Cassandra Security

This page discusses security considerations and configurations for Cassandra.

Authentication

If authentication is enabled on Cassandra:

  • You must add the sections and options below to all Cassandra RAPs.
  • An RAP with these option settings must exist for all Cassandra nodes of the local current Data Center.

Procedure

  1. Create a [cassandra-client] configuration option section.
  2. Set the value of the user-name option to the name of an already-created user.
  3. Set the value of the password option to the user's password.

General Linux Recommendations

  • Use a password-protected BIOS that prevents booting from anything other than the HDD.
  • Password protect the bootloader to prevent changing boot options.
  • Remove unused applications and use minimal OS images.
  • Only use official package repositories.
  • Do not install programming tools such as Perl, Python, GCC, JDK.
  • Regularly update and monitor the system for security advisories.
  • Keep listening network services to the minimum required for each network interface.
  • Disable dynamic module loading.
  • Use a role-based access control mechanism (Tomoyo, AppArmor, SELinux, grsecurity).
  • Adapt the kernel to the target environment.
  • Use a firewall.
  • Use relevant partitioning and mount options.
  • Ensure strict application of read/write permissions to all files, especially to the scripts started automatically.
  • Encrypt your data.
  • Use fencing/jails/Docker to isolate processes.
  • Use automated auditing and event journalling.
  • Disable/remove dormant users.
  • Use strong passwords to prevent root ssh login.

File System Encryption

Amazon EBS

  1. Create and attach a new EBS volume with the Encrypted checkbox checked.
  2. Format the volume.

Regular File System

  1. Ensure system-storage-manager and cryptsetup are installed.

    sudo yum install system-storage-manager
    sudo yum install cryptsetup

  2. In this example we'll use sdb to store Cassandra and Elasticsearch files as well as binary files.

    sudo ssm list
    ------------------------------------------------------------
    Device        Free      Used      Total  Pool    Mount point
    ------------------------------------------------------------
    /dev/sda                       64.00 GB          PARTITIONED
    /dev/sda1                     500.00 MB          /boot
    /dev/sda2  0.00 KB  63.51 GB   63.51 GB  centos
    /dev/sdb                       32.00 GB
    ------------------------------------------------------------
    ...

  3. Create a new mount point and corresponding disk.

    sudo ssm add -p cassandrapool /dev/sdb
      Volume group "cassandrapool" successfully created

    sudo lvcreate -L31.99GB -n EncryptedStorage cassandrapool
      Rounding up size to full physical extent 31.99 GiB
      Logical volume "EncryptedStorage" created.

  4. Optional (not required for a new disk): you may want to shred the existing device to make sure no unencrypted data is left.

    sudo shred -v --iterations=1 /dev/cassandrapool/EncryptedStorage
    shred: /dev/cassandrapool/EncryptedStorage: pass 1/3 (random)...
    shred: /dev/cassandrapool/EncryptedStorage: pass 1/3 (random)...137MiB/32GiB 0%
    shred: /dev/cassandrapool/EncryptedStorage: pass 1/3 (random)...478MiB/32GiB 1%
    ...

  5. Create the encrypted volume. Make sure to use a passphrase longer than 8 characters.

    sudo cryptsetup --verbose --verify-passphrase --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/cassandrapool/EncryptedStorage
    WARNING!
    ========
    This will overwrite data on /dev/cassandrapool/EncryptedStorage irrevocably.
    Are you sure? (Type uppercase yes): YES
    Enter passphrase:
    Verify passphrase:
    Command successful.

  6. Unlock the created volume using the previously created passphrase.

    sudo cryptsetup --verbose luksOpen /dev/cassandrapool/EncryptedStorage enc_encrypted_storage
    Enter passphrase for /dev/cassandrapool/EncryptedStorage:
    Key slot 0 unlocked.
    Command successful.

  7. Format the volume using XFS, which is recommended for Cassandra.

    sudo mkfs.xfs /dev/mapper/enc_encrypted_storage
    meta-data=/dev/mapper/enc_encrypted_storage isize=256 agcount=4, agsize=2096512 blks
    ...

  8. Edit the /etc/crypttab file.

    sudo vi /etc/crypttab

  9. Add the following:

    enc_encrypted_storage /dev/cassandrapool/EncryptedStorage none noauto

  10. Edit the /etc/fstab file.

    sudo vi /etc/fstab

  11. Add the following:

    /dev/mapper/enc_encrypted_storage /encrypted_storage xfs noauto,defaults 1 2

  12. Finally, create the mount point and mount your encrypted volume.

    sudo mkdir /encrypted_storage
    sudo mount /encrypted_storage

  13. After each reboot you’ll need to run these two commands to have your encrypted file system available. The first command will prompt you for the passphrase:

    sudo cryptsetup luksOpen /dev/cassandrapool/EncryptedStorage enc_encrypted_storage
    sudo mount /encrypted_storage

Migration from Unencrypted to Encrypted Storage

  1. Apply the steps above to create encrypted storage on the target host(s).
  2. Stop Cassandra/Elasticsearch.
  3. Move Cassandra and Elasticsearch files to the encrypted storage.
  4. Edit startup files such as /etc/systemd/system/cassandra.service to point to the new storage.
  5. Start Cassandra/Elasticsearch.
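
Because the volume is configured noauto, after a reboot /encrypted_storage is only an empty directory on the unencrypted root file system until the volume is unlocked and mounted. The following is an added example, not part of the original page: a pre-start guard that checks lsblk output for a dm-crypt device under the data path. The --check flag, the /encrypted_storage/cassandra path and the sample tables are assumptions.

```sh
#!/bin/sh
# Added example: refuse to start Cassandra unless its data path is on the
# unlocked LUKS mapping. Paths and sample tables below are constructed.

# storage_type PATH
# Reads `lsblk -rno NAME,TYPE,MOUNTPOINT` output on stdin and prints the device
# TYPE backing the deepest mount point that contains PATH ("unknown" if none).
storage_type() {
  awk -v path="$1" '
    NF >= 3 {
      mp = $3
      prefix = (mp == "/") ? "/" : mp "/"
      # Longest mount point that equals PATH or is a parent directory of it.
      if (index(path "/", prefix) == 1 && length(mp) > best) {
        best = length(mp); type = $2
      }
    }
    END { print (best ? type : "unknown") }
  '
}

# require_encrypted PATH: succeeds only when PATH sits on a dm-crypt device.
require_encrypted() {
  [ "$(storage_type "$1")" = "crypt" ]
}

# Constructed lsblk output after `cryptsetup luksOpen` and `mount`.
SAMPLE_UNLOCKED='sda disk
sda2 part
centos-root lvm /
sdb disk
cassandrapool-EncryptedStorage lvm
enc_encrypted_storage crypt /encrypted_storage'

# Constructed output after a reboot: the mapping is not opened, so the mount
# point is just an empty directory on the unencrypted root file system.
SAMPLE_LOCKED='sda disk
sda2 part
centos-root lvm /
sdb disk
cassandrapool-EncryptedStorage lvm'

# Live use (hypothetical invocation): guard.sh --check /encrypted_storage/cassandra
if [ "${1:-}" = "--check" ]; then
  lsblk -rno NAME,TYPE,MOUNTPOINT | require_encrypted "$2" || {
    echo "refusing to start: $2 is not on encrypted storage" >&2
    exit 1
  }
fi
```

Run from an ExecStartPre= line in the cassandra.service unit edited in step 4, the guard keeps the service from writing plaintext data under the empty mount point when the volume has not been unlocked.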

This page was last modified on May 18, 2018, at 06:55.