Ericsson · RhoderickGalero · Aug 30, 2018 · Aug 31, 2018 · Aug 31, 2018 · Aug 31, 2018
@@ -5,4 +5,5 @@ target/
 .idea
 *.iml
 dependency-reduced-pom.xml
+.idea/
 
@@ -1,7 +1,15 @@
 # Changes
 
+## Version 3.1.0 (unreleased)
+
+* Add Audit Prepare statements - #226
+
+## Version 3.0.0 (only flavor ecaudit_c4.1)
+
 ## Version 2.11.0
+
 * Use SnakeYaml's SafeConstructor to avoid CVE-2022-1471
+* Support escaping characters in log messages - #207
 
 ## Version 2.10.0
 * Build with Cassandra 4.0.7 (only flavor ecaudit_c4.0)

@@ -3,9 +3,6 @@ Copyright 2018-22 Telefonaktiebolaget LM Ericsson
 
 This product includes software developed at Ericsson (http://www.ericsson.com/).
 
-This software contains code derived form Apache Cassandra (http://cassandra.apache.org/)
-Licensed under the Apache License 2.0.
-
 This product also includes the following software:
 
 Chronicle-Queue (https://github.com/OpenHFT/Chronicle-Queue)

@@ -1,7 +1,7 @@
 # ecAudit
 
-[![tests](https://github.com/Ericsson/ecaudit/actions/workflows/test.yml/badge.svg?branch=release/c3.0)](https://github.com/Ericsson/ecaudit/actions/workflows/test.yml?query=branch%3Arelease/c3.0)
-[![coverage](https://codecov.io/gh/ericsson/ecaudit/branch/release/c3.0/graph/badge.svg)](https://codecov.io/gh/ericsson/ecaudit/branch/release/c3.0)
+[![tests](https://github.com/Ericsson/ecaudit/actions/workflows/test.yml/badge.svg?branch=release/c3.11)](https://github.com/Ericsson/ecaudit/actions/workflows/test.yml?query=branch%3Arelease/c3.11)
+[![coverage](https://codecov.io/gh/Ericsson/ecaudit/branch/release/c3.11/graph/badge.svg?token=f42z31Yqr3)](https://codecov.io/gh/Ericsson/ecaudit/branch/release%2Fc3.11)
 
 With ecAudit you get auditing and query logger functionality for Apache Cassandra 3.0 and 3.11.
 

