cassandra-commits mailing list archives

From "Jason Brown (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-14465) Consider logging prepared statements bound values in Audit Log
Date Wed, 13 Jun 2018 17:11:00 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-14465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16511439#comment-16511439 ]

Jason Brown commented on CASSANDRA-14465:
-----------------------------------------

I'm kind of in favor of [~eperott]'s option 3. Making it configurable (defaulting to off)
offers the most flexibility with the least potential impact to performance.

> Consider logging prepared statements bound values in Audit Log
> --------------------------------------------------------------
>
>                 Key: CASSANDRA-14465
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14465
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Vinay Chella
>            Priority: Minor
>
> The goal of this ticket is to determine the best way to implement audit logging of actual
> bound values from prepared statement execution. The current default implementation does not
> log bound values.
> Here are the options I see:
>  1. Log bound values of prepared statements
>  2. Let a custom implementation of IAuditLogger decide what to do
> *Context*:
>  Option #1: Works for teams which expect bind values to be logged in audit log without
> any security or compliance concerns
>  Option #2: Allows teams to make the best choice for themselves
> Note that the efforts of securing C* clusters by certs, authentication, and audit logging
> can go in vain when log rotation and log aggregation systems are not equally secure enough
> since logging bind values allows someone to replay the database events and expose sensitive
> data.
> [~spodxx@gmail.com] [~jasobrown]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
