{
  "format_version": 3,
  "policy": {
    "external_id": "6fe508b5f697b3750e52b9198c8c48a5",
    "name": "CIS Apache Cassandra 4.0 Benchmark v1.3.0 - Level 1",
    "version": "1.0.0",
    "description": "Center for Internet Security benchmark — Level 1 hardening for Apache Cassandra 4.0. Cross-distro: cassandra.yaml lookups expand to /etc/cassandra/, /etc/cassandra/conf/, and $CASSANDRA_HOME/conf/. Assign this policy to a system group of Cassandra hosts. Generated from CIS_Apache_Cassandra_4.0_Benchmark_v1.3.0.pdf. Requires cmd_enabled = true on the agent.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "89365011db9aa1bd7644efce83d93b38",
      "name": "1.2 — Ensure a supported version of Java is installed",
      "description": "A prerequisite to installing Cassandra is the installation of Java. The version of Java installed should be the most recent that is compatible with the organization's operational needs.",
      "rational": "Apache Cassandra 4.0 expects Java 8 (1.8) with experimental support for Java 11. Older versions miss security fixes; newer versions may not be supported by Cassandra.",
      "remediation": "1. Uninstall the old/unsupported version of Java, if present. 2. Download the latest compatible release of the Java JDK (1.8) or OpenJDK. 3. Follow the provided installation instructions to complete the installation.",
      "severity": "Medium",
      "filter": "any",
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "java -version 2>&1",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "1.8"
        },
        {
          "type": "condition",
          "element": "CMD",
          "input": "java -version 2>&1",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "11."
        }
      ],
      "applicability": []
    },
    {
      "external_id": "1db01b37ff0636a66a1e6f30bffe7dbc",
      "name": "1.3 — Ensure a supported version of Python is installed",
      "description": "A prerequisite to installing Cassandra is the installation of Python. The version of Python installed should be the most recent that is compatible with the organisation's operational needs.",
      "rational": "For using cqlsh, Python 3.6+ (or Python 2.7, deprecated) is required. An older or missing Python prevents cqlsh from running, and older versions miss security fixes.",
      "remediation": "1. Uninstall the old/unsupported version of Python, if present. 2. Download the latest compatible release of Python (3.6 or newer) from https://www.python.org/downloads/ 3. Follow the provided installation instructions.",
      "severity": "Medium",
      "filter": "any",
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "python3 --version 2>&1 || python --version 2>&1",
          "selement": "OUTPUT",
          "condition": "REGEX",
          "sinput": "Python (3\\.[6-9]|3\\.[1-9][0-9]|2\\.7)"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "3a74e92757bd1f4691791a652941bec7",
      "name": "1.4 — Ensure a supported version of Cassandra is installed",
      "description": "The Cassandra installation version, along with the patches, should be the most recent that is compatible with the organisation's operational needs.",
      "rational": "Older Cassandra versions miss security fixes; major version mismatches can also miss feature-level hardening (e.g. network authorizer in 4.x).",
      "remediation": "Upgrade to the latest version of Cassandra: for each node, drain memtables with `nodetool drain`, stop Cassandra services, install the new version, restart, and re-join the cluster.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "cassandra -v 2>&1",
          "selement": "OUTPUT",
          "condition": "REGEX",
          "sinput": "^4\\."
        }
      ],
      "applicability": []
    },
    {
      "external_id": "92d4d724188a6584cea485bd684050ee",
      "name": "4.1 — Ensure that logging is enabled",
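      "description": "Apache Cassandra uses Logback for logging. While `nodetool setlogginglevel` can change levels at runtime, changes are reverted to the level specified in logback.xml on next restart unless persisted there. The automated condition queries the running node with `nodetool getlogginglevels` and discards stderr, so when nodetool cannot run or reach the node the output may be empty rather than `OFF`; treat a pass on such a host as unverified.",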
      "rational": "Without logging, security-relevant events (authentication failures, schema changes, errors) leave no audit trail and cannot be investigated after the fact.",
      "remediation": "Edit logback-test.xml (or logback.xml if logback-test.xml is not present) to set ROOT to INFO or finer. Restart Cassandra so the configuration takes effect.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "nodetool getlogginglevels 2>/dev/null | grep -E '^ROOT' | awk '{print $NF}'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "OFF"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "d549caf0e5392dc1b5b5306e2d203a63",
      "name": "5.1 — Ensure inter-node encryption is enabled",
      "description": "Cassandra offers the option to encrypt data in transit between nodes on the cluster. By default, inter-node encryption is turned off.",
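      "rational": "Without inter-node encryption, replication traffic and gossip can be observed or tampered with on the network. Acceptable values are `all`, `dc`, or `rack`. The automated condition only rejects the literal value `none`; an empty result (for example, when the key is not found in any of the listed files) also differs from `none`, so confirm that the configured value is one of the three.",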
      "remediation": "Stop the database. In cassandra.yaml set `server_encryption_options.internode_encryption` to one of `all`, `dc`, or `rack`, configure keystore/truststore paths, then restart. See https://cassandra.apache.org/doc/latest/operating/security.html",
      "severity": "High",
      "filter": "all",
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hE '^[[:space:]]*internode_encryption:' /etc/cassandra/cassandra.yaml /etc/cassandra/conf/cassandra.yaml $CASSANDRA_HOME/conf/cassandra.yaml 2>/dev/null | awk -F: '{print $2}' | tr -d ' '",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "none"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "52220148a69ba96dabdeb0947154d905",
      "name": "5.2 — Ensure client encryption is enabled",
      "description": "Cassandra offers the option to encrypt data in transit between the client and nodes on the cluster. By default, client encryption is turned off.",
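      "rational": "Unencrypted client connections expose query payloads and authentication credentials to network observers. The CIS recommendation is `client_encryption_options.enabled: true` with `optional: false`. The automated condition checks only `enabled`, and only on the line immediately after `client_encryption_options:`; verify `optional: false` separately.",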
      "remediation": "Stop the database. In cassandra.yaml set `client_encryption_options.enabled: true` and `optional: false`, configure keystore paths, then restart.",
      "severity": "High",
      "filter": "all",
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hA1 '^[[:space:]]*client_encryption_options:' /etc/cassandra/cassandra.yaml /etc/cassandra/conf/cassandra.yaml $CASSANDRA_HOME/conf/cassandra.yaml 2>/dev/null | grep -E '^[[:space:]]*enabled:' | awk -F: '{print $2}' | tr -d ' '",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "true"
        }
      ],
      "applicability": []
    }
  ]
}
