Jack,

I have to note, Cassandra documentation, the way it stands now, is not nearly
detailed enough. For instance:
https://docs.datastax.com/en/cassandra/2.1/cassandra/configuration/configLoggingLevels_r.html
is all Cassandra has to say about logging. The reason why I bring my
questions to the mailing list is, once again, I can't make security
recommendations which would be followed across the US, based on the lack of
information. It is really not that difficult to confirm that such a feature
is not present.

Besides, questions I ask might give some implementation ideas. Even from
that particular discussion one has been raised already:
https://issues.apache.org/jira/browse/CASSANDRA-11097 With that in mind,
would you please be able to respond with definitive answers to the questions I
raised here? My assumption is the answer would be "not supported" for all 5 not
yet answered, but I need a confirmation from the community.

Thanks,

Oleg

On Fri, Jan 29, 2016 at 4:34 PM, Jack Krupansky <jack.krupan...@gmail.com>
wrote:

> No offense, but my suggestion here is that you write up a preliminary list
> of your own answers based on your own reading of the doc, specs, and white
> papers (and source code) and post that list, like on Google Docs, for
> people to review in bulk, rather than force all Cassandra users on this
> list to participate in a full security review one item at a time. To
> reiterate, you should be treating the doc as the definitive guide to what
> is supported - given the importance that the Cassandra and DSE developers
> placed on security features over the past couple of years, it really is
> truly safe to say that if it isn't in the doc then it is definitively not
> supported. Yes, it would be good to review your final list as a courtesy
> check, but asking us to confirm what appears to be obvious (i.e., it is not
> in the doc) seems more than a bit excessive to me.
>
> If there is any true confusion in the doc, of course let us know (or email
> to d...@datastax.com), but there is no need for us to confirm that you
> did not find something in the doc.
>
> -- Jack Krupansky
>
> On Fri, Jan 29, 2016 at 5:02 PM, oleg yusim <olegyu...@gmail.com> wrote:
>
>> Jack,
>>
>> Appreciate the links. As I mentioned, I looked over both the DSE and
>> Cassandra sets of documentation, and ran some experiments on my Cassandra
>> installation. What I'm bringing here is something I couldn't find a
>> definitive answer for in any of the above-mentioned sources.
>>
>> For instance, regarding logging, here are questions I have:
>>
>> 1)  Identity-based logging (we investigated it in another thread and I
>> got "not supported" as an answer)
>> 2)  Logging source and destinations (server and client IP)
>> 3)  Logging connections and disconnections - same
>> 4)  Logging hostname
>> 5)  Ability to automatically shut down in case it runs out of space to
>> store logs?
>> 6)  Ability to automatically overwrite audit logs in case no more
>> space is available (oldest first)?
>>
>> Thanks,
>>
>> Oleg
>>
>> On Fri, Jan 29, 2016 at 3:47 PM, Jack Krupansky <jack.krupan...@gmail.com
>> > wrote:
>>
>>> There is some more detail on DSE Security in this white paper:
>>>
>>> http://www.datastax.com/wp-content/uploads/2014/04/WP-DataStax-Enterprise-SOX-Compliance.pdf
>>>
>>> It mentions auditing, for example. I think you were asking about that
>>> earlier.
>>>
>>> There may be some additional info or discussion related to security on
>>> these main web site pages:
>>> http://www.datastax.com/products/datastax-enterprise-security
>>>
>>> Security was given a reasonably high priority for DSE in releases 3.0
>>> and beyond, so that if something is not highlighted in those promotional
>>> materials, then it probably isn't in the software.
>>>
>>> In general, if you see a feature in DSE, just do a keyword search in the
>>> Cassandra doc to see if it is supported outside of DSE.
>>>
>>> -- Jack Krupansky
>>>
>>> On Fri, Jan 29, 2016 at 4:23 PM, oleg yusim <olegyu...@gmail.com> wrote:
>>>
>>>> Alex,
>>>>
>>>> No offense is taken, your question is absolutely legit. As we used to
>>>> joke in the security world, "putting on my black hat"/"putting on my white hat"
>>>> - i.e. the same set of questions I would be asking for hacking and protecting
>>>> the product. So, I commend you for being careful here.
>>>>
>>>> Now, in that particular case I'm acting with my "white hat on". :) I'm
>>>> hired by VMware, to help them improve the security posture for their new
>>>> products (vRealize package). I do that as part of the security team on
>>>> the VMware side, and working in conjunction with DISA (
>>>> http://iase.disa.mil/stigs/Pages/a-z.aspx) we are creating STIGs (I
>>>> explained this term in detail in this same thread above, in my response to
>>>> Jon, so I won't repeat myself here) for all the components the vRealize
>>>> suite of products has, including Cassandra, which is used in one of the
>>>> products. These STIGs would be handed over to DISA, reviewed by their SMEs
>>>> and published on their website, creating a great opportunity for all the
>>>> products covered to improve their security posture and advance on the market
>>>> for free.
>>>>
>>>> For VMware purposes, we would harden our suite of products, based on the
>>>> STIGs, and create our own overall Security Guideline, riding on top of the STIGs.
>>>>
>>>> As I mentioned above, for both Cassandra and DSE, equally, this
>>>> document would be very beneficial, since it would enable customers and help
>>>> them to run hardening on the product and place it right on the system,
>>>> surrounded by the correct set of compensation controls.
>>>>
>>>> Thanks,
>>>>
>>>> Oleg
>>>>
>>>> On Fri, Jan 29, 2016 at 1:10 PM, Alex Popescu <al...@datastax.com>
>>>> wrote:
>>>>
>>>>>
>>>>> On Fri, Jan 29, 2016 at 8:17 AM, oleg yusim <olegyu...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Thanks for encouraging me, I kind of grew a bit desperate. I'm a
>>>>>> security person, not a Cassandra expert, and doing a security assessment of
>>>>>> Cassandra DB, I have to rely on the community heavily. I will put together a
>>>>>> composed version of all my previous queries, will title it "Security
>>>>>> assessment questions" and will post it once again.
>>>>>
>>>>>
>>>>> Oleg,
>>>>>
>>>>> I'll apologize in advance if my answer sounds initially harsh.
>>>>> I've been following your questions (mostly because I find them
>>>>> interesting), but I've never jumped to answer any of them as I confess not
>>>>> knowing the purpose of your research/report makes me cautious (e.g. are you
>>>>> doing this for your current employer evaluating the future use of the
>>>>> product? are you doing this for an analyst company? are you planning to
>>>>> sell this report? etc. etc.).
>>>>>
>>>>>
>>>>> --
>>>>> Bests,
>>>>>
>>>>> Alex Popescu | @al3xandru
>>>>> Sen. Product Manager @ DataStax
>>>>>
>>>>>
>>>>
>>>
>>
>