
Cassandra Security

This page discusses security considerations and configurations for Cassandra.

Authentication

If authentication is enabled on Cassandra, you must add the section and options below to the UCS cluster application.

Procedure

  1. Create a [cassandra-client] configuration option section.
  2. Set the value of the user-name option to the name of a Cassandra user.
  3. Set the value of the password option to the user's password.

General Linux Recommendations

  • Use a password-protected BIOS that prevents booting from anything other than the HDD.
  • Password protect the bootloader to prevent changing boot options.
  • Remove unused applications and use minimal OS images.
  • Only use official package repositories.
  • Do not install programming tools such as Perl, Python, GCC, JDK.
  • Regularly update and monitor the system for security advisories.
  • Keep listening network services to the minimum required for each network interface.
  • Disable dynamic module loading.
  • Use a role-based access control mechanism (Tomoyo, AppArmor, SELinux, grsecurity).
  • Adapt the kernel to the target environment.
  • Use a firewall.
  • Use relevant partitioning and mount options.
  • Ensure strict application of read/write permissions to all files, especially to the scripts started automatically.
  • Encrypt your data.
  • Use fencing/jails/Docker to isolate processes.
  • Use automated auditing and event journalling.
  • Disable/remove dormant users.
  • Use strong passwords to prevent root ssh login.

File System Encryption

Amazon EBS

  1. Create and attach a new EBS volume with the Encrypted checkbox checked.
  2. Format the volume.

Regular File System

  1. Ensure system-storage-manager and cryptsetup are installed.
       sudo yum install system-storage-manager
       sudo yum install cryptsetup
  2. In this example we'll use sdb to store Cassandra and Elasticsearch files as well as binary files.
       sudo ssm list
       ------------------------------------------------------------
       Device         Free      Used      Total  Pool    Mount point
       ------------------------------------------------------------
       /dev/sda                        64.00 GB          PARTITIONED
       /dev/sda1                      500.00 MB          /boot
       /dev/sda2   0.00 KB  63.51 GB   63.51 GB  centos
       /dev/sdb                        32.00 GB
       ------------------------------------------------------------
       ...
  3. Create a new mount point and corresponding disk.
       sudo ssm add -p cassandrapool /dev/sdb
         Volume group "cassandrapool" successfully created

       sudo lvcreate -L31.99GB -n EncryptedStorage cassandrapool
         Rounding up size to full physical extent 31.99 GiB
         Logical volume "EncryptedStorage" created.
  4. Optional (not required for a new disk): you may want to shred the existing device to make sure no unencrypted data is left.
       sudo shred -v --iterations=1 /dev/cassandrapool/EncryptedStorage
       shred: /dev/cassandrapool/EncryptedStorage: pass 1/3 (random)...
       shred: /dev/cassandrapool/EncryptedStorage: pass 1/3 (random)...137MiB/32GiB 0%
       shred: /dev/cassandrapool/EncryptedStorage: pass 1/3 (random)...478MiB/32GiB 1%

       ...
  5. Create the encrypted volume. Make sure the passphrase is longer than 8 characters.
       sudo cryptsetup --verbose --verify-passphrase --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/cassandrapool/EncryptedStorage
       WARNING!
       ========
       This will overwrite data on /dev/cassandrapool/EncryptedStorage irrevocably.
       Are you sure? (Type uppercase yes): YES
       Enter passphrase:
       Verify passphrase:
       Command successful.
  6. Unlock the created volume using the previously created passphrase.
       sudo cryptsetup --verbose luksOpen /dev/cassandrapool/EncryptedStorage enc_encrypted_storage
       Enter passphrase for /dev/cassandrapool/EncryptedStorage:
       Key slot 0 unlocked.
       Command successful.
  7. Format the volume using XFS, which is recommended for Cassandra.
       sudo mkfs.xfs /dev/mapper/enc_encrypted_storage
       meta-data=/dev/mapper/enc_encrypted_storage isize=256 agcount=4, agsize=2096512 blks
       ...
  8. Edit the /etc/crypttab file.
       sudo vi /etc/crypttab
  9. Add the following:
       enc_encrypted_storage /dev/cassandrapool/EncryptedStorage none noauto
  10. Edit the /etc/fstab file.
       sudo vi /etc/fstab
  11. Add the following:
       /dev/mapper/enc_encrypted_storage /encrypted_storage xfs noauto,defaults 1 2
  12. Finally, create the mount point and mount your encrypted volume.
       sudo mkdir /encrypted_storage
       sudo mount /encrypted_storage
  13. After each reboot you’ll need to run these two commands to have your encrypted file system available. The first command will prompt you for the passphrase:
       sudo cryptsetup luksOpen /dev/cassandrapool/EncryptedStorage enc_encrypted_storage
       sudo mount /encrypted_storage
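
A consistency check for the crypttab and fstab entries created in the steps above, added here as an example (it is not part of the original page or of the product). The function name check_encrypted_mount and its return codes are assumptions; the two file paths are parameters so the check can be run against copies.

```shell
#!/bin/sh
# Added example: confirm that the fstab entry for a mount point and the
# matching crypttab entry agree. Function name and return codes are
# hypothetical, chosen for this illustration.
#
# Usage: check_encrypted_mount MOUNTPOINT [CRYPTTAB] [FSTAB]
#   0 consistent            3 mapping name missing from crypttab
#   1 no fstab entry        4 crypttab names a key file stored on disk
#   2 not /dev/mapper/*     5 crypttab is noauto but fstab is not

has_noauto() {
    case ",$1," in *,noauto,*) return 0 ;; *) return 1 ;; esac
}

check_encrypted_mount() {
    mp=$1
    crypttab=${2:-/etc/crypttab}
    fstab=${3:-/etc/fstab}

    # fstab fields: device mountpoint fstype options dump pass
    fs_line=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $1, $4; exit }' "$fstab")
    [ -n "$fs_line" ] || return 1
    fs_dev=${fs_line%% *}
    fs_opts=${fs_line#* }

    # The file system must sit on the unlocked mapping, never on the raw volume.
    case $fs_dev in
        /dev/mapper/*) name=${fs_dev#/dev/mapper/} ;;
        *) return 2 ;;
    esac

    # crypttab fields: name device keyfile options
    ct_line=$(awk -v n="$name" '$1 == n { print $3, $4; exit }' "$crypttab")
    [ -n "$ct_line" ] || return 3
    ct_key=${ct_line%% *}
    ct_opts=${ct_line#* }

    # "none" (or "-", or an empty field) means the passphrase is prompted for.
    case $ct_key in
        none|-|"") ;;
        *) return 4 ;;
    esac

    # A volume left locked at boot must not be mounted automatically.
    if has_noauto "$ct_opts" && ! has_noauto "$fs_opts"; then
        return 5
    fi
    return 0
}
```

Run it as `check_encrypted_mount /encrypted_storage` after editing both files; a non-zero status identifies which of the two entries needs correcting.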

Migration from Unencrypted to Encrypted Storage

  1. Apply the steps above to create encrypted storage on the target host(s).
  2. Stop Cassandra/Elasticsearch.
  3. Move Cassandra and Elasticsearch files to the encrypted storage.
  4. Edit startup files such as /etc/systemd/system/cassandra.service to point to the new storage.
  5. Start Cassandra/Elasticsearch.
This page was last modified on March 5, 2019, at 08:39.
