Threat Finder

Threat ID
2784
Threat Date
06/27/2013
Threat Name
HDFS cluster administrators
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
Informational
Database Type
Hadoop
Category
Improper Access Controls
Versions
All versions of Hadoop
Summary
Property dfs.cluster.administrators defaine an ACL that defines users and groups that are granted HDFS cluster administration privileges. This list should be audited and maintained by the admin.
Overview
The Hadoop Distributed File System (HDFS) implements a permissions model for files and directories that shares much of the POSIX model. Parameter dfs.permissions in file hdfs-site.xml determines if permissions are enforced (true) or not (false). Even if permissions are not enforced, the setting of dfs.cluster.administrators should be audited in case the permissions are switched on.

Property dfs.cluster.administrators in file hdfs-site.xml define a list of accounts and groups that are HDFS cluster administrators. These users have administration privileges and should be audited by the system admin.

Default value is undefined, which means there are no special privileged accounts/groups for HDFS cluster.

Property value is formatted as an ACL: a list of accounts and a list of groups, separated by a space. The special character "*" can be used to indicate all users.
References
http://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.

Powered by