The Cassandra database must be able to generate audit records when privileges/permissions are retrieved.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-72627	VROM-CS-000020	SV-87259r1_rule		Medium

Description
Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.

Description

Under some circumstances, it may be useful to monitor who/what is reading privilege/permission/role information. Therefore, it must be possible to configure auditing to do this. DBMSs typically make such information available through views or functions. This requirement addresses explicit requests for privilege/permission/role membership information. It does not refer to the implicit retrieval of privileges/permissions/role memberships that the DBMS continually performs to determine if any and every action on the database is permitted.

STIG	Date
vRealize - Cassandra Security Technical Implementation Guide	2017-06-06

Details

Check Text ( C-72781r1_chk )
Review the Cassandra Server settings to ensure that audit records can be produced when privileges/permissions/role memberships are retrieved. At the command prompt, execute the following command: # grep ' If level is not set to "ALL", this is a finding.

Fix Text (F-79029r1_fix)
Configure the Cassandra Server to produce audit records when privileges/permissions/role memberships are retrieved. At the command line execute the following command: # sed -i 's/^$\s$$\s$$/\1\2/' /usr/lib/vmware-vcops/user/conf/cassandra/logback.xml