploit these capabilities.
Audit:

Execute the following CQL statement to audit this setting:

SELECT role, can_login, member_of FROM system_auth.roles;

can_login tells you that the role can log in to Cassandra, and member_of lists the roles granted to that role.
Remediation:

Looking at those roles from the query whose member_of is NOT null, decide if each role truly needs the granted role; if not, issue the following CQL statement for each one (replace <granted_role> with a value of member_of returned by the query in the audit procedure, and <role> with the role it was granted to):

REVOKE <granted_role> FROM <role>;
CIS Controls:

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
3.7 Review Superuser/Admin Roles (Not Scored)
Profile Applicability:

• Level 1 - Cassandra
• Level 2 - Cassandra
• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux

Description:

The is_superuser flag found in the system_auth.roles table governs who can control the entire Cassandra database and all of the data contained within.

Rationale:

The is_superuser flag allows whoever has it to do anything to the data and gives full administrator rights to the database, including changing passwords and creating and dropping roles. Superuser status is also inherited through role membership, so a role that has been granted a superuser role is effectively a superuser even though its own is_superuser column is false. Limiting the accounts that have superuser status reduces the chances that an attacker can exploit these capabilities.
Audit:

Execute the following CQL statement to audit this setting:

SELECT role, is_superuser FROM system_auth.roles;

Look for is_superuser = True, and check member_of (3.6) for roles that inherit superuser status from one of these.
Remediation:
Performthefollowingstepstoremediatethissetting:
alter role <role> with superuser=false;
Lookingatthoseusersfromthequerythathaveis_superuser = True,decideifthatusertrulyneedsthatrole,ifnot,foreachuser,issuethefollowingSQLstatement(replace<role>withtherolenamefromthequery):
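Items 3.3, 3.6 and 3.7 each look at one column of system_auth.roles or role_permissions, but the decisions they ask for depend on combining them: a role with is_superuser = false and member_of = {'dba_admin'} is a superuser in practice, and a grant on the data resource reaches every keyspace. The following is an added example, not code from the benchmark or from Apache Cassandra: starting from rows in the shape the audit queries return, it resolves membership transitively and produces the findings for all three items. The role and permission rows are constructed for the example; the resource names follow Cassandra's own naming (data, data/<keyspace>, data/<keyspace>/<table>).

```python
"""Added example, not part of the CIS benchmark or of Apache Cassandra: review
roles, role membership and permissions for items 3.3, 3.6 and 3.7 starting
from the rows the audit queries return.

Role membership is transitive: a role holds the permissions of every role it
is a member of, directly or through further memberships, and Cassandra's role
manager treats superuser status the same way. Reading only the is_superuser
column therefore undercounts who can administer the cluster.
"""

# Constructed rows standing in for
#   SELECT role, can_login, is_superuser, member_of FROM system_auth.roles;
# member_of is a set<text>, NULL (None here) when the role holds no other role.
ROLES = [
    {"role": "cassandra",     "can_login": True,  "is_superuser": True,  "member_of": None},
    {"role": "dba_admin",     "can_login": True,  "is_superuser": True,  "member_of": None},
    {"role": "ops",           "can_login": False, "is_superuser": False, "member_of": {"dba_admin"}},
    {"role": "alice",         "can_login": True,  "is_superuser": False, "member_of": {"ops"}},
    {"role": "report_writer", "can_login": False, "is_superuser": False, "member_of": None},
    {"role": "bob",           "can_login": True,  "is_superuser": False, "member_of": {"report_writer"}},
    {"role": "old_batch",     "can_login": True,  "is_superuser": False, "member_of": None},
]

# Constructed rows standing in for
#   SELECT role, resource, permissions FROM system_auth.role_permissions;
# "data" is every keyspace, "data/<ks>" one keyspace, "data/<ks>/<table>" one table.
ROLE_PERMISSIONS = [
    {"role": "report_writer", "resource": "data/sales/reports", "permissions": {"MODIFY", "SELECT"}},
    {"role": "bob",           "resource": "data",               "permissions": {"SELECT"}},
]


def effective_roles(roles, name):
    """All roles `name` holds through membership, itself included (cycle-safe walk)."""
    by_name = {r["role"]: r for r in roles}
    held, todo = set(), [name]
    while todo:
        current = todo.pop()
        if current in held or current not in by_name:
            continue
        held.add(current)
        todo.extend(by_name[current]["member_of"] or ())
    return held


def effective_superusers(roles):
    """Roles that are superusers directly or through a role they hold."""
    direct = {r["role"] for r in roles if r["is_superuser"]}
    return {r["role"] for r in roles if effective_roles(roles, r["role"]) & direct}


def effective_permissions(roles, role_permissions, name):
    """{resource: permissions} for `name`, merged across every role it holds."""
    held = effective_roles(roles, name)
    merged = {}
    for row in role_permissions:
        if row["role"] in held:
            merged.setdefault(row["resource"], set()).update(row["permissions"])
    return merged


def review(roles, role_permissions):
    """The points a reviewer of 3.3, 3.6 and 3.7 would write up."""
    supers = effective_superusers(roles)
    perms = {r["role"]: effective_permissions(roles, role_permissions, r["role"]) for r in roles}
    return {
        # 3.7: every account that can log in with superuser rights, inherited or not
        "login_superusers": sorted(r["role"] for r in roles if r["can_login"] and r["role"] in supers),
        # 3.1 / 3.7: the well-known default account must not remain a superuser
        "cassandra_is_superuser": "cassandra" in supers,
        # 3.6: what each membership actually confers, for the "truly needs it" decision
        "inherited_roles": {r["role"]: sorted(effective_roles(roles, r["role"]) - {r["role"]})
                            for r in roles if r["member_of"]},
        # 3.3: non-superusers holding a grant on every keyspace at once
        "all_keyspace_grants": sorted(n for n in perms if "data" in perms[n] and n not in supers),
        # 3.3: login roles that hold no permission at all; candidates for DROP ROLE
        "unused_login_roles": sorted(r["role"] for r in roles
                                     if r["can_login"] and r["role"] not in supers and not perms[r["role"]]),
    }


if __name__ == "__main__":
    for key, value in review(ROLES, ROLE_PERMISSIONS).items():
        print(f"{key}: {value}")
```

On the constructed rows, alice never appears in a WHERE is_superuser = true result, yet she can log in and is a superuser through ops and dba_admin; that is the case the membership walk exists to surface. The output is a starting point for the human decision the benchmark asks for, not a verdict: whether bob needs SELECT on every keyspace is a question for the data owners.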
CISControls:
Version7
4.3 Ensure the Use of Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
4 Auditing and Logging
This section contains recommendations related to Cassandra's audit and logging mechanisms.
4.1 Ensure that logging is enabled. (Scored)
Profile Applicability:
• Level 1 - Cassandra
• Level 2 - Cassandra
• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux
Description:
Apache Cassandra uses Logback for logging functionality. While the logging level can be set using nodetool setlogginglevel, changes made using this method will be reverted to the level specified in the logback.xml file the next time the process restarts.
The configurable logging levels are:
• OFF
• TRACE
• DEBUG
• INFO (Default)
• WARN
• ERROR
Rationale:
If logging is not enabled, issues may go undiscovered, and compromises and other incidents may occur without being quickly detected. It may also not be possible to provide evidence of compliance with security laws, regulations, and other requirements.
Audit:
Execute the following command to confirm the setting is correct:
$ nodetool getlogginglevels

Logger Name                 Log Level
ROOT                        INFO
org.cisecurity.workbench    WARN
If set to OFF, then this is a finding.
Remediation:
To remediate this setting:
1. Edit the logback-test.xml if present; otherwise, edit the logback.xml:
<configuration scan="true">
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
      <level>INFO</level>
    </filter>
    <encoder>
      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
    </encoder>
  </appender>
  <root level="INFO">
    <appender-ref ref="STDOUT" />
  </root>
  <logger name="org.cisecurity.workbench" level="WARN"/>
</configuration>
2. Restart Apache Cassandra.
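Because nodetool setlogginglevel changes do not survive a restart, the persisted logback.xml is what actually decides whether logging is enabled. The following is an added example, not part of the CIS benchmark, that checks a logback.xml for the 4.1 condition: a root or named logger at OFF, and also an appender ThresholdFilter at OFF, which silences output even when the root level looks fine. The sample file is constructed.

```python
# Added example, not part of the CIS benchmark: check a logback.xml the way
# 4.1 audits it, flagging any logger set to OFF and any appender
# ThresholdFilter at OFF (which discards events regardless of logger level).
import xml.etree.ElementTree as ET

# Constructed logback.xml: root at INFO, but the only appender filters at OFF.
SAMPLE_LOGBACK = """<configuration scan="true">
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
      <level>OFF</level>
    </filter>
    <encoder><pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT" /></root>
  <logger name="org.cisecurity.workbench" level="WARN"/>
</configuration>
"""

def audit_logback(xml_text):
    """Return (passes, findings) for the 4.1 rule: nothing configured at OFF."""
    config = ET.fromstring(xml_text)
    findings = []
    root_el = config.find("root")
    # Logback's root logger defaults to DEBUG when no level attribute is given.
    root_level = root_el.get("level", "DEBUG") if root_el is not None else "DEBUG"
    if root_level.upper() == "OFF":
        findings.append("root logger level is OFF")
    for logger in config.findall("logger"):
        if logger.get("level", "").upper() == "OFF":
            findings.append(f"logger {logger.get('name')} is OFF")
    for appender in config.findall("appender"):
        for level in appender.findall("filter/level"):
            if (level.text or "").strip().upper() == "OFF":
                findings.append(f"appender {appender.get('name')} ThresholdFilter is OFF")
    return not findings, findings
```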
DefaultValue:
INFO
References:
1. http://cassandra.apache.org/doc/latest/troubleshooting/reading_logs.html?highlight=logging
2. https://logback.qos.ch/manual/configuration.html
CISControls:
Version7
6.3 Enable Detailed Logging
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
4.2 Ensure that auditing is enabled (Not Scored)
Profile Applicability:
• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux
Description:
Audit logging in Cassandra logs every incoming CQL command request and every authentication attempt (successful as well as unsuccessful logins) to a C* node. Currently, two implementations are provided; a custom logger can also be implemented and injected by giving its class name as a parameter in cassandra.yaml.
Rationale:
Unauthorized attempts to create, drop or alter users or data should be a concern.
Audit:
Open Source Version: Apache Cassandra versions up to 3.11.4 do not have auditing capabilities. It will be in version 4.x, but that has not been released yet according to the Apache Cassandra website. http://cassandra.apache.org/download/
Commercial Version: DataStax allows logging to file system log files using logback, or to a Cassandra table. When you turn on audit logging, the default is to write to logback file system log files. If using the DataStax version, you can verify auditing is turned on:
cat dse.yaml | grep "audit_logging_options"
If the output shows enabled: true, this is a pass. Anything else is a finding.
Remediation:
Open Source Version: Apache Cassandra versions up to 3.11.4 do not have auditing capabilities. It will be in version 4.x, but that has not been released yet according to the Apache Cassandra website. http://cassandra.apache.org/download/
Commercial Version: Open the dse.yaml file in a text editor. In the audit_logging_options section, set enabled to true.
# Audit logging options
audit_logging_options:
    enabled: true
You must also define where you want logging to go: set the logger option to either CassandraAuditWriter, which logs to a table, or SLF4JAuditWriter, which logs to the SLF4J logger.
References:
1. https://docs.datastax.com/en/datastax_enterprise/4.8/datastax_enterprise/sec/secAudit.html#secAudit
CISControls:
Version7
6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.
5 Encryption
These recommendations pertain to encryption-related aspects of Cassandra.
5.1 Inter-node Encryption (Scored)
Profile Applicability:
• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux
Description:
Cassandra offers the option to encrypt data in transit between nodes on the cluster. By default, inter-node encryption is turned off.
Rationale:
Data being transferred on the wire should be encrypted to avoid network snooping, whether legitimate or not.
Audit:
Run the following command to verify whether inter-node encryption is enabled.
cat cassandra.yaml | grep -in "internode_encryption:"
Acceptable values are all, dc or rack. If internode_encryption is set to none, this is a finding.
Note: The Cassandra configuration files can be found in the conf directory of tarballs. For packages, the configuration files will be located in /etc/cassandra.
Remediation:
Inter-node encryption should be implemented before anyone accesses the Cassandra server. To enable the inter-node encryption mechanism:
1. Stop the Cassandra database.
2. If not done so already, build out your keystore and truststore.
3. Modify the cassandra.yaml file to modify/add the entry for internode_encryption: set it to all.
4. Start the Cassandra database.
DefaultValue:
internode_encryption: none
References:
1. http://cassandra.apache.org/doc/latest/operating/security.html
CISControls:
Version7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
5.2 Client Encryption (Scored)
Profile Applicability:
• Level 1 - Cassandra on Linux
• Level 2 - Cassandra on Linux
Description:
Cassandra offers the option to encrypt data in transit between the client and nodes on the cluster. By default, client encryption is turned off.
Rationale:
Data in transit between the client and a node on the cluster should be encrypted to avoid network snooping, whether legitimate or not.
Audit:
The Cassandra configuration files can be found in the conf directory of tarballs. For packages, the configuration files will be located in /etc/cassandra. Open the cassandra.yaml file and look for the client_encryption_options section. Look for the enabled: and optional: settings:
enabled: true
optional: false
If neither is true, then all client connections are unencrypted, which makes this a finding.
If enabled is true and optional is false, then all client connections must be encrypted, which makes this not a finding.
If enabled is false and optional is true, then enabled wins and all client connections are unencrypted, which makes this a finding.
If both are set to true, then both unencrypted and encrypted connections are allowed on the same port, which makes this not a finding.
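The following is an added example, not part of the CIS benchmark, that reads the two encryption sections of cassandra.yaml and applies the 5.1 rule (internode_encryption must be all, dc or rack) and the four-case 5.2 rule above. It uses a minimal two-level reader for the keys involved so it runs without PyYAML; the cassandra.yaml fragments are constructed, the first with the default (weak) values and the second with the remediated values.

```python
# Added example, not part of the CIS benchmark: audit cassandra.yaml for
# recommendations 5.1 (inter-node encryption) and 5.2 (client encryption).
# Constructed cassandra.yaml fragment carrying the default, unencrypted settings.
WEAK_YAML = """\
cluster_name: 'Test Cluster'
server_encryption_options:
    # set to all, dc or rack to encrypt traffic between nodes
    internode_encryption: none
    keystore: conf/.keystore
client_encryption_options:
    enabled: false
    optional: false
    keystore: conf/.keystore
"""

# The same fragment with the values the 5.1 and 5.2 remediation steps set.
HARDENED_YAML = (WEAK_YAML.replace("internode_encryption: none", "internode_encryption: all")
                          .replace("enabled: false", "enabled: true"))

def read_sections(text):
    """Return {section: {key: value}} for top-level keys with indented 'key: value' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):      # top-level key opens a section
            current = line.split(":", 1)[0].strip()
            sections[current] = {}
        elif current is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            sections[current][key.strip()] = value.strip().strip("'\"")
    return sections

def audit_internode(sections):
    """5.1: pass only when internode_encryption is all, dc or rack."""
    value = sections.get("server_encryption_options", {}).get("internode_encryption", "none")
    return value in ("all", "dc", "rack")

def audit_client(sections):
    """5.2: (passes, effect). enabled decides; optional only matters once enabled is true."""
    opts = sections.get("client_encryption_options", {})
    enabled = opts.get("enabled", "false").lower() == "true"
    optional = opts.get("optional", "false").lower() == "true"
    if not enabled:
        return False, "all client connections unencrypted"
    if optional:
        return True, "encrypted and unencrypted connections both accepted on the same port"
    return True, "all client connections must be encrypted"
```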
Remediation:
Client encryption should be implemented before anyone accesses the Cassandra server. To enable the client encryption mechanism:
1. Stop the Cassandra database.
2. If not done so already, build out your keystore and truststore.
3. Modify the cassandra.yaml file to modify/add the entries under client_encryption_options:
   set enabled: true
   set optional: false
   This will force all connections between client and node on the cluster to be encrypted.
4. Start the Cassandra database.
DefaultValue:
enabled: false
optional: false
References:
1. http://cassandra.apache.org/doc/latest/operating/security.html
CISControls:
Version7
14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.
Appendix: Summary Table

Control                                                                                              Set Correctly
                                                                                                     Yes  No
1   Installation and Updates
1.1 Ensure a separate user and group exist for Cassandra (Not Scored)                                 o    o
1.2 Ensure the latest version of Java is installed (Scored)                                           o    o
1.3 Ensure the latest version of Python is installed (Scored)                                         o    o
1.4 Ensure latest version of Cassandra is installed (Scored)                                          o    o
1.5 Ensure the Cassandra service is run as a non-root user (Scored)                                   o    o
1.6 Ensure clocks are synchronized on all nodes (Not Scored)                                          o    o
2   Authentication and Authorization
2.1 Ensure that authentication is enabled for Cassandra databases (Scored)                            o    o
2.2 Ensure that authorization is enabled for Cassandra databases (Scored)                             o    o
3   Access Control / Password Policies
3.1 Ensure the cassandra and superuser roles are separate (Scored)                                    o    o
3.2 Ensure that the default password changed for the cassandra role (Scored)                          o    o
3.3 Ensure there are no unnecessary roles or excessive privileges (Not Scored)                        o    o
3.4 Ensure that Cassandra is run using a non-privileged, dedicated service account (Scored)           o    o
3.5 Ensure that Cassandra only listens for network connections on authorized interfaces (Not Scored)  o    o
3.6 Review User-Defined Roles (Not Scored)                                                            o    o
3.7 Review Superuser/Admin Roles (Not Scored)                                                         o    o
4   Auditing and Logging
4.1 Ensure that logging is enabled. (Scored)                                                          o    o
4.2 Ensure that auditing is enabled (Not Scored)                                                      o    o
5   Encryption
5.1 Inter-node Encryption (Scored)                                                                    o    o
5.2 Client Encryption (Scored)                                                                        o    o