@@ -0,0 +1,14 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest release version of ecaudit is supported by security updates.
+
+| Version         | Supported            |
+| --------------- | -------------------- |
+| Latest release  | :white_check_mark:   |
+| early release   | :x:                  |
+
+## Reporting a Vulnerability
+
+If you find a vulnerability in ecaudit, please report it as a security vulnerability on GitHub https://github.com/Ericsson/ecaudit/security/advisories/new
@@ -0,0 +1,60 @@
+#!/bin/bash
+#
+# Copyright 2019 Telefonaktiebolaget LM Ericsson
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+shopt -s extglob
+
+SCRIPT_PATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+CCM_CONFIG=${CCM_CONFIG_DIR:=~/.ccm}
+
+if [ ! -f ${CCM_CONFIG}/CURRENT ]; then
+ echo "Unable to find an active ccm cluster"
+ exit 2
+fi
+
+CCM_CLUSTER_NAME=`cat ${CCM_CONFIG}/CURRENT`
+echo "Enabling 4.0 Audit with Chronicle backend into ${CCM_CLUSTER_NAME}"
+
+CLUSTER_PATH=${CCM_CONFIG}/${CCM_CLUSTER_NAME}
+
+update_cache_times() {
+ sed -i "s/^$1_validity_in_ms:.*/$1_validity_in_ms: 10000/" $2
+ sed -i "/^$1_update_interval_in_ms/d" $2
+ sed -i "/^$1_validity_in_ms:.*/a\
+$1_update_interval_in_ms: 2000" $2
+}
+
+enable_audit() {
+ mkdir -p $2
+ sed -i '/^audit_logging_options/,/^[a-z]/{/^ /d}' $1
+ sed -i '/^audit_logging_options/a\  enabled: true' $1
+ sed -i '/^audit_logging_options/a\  logger: BinAuditLogger' $1
+ sed -i "/^audit_logging_options/a\  audit_logs_dir: $2" $1
+ sed -i '/^audit_logging_options/a\  roll_cycle: MINUTELY' $1
+ sed -i '/^audit_logging_options/a\  block: false' $1
+ sed -i '/^audit_logging_options/a\  max_log_size: 1073741824 # 1GB' $1
+}
+
+for NODE_PATH in ${CLUSTER_PATH}/node*;
+do
+ sed -i 's/^authenticator:.*/authenticator: PasswordAuthenticator/' ${NODE_PATH}/conf/cassandra.yaml
+ sed -i 's/^authorizer:.*/authorizer: CassandraAuthorizer/' ${NODE_PATH}/conf/cassandra.yaml
+ sed -i 's/^role_manager:.*/role_manager: CassandraRoleManager/' ${NODE_PATH}/conf/cassandra.yaml
+ update_cache_times roles ${NODE_PATH}/conf/cassandra.yaml
+ update_cache_times permissions ${NODE_PATH}/conf/cassandra.yaml
+ update_cache_times credentials ${NODE_PATH}/conf/cassandra.yaml
+ enable_audit ${NODE_PATH}/conf/cassandra.yaml ${NODE_PATH}/logs/audit
+done
@@ -48,5 +48,5 @@ do
  sed -i 's/^role_manager:.*/role_manager: CassandraRoleManager/' ${NODE_PATH}/conf/cassandra.yaml
  update_cache_times roles ${NODE_PATH}/conf/cassandra.yaml
  update_cache_times permissions ${NODE_PATH}/conf/cassandra.yaml
- #update_cache_times credentials ${NODE_PATH}/conf/cassandra.yaml
+ update_cache_times credentials ${NODE_PATH}/conf/cassandra.yaml
 done
@@ -0,0 +1,85 @@
+#!/bin/bash
+#
+# Copyright 2019 Telefonaktiebolaget LM Ericsson
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+shopt -s extglob
+
+SCRIPT_PATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+
+if [[ $# -ne 1 ]]; then
+ echo "Missing argument - specify path to cassandra 4.0 source dir"
+ echo " hint: ant realclean jar"
+ exit 2
+fi
+
+CASSANDRA_SOURCE=$1
+
+which ccm > /dev/null
+if [[ $? -ne 0 ]]; then
