
Ensure that Cassandra only listens for network connections on authorized interfaces

Details

When listen_address is blank and listen_interface is commented out, the listen address is set automatically by InetAddress.getLocalHost(). Provided the node is configured correctly (hostname, name resolution, etc.), this configures the node to use the address associated with its hostname. The listen_address must not be set to 0.0.0.0.

Rationale:

Setting the address or interface to bind to will tell other Cassandra nodes to which address or interface to connect. This must be changed from the default in order for multiple nodes to be able to communicate.

Solution

Set the listen_address or listen_interface, not both, in the cassandra.yaml to an authorized address or interface.

Default Value:
listen_address: localhost
listen_interface: eth0, but is commented out by default.
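
One way to audit this control, as an added example that is not part of the CIS benchmark text: the hypothetical function `audit_listen` reads a cassandra.yaml and checks the rules stated above (only one of the two keys set, no 0.0.0.0, value on an authorized list). The authorized list and the sample file are constructed; treating the blank case as a warning for manual review is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit listen_address / listen_interface in cassandra.yaml.
# Usage: audit_listen <cassandra.yaml> "<authorized values, space separated>"

# Print the value of an uncommented top-level key (empty if absent or blank).
yaml_value() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']$//"
}

# Returns 0 = pass, 1 = fail, 2 = nothing set (needs manual review).
audit_listen() {
    file=$1; authorized=$2
    addr=$(yaml_value listen_address "$file")
    iface=$(yaml_value listen_interface "$file")

    if [ -n "$addr" ] && [ -n "$iface" ]; then
        echo "FAIL: both listen_address and listen_interface are set"; return 1
    fi
    if [ "$addr" = "0.0.0.0" ]; then
        echo "FAIL: listen_address must not be 0.0.0.0"; return 1
    fi
    value=${addr:-$iface}
    if [ -z "$value" ]; then
        # Cassandra falls back to InetAddress.getLocalHost() in this case.
        echo "WARN: neither key is set; address depends on hostname resolution"
        return 2
    fi
    for ok in $authorized; do
        if [ "$value" = "$ok" ]; then
            echo "PASS: $value is authorized"; return 0
        fi
    done
    echo "FAIL: $value is not in the authorized list"; return 1
}

# Constructed sample config (not from a real node) and a demo run.
sample=$(mktemp)
printf 'cluster_name: demo\nlisten_address: 10.0.0.5\n# listen_interface: eth0\n' > "$sample"
audit_listen "$sample" "10.0.0.5 eth1" || true
rm -f "$sample"
```

With the default `listen_address: localhost`, the check fails unless `localhost` is deliberately placed on the authorized list.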

References:
http://cassandra.apache.org/doc/3.11/configuration/cassandra_config_file.html#listen-address
http://cassandra.apache.org/doc/3.11/configuration/cassandra_config_file.html#listen-interface

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Unix.


Updated on July 16, 2022