CIS Apache Cassandra 3.11 Benchmark v1.0.0 - 03-29-2019

1 | Page

Terms of Use

Please see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/

Table of Contents

Terms of Use .... 1
Overview .... 4
Intended Audience .... 4
Consensus Guidance .... 4
Typographical Conventions .... 5
Scoring Information .... 5
Profile Definitions .... 6
Acknowledgements .... 8
Recommendations .... 9
1 Installation and Updates .... 9
1.1 Ensure a separate user and group exist for Cassandra (Not Scored) .... 9
1.2 Ensure the latest version of Java is installed (Scored) .... 11
1.3 Ensure the latest version of Python is installed (Scored) .... 13
1.4 Ensure latest version of Cassandra is installed (Scored) .... 15
1.5 Ensure the Cassandra service is run as a non-root user (Scored) .... 17
1.6 Ensure clocks are synchronized on all nodes (Not Scored) .... 19
2 Authentication and Authorization .... 21
2.1 Ensure that authentication is enabled for Cassandra databases (Scored) .... 21
2.2 Ensure that authorization is enabled for Cassandra databases (Scored) .... 23
3 Access Control / Password Policies .... 25
3.1 Ensure the cassandra and superuser roles are separate (Scored) .... 25
3.2 Ensure that the default password changed for the cassandra role (Scored) .... 27
3.3 Ensure there are no unnecessary roles or excessive privileges (Not Scored) .... 29
3.4 Ensure that Cassandra is run using a non-privileged, dedicated service account (Scored) .... 31
3.5 Ensure that Cassandra only listens for network connections on authorized interfaces (Not Scored) .... 33
3.6 Review User-Defined Roles (Not Scored) .... 35
3.7 Review Superuser/Admin Roles (Not Scored) .... 37
4 Auditing and Logging .... 39
4.1 Ensure that logging is enabled. (Scored) .... 39
4.2 Ensure that auditing is enabled (Not Scored) .... 41
5 Encryption .... 43
5.1 Inter-node Encryption (Scored) .... 43
5.2 Client Encryption (Scored) .... 45
Appendix: Summary Table .... 47
Appendix: Change History .... 48

Overview

This document, CIS Apache Cassandra Benchmark, provides prescriptive guidance for establishing a secure configuration posture for Apache Cassandra version 3.11. This guide was tested against Apache Cassandra running on CentOS Linux 7, but applies to other Linux distributions as well. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at [email protected].

Intended Audience

This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Apache Cassandra.

Consensus Guidance

This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://workbench.cisecurity.org/.

Typographical Conventions

The following typographical conventions are used throughout this guide:

Convention: Meaning

Stylized Monospace font: Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.

Monospace font: Used for inline code, commands, or examples. Text should be interpreted exactly as presented.

<italic font in brackets>: Italic texts set in angle brackets denote a variable requiring substitution for a real value.

Italic font: Used to denote the title of a book, article, or other publication.

Note: Additional information or caveats

Scoring Information

A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:

Scored

Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.

Not Scored

Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.

Profile Definitions

The following configuration profiles are defined by this Benchmark:

• Level 1 - Cassandra

Items in this profile apply to Apache Cassandra and intend to:

o be practical and prudent;
o provide a clear security benefit; and
o not inhibit the utility of the technology beyond acceptable means.

Note: The intent of this profile is to include checks that can be assessed by remotely connecting to PostgreSQL. Therefore, file system-related checks are not contained in this profile.

• Level 2 - Cassandra

This profile extends the "Level 1 - Cassandra" profile. Items in this profile apply to Apache Cassandra and exhibit one or more of the following characteristics:

o are intended for environments or use cases where security is paramount
o acts as defense in depth measure
o may negatively inhibit the utility or performance of the technology.

Note: The intent of this profile is to include checks that can be assessed by remotely connecting to PostgreSQL. Therefore, file system-related checks are not contained in this profile.

• Level 1 - Cassandra on Linux

This profile extends the "Level 1 - Cassandra" profile. Items in this profile apply to Apache Cassandra running on Linux and intend to:

o be practical and prudent;
o provide a clear security benefit; and
o not inhibit the utility of the technology beyond acceptable means.

• Level 2 - Cassandra on Linux

This profile extends the "Level 1 - Cassandra on Linux" profile. Items in this profile apply to Apache Cassandra running on Linux and exhibit one or more of the following characteristics:

o are intended for environments or use cases where security is paramount
o acts as defense in depth measure
o may negatively inhibit the utility or performance of the technology.

Acknowledgements

This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:

Author
Joseph Testa

Editor
Tim Harrison CISSP, ICP, Center for Internet Security

Recommendations

1 Installation and Updates

This section contains recommendations related to installing and patching Cassandra.

1.1 Ensure a separate user and group exist for Cassandra (Not Scored)

Profile Applicability:

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

Create a separate user id and group for Cassandra.

Rationale:

All processes need to run as a user with least privilege. This mitigates the potential impact of malware to the system.

Audit:

Log on to the server where Cassandra is installed. To confirm existence of the group, execute the following command:

$ getent group | grep cassandra

To confirm existence of the user, execute the following command:

$ getent passwd | grep cassandra

If either the group or user do not exist, or if the user is not a member of the group, this is a finding.

Remediation:

Create a group for cassandra (if it does not already exist):

sudo groupadd cassandra

Create a user which is only used for running Cassandra and its related processes:

sudo useradd -m -d /home/cassandra -s /bin/bash -g cassandra -u <USERID_NUMBER> cassandra

Replace <USERID_NUMBER> with a number not already used on the server.

CIS Controls:

Version 6

5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.

Version 7

4 Controlled Use of Administrative Privileges

1.2 Ensure the latest version of Java is installed (Scored)

Profile Applicability:

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

A prerequisite to installing Cassandra is the installation of Java. The version of Java installed should be the most recent that is compatible with the organization's operational needs.

Rationale:

Using the most recent Java SDK version can help limit the possibilities for vulnerabilities in the software; the installation version applied during setup should be established according to the needs of the organization. Ensure you are using a release that is covered by a level of support which includes regular updates to address vulnerabilities.

Audit:

To verify that you have the correct version of java installed:

# java -version
java version "1.8.0_172"
Java(TM) SE Runtime Environment (build 1.8.0_172-b11)

If an old/unsupported version of Java is installed this is a finding.

Remediation:

1. Uninstall the old/unsupported version of Java, if present.
2. Download the latest compatible release of the Java JDK, or OpenJDK.
3. Follow the provided installation instructions to complete the install.

References:

1. http://www.oracle.com/technetwork/java/javase/downloads/index-jsp-138363.html#javasejdk
2. http://openjdk.java.net/
3. http://openjdk.java.net/install/index.html
4. http://cassandra.apache.org/doc/latest/getting_started/installing.html#prerequisites
5. https://www.java.com/en/download/help/index_installing.xml?os=All+Platforms&j=8&n=20

CIS Controls:

Version 6

2 Inventory of Authorized and Unauthorized Software

Version 7

18.4 Only Use Up-to-date And Trusted Third-Party Components
Only use up-to-date and trusted third-party components for the software developed by the organization.

1.3 Ensure the latest version of Python is installed (Scored)

Profile Applicability:

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

A prerequisite to installing Cassandra is the installation of Python. The version of Python installed should be the most recent that is compatible with the organization's operational needs.

Rationale:

Using the most recent Python can help limit the possibilities for vulnerabilities in the software; the installation version applied during setup should be established according to the needs of the organization. Ensure you are using a release that is covered by a level of support which includes regular updates to address vulnerabilities.

Audit:

To verify that you have the correct version of python installed:

# python -V

If an old/unsupported version of Python is installed this is a finding.

Remediation:

1. Uninstall the old/unsupported version of Python, if present.
2. Download the latest compatible release of Python: https://www.python.org/downloads/
3. Follow the provided installation instructions to complete the install.

References:

1. https://www.python.org/downloads/
2. http://cassandra.apache.org/doc/latest/getting_started/installing.html#prerequisites

CIS Controls:

Version 6

2 Inventory of Authorized and Unauthorized Software

Version 7

18.4 Only Use Up-to-date And Trusted Third-Party Components
Only use up-to-date and trusted third-party components for the software developed by the organization.

1.4 Ensure latest version of Cassandra is installed (Scored)

Profile Applicability:

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

The Cassandra installation version, along with the patches, should be the most recent that is compatible with the organization's operational needs. When obtaining and installing software packages (typically via apt-get, or you can compile the source code), it's imperative that packages (or the source code tarball) are sourced only from valid and authorized repositories.

For Cassandra, a short list of valid repositories may include:

• The official Apache Cassandra website: http://cassandra.apache.org/
• DataStax Enterprise: https://www.datastax.com/

Rationale:

Using the most recent version of Cassandra can help limit the possibilities for vulnerabilities in the software; the installation version applied during setup should be established according to the needs of the organization. Ensure you are using a release that is covered by a level of support which includes regular updates to address vulnerabilities.

Audit:

To verify the version of Cassandra you have installed:

cassandra -v
3.11.2 (as of 6/8/2018)

If an old/unsupported version of Cassandra is installed this is a finding.

Remediation:

Upgrade to the latest version of the Cassandra software. For each node in the cluster:

1. Use the nodetool drain command to push all memtables data to SSTables.
2. Stop Cassandra services.
3. Backup the dataset and all of your Cassandra configuration files.
4. Download/Update Java if needed.
5. Download/Update Python if needed.
6. Download the binaries for the latest Cassandra revision from the Cassandra Download Page.
7. Install the new version of Cassandra.
8. Configure the new version of Cassandra, taking into account all of your previous settings in your config files (cassandra.yaml, cassandra-env.sh, etc).
9. Start Cassandra services.
10. Check logs for warnings and errors.
11. Use nodetool to upgrade your SSTables.
12. Use the nodetool command to check the status of the cluster.
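Recommendations 1.2 through 1.4 all reduce to the same check: read the version a tool reports and compare it with the minimum the organization supports. The following is an added example, not part of the CIS benchmark, of that comparison in POSIX shell; the tool output it parses is constructed to match what `java -version`, `python -V` and `cassandra -v` print, and the `*_MIN` values are placeholders rather than CIS-mandated versions.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: compare the version strings
# printed by java, python and cassandra against a minimum chosen by the
# organization. The *_MIN values are placeholders, not CIS-mandated versions.

# version_ge A B: returns 0 when version A >= version B. Fields are split on
# '.', '_' and '-' and compared numerically, so 1.8.0_172 > 1.8.0_161 and
# 3.11.2 > 3.11 (a missing field counts as 0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=$(printf '%s' "$a" | sed 's/^\([0-9]*\).*/\1/')   # leading digits of the next field
        fb=$(printf '%s' "$b" | sed 's/^\([0-9]*\).*/\1/')
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        a=$(printf '%s' "$a" | sed 's/^[^._-]*[._-]\{0,1\}//')  # drop the field just compared
        b=$(printf '%s' "$b" | sed 's/^[^._-]*[._-]\{0,1\}//')
    done
    return 0
}

# Pull the bare version out of what each tool prints. java -version and
# python -V write to stderr, so capture them with 2>&1 on a live node.
java_version()      { printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1; }
python_version()    { printf '%s\n' "$1" | sed -n 's/^Python \([0-9.]*\).*/\1/p' | head -n 1; }
cassandra_version() { printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p' | head -n 1; }

# audit_version NAME INSTALLED MINIMUM: prints one PASS/FAIL line; 0 on pass.
audit_version() {
    if [ -z "$2" ]; then echo "FAIL: $1 version could not be determined"; return 1; fi
    if version_ge "$2" "$3"; then echo "PASS: $1 $2 (minimum $3)"; return 0; fi
    echo "FAIL: $1 $2 is below minimum $3"; return 1
}

# Constructed sample output, as the three tools would print it on a node.
JAVA_OUT='java version "1.8.0_172"'
PYTHON_OUT='Python 2.7.5'
CASSANDRA_OUT='3.11.2'

# Placeholder minimums: set these from the organization's supported baseline.
JAVA_MIN=1.8.0_161
PYTHON_MIN=2.7.5
CASSANDRA_MIN=3.11.2

# run_audits: checks all three components; returns 1 if any is a finding.
run_audits() {
    status=0
    audit_version java      "$(java_version "$JAVA_OUT")"           "$JAVA_MIN"      || status=1
    audit_version python    "$(python_version "$PYTHON_OUT")"       "$PYTHON_MIN"    || status=1
    audit_version cassandra "$(cassandra_version "$CASSANDRA_OUT")" "$CASSANDRA_MIN" || status=1
    return $status
}

run_audits || echo "Result: one or more components are below the minimum; this is a finding."
```

On a node, replace the constructed strings with `JAVA_OUT=$(java -version 2>&1)`, `PYTHON_OUT=$(python -V 2>&1)` and `CASSANDRA_OUT=$(cassandra -v)`. The field-wise comparison is what makes `1.8.0_172` sort after `1.8.0_161`; a plain string comparison would order `1.8.0_9` after `1.8.0_172`.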

References:

1. http://cassandra.apache.org/doc/latest/getting_started/installing.html#prerequisites

CIS Controls:

Version 6

2 Inventory of Authorized and Unauthorized Software

Version 7

18.4 Only Use Up-to-date And Trusted Third-Party Components
Only use up-to-date and trusted third-party components for the software developed by the organization.

1.5 Ensure the Cassandra service is run as a non-root user (Scored)

Profile Applicability:

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

Though the Cassandra database may be run as root, it should run as another, non-root user.

Rationale:

One of the best ways to reduce your exposure to attack is to create a unique, unprivileged user and group for the server application. A best practice to follow is ensuring processes run as a user with least privilege.

Audit:

Log on to the server where Cassandra is running and run the following command:

ps -aef | grep cassandra | grep java | cut -d' ' -f1

This will show who is running the Cassandra binary. If the user is root or has excessive privileges then this is a finding.

Remediation:

Create a group for cassandra (if it does not already exist):

sudo groupadd cassandra

Create a user which is only used for running Cassandra and its related processes:

sudo useradd -m -d <DIRECTORY_WHERE_CASSANDRA_INSTALLED> -s /bin/bash -g cassandra -u <USERID_NUMBER> cassandra

Replace <DIRECTORY_WHERE_CASSANDRA_INSTALLED> with the full path of where the Cassandra binaries are installed.

Replace <USERID_NUMBER> with a number not already used on the server.
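Recommendations 1.1 and 1.5 check the same account from two sides: the user and group must exist with the user in the group, and the JVM must actually run as that user. The following is an added example, not part of the CIS benchmark, that performs both checks on text input so it can be run offline against the constructed `getent` and `ps -ef` samples embedded in it, or against real output on a node.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: audit that a dedicated
# cassandra user and group exist, that the user belongs to the group (1.1),
# and that the running Cassandra JVM is owned by that user, not root (1.5).
# The functions take text input so they work on the constructed samples
# below or on real `getent group`, `getent passwd` and `ps -ef` output.

CASS_USER=cassandra
CASS_GROUP=cassandra

# group_gid GROUP_DB NAME / group_members GROUP_DB NAME: fields 3 and 4 of
# the matching group(5) line; user_gid PASSWD_DB NAME: the user's primary GID.
group_gid()     { printf '%s\n' "$1" | awk -F: -v n="$2" '$1 == n { print $3; exit }'; }
group_members() { printf '%s\n' "$1" | awk -F: -v n="$2" '$1 == n { print $4; exit }'; }
user_gid()      { printf '%s\n' "$1" | awk -F: -v n="$2" '$1 == n { print $4; exit }'; }

# audit_account GROUP_DB PASSWD_DB: 0 when the group and user exist and the
# user is in the group by primary GID or supplementary membership, else 1.
audit_account() {
    gid=$(group_gid "$1" "$CASS_GROUP")
    if [ -z "$gid" ]; then echo "FAIL: group $CASS_GROUP does not exist"; return 1; fi
    ugid=$(user_gid "$2" "$CASS_USER")
    if [ -z "$ugid" ]; then echo "FAIL: user $CASS_USER does not exist"; return 1; fi
    if [ "$ugid" = "$gid" ]; then echo "PASS: primary group of $CASS_USER is $CASS_GROUP"; return 0; fi
    case ",$(group_members "$1" "$CASS_GROUP")," in
        *",$CASS_USER,"*) echo "PASS: $CASS_USER is a supplementary member of $CASS_GROUP"; return 0 ;;
    esac
    echo "FAIL: $CASS_USER is not a member of $CASS_GROUP"; return 1
}

# audit_process_owner PS_OUTPUT: 0 only if every java process whose command
# line mentions cassandra runs as $CASS_USER. Selecting on the command column
# (field 8 of `ps -ef`) rather than grepping the whole line keeps the grep
# process itself and unrelated processes out of the result.
audit_process_owner() {
    owners=$(printf '%s\n' "$1" | awk '$8 ~ /java$/ && $0 ~ /cassandra/ { print $1 }' | sort -u)
    if [ -z "$owners" ]; then echo "FAIL: no Cassandra JVM found"; return 1; fi
    for owner in $owners; do
        if [ "$owner" != "$CASS_USER" ]; then echo "FAIL: Cassandra JVM runs as $owner"; return 1; fi
    done
    echo "PASS: Cassandra JVM runs as $CASS_USER"; return 0
}

# Constructed samples in the formats getent and ps -ef produce.
SAMPLE_GROUP='root:x:0:
cassandra:x:990:'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
cassandra:x:990:990::/home/cassandra:/bin/bash'
SAMPLE_PS='root 1 0 0 09:58 ? 00:00:04 /usr/lib/systemd/systemd
cassandra 1234 1 3 10:01 ? 00:03:12 /usr/lib/jvm/jre/bin/java -Xms4G -cp /etc/cassandra org.apache.cassandra.service.CassandraDaemon
root 2001 1900 0 10:05 pts/0 00:00:00 grep cassandra'

audit_account "$SAMPLE_GROUP" "$SAMPLE_PASSWD"
audit_process_owner "$SAMPLE_PS"
```

On a live node call `audit_account "$(getent group)" "$(getent passwd)"` and `audit_process_owner "$(ps -ef)"`. The `grep cassandra` line in the sample shows why the process check keys on the command column: `ps -aef | grep cassandra` returns the grep itself (owned by whoever runs the audit), which would otherwise be reported as a second owner.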

CIS Controls:

Version 6

5.1 Minimize And Sparingly Use Administrative Privileges
Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.

Version 7

4 Controlled Use of Administrative Privileges

1.6 Ensure clocks are synchronized on all nodes (Not Scored)

Profile Applicability:

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

Enabling Network Time Protocol (NTP), or some equivalent way, to keep clocks on all nodes in sync is critical.

Rationale:

Cassandra decides which data is most current between all of the nodes in the cluster based on timestamps. It is paramount to ensure all clocks are in sync; otherwise the most current data may not be returned or, worse, may be marked for deletion.

Audit:

Depending on the Linux installation this may be checked by executing the following command on each node:

ps -aef | grep ntp

OR

ps -aef | grep chronyd

If NTP is not configured or clocks are out of sync then this is a finding.

Remediation:

Install and start the time protocol on every node in the Cassandra cluster.

CIS Controls:

Version 6

6.1 Use At Least Two Synchronized Time Sources For All Servers And Network Equipment
Include at least two synchronized time sources from which all servers and network equipment retrieve time information on a regular basis so that timestamps in logs are consistent.

Version 7

6.1 Utilize Three Synchronized Time Sources
Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

2 Authentication and Authorization

This section contains recommendations related to Cassandra's authentication and authorization mechanisms.

2.1 Ensure that authentication is enabled for Cassandra databases (Scored)

Profile Applicability:

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

Authentication is pluggable in Cassandra and is configured using the authenticator setting in cassandra.yaml. Cassandra ships with two options included in the default distribution, AllowAllAuthenticator and PasswordAuthenticator. The default, AllowAllAuthenticator, performs no authentication checks and therefore requires no credentials. It is used to disable authentication completely. The second option, PasswordAuthenticator, stores encrypted credentials in a system table. This can be used to enable simple username/password authentication.

Rationale:

Authentication is a necessary condition of Cassandra's permissions subsystem, so if authentication is disabled then so are permissions. Failure to authenticate clients, users, and/or servers can allow unauthorized access to the Cassandra database and can prevent tracing actions back to their sources. The authentication mechanism should be implemented before anyone accesses the Cassandra server.

Audit:

Run the following command to verify whether authentication is enabled (authenticator value set to PasswordAuthenticator) on the Cassandra server.

The Cassandra configuration files can be found in the conf directory of tarballs. For packages, the configuration files will be located in /etc/cassandra.

cat cassandra.yaml | grep -in "authenticator:"

If authenticator is set to AllowAllAuthenticator, then this is a finding.

Remediation:

To enable the authentication mechanism:

1. Stop the Cassandra database.
2. Modify the cassandra.yaml file to modify/add the entry for authenticator: set it to PasswordAuthenticator
3. Start the Cassandra database.

Default Value:

authenticator: AllowAllAuthenticator

References:

1. http://cassandra.apache.org/doc/latest/getting_started/configuring.html
2. http://cassandra.apache.org/doc/latest/operating/security.html

CIS Controls:

Version 6

16 Account Monitoring and Control

Version 7

14.7 Enforce Access Control to Data through Automated Tools
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.

2.2 Ensure that authorization is enabled for Cassandra databases (Scored)

Profile Applicability:

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

Authorization is pluggable in Cassandra and is configured using the authorizer setting in cassandra.yaml. Cassandra ships with two options included in the default distribution, AllowAllAuthorizer and CassandraAuthorizer. The default, AllowAllAuthorizer, performs no checking, which grants all permissions to all roles. The second option, CassandraAuthorizer, implements full permissions management functionality and stores its data in Cassandra system tables.

Rationale:

Authorizing roles is an important step towards ensuring only authorized access to the Cassandra database tables is permitted. It also provides the requisite means of implementing least privilege best practices. The authorization mechanism should be implemented before anyone accesses the Cassandra database.

Audit:

Run the following command to verify whether authorization is enabled (authorizer value set to CassandraAuthorizer) on the Cassandra server.

The Cassandra configuration files can be found in the conf directory of tarballs. For packages, the configuration files will be located in /etc/cassandra.

cat cassandra.yaml | grep -in "authorizer:"

If authorizer is set to AllowAllAuthorizer, then this is a finding.

Remediation:

To enable the authorization mechanism:

1. Stop the Cassandra database.
2. Modify the cassandra.yaml file to modify/add the entry for authorizer: set it to CassandraAuthorizer
3. Start the Cassandra database.

Default Value:

authorizer: AllowAllAuthorizer

References:

1. http://cassandra.apache.org/doc/latest/getting_started/configuring.html
2. http://cassandra.apache.org/doc/latest/operating/security.html

Notes:

The authorizer must be configured to AllowAllAuthorizer if AllowAllAuthenticator is the configured authenticator.
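The audits in 2.1 and 2.2 grep cassandra.yaml for the two keys, and the note above adds a dependency between them. The following is an added example, not part of the CIS benchmark, that reads the effective values of both keys and applies all three rules; the two sample configurations embedded in it are constructed, one resembling the shipped defaults and one after remediation.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: read the effective
# authenticator and authorizer from cassandra.yaml and apply the findings of
# 2.1 and 2.2 together with the dependency stated in the Notes above. Only
# uncommented top-level keys are matched: the shipped file also carries a
# commented "# internode_authenticator:" line, which `grep -in "authenticator:"`
# reports as well. The sample configs below are constructed.

# yaml_value CONTENT KEY: value of the first uncommented top-level "KEY: value"
# line, with any trailing comment and whitespace removed; empty if unset.
yaml_value() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*\([^#]*\).*/\1/p" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# audit_auth CONTENT: 0 when authentication and authorization are enforced,
# 1 otherwise. An unset key is reported as a finding because the page's
# default values (AllowAllAuthenticator / AllowAllAuthorizer) then apply.
audit_auth() {
    authn=$(yaml_value "$1" authenticator)
    authz=$(yaml_value "$1" authorizer)
    status=0
    case "$authn" in
        PasswordAuthenticator)    echo "PASS: authenticator=$authn" ;;
        ""|AllowAllAuthenticator) echo "FAIL: authenticator=${authn:-unset (default AllowAllAuthenticator)}"; status=1 ;;
        *)                        echo "INFO: authenticator=$authn is a custom class, review manually" ;;
    esac
    case "$authz" in
        CassandraAuthorizer)      echo "PASS: authorizer=$authz" ;;
        ""|AllowAllAuthorizer)    echo "FAIL: authorizer=${authz:-unset (default AllowAllAuthorizer)}"; status=1 ;;
        *)                        echo "INFO: authorizer=$authz is a custom class, review manually" ;;
    esac
    # Notes for 2.2: AllowAllAuthenticator requires AllowAllAuthorizer, so this
    # pairing is a configuration error rather than a partial improvement.
    if [ "$authn" = AllowAllAuthenticator ] && [ "$authz" = CassandraAuthorizer ]; then
        echo "FAIL: CassandraAuthorizer cannot be paired with AllowAllAuthenticator"; status=1
    fi
    return $status
}

# Constructed samples: the shipped defaults beside a remediated file.
DEFAULT_YAML=$(cat <<'EOF'
# Authentication backend; AllowAllAuthenticator performs no checks.
authenticator: AllowAllAuthenticator
# Authorization backend; AllowAllAuthorizer grants every permission to every role.
authorizer: AllowAllAuthorizer
# internode_authenticator: org.apache.cassandra.auth.AllowAllInternodeAuthenticator
EOF
)
HARDENED_YAML=$(cat <<'EOF'
authenticator: PasswordAuthenticator   # 2.1
authorizer: CassandraAuthorizer        # 2.2
EOF
)

for cfg in "$DEFAULT_YAML" "$HARDENED_YAML"; do
    if audit_auth "$cfg"; then echo "Result: compliant"; else echo "Result: finding"; fi
    echo
done
```

On a node run `audit_auth "$(cat /etc/cassandra/cassandra.yaml)"` (or the conf directory of a tarball install). Anchoring the match at the start of the line is what separates the live setting from the commented `internode_authenticator` line that the page's `grep -in` also prints.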

CIS Controls:

Version 6

16 Account Monitoring and Control

Version 7

14.7 Enforce Access Control to Data through Automated Tools
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.

3 Access Control / Password Policies

This section contains recommendations related to Cassandra's password policies.

3.1 Ensure the cassandra and superuser roles are separate (Scored)

Profile Applicability:

• Level 1 - Cassandra

• Level 2 - Cassandra

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

The default installation of Cassandra includes a superuser role named cassandra. This necessitates the creation of a separate role to be the superuser role.

Rationale:

Superuser permissions allow for the creation, deletion, and permission management of other users. Considering the cassandra role is well known, it should not be a superuser or one which is used for any administrative tasks.

Audit:

To verify the configuration, run the following query:

SELECT role FROM system_auth.roles WHERE is_superuser = True ALLOW FILTERING;

If cassandra or any unapproved role is returned, this is a finding.

Remediation:

To remediate a misconfiguration, perform the following steps:

1. Execute the following commands:

create role '<NEW_ROLE_HERE>' with password='<NEW_PASSWORD_HERE>' and login=TRUE and superuser=TRUE ;

grant all permissions on all keyspaces to <NEW_ROLE_HERE>;

Note: Replace <NEW_ROLE_HERE> with the desired role and <NEW_PASSWORD_HERE> with a password.

2. Verify the new role is working.
3. Remove the superuser role from the cassandra account by executing the following command:

UPDATE system_auth.roles SET is_superuser=null WHERE role='cassandra'

Impact:

The separate account must be created, assigned the superuser role, and tested for correct functionality prior to removing the superuser role from the cassandra account. Otherwise,

CIS Controls:

Version 6

16 Account Monitoring and Control

Version 7

4.3 Ensure the Use of Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.

3.2 Ensure that the default password changed for the cassandra role (Scored)

Profile Applicability:

• Level 1 - Cassandra

• Level 2 - Cassandra

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

The cassandra role has a default password which must be changed.

Rationale:

Failure to change the default password for the cassandra role may pose a risk to the database in the form of unauthorized access.

Audit:

Connect to the Cassandra database to verify whether the cassandra role has the default password:

cqlsh -u cassandra -p cassandra

If the connection is successful this is a finding.

Remediation:

Change the password for the cassandra role by issuing the following commands:

cqlsh -u cassandra -p cassandra

alter role 'cassandra' with password '<NEWPASSWORD_HERE>';

Where <NEWPASSWORD_HERE> is replaced with the password of your choosing.

Default Value:

cassandra

References:

1. http://cassandra.apache.org/doc/latest/operating/security.html

CIS Controls:

Version 6

16 Account Monitoring and Control

Version 7

4.4 Use Unique Passwords
Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

3.3 Ensure there are no unnecessary roles or excessive privileges (Not Scored)

Profile Applicability:

• Level 1 - Cassandra

• Level 2 - Cassandra

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

Verify each role is required and has only the privileges needed to do its job.

Rationale:

Roles which are unneeded, or which have superuser or other potentially excessive privileges, may be an avenue for an attacker to gain access to or modify data in the database.

Audit:

As a superuser, retrieve all roles:

list roles;

Retrieve all permissions for all roles:

select * from system_auth.role_permissions;

If there are any unnecessary roles or roles with excessive privileges this is a finding.

Remediation:

Remove any unnecessary roles and/or permissions in accordance with organizational needs.

References:

1. http://cassandra.apache.org/doc/latest/cql/security.html

CIS Controls:

Version 6

5 Controlled Use of Administration Privileges

16.1 Perform Regular Account Reviews
Review all system accounts and disable any account that cannot be associated with a business process and owner.

Version 7

16.8 Disable Any Unassociated Accounts
Disable any account that cannot be associated with a business process or business owner.

3.4 Ensure that Cassandra is run using a non-privileged, dedicated service account (Scored)

Profile Applicability:

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

As with any service installed on a host, it can be provided with its own user context. Providing a dedicated user to the service provides the ability to precisely constrain the service within the larger host context.

Rationale:

Utilizing a non-privileged account for Cassandra to execute as may reduce the impact of a Cassandra-borne vulnerability. A restricted account will be unable to access resources unrelated to Cassandra, such as operating system configurations.

Audit:

Execute the following command at a terminal prompt to assess this recommendation:

ps -ef | egrep "^cassandra.*$"

If no lines are returned, then this is a finding.

NOTE: It is assumed that the Cassandra user is cassandra. Additionally, you may consider running sudo -l as the Cassandra user, or checking the sudoers file, to confirm the account has no administrative rights.

Remediation:

Create a user which is only used for running Cassandra and directly related processes. This user must not have administrative rights to the system.

CIS Controls:

Version 7

4 Controlled Use of Administrative Privileges

14 Controlled Access Based on the Need to Know

3.5 Ensure that Cassandra only listens for network connections on authorized interfaces (Not Scored)

Profile Applicability:

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

When listen_address is blank and listen_interface is commented out, this will be set automatically by InetAddress.getLocalHost(). Presuming the node is configured correctly, e.g. hostname, name resolution, etc., this will configure the node to use the address associated with the hostname. The listen_address must not be set to 0.0.0.0.

Rationale:

Setting the address or interface to bind to will tell other Cassandra nodes to which address or interface to connect. This must be changed from the default in order for multiple nodes to be able to communicate.

Audit:

Check the value of listen_address or listen_interface in the cassandra.yaml. If listen_address is set to 0.0.0.0, or a non-authorized address or interface is specified, this is a finding.

Remediation:

Set the listen_address or listen_interface, not both, in the cassandra.yaml to an authorized address or interface.

Default Value:

listen_address: localhost

listen_interface: eth0, but is commented out by default.
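The audit and remediation above encode three rules: no wildcard bind, only one of the two keys set, and the value on an approved list. The following is an added example, not part of the CIS benchmark, that applies those rules to cassandra.yaml content; the authorized lists and the three sample configurations are constructed placeholders. It goes slightly beyond the text by also rejecting `::`, the IPv6 counterpart of `0.0.0.0`.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: check the listen settings in
# cassandra.yaml against 3.5. listen_address must not be 0.0.0.0 (the IPv6
# wildcard :: is treated the same way here), only one of listen_address /
# listen_interface may be set, and the value must be on an authorized list.
# AUTHORIZED_ADDRESSES and AUTHORIZED_INTERFACES are placeholders; the configs
# at the bottom are constructed.

AUTHORIZED_ADDRESSES="10.0.0.11 10.0.0.12"   # placeholder: the cluster's private IPs
AUTHORIZED_INTERFACES="eth1"                 # placeholder: the private-network NIC

# yaml_value CONTENT KEY: value of the first uncommented top-level key.
yaml_value() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*\([^#]*\).*/\1/p" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# in_list VALUE LIST: 0 if VALUE is one of the space-separated words in LIST.
in_list() {
    for word in $2; do
        if [ "$word" = "$1" ]; then return 0; fi
    done
    return 1
}

# audit_listen CONTENT: 0 when compliant with 3.5, 1 otherwise.
audit_listen() {
    addr=$(yaml_value "$1" listen_address)
    iface=$(yaml_value "$1" listen_interface)
    if [ -n "$addr" ] && [ -n "$iface" ]; then
        echo "FAIL: listen_address and listen_interface are both set"; return 1
    fi
    if [ -n "$addr" ]; then
        case "$addr" in
            0.0.0.0|::) echo "FAIL: listen_address=$addr binds every interface"; return 1 ;;
        esac
        if in_list "$addr" "$AUTHORIZED_ADDRESSES"; then
            echo "PASS: listen_address=$addr"; return 0
        fi
        echo "FAIL: listen_address=$addr is not an authorized address"; return 1
    fi
    if [ -n "$iface" ]; then
        if in_list "$iface" "$AUTHORIZED_INTERFACES"; then
            echo "PASS: listen_interface=$iface"; return 0
        fi
        echo "FAIL: listen_interface=$iface is not an authorized interface"; return 1
    fi
    # Neither key set: the node falls back to InetAddress.getLocalHost(), so the
    # bound address depends on hostname resolution and needs manual review.
    echo "FAIL: neither listen_address nor listen_interface is set; review hostname resolution"; return 1
}

# Constructed samples: the shipped default, the wildcard misconfiguration, and
# a remediated file.
DEFAULT_CFG='listen_address: localhost
# listen_interface: eth0'
WILDCARD_CFG='listen_address: 0.0.0.0'
HARDENED_CFG='listen_address: 10.0.0.11
# listen_interface: eth0'

for cfg in "$DEFAULT_CFG" "$WILDCARD_CFG" "$HARDENED_CFG"; do
    if audit_listen "$cfg"; then echo "Result: compliant"; else echo "Result: finding"; fi
done
```

On a node run `audit_listen "$(cat /etc/cassandra/cassandra.yaml)"` after filling the two authorized lists from the cluster's network design. The commented `# listen_interface: eth0` line in the samples is ignored, matching the page's note that the interface key is present but commented out by default.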

References:

1. http://cassandra.apache.org/doc/3.11/configuration/cassandra_config_file.html#listen-address
2. http://cassandra.apache.org/doc/3.11/configuration/cassandra_config_file.html#listen-interface

CIS Controls:

Version 7

9.2 Ensure Only Approved Ports, Protocols and Services Are Running
Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.

3.6 Review User-Defined Roles (Not Scored)

Profile Applicability:

• Level 1 - Cassandra

• Level 2 - Cassandra

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

The MEMBER_OF column found in the system_auth.roles table shows roles granted to roles.

Rationale:

The MEMBER_OF column shows which roles have other roles granted to them; depending on the role and the privileges granted to it, such membership should be limited. Limiting the accounts that hold certain roles reduces the chances that an attacker can exploit these capabilities.

Audit:

Execute the following SQL statement to audit this setting:

select role, can_login, member_of from system_auth.roles;

Look at can_login, which tells you whether the role can log in to Cassandra, and at member_of, which lists the roles granted to that role.

Remediation:

Looking at those users from the query that have a member_of that is NOT null, decide if that user truly needs that role; if not, for each user, issue the following SQL statement (replace <is_member> with the value of member_of returned by the query in the audit procedure, and <role> with the role name):

revoke <is_member> from <role>;

CIS Controls:

Version 7

14.6 Protect Information through Access Control Lists
Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.

3.7 Review Superuser/Admin Roles (Not Scored)

Profile Applicability:

• Level 1 - Cassandra

• Level 2 - Cassandra

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

The IS_SUPERUSER privilege found in the system_auth.roles table governs who can control the entire Cassandra database and all of the data contained within it.

Rationale:

The IS_SUPERUSER privilege allows whoever has it to do anything to the data and grants full administrator rights to the database, including changing passwords and creating and dropping roles. Limiting the accounts that have the IS_SUPERUSER role reduces the chances that an attacker can exploit these capabilities.

Audit:

Execute the following SQL statement to audit this setting:

select role, is_superuser from system_auth.roles;

Look for is_superuser = True

Remediation:

Perform the following steps to remediate this setting:

Looking at those users from the query that have is_superuser = True, decide if that user truly needs that role. If not, for each user, issue the following SQL statement (replace <role> with the role name from the query):

alter role <role> with superuser=false;
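The audit queries in 3.6 and 3.7 both read system_auth.roles, so one script can produce both review lists. The following is an added example, not code from the CIS Benchmark: it parses the table that cqlsh prints for the audit query and emits the benchmark's own remediation statements with the placeholders filled in. The cqlsh output below is constructed, and the role names in it are invented.

```python
"""Audit system_auth.roles output for CIS Cassandra 3.6 and 3.7.

Added example, not part of the CIS Benchmark. It parses the table that
cqlsh prints for the benchmark's audit query and lists the superusers
and role-to-role grants that need a human decision, together with the
remediation statements the benchmark gives, placeholders filled in.
"""
import re

# Constructed sample output of
#   cqlsh -e "select role, can_login, is_superuser, member_of from system_auth.roles;"
# on a hypothetical test cluster (role names are invented).
SAMPLE_OUTPUT = """
 role       | can_login | is_superuser | member_of
------------+-----------+--------------+----------------------------
  cassandra |      True |         True |                       null
   app_user |      True |        False |             {'app_reader'}
 app_reader |     False |        False |                       null
    dba_tom |      True |         True | {'app_reader', 'ops_role'}

(4 rows)
"""


def parse_roles(output):
    """Turn cqlsh table output into a list of dicts, one per role."""
    roles = []
    for line in output.splitlines():
        # keep only data rows: the separator and "(n rows)" have no pipe,
        # the header starts with the column name
        if "|" not in line or line.strip().startswith("role"):
            continue
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4:
            continue
        name, can_login, is_super, member_of = cells
        # member_of is a CQL set, printed as {'a', 'b'} or null
        roles.append({
            "role": name,
            "can_login": can_login == "True",
            "is_superuser": is_super == "True",
            "member_of": re.findall(r"'([^']*)'", member_of),
        })
    return roles


def audit_roles(roles):
    """Return the review lists for 3.7 (is_superuser = True) and 3.6
    (member_of not null), plus the benchmark's remediation statements.
    Whether a role truly needs the privilege is still a human decision;
    the statements are candidates to review, not an automatic fix."""
    superusers = [r["role"] for r in roles if r["is_superuser"]]
    grants = [(r["role"], m) for r in roles for m in r["member_of"]]
    remediation = [f"alter role {r} with superuser=false;" for r in superusers]
    remediation += [f"revoke {m} from {r};" for r, m in grants]
    return {"superusers": superusers, "grants": grants, "remediation": remediation}


if __name__ == "__main__":
    result = audit_roles(parse_roles(SAMPLE_OUTPUT))
    print("superusers:", result["superusers"])
    print("role grants:", result["grants"])
    print("\n".join(result["remediation"]))
```

Run it against real output by piping `cqlsh -e "..."` into the script instead of SAMPLE_OUTPUT. The built-in cassandra superuser shows up in the list by design; recommendation 3.1 covers separating it from a dedicated superuser, so it is reviewed there rather than removed here.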


CIS Controls:

Version 7

4.3 Ensure the Use of Dedicated Administrative Accounts
Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.


4 Auditing and Logging

This section contains recommendations related to Cassandra's audit and logging mechanisms.

4.1 Ensure that logging is enabled. (Scored)

Profile Applicability:

• Level 1 - Cassandra

• Level 2 - Cassandra

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

Apache Cassandra uses Logback for logging functionality. While the level can be set using nodetool setlogginglevel, changes made using this method will be reverted to the level specified in the logback.xml file the next time the process restarts.

The configurable logging levels are:

• OFF
• TRACE
• DEBUG
• INFO (Default)
• WARN
• ERROR

Rationale:

If logging is not enabled, issues may go undiscovered, and compromises and other incidents may occur without being quickly detected. It may also not be possible to provide evidence of compliance with security laws, regulations, and other requirements.

Audit:

Execute the following command to confirm the setting is correct:

$ nodetool getlogginglevels
Logger Name                Log Level
ROOT                       INFO
org.cisecurity.workbench   WARN


If set to OFF then this is a finding.

Remediation:

To remediate this setting:

1. Edit the logback-test.xml if present; otherwise, edit the logback.xml

<configuration scan="true">
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
      <level>INFO</level>
    </filter>
    <encoder>
      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
    </encoder>
  </appender>
  <root level="INFO">
    <appender-ref ref="STDOUT" />
  </root>
  <logger name="org.cisecurity.workbench" level="WARN"/>
</configuration>

2. Restart Apache Cassandra
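Because a level set with nodetool is lost on restart, the persistent state in logback.xml is what should be audited alongside the live `nodetool getlogginglevels` output. The script below is an added example, not code from the CIS Benchmark: it reads both sources and reports any logger at OFF. The logback.xml it parses is the configuration from the remediation step above; the nodetool output is constructed to match the audit listing.

```python
"""Audit logging levels for CIS Cassandra 4.1 (no logger may be OFF).

Added example, not part of the CIS Benchmark. Reads the persistent
logback.xml and the live `nodetool getlogginglevels` output and flags
any logger set to OFF; the inputs below are constructed.
"""
import xml.etree.ElementTree as ET

# The logback.xml from the benchmark's remediation step
LOGBACK_XML = """<configuration scan="true">
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
      <level>INFO</level>
    </filter>
    <encoder>
      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
    </encoder>
  </appender>
  <root level="INFO">
    <appender-ref ref="STDOUT" />
  </root>
  <logger name="org.cisecurity.workbench" level="WARN"/>
</configuration>"""

# Constructed copy of what `nodetool getlogginglevels` prints for that config
NODETOOL_OUTPUT = """\
Logger Name                Log Level
ROOT                       INFO
org.cisecurity.workbench   WARN
"""


def levels_from_logback(xml_text):
    """Return {logger_name: LEVEL} from logback.xml, ROOT included.
    Logback's documented default for <root> without a level is DEBUG."""
    config = ET.fromstring(xml_text)
    levels = {}
    root = config.find("root")
    if root is not None:
        levels["ROOT"] = root.get("level", "DEBUG").upper()
    for logger in config.findall("logger"):
        level = logger.get("level")
        if level:                       # loggers without a level inherit one
            levels[logger.get("name")] = level.upper()
    return levels


def levels_from_nodetool(output):
    """Parse `nodetool getlogginglevels`: name and level separated by blanks."""
    levels = {}
    for line in output.splitlines()[1:]:    # skip the column header
        parts = line.split()
        if len(parts) == 2:
            levels[parts[0]] = parts[1].upper()
    return levels


def findings(levels):
    """CIS 4.1: a logger at OFF is a finding; so is a missing ROOT level."""
    result = []
    if "ROOT" not in levels:
        result.append("ROOT logger level not set")
    result += [f"{name} is OFF" for name, level in levels.items() if level == "OFF"]
    return result


if __name__ == "__main__":
    persistent = levels_from_logback(LOGBACK_XML)
    live = levels_from_nodetool(NODETOOL_OUTPUT)
    print("logback.xml:", persistent, findings(persistent))
    print("nodetool:   ", live, findings(live))
    if persistent != live:
        print("live levels differ from logback.xml; they will revert on restart")
```

The comparison at the end is the practical point: a node whose live levels differ from logback.xml has been changed with nodetool and will silently revert at the next restart.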

Default Value:

INFO

References:

1. http://cassandra.apache.org/doc/latest/troubleshooting/reading_logs.html?highlight=logging

2. https://logback.qos.ch/manual/configuration.html

CIS Controls:

Version 7

6.3 Enable Detailed Logging
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.


4.2 Ensure that auditing is enabled (Not Scored)

Profile Applicability:

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

Audit logging in Cassandra logs every incoming CQL command request and every authentication attempt (successful as well as unsuccessful login) to a C* node. Currently, there are two implementations provided; a custom logger can be implemented and injected with the class name as a parameter in cassandra.yaml.

Rationale:

Unauthorized attempts to create, drop or alter users or data should be a concern.

Audit:

Open Source Version
Apache Cassandra versions up to 3.11.4 do not have auditing capabilities; it will be in version 4.x, but that has not been released yet according to the Apache Cassandra website. http://cassandra.apache.org/download/

Commercial Version
DataStax allows logging to file system log files using logback, or to a Cassandra table. When you turn on audit logging, the default is to write to logback file system log files. If using the DataStax version, you can verify auditing is turned on:

cat dse.yaml | grep "audit_logging_options"

If the section shows enabled: true, this is a pass. Anything else is a finding.

Remediation:

Open Source Version
Apache Cassandra versions up to 3.11.4 do not have auditing capabilities; it will be in version 4.x, but that has not been released yet according to the Apache Cassandra website. http://cassandra.apache.org/download/


Commercial Version
Open the dse.yaml file in a text editor. In the audit_logging_options section, set enabled to true.

# Audit logging options
audit_logging_options:
    enabled: true

You must also define where you want logging to go; add either of the following lines: set the logger option to either CassandraAuditWriter, which logs to a table, or SLF4JAuditWriter, which logs to the SLF4J logger.

References:

1. https://docs.datastax.com/en/datastax_enterprise/4.8/datastax_enterprise/sec/secAudit.html#secAudit

CIS Controls:

Version 7

6.2 Activate audit logging
Ensure that local logging has been enabled on all systems and networking devices.


5 Encryption

These recommendations pertain to encryption-related aspects of Cassandra.

5.1 Inter-node Encryption (Scored)

Profile Applicability:

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

Cassandra offers the option to encrypt data in transit between nodes on the cluster. By default, inter-node encryption is turned off.

Rationale:

Data being transferred on the wire should be encrypted to avoid network snooping, whether legitimate or not.

Audit:

Run the following command to verify whether inter-node encryption is enabled.

cat cassandra.yaml | grep -in "internode_encryption:"

Acceptable values are all, dc or rack. If the internode_encryption is set to none, this is a finding.

Note: The Cassandra configuration files can be found in the conf directory of tarballs. For packages, the configuration files will be located in /etc/cassandra.

Remediation:

The inter-node encryption should be implemented before anyone accesses the Cassandra server. To enable the inter-node encryption mechanism:

1. Stop the Cassandra database.

2. If not done so already, build out your keystore and truststore.

3. Modify the cassandra.yaml file to modify/add the entry for internode_encryption: set it to all

4. Start the Cassandra database.


Default Value:

internode_encryption: none

References:

1. http://cassandra.apache.org/doc/latest/operating/security.html

CIS Controls:

Version 7

14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.


5.2 Client Encryption (Scored)

Profile Applicability:

• Level 1 - Cassandra on Linux

• Level 2 - Cassandra on Linux

Description:

Cassandra offers the option to encrypt data in transit between the client and nodes on the cluster. By default, client encryption is turned off.

Rationale:

Data in transit between the client and node on the cluster should be encrypted to avoid network snooping, whether legitimate or not.

Audit:

The Cassandra configuration files can be found in the conf directory of tarballs. For packages, the configuration files will be located in /etc/cassandra. Open up the cassandra.yaml file and look for the client_encryption_options section. Look for enabled: and optional:

enabled: true
optional: false

If neither is true, then all client connections are unencrypted, which makes this a finding.

If enabled is true and optional is false, then all client connections must be encrypted, which makes this not a finding.

If enabled is false and optional is true, then enabled wins and all client connections are unencrypted, which makes this a finding.

If both are set to true, then both unencrypted and encrypted connections are allowed on the same port, which makes this not a finding.

Remediation:

The client encryption should be implemented before anyone accesses the Cassandra server. To enable the client encryption mechanism:


1. Stop the Cassandra database.

2. If not done so already, build out your keystore and truststore.

3. Modify the cassandra.yaml file to modify/add entries under client_encryption_options:

set enabled: true
set optional: false

This will force all connections between client and node on the cluster to be encrypted.

4. Start the Cassandra database.
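The grep-based audits in 4.2, 5.1 and 5.2 all read a single key out of a YAML block, and the 5.2 truth table above is easy to get wrong by hand. The script below is an added example, not code from the CIS Benchmark: it pulls the values out of the relevant blocks and applies the benchmark's rules for each recommendation. The cassandra.yaml and dse.yaml fragments are constructed to mirror the stock 3.11 layout (internode_encryption sits under server_encryption_options there); the hardened fragment is the default after the remediation steps.

```python
"""Audit cassandra.yaml and dse.yaml settings for CIS Cassandra 4.2,
5.1 and 5.2. Added example, not part of the CIS Benchmark. The YAML
fragments are constructed to mirror the stock 3.11 layout; nothing
here is read from a live node."""

# Constructed: the relevant blocks of a stock cassandra.yaml (3.11 defaults)
DEFAULT_YAML = """\
cluster_name: 'Test Cluster'
server_encryption_options:
    internode_encryption: none
    keystore: conf/.keystore
    truststore: conf/.truststore
client_encryption_options:
    enabled: false
    # with enabled and optional both true, plain and TLS clients are both accepted
    optional: false
    keystore: conf/.keystore
"""

# Constructed: the same blocks after the 5.1 and 5.2 remediation steps
HARDENED_YAML = DEFAULT_YAML.replace(
    "internode_encryption: none", "internode_encryption: all"
).replace("enabled: false", "enabled: true")

# Constructed dse.yaml fragment (DataStax Enterprise only, see 4.2)
DSE_YAML = """\
audit_logging_options:
    enabled: true
    logger: SLF4JAuditWriter
"""


def block_values(text, block):
    """Return {key: value} for the scalars directly inside a top-level
    `block:` mapping. Minimal reader for the flat blocks audited here
    (comments and blank lines ignored); it is not a general YAML parser."""
    values, in_block, block_indent = {}, False, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if not in_block:
            if key == block and value.strip() == "":
                in_block, block_indent = True, indent
            continue
        if indent <= block_indent:
            break                                 # end of the block
        values[key] = value.strip()
    return values


def audit_internode(cassandra_yaml):
    """CIS 5.1: internode_encryption must be all, dc or rack; none fails."""
    opts = block_values(cassandra_yaml, "server_encryption_options")
    return opts.get("internode_encryption") in ("all", "dc", "rack")


def audit_client(cassandra_yaml):
    """CIS 5.2 truth table from the benchmark. Returns (passes, reason)."""
    opts = block_values(cassandra_yaml, "client_encryption_options")
    enabled = opts.get("enabled", "").lower() == "true"
    optional = opts.get("optional", "").lower() == "true"
    if not enabled:                 # enabled: false wins over optional: true
        return False, "all client connections are unencrypted"
    if optional:                    # plain and TLS both accepted on one port
        return True, "unencrypted and encrypted connections both allowed"
    return True, "all client connections must be encrypted"


def audit_dse_audit_logging(dse_yaml):
    """CIS 4.2 (DataStax only): audit_logging_options.enabled must be true."""
    opts = block_values(dse_yaml, "audit_logging_options")
    return opts.get("enabled", "").lower() == "true"


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_YAML), ("hardened", HARDENED_YAML)):
        print(name, "5.1 internode:", audit_internode(cfg),
              "5.2 client:", audit_client(cfg))
    print("dse 4.2 audit logging:", audit_dse_audit_logging(DSE_YAML))
```

To check a real node, read /etc/cassandra/cassandra.yaml (or conf/cassandra.yaml in a tarball install) into the functions in place of the constructed strings. The block-aware lookup matters because `enabled:` appears in more than one block of cassandra.yaml; a bare grep for it can match the wrong section.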

Default Value:

enabled: false

optional: false

References:

1. http://cassandra.apache.org/doc/latest/operating/security.html

CIS Controls:

Version 7

14.4 Encrypt All Sensitive Information in Transit
Encrypt all sensitive information in transit.


Appendix: Summary Table

Control | Set Correctly: Yes | No

1 Installation and Updates
1.1 Ensure a separate user and group exist for Cassandra (Not Scored) | o | o
1.2 Ensure the latest version of Java is installed (Scored) | o | o
1.3 Ensure the latest version of Python is installed (Scored) | o | o
1.4 Ensure latest version of Cassandra is installed (Scored) | o | o
1.5 Ensure the Cassandra service is run as a non-root user (Scored) | o | o
1.6 Ensure clocks are synchronized on all nodes (Not Scored) | o | o

2 Authentication and Authorization
2.1 Ensure that authentication is enabled for Cassandra databases (Scored) | o | o
2.2 Ensure that authorization is enabled for Cassandra databases (Scored) | o | o

3 Access Control / Password Policies
3.1 Ensure the cassandra and superuser roles are separate (Scored) | o | o
3.2 Ensure that the default password changed for the cassandra role (Scored) | o | o
3.3 Ensure there are no unnecessary roles or excessive privileges (Not Scored) | o | o
3.4 Ensure that Cassandra is run using a non-privileged, dedicated service account (Scored) | o | o
3.5 Ensure that Cassandra only listens for network connections on authorized interfaces (Not Scored) | o | o
3.6 Review User-Defined Roles (Not Scored) | o | o
3.7 Review Superuser/Admin Roles (Not Scored) | o | o

4 Auditing and Logging
4.1 Ensure that logging is enabled. (Scored) | o | o
4.2 Ensure that auditing is enabled (Not Scored) | o | o

5 Encryption
5.1 Inter-node Encryption (Scored) | o | o
5.2 Client Encryption (Scored) | o | o


Appendix: Change History

Date | Version | Changes for this version
     | 1.0.0   | Initial Release