+ echo "ccm must be installed"
+ exit 3
+fi
+
+ccm status | grep -qs UP
+if [[ $? -eq 0 ]]; then
+ echo "ccm cluster already running"
+ exit 3
+fi
+
+ccm create -n 1 --install-dir=${CASSANDRA_SOURCE} 40audit
+if [[ $? -ne 0 ]]; then
+ echo "Failed to create ccm cluster '40audit'"
+ exit 3
+fi
+
+echo "Generating performance report into 40audit-performance.html"
+
+ccm start
+sleep 30
+${CASSANDRA_SOURCE}/tools/bin/cassandra-stress write n=3000000 -node 127.0.0.1 -port jmx=7100 -mode native cql3 user=cassandra password=cassandra -rate threads=10 -graph file=40audit-performance.html title=40Audit-Performance revision=vanilla
+ccm clear
+sleep 5
+
+${SCRIPT_PATH}/configure_ccm_cassandra_auth.sh
+ccm start
+sleep 30
+${CASSANDRA_SOURCE}/tools/bin/cassandra-stress write n=3000000 -node 127.0.0.1 -port jmx=7100 -mode native cql3 user=cassandra password=cassandra -rate threads=10 -graph file=40audit-performance.html title=40Audit-Performance revision=authentication-authorization
+ccm clear
+sleep 5
+
+${SCRIPT_PATH}/configure_ccm_40audit_chronicle.sh
+ccm start
+sleep 30
+ccm node1 nodetool "enableauditlog --excluded-users cassandra"
+${CASSANDRA_SOURCE}/tools/bin/cassandra-stress write n=3000000 -node 127.0.0.1 -port jmx=7100 -mode native cql3 user=cassandra password=cassandra -rate threads=10 -graph file=40audit-performance.html title=40Audit-Performance revision=authentication-authorization-audit-whitelist
+ccm clear
+sleep 5
+
+${SCRIPT_PATH}/configure_ccm_40audit_chronicle.sh
+ccm start
+sleep 30
+ccm node1 nodetool "enableauditlog --included-users cassandra"
+${CASSANDRA_SOURCE}/tools/bin/cassandra-stress write n=3000000 -node 127.0.0.1 -port jmx=7100 -mode native cql3 user=cassandra password=cassandra -rate threads=10 -graph file=40audit-performance.html title=40Audit-Performance revision=authentication-authorization-audit-chronicle
+ccm clear
+sleep 5
+
+#${SCRIPT_PATH}/configure_ccm_audit_slf4j.sh
+#ccm start
+#sleep 30
+#ccm node1 cqlsh -u cassandra -p cassandra -x "ALTER ROLE cassandra WITH OPTIONS = { 'REVOKE AUDIT WHITELIST FOR ALL': 'data' };"
+#${CASSANDRA_SOURCE}/tools/bin/cassandra-stress write n=3000000 -node 127.0.0.1 -port jmx=7100 -mode native cql3 user=cassandra password=cassandra -rate threads=10 -graph file=40audit-performance.html title=40Audit-Performance revision=authentication-authorization-audit-slf4j
+#ccm clear
+#sleep 5
@@ -105,7 +105,7 @@ tune_cassandra() {
   echo "JVM_EXTRA_OPTS=\"\$JVM_EXTRA_OPTS -Xms16G -Xmx16G -Xmn4G"\" >> ${CLUSTER_PATH}/cassandra.in.sh
   #echo "JVM_EXTRA_OPTS=\"\$JVM_EXTRA_OPTS -XX:+UnlockDiagnosticVMOptions -XX:ParGCCardsPerStrideChunk=4096"\" >> ${CLUSTER_PATH}/cassandra.in.sh
   echo "disk_access_mode: mmap_index_only" >> ${CLUSTER_PATH}/node1/conf/cassandra.yaml
-  sed -i 's/^memtable_allocation_type.*/memtable_allocation_type: heap_buffers/' ${CLUSTER_PATH}/node1/conf/cassandra.yaml
+  sed -i 's/^memtable_allocation_type.*/memtable_allocation_type: offheap_objects/' ${CLUSTER_PATH}/node1/conf/cassandra.yaml
   sed -i 's/^-XX:SurvivorRatio=.*/-XX:SurvivorRatio=2/' ${CLUSTER_PATH}/node1/conf/cassandra.yaml
 }
 

