One last time, I'll simply renew my objection to the way you are abusing this list. You'll hear no further reply from me and I will begin marking any more of your excessive inquiries as spam. If others in the community wish to do your security review for you one item at a time, that is their prerogative and I'll respect their wishes. My suggestion for a superior approach to getting feedback for your review still stands and requires no further effort from me at this stage.

-- Jack Krupansky

On Fri, Jan 29, 2016 at 5:50 PM, oleg yusim <olegyu...@gmail.com> wrote:
> Jack,
>
> I have to note, Cassandra documentation the way it stays now is not nearly detailed enough. For instance:
> https://docs.datastax.com/en/cassandra/2.1/cassandra/configuration/configLoggingLevels_r.html
> is all Cassandra has to say about logging. The reason why I bring my questions to the mailing list is, once again, I can't make security recommendations which would be followed across the US based on the lack of information. It is really not that difficult to confirm that such a feature is not present.
>
> Besides, the questions I ask might give some implementation ideas. Even from that particular discussion one has been raised already:
> https://issues.apache.org/jira/browse/CASSANDRA-11097
> With that in mind, would you please be able to respond with definitive answers to the questions I raised here? My assumption is the answer would be "not supported" for all 5 not yet answered, but I need a confirmation from the community.
>
> Thanks,
>
> Oleg
>
> On Fri, Jan 29, 2016 at 4:34 PM, Jack Krupansky <jack.krupan...@gmail.com> wrote:
>> No offense, but my suggestion here is that you write up a preliminary list of your own answers based on your own reading of the doc, specs, and white papers (and source code) and post that list, like on Google Docs, for people to review in bulk, rather than force all Cassandra users on this list to participate in a full security review one item at a time. To reiterate, you should be treating the doc as the definitive guide to what is supported - given the importance that the Cassandra and DSE developers placed on security features over the past couple of years, it really is truly safe to say that if it isn't in the doc then it is definitively not supported.
>>
>> Yes, it would be good to review your final list as a courtesy check, but asking us to confirm what appears to be obvious (i.e., it is not in the doc) seems more than a bit excessive to me.
>>
>> If there is any true confusion in the doc, of course let us know (or email d...@datastax.com), but there is no need for us to confirm that you did not find something in the doc.
>>
>> -- Jack Krupansky
>>
>> On Fri, Jan 29, 2016 at 5:02 PM, oleg yusim <olegyu...@gmail.com> wrote:
>>> Jack,
>>>
>>> Appreciate the links. As I mentioned, I looked over both the DSE and Cassandra sets of documentation, and ran some experiments on my Cassandra installation. What I'm bringing here is something I couldn't find a definitive answer for in any of the above-mentioned sources.
>>>
>>> For instance, regarding logging, here are the questions I have:
>>>
>>> 1) Identity-based logging (we investigated it in another thread and I got "not supported" as an answer)
>>> 2) Logging source and destination (server and client IP)
>>> 3) Logging connections and disconnections - same
>>> 4) Logging hostname
>>> 5) Ability to automatically shut down in case it runs out of space to store logs?
>>> 6) Ability to automatically overwrite audit logs in case no more space is available (oldest first)?
>>>
>>> Thanks,
>>>
>>> Oleg
>>>
>>> On Fri, Jan 29, 2016 at 3:47 PM, Jack Krupansky <jack.krupan...@gmail.com> wrote:
>>>> There is some more detail on DSE Security in this white paper:
>>>>
>>>> http://www.datastax.com/wp-content/uploads/2014/04/WP-DataStax-Enterprise-SOX-Compliance.pdf
>>>>
>>>> It mentions auditing, for example. I think you were asking about that earlier.
>>>>
>>>> There may be some additional info or discussion related to security on these main web site pages:
>>>> http://www.datastax.com/products/datastax-enterprise-security
>>>>
>>>> Security was given a reasonably high priority for DSE in releases 3.0 and beyond, so if something is not highlighted in those promotional materials, then it probably isn't in the software.
>>>>
>>>> In general, if you see a feature in DSE, just do a keyword search in the Cassandra doc to see if it is supported outside of DSE.
>>>>
>>>> -- Jack Krupansky
>>>>
>>>> On Fri, Jan 29, 2016 at 4:23 PM, oleg yusim <olegyu...@gmail.com> wrote:
>>>>> Alex,
>>>>>
>>>>> No offense taken, your question is absolutely legit. As we used to joke in the security world, "putting on my black hat"/"putting on my white hat" - i.e. the same set of questions I would be asking for hacking and for protecting the product. So, I commend you for being careful here.
>>>>>
>>>>> Now, in that particular case I'm acting with my "white hat on". :) I'm hired by VMware to help them improve the security posture of their new products (vRealize package). I do that as part of the security team on the VMware side, and working in conjunction with DISA (http://iase.disa.mil/stigs/Pages/a-z.aspx) we are creating STIGs (I explained this term in detail in this same thread above, in my response to Jon, so I won't repeat myself here) for all the components the vRealize suite of products has, including Cassandra, which is used in one of the products. These STIGs would be handed over to DISA, reviewed by their SMEs and published on their website, creating a great opportunity for all the products covered to improve their security posture and advance on the market for free.
>>>>>
>>>>> For VMware purposes, we would harden our suite of products based on the STIGs, and create our own overall Security Guideline, riding on top of the STIGs.
>>>>>
>>>>> As I mentioned above, for both Cassandra and DSE equally, this document would be very beneficial, since it would enable customers and help them to run hardening on the product and place it right on the system, surrounded by the correct set of compensation controls.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Oleg
>>>>>
>>>>> On Fri, Jan 29, 2016 at 1:10 PM, Alex Popescu <al...@datastax.com> wrote:
>>>>>> On Fri, Jan 29, 2016 at 8:17 AM, oleg yusim <olegyu...@gmail.com> wrote:
>>>>>>> Thanks for encouraging me, I kind of grew a bit desperate. I'm a security person, not a Cassandra expert, and doing a security assessment of Cassandra DB, I have to rely on the community heavily. I will put together a composed version of all my previous queries, will title it "Security assessment questions" and will post it once again.
>>>>>>
>>>>>> Oleg,
>>>>>>
>>>>>> I'll apologize in advance if my answer sounds initially harsh. I've been following your questions (mostly because I find them interesting), but I've never jumped to answer any of them as I confess not knowing the purpose of your research/report makes me cautious (e.g. are you doing this for your current employer evaluating the future use of the product? are you doing this for an analyst company? are you planning to sell this report? etc. etc).
>>>>>>
>>>>>> --
>>>>>> Bests,
>>>>>>
>>>>>> Alex Popescu | @al3xandru
>>>>>> Sen. Product Manager @ DataStax