STIGQter: STIG Summary: vRealize - Cassandra Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 05 Jun 2017:

The Cassandra Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.

DISA Rule

SV-87313r1_rule

Vulnerability Number

V-72681

Group Title

SRG-APP-000383-DB-000364

Rule Version

VROM-CS-000240

Severity

CAT II

CCI(s)

• CCI-001762 - The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.

Weight

10

Fix Recommendation

Configure the Cassandra Server to disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accordance with the Ports, Protocols, and Services Management (PPSM) guidance.

Open the console to the server that Cassandra DB is hosted at and type: "find / | grep "cassandra.yaml"". Open "cassandra.yaml" file and modify "start_rpc parameter" value to "false", "start_native_transport parameter" value to "true" and "native_transport_port" parameter value to one in the range of approved ports, according to https://disa.deps.mil/ext/cop/iase/ppsm/Pages/cal.aspx document (default port is 9042).

Check Contents

Review the Cassandra Server to ensure network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accordance with the Ports, Protocols, and Services Management (PPSM) guidance are disabled.

Open the console to the server that Cassandra DB is hosted at and type: "find / | grep "cassandra.yaml"". Open "cassandra.yaml" file and review "start_rpc", "start_native_transport", and "native_transport_port" parameters values.

If "start_rpc" is not set to "false" and "start_native_transport" is not set to "true", this is a finding.

Run following command from the console of server, hosting Cassandra: "netstat -ntl | grep <native_transport_port > parameter value". Review output of this command record for the protocol and port Cassandra listens at.

Obtain the document containing the list of approved ports, protocols, and services from https://disa.deps.mil/ext/cop/iase/ppsm/Pages/cal.aspx.

If protocol and port Cassandra listens at are not approved, this is a finding.

Vulnerability Number

V-72681

Documentable

False

Rule Version

VROM-CS-000240

Severity Override Guidance

Review the Cassandra Server to ensure network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accordance with the Ports, Protocols, and Services Management (PPSM) guidance are disabled.

Open the console to the server that Cassandra DB is hosted at and type: "find / | grep "cassandra.yaml"". Open "cassandra.yaml" file and review "start_rpc", "start_native_transport", and "native_transport_port" parameters values.

If "start_rpc" is not set to "false" and "start_native_transport" is not set to "true", this is a finding.

Run following command from the console of server, hosting Cassandra: "netstat -ntl | grep <native_transport_port > parameter value". Review output of this command record for the protocol and port Cassandra listens at.

Obtain the document containing the list of approved ports, protocols, and services from https://disa.deps.mil/ext/cop/iase/ppsm/Pages/cal.aspx.

If protocol and port Cassandra listens at are not approved, this is a finding.

Check Content Reference

M

Target Key

3179

Comments