@@ -19,10 +19,10 @@
     <modelVersion>4.0.0</modelVersion>
     <parent>
         <groupId>com.ericsson.bss.cassandra.ecaudit</groupId>
-        <artifactId>parent_c3.0</artifactId>
-        <version>2.12.0-SNAPSHOT</version>
+        <artifactId>parent_c3.11</artifactId>
+        <version>3.1.0-SNAPSHOT</version>
     </parent>
-    <artifactId>common_c3.0</artifactId>
+    <artifactId>common_c3.11</artifactId>
     <packaging>jar</packaging>
 
     <name>Ericsson Cassandra Audit - Common</name>

@@ -149,3 +149,8 @@ whitelist_cache_update_interval_in_ms: 20000
 # Maximum number of entries in the whitelist cache
 # Default to 10 x the value of roles_cache_max_entries (specified in cassandra.yaml)
 whitelist_cache_max_entries: 10000
+
+# Whether to suppress the auditing of prepare statements
+# Default is to suppress the audit statements this is to match the previous versions which do not audit prepare statements
+
+suppress_prepare_statements: true
@@ -107,8 +107,8 @@ This may add as much as 20% overhead.
 
 This cassandra-stress chart illustrates typical performance impact of ecAudit:
 
-* [Throughput](https://rawgit.com/Ericsson/ecaudit/release/c3.0/doc/ecaudit-performance.html)
-* [Latency](https://rawgit.com/Ericsson/ecaudit/release/c3.0/doc/ecaudit-performance.html?metric=mean)
+* [Throughput](https://rawgit.com/Ericsson/ecaudit/master/doc/ecaudit-performance.html)
+* [Latency](https://rawgit.com/Ericsson/ecaudit/master/doc/ecaudit-performance.html?metric=mean)
 
 Refer to the guides of Logback settings, authentication caches and whitelist settings to get best possible performance.
 

@@ -8,7 +8,8 @@ Visit the [sertup guide](setup.md) for a detailed list of options.
 ## Deploy Plug-In Jar File
 
 Place the ecAudit jar file in your ```$CASSANDRA_HOME/lib/``` directory.
-Get the official releases from [Maven Central](https://search.maven.org/search?q=g:%22com.ericsson.bss.cassandra.ecaudit%22%20AND%20a:%22ecaudit_c3.0%22).
+Get the official releases from [Maven Central](https://search.maven.org/search?q=g:%22com.ericsson.bss.cassandra.ecaudit%22%20AND%20a:%22ecaudit_c3.11%22).
+
 
 ## Enable Plug-In
 

@@ -18,11 +18,12 @@ In the following sections you'll find examples on how to configure the SLF4J log
 
 To configure a custom log message format the following parameters can be configured in the ```audit.yaml``` file:
 
-| Parameter   | Description                                                       | Default |
-| ----------- | ----------------------------------------------------------------- | --------------- |
-| log_format  | Parameterized log message formatting string, see examples below  | the "legacy" format, see [README](../README.md) |
-| time_format | time formatter pattern, see examples below or [DateTimeFormatter](https://docs.oracle.com/javase/8/docs/api/java/time/format/DateTimeFormatter.html#patterns) | number of millis since EPOCH |
-| time_zone   | the time zone id, see examples below or [ZoneId](https://docs.oracle.com/javase/8/docs/api/java/time/ZoneId.html#of-java.lang.String-) | system default |
+| Parameter         | Description                                                                                                                                                            | Default                                         |
+|-------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------|
+| log_format        | Parameterized log message formatting string, see examples below                                                                                                        | the "legacy" format, see [README](../README.md) |
+| time_format       | time formatter pattern, see examples below or [DateTimeFormatter](https://docs.oracle.com/javase/8/docs/api/java/time/format/DateTimeFormatter.html#patterns)          | number of millis since EPOCH                    |
+| time_zone         | the time zone id, see examples below or [ZoneId](https://docs.oracle.com/javase/8/docs/api/java/time/ZoneId.html#of-java.lang.String-)                                 | system default                                  |
+| escape_characters | A comma separated list containing characters that should be escaped (using \\). The characters will be escaped in USER, SUBJECT, OPERATION and OPERATION_NAKED fields. | No escaping                                     |
 
 It is possible to configure a parameterized log message by providing a formatting string.
 The following fields are available:

@@ -19,10 +19,10 @@
     <modelVersion>4.0.0</modelVersion>
     <parent>
         <groupId>com.ericsson.bss.cassandra.ecaudit</groupId>
-        <artifactId>parent_c3.0</artifactId>
-        <version>2.12.0-SNAPSHOT</version>
+        <artifactId>parent_c3.11</artifactId>
+        <version>3.1.0-SNAPSHOT</version>
     </parent>
-    <artifactId>ecaudit_c3.0</artifactId>
+    <artifactId>ecaudit_c3.11</artifactId>
     <packaging>jar</packaging>
 
     <name>Ericsson Cassandra Audit - Plug-in</name>