[ https://issues.apache.org/jira/browse/CASSANDRA-14465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16511439#comment-16511439 ]

Jason Brown commented on CASSANDRA-14465:
-----------------------------------------

I'm kind of in favor of [~eperott]'s option 3. Making it configurable 
(defaulting to off) offers the most flexibility with the least potential impact 
to performance.

> Consider logging prepared statements bound values in Audit Log
> --------------------------------------------------------------
>
>                 Key: CASSANDRA-14465
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14465
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Vinay Chella
>            Priority: Minor
>
> The goal of this ticket is to determine the best way to implement audit 
> logging of actual bound values from prepared statement execution. The current 
> default implementation does not log bound values.
> Here are the options I see:
>  1. Log bound values of prepared statements 
>  2. Let a custom implementation of IAuditLogger decide what to do
> *Context*:
>  Option #1: Works for teams which expect bind values to be logged in audit 
> log without any security or compliance concerns
>  Option #2: Allows teams to make the best choice for themselves
> Note that the efforts of securing C* clusters by certs, authentication, and 
> audit logging can go in vain when log rotation and log aggregation systems 
> are not equally secure enough since logging bind values allows someone to 
> replay the database events and expose sensitive data.
> [[email protected]] [~jasobrown]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
