You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Vinay Chella (JIRA)" <ji...@apache.org> on 2018/05/23 18:20:00 UTC

[jira] [Updated] (CASSANDRA-14465) Consider logging prepared statements bound values in Audit Log

     [ https://issues.apache.org/jira/browse/CASSANDRA-14465?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vinay Chella updated CASSANDRA-14465:
-------------------------------------
    Description: 
The Goal of this ticket is to determine the best way to implement audit logging of actual bound values from prepared statement execution. The current default implementation does not log bound values

Here are the options I see
1. Log bound values of prepared statements 
2. Let a custom implementation of IAuditLogger decide what to do

*Context*:
Option #1: Works for teams which expects bind values to be logged in audit log without any security or compliance concerns
Option #2: Allows teams make the best choice for themselves

Note that the efforts of securing C* clusters by certs, authentication, and audit logging can go in vain when log rotation and log aggregation systems are not equally secure enough since logging bind values allow someone to reply the database events and exposes sensitive data.

[~spodxx@gmail.com] [~jasobrown]

  was:
The Goal of this ticket is to determine the best way to implement audit logging of actual bound values from prepared statement execution. The current default implementation does not log bound values

Here are the options I see
1. Log bound values of prepared statements 
2. Let a custom implementation of IAuditLogger decide what to do

Context:
Option #1: Works for teams which expects bind values to be logged in audit log without any security or compliance concerns
Option #2: Allows teams make the best choice for themselves

Note that the efforts of securing C* clusters by certs, authentication, and audit logging can go in vain when log rotation and log aggregation systems are not equally secure enough since logging bind values allow someone to reply the database events and exposes sensitive data.

[~spodxx@gmail.com] [~jasobrown]


> Consider logging prepared statements bound values in Audit Log
> --------------------------------------------------------------
>
>                 Key: CASSANDRA-14465
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14465
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Vinay Chella
>            Priority: Minor
>
> The Goal of this ticket is to determine the best way to implement audit logging of actual bound values from prepared statement execution. The current default implementation does not log bound values
> Here are the options I see
> 1. Log bound values of prepared statements 
> 2. Let a custom implementation of IAuditLogger decide what to do
> *Context*:
> Option #1: Works for teams which expects bind values to be logged in audit log without any security or compliance concerns
> Option #2: Allows teams make the best choice for themselves
> Note that the efforts of securing C* clusters by certs, authentication, and audit logging can go in vain when log rotation and log aggregation systems are not equally secure enough since logging bind values allow someone to reply the database events and exposes sensitive data.
> [~spodxx@gmail.com] [~jasobrown]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org