Onboarding Databases to Sonar Reference Guide


Contents

Apache Cassandra Onboarding Steps . . . 3

Apache Cassandra Onboarding Steps


This topic reviews the steps required to audit activity on Apache Cassandra databases and send that information to DSF
Hub (Sonar) for auditing, analysis, and detecting and preventing security events.

Getting Started
This page contains information and helpful links to onboard this data source to Data Security Fabric (DSF) Hub. The
following main topics are included:

• A complete list of prerequisites and permissions that are required for onboarding data sources to DSF.
• Instructions on how to enable audit on the data source and collect data using DSF.
• DSF reference links and related information.
• Initial troubleshooting steps and technical support information.

Quick Links
These links are a quick way to reference DSF Hub information and detailed step-by-step instructions for onboarding
data sources. Please reference these links for additional assistance with any of the onboarding steps or DSF Hub
tasks.

• Data Security Coverage Tool: This link provides information on systems and version compatibility with Imperva DSF.
• Adding Assets via the Import Assets Page: Step-by-step instructions for adding data source assets via the Asset
Dashboard.
• Adding Assets via Unified Settings Console (USC): Step-by-step instructions for adding and editing data source
assets via the USC.
• Using DSF Open APIs: A guide to onboarding and managing assets via DSF Open APIs.
• Using the Data Security Fabric Portal: A high-level overview of the Data Security Fabric (DSF) portal and components.

Onboarding Steps
To ensure a smooth and successful deployment, it is necessary to complete each of these onboarding steps. Please
click on each of the steps below to display the content.

STEP 1: Gathering Permissions & Information

Onboarding a data source requires preparation, such as gathering permissions and collecting relevant information for
your deployment. Assistance may be necessary from a database administrator, network administrator, and an IT
administrator to successfully begin monitoring your data source.

Please ensure all of the following items are properly configured or available for use. The information and permissions
gathered in this step are required for the remaining onboarding steps.

Network Prerequisites

Below is an overview of the necessary steps which enable the Agentless Gateway to communicate with data sources
and other components across the network. Please ensure these steps are completed by a Network Administrator.

• Ensure the Cassandra database host's firewall allows outbound TCP traffic to the Agentless Gateway host IP.
• If the Cassandra host has SELinux enabled, open port 10550 following the SELinux documentation. To verify
that the port is open, run the command below and make sure it appears in the list:

sudo semanage port -l | grep syslogd_port_t

IT Prerequisites

Below is an overview of the necessary steps which will need to be completed on the Agentless Gateway host or the
data source. Please ensure these steps are completed by an IT Administrator.

• You have sudo privileges on the Cassandra host.
• If the Cassandra host has SELinux enabled, ensure that the rsyslog service is able to access the audit log files.
  • By default, rsyslog can read all of the log files contained within the /var/log/ directory. If the log files
  exist within a different directory, ensure the syslogd_t type can access the log files as well as any
  subdirectories leading up to them by following the SELinux documentation. The SELinux context of files and
  directories can be viewed by running the following command:

  ls -dZ /path/to/my/audit.log

STEP 2: Enabling Audit on the Data Source

Once the required permissions and information have been obtained, please complete the following steps to enable
audit on the data source.

Note:

For a Cassandra Cluster setup, repeat all the instructions in Step 2 on each node of the cluster.

Enabling Audit

As the "root" user, enter the following command to open the configuration file on the Cassandra host for editing:

sudo vi /etc/cassandra/default.conf/cassandra.yaml

Uncomment the parameters "authenticator" and "authorizer". Replace the default values of these parameters
(AllowAllAuthenticator and AllowAllAuthorizer) with the values shown below:

authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

Uncomment the "audit_logging_options" block and set the following parameters as shown below:

• enabled: true
• class_name: FileAuditLogger
• audit_logs_dir: the path to the audit log directory

audit_logging_options:
    enabled: true
    logger:
      - class_name: FileAuditLogger
    audit_logs_dir: "/var/log/cassandra/audit/logs"

The above configuration will audit all database events. To add specific auditing instructions, add any of the below
parameters in the audit_logging_options block:

• included_keyspaces
• excluded_keyspaces
• included_categories
• excluded_categories
• included_users
• excluded_users

For example, to only audit actions on a keyspace called "test_keyspace", the audit_logging_options section would
look like this:

audit_logging_options:
    enabled: true
    logger:
      - class_name: FileAuditLogger
    audit_logs_dir: "/var/log/cassandra/audit/logs"
    included_keyspaces: test_keyspace

Once finished, save the configuration changes and exit the file by entering the command :wq or ZZ.

Navigate to the /etc/cassandra/default.conf/logback.xml file on the Cassandra host, and add the following XML
block to it.

Note:

The "audit appender" block must have the same indentation as the other sections, and it must be placed before the
"root" block. See the example below.

  <appender name="AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>${cassandra.logdir}/audit/audit.log</file>
    <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
      <fileNamePattern>${cassandra.logdir}/audit/audit.log.%d{yyyy-MM-dd}.%i.zip</fileNamePattern>
      <maxFileSize>50MB</maxFileSize>
      <maxHistory>30</maxHistory>
      <totalSizeCap>5GB</totalSizeCap>
    </rollingPolicy>
    <encoder>
      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
    </encoder>
  </appender>

  <logger name="org.apache.cassandra.audit" additivity="false" level="INFO">
    <appender-ref ref="AUDIT"/>
  </logger>

Here is an example in which the "audit appender" block was added after the "STDOUT appender" and before the "root"
block:

  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
      <level>INFO</level>
    </filter>
    <encoder>
      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
    </encoder>
  </appender>

  <appender name="AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>${cassandra.logdir}/audit/audit.log</file>
    <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy">
      <fileNamePattern>${cassandra.logdir}/audit/audit.log.%d{yyyy-MM-dd}.%i.zip</fileNamePattern>
      <maxFileSize>50MB</maxFileSize>
      <maxHistory>30</maxHistory>
      <totalSizeCap>5GB</totalSizeCap>
    </rollingPolicy>
    <encoder>
      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
    </encoder>
  </appender>

  <logger name="org.apache.cassandra.audit" additivity="false" level="INFO">
    <appender-ref ref="AUDIT"/>
  </logger>

  <!-- Uncomment below and corresponding appender-ref to activate logback metrics
  <appender name="LogbackMetrics" class="com.codahale.metrics.logback.InstrumentedAppender" />
   -->

  <root level="INFO">
    <appender-ref ref="SYSTEMLOG" />
    <appender-ref ref="STDOUT" />
    <appender-ref ref="ASYNCDEBUGLOG" /> <!-- Comment this line to disable debug.log -->

Restart the Cassandra service:

sudo service cassandra stop
sudo service cassandra start

Data source events should now start populating in the audit log file. Use the command below to view the logs:

cat /var/log/cassandra/audit/audit.log

For more details on Audit Logging, see Cassandra Audit documentation.

Redirecting Cassandra Audit Logs to Agentless Gateway

Please complete the following steps to redirect the audit logs to the Agentless Gateway host via Rsyslog. As the root
user, create the file /etc/rsyslog.d/cassandra.conf with the content of the code block below and replace the
following two parameter values:

• target: the IP address of the Agentless Gateway host.
• file: the path to the audit log file.

module(load="imfile")
template(name="imfile_fwd_t" type="list") {
    constant(value="{ ")
    constant(value="\"Server Port\":\"9042\"")
    constant(value=" }")
    constant(value="PR3N0RM")
    property(name="rawmsg")
}
ruleset(name="imfile_to_gateway") {
    action(type="omfwd"
           keepalive="on"
           protocol="tcp"
           target="<agentless-gateway-ip>"   ### IP address of the Agentless Gateway host
           port="10550"                      ### the remote gateway port for Cassandra
           template="imfile_fwd_t")
    stop
}
input(type="imfile" file="/var/log/cassandra/audit/audit.log" tag="imfile" ruleset="imfile_to_gateway")
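To show what the gateway actually receives, here is an added Python example (not part of this guide or the Imperva product) that parses a constructed audit line written in the AUDIT appender's pattern, reproduces the wrapping the rsyslog template above applies, and flags the events a defender would want surfaced (failed logins and DDL/DCL changes). The "key:value|key:value" layout of FileAuditLogger records and the LOGIN_ERROR type name are assumptions about Cassandra's output, and all values in the sample line are made up.

```python
import json
import re

# Regex for the AUDIT appender pattern used in this guide:
# "%-5level [%thread] %date{ISO8601} %F:%L - %msg%n"
LOGBACK_RE = re.compile(
    r"^(?P<level>\w+)\s+\[(?P<thread>[^\]]+)\] (?P<date>\S+ \S+) "
    r"(?P<file>[^:\s]+):(?P<line>\d+) - (?P<msg>.*)$"
)
# Header and separator emitted by the rsyslog "imfile_fwd_t" template above.
GATEWAY_HEADER = '{ "Server Port":"9042" }'
GATEWAY_SEP = "PR3N0RM"

# Constructed sample line, shaped like FileAuditLogger output (assumption):
# key:value pairs joined by '|'; every value here is invented for the example.
SAMPLE = ('INFO  [Native-Transport-Requests-1] 2024-04-09 23:47:01,123 '
          'FileAuditLogger.java:51 - user:cassandra|host:10.0.0.5:7000|'
          'source:/10.0.0.9|port:51218|timestamp:1712706421123|type:LOGIN_ERROR|'
          'category:AUTH|operation:LOGIN FAILURE')


def parse_audit_line(line):
    """Split one logback-formatted audit line into a dict of audit fields."""
    m = LOGBACK_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("line does not match the AUDIT appender pattern")
    # 'operation' comes last and may itself contain '|', so cut it off first.
    head, sep, operation = m.group("msg").partition("|operation:")
    fields = dict(part.partition(":")[::2] for part in head.split("|"))
    if sep:
        fields["operation"] = operation
    fields["level"], fields["logged_at"] = m.group("level"), m.group("date")
    return fields


def wrap_for_gateway(raw_line):
    """Mimic the rsyslog template: JSON header, separator, then the raw message."""
    return GATEWAY_HEADER + GATEWAY_SEP + raw_line


def unwrap_gateway_message(wire):
    """Inverse of wrap_for_gateway: returns (header dict, raw audit line)."""
    header, sep, raw = wire.partition(GATEWAY_SEP)
    if not sep:
        raise ValueError("missing PR3N0RM separator")
    return json.loads(header), raw


def is_noteworthy(fields):
    """Failed logins and schema/permission changes deserve a closer look."""
    return fields.get("type") == "LOGIN_ERROR" or fields.get("category") in {"DDL", "DCL"}
```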

Run the following command to verify the correctness of the Rsyslog configuration file:


rsyslogd -N1

Restart the Rsyslog service:

sudo systemctl restart rsyslog


STEP 3: Collecting Audit Data

After completing the prerequisites and enabling audit, the data source is ready to be onboarded onto DSF. This can be
accomplished using ANY ONE of the methods listed below:

• Importing Assets via Unified Settings Console (USC)
• Importing Assets via Assets Dashboard
• Importing Assets via DSF Open APIs

Please use the Asset Specifications below as a guide to fill in the field values for this data source.

Cassandra Asset Specifications

Importing Assets via Unified Settings Console (USC)

The USC feature in the DSF Portal allows users to configure a full audit flow, including importing new data assets. To
access the USC, visit the DSF Portal and under Apps, click the Unified Settings Console link. To add a new data source
asset, please complete these steps:

1. From the DSF Portal, under Apps, click Unified Settings Console.
2. In the Appliances pane, select DSF Hub.
3. Click the Data Sources tab to open the Data Sources page.
4. Click "Add" to open the Add Data Source form.
5. In the Data Source Type section, select a data source via the dropdown menu.
6. Specific data source configuration sections will display: Details, Connections, and Monitoring. Configure the
mandatory configuration fields under Details and any optional configuration fields displayed under Advanced.
7. Under Connection, select an authentication method (Auth Mechanism) from the drop-down menu. The
mandatory fields for the selected Auth Mechanism are displayed; to see optional configuration fields available,
click Advanced.
8. Click "Save". The Add Data Source form closes and the Data Sources page opens.
9. Locate the asset you want to connect. Click on "Enable Audit Collection" to start collecting audit data.

For additional instructions on adding, viewing and editing Data Source assets, see Adding Assets via Unified Settings
Console (USC) documentation.

Importing Assets via Asset Dashboard

To import data source assets, please obtain the Asset Spreadsheet by completing these steps:

1. Log into the DSF Hub with your username and password.
2. In the DSF Hub homepage, under Apps, click Sync Spreadsheet. A new window opens; click Import Assets.
3. On the Import Assets page, go to the Assets Templates dropdown menu.
4. Select the template for the data source you want to import, and click Download.
5. Use the Asset Specification documentation as a guide to complete the asset-connection spreadsheet for this
data source.

6. On the Import Assets page, go to the section named Upload 'Assets and Connections to Import'
spreadsheet. Navigate to the asset-connection pair spreadsheet that you saved to your local computer and
click Open. Click Upload.
7. Click Validate All to validate the current configuration of the spreadsheet.
8. To complete the process of adding the asset-connection spreadsheet, click Run 'Import Assets'.
9. In the Asset Dashboard page, locate the asset that was imported. Click “Connect Gateway” on the database
asset to start collecting Audit data.

For more details, please visit Adding Assets via the Import Assets Page.

Note:

• Asset template name for Cassandra: APACHE_CASSANDRA_template.xlsx
• For a cluster setup, import separate assets for each node in the cluster.

Importing Assets via DSF Open APIs

Data Security Fabric (DSF) Open APIs provide functions for onboarding and managing assets (log aggregators, cloud
accounts, data sources, secret managers and other assets) via a RESTful API. For more information on the supported
sources and how to onboard, please see Using DSF Open APIs.

Troubleshooting
Should you encounter any unexpected issues or behaviors, you may check the status of the following services and
associated log files to help pinpoint the root cause. If additional assistance is needed at any time, technical support
staff is available to help users of all technical levels via support.imperva.com.

On the Agentless Gateway host(s), please review the following:

• Gateway log file: ${JSONAR_LOGDIR}/gateway/syslog/cassandra.log
• Run the following command to verify the status of the gateway service:

systemctl status -l sonarrsyslog

Need Help?
For assistance with any DSF Hub or related products, please contact Online Technical Support via https://
support.imperva.com/. A team of technical customer success representatives are ready to assist users of all skill
levels. Additional resources may also be found by searching the Documentation Portal at docs.imperva.com.

Document generated by Confluence on Apr 09, 2024 23:47
