3.5 Ensure that Cassandra only listens for network connections on authorized interfaces

Information

When listen_address is blank and listen_interface is commented out, this will be set automatically by InetAddress.getLocalHost(). Presuming the node is configured correctly, e.g. hostname, name resolution, etc., this will configure the node to use the address associated with the hostname. The listen_address must not be set to 0.0.0.0.

Rationale:
Setting the address or interface to bind to will tell other Cassandra nodes to which address or interface to connect. This must be changed from the default in order for multiple nodes to be able to communicate.

Solution

Set the listen_address or listen_interface, not both, in the cassandra.yaml to an authorized address or interface.

Default Value:
listen_address: localhost
listen_interface: eth0, but is commented out by default.

References:
http://cassandra.apache.org/doc/3.11/configuration/cassandra_config_file.html#listen-address
http://cassandra.apache.org/doc/3.11/configuration/cassandra_config_file.html#listen-interface

See Also

https://workbench.cisecurity.org/files/2309

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv7|9.2

Plugin: Unix

Control ID: a92d12dd6fb005473d5f302af1f4ed47f8515bda686e7f5b4f4c8e0d4b938b4e