STIGQter: STIG Summary: vRealize - Cassandra Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017

The Cassandra Server must isolate security functions from non-security functions.

DISA Rule

SV-87299r1_rule

Vulnerability Number

V-72667

Group Title

SRG-APP-000233-DB-000124

Rule Version

VROM-CS-000175

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Cassandra Server to isolate security functions from non-security functions.

Locate security-related database objects and code in a separate database, schema, or other separate security domain from database objects and code implementing application logic.

Using the "REVOKE" command, modify access privileges for objects in system, system_auth, and system_traces, revoking privileges of non-superuser users.

Check Contents

Review the Cassandra Server configuration to ensure objects or code implementing security functionality are located in a separate security domain, such as a separate database or schema created specifically for security functionality.

If security-related database objects or code are not kept separate, this is a finding.

Open the "cqlsh" prompt on the Cassandra Server and run the "LIST ALL PERMISSIONS" command. Review the username, resource, and permissions columns.

If privileges on any object under the system, system_auth, or system_traces schemas are granted to any user other than a superuser (cassandra in the default configuration), this is a finding.
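
The review of the "LIST ALL PERMISSIONS" output described above can be scripted. The following is an added example, not part of the STIG text; it assumes the pipe-delimited table layout that cqlsh prints, the user names and grants in SAMPLE are constructed, and treating a grant on <all keyspaces> as covering the protected schemas is an assumption of this example.

```python
import re

# Schemas the check text names as the security domain.
PROTECTED = {"system", "system_auth", "system_traces"}
# Matches "<keyspace ks>" and "<table ks.tbl>"; group 1 is the keyspace.
RESOURCE_RE = re.compile(r"<(?:keyspace|table)\s+(\w+)(?:\.\w+)?>")

def parse_rows(cqlsh_output):
    """Yield one dict per data row of a pipe-delimited cqlsh result table."""
    header = None
    for line in cqlsh_output.splitlines():
        if "|" not in line:
            continue  # blank lines, the ---+--- separator, "(N rows)" footer
        cells = [c.strip() for c in line.split("|")]
        if header is None:
            header = cells  # first pipe-delimited line is the column header
        else:
            yield dict(zip(header, cells))

def findings(cqlsh_output, superusers=frozenset({"cassandra"})):
    """Return (user, resource, permission) grants the check counts as a finding."""
    out = []
    for row in parse_rows(cqlsh_output):
        user = row.get("username") or row.get("role")
        resource = row["resource"]
        m = RESOURCE_RE.fullmatch(resource)
        keyspace = m.group(1) if m else None
        # Assumption: a grant on <all keyspaces> also covers the protected ones.
        covers = keyspace in PROTECTED or resource == "<all keyspaces>"
        if covers and user not in superusers:
            out.append((user, resource, row["permission"]))
    return out

# Constructed sample output; not taken from a real server.
SAMPLE = """
 username  | resource                        | permission
-----------+---------------------------------+------------
 cassandra |                 <all keyspaces> |  AUTHORIZE
    app_rw |             <keyspace app_data> |     MODIFY
    app_rw | <table system_auth.credentials> |     SELECT
 reporting |        <keyspace system_traces> |     SELECT
 reporting |         <table app_data.system> |     SELECT

(5 rows)
"""

if __name__ == "__main__":
    for user, resource, permission in findings(SAMPLE):
        print(f"FINDING: {user} holds {permission} on {resource}")
```

Each reported row is a grant to remove with the "REVOKE" command named in the Fix Recommendation. Pass the site's actual superuser names as `superusers` when the default cassandra account is not the only one.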

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3179