https://community.dynatrace.com/t5/Open-Q-A/CIS-Hardening-Benchmark-that-is-applicable-in-Dynatrace-Cluster/m-p/20805#M21 <P>From the product security team's side I can say, that we haven't been looking into CIS hardening benchmarks as of now.</P><P><A rel="user" href="https://answers.dynatrace.com/users/5499/view.html" nodeid="5499">@Radoslaw S.</A>, do you know if someone from the Managed team has been looking into this?</P> Tue, 18 Aug 2020 09:56:08 GMT Michael_Plank 2020-08-18T09:56:08Z https://community.dynatrace.com/t5/Open-Q-A/CIS-Hardening-Benchmark-that-is-applicable-in-Dynatrace-Cluster/m-p/20804#M20 <P>For dynatrace node components like Cassandra and Nginx. Is it possible to apply CIS hardening benchmark on the said component., also is there any additional security components that configure during the installation. </P> Wed, 12 Aug 2020 09:40:15 GMT https://community.dynatrace.com/t5/Open-Q-A/CIS-Hardening-Benchmark-that-is-applicable-in-Dynatrace-Cluster/m-p/20804#M20 richard_tecson 2020-08-12T09:40:15Z https://community.dynatrace.com/t5/Open-Q-A/CIS-Hardening-Benchmark-that-is-applicable-in-Dynatrace-Cluster/m-p/20805#M21 <P>From the product security team's side I can say, that we haven't been looking into CIS hardening benchmarks as of now.</P><P><A rel="user" href="https://answers.dynatrace.com/users/5499/view.html" nodeid="5499">@Radoslaw S.</A>, do you know if someone from the Managed team has been looking into this?</P> Tue, 18 Aug 2020 09:56:08 GMT https://community.dynatrace.com/t5/Open-Q-A/CIS-Hardening-Benchmark-that-is-applicable-in-Dynatrace-Cluster/m-p/20805#M21 Michael_Plank 2020-08-18T09:56:08Z https://community.dynatrace.com/t5/Open-Q-A/CIS-Hardening-Benchmark-that-is-applicable-in-Dynatrace-Cluster/m-p/167581#M17366 <P>Hi, we're running our most secure environments on RHEL-based hardened OS with CIS benchmark level 1. This is achievable for any customer. We're pretty good out-of-the-box for Nginx. For Cassandra and Elasticsearch (similar as Cassandra) it needs some more explanation. Find some answers to common security requirements related to Cassandra below:</P><P>&nbsp;</P><P><STRONG>1. Ensure a separate user and group exist for Cassandra</STRONG><BR />All Cassandra configuration files are automatically put in place by the Dynatrace Managed installation scripts.<BR />Dynatrace managed creates a dedicated user "dynatrace" in group "dynatrace" that is used for Cassandra. The user dynatrace is non-privileged service user (no console) and is not used for anything other than Dynatrace Managed.<BR />While it is not solely for Cassandra, the usage is limited to Dynatrace Managed services, which form an integrated suite. Since we manage these services and dependencies between them, single user for Dynatrace Managed is necessary.<BR />&nbsp;<BR /><STRONG>2. Ensure that authentication is enabled for Cassandra databases</STRONG><BR />Dynatrace Managed Cassandra nodes don't have authentication and authorization enabled. Dynatrace Managed mitigates that risk by automatically putting IP table rules (firewall rules) in place, which make sure that only Dynatrace server nodes are able to access the Cassandra port on the Cassandra nodes. Cassandra is used only by Dynatrace Managed internally.<BR />Dynatrace is currently implementing a new storage system where authenticaion to databases is on the must have requirements list. This is a long term project though with no scheduled release date yet.<BR />&nbsp;<BR /><STRONG>3. Ensure that authorization is enabled for Cassandra databases&nbsp;</STRONG><BR />Same as (2)<BR />&nbsp;<BR /><STRONG>4. Ensure the Cassandra and superuser roles are separate</STRONG><BR />Same as (2)<BR />&nbsp;<BR /><STRONG>5. Ensure that the default password changed for the Cassandra role&nbsp;</STRONG><BR />Same as (2)<BR />&nbsp;<BR /><STRONG>6. Ensure there are no unnecessary roles or excessive privileges</STRONG><BR />Same as (2)<BR />&nbsp;<BR /><STRONG>7. Ensure that Cassandra is run using a non-privileged, dedicated service account</STRONG><BR />As explained in (1), we create a non-privileged service user for Dynatrace Managed that is used for Cassandra.<BR />&nbsp;<BR /><STRONG>8. Review User-Defined Roles</STRONG><BR />Same as (2)<BR />&nbsp;<BR /><STRONG>9. Review Superuser/Admin Roles</STRONG><BR />Same as (2)<BR />&nbsp;<BR /><STRONG>10. Ensure that auditing is enabled</STRONG><BR />Until version 4.0 is announced for Cassandra OpenSource.<BR />Dynatrace is scanning all third party components (including Cassandra) for vulnerabilities (CVEs) using its own AppSec solution.<BR />&nbsp;<BR /><STRONG>11. Inter-node Encryption</STRONG><BR />Dynatrace Managed Cassandra nodes don't have inter-node or client encryption enabled due to potential performance overhead. To mitigate the risk, the Dynatrace Managed server infrastructure needs to be hardened on the OS and network level by the customer, to ensure only authorized personnel can access cluster nodes. For cases where there is a risk of intercepting the traffic traffic between cluster nodes, we recommend external encryption means (IPSec tunnels or hardware encryption)<BR />&nbsp;<BR />12. Client Encryption<BR />We currently don't support client encryption for Cassandra. Dynatrace Managed nodes are intended to operate in secured, internal network. Communication with Cassandra is only within Dynatrace cluster. For cases where there is a risk of intercepting the traffic between cluster nodes, we recommend external encryption means (IPSec tunnels or hardware encryption)</P> Mon, 14 Jun 2021 10:04:24 GMT https://community.dynatrace.com/t5/Open-Q-A/CIS-Hardening-Benchmark-that-is-applicable-in-Dynatrace-Cluster/m-p/167581#M17366 Radoslaw_Szulgo 2021-06-14T10:04:24Z