Threat Finder

Threat ID
2789
Threat Date
08/01/2013
Threat Name
DFS superuser group
CVE Reference
CVE-NO-MATCH
CCE Reference
CCE-NO-MATCH
Risk
Informational
Database Type
Hadoop
Category
Misconfigurations
Versions
All versions of Hadoop
Summary
Hadoop allows the definition of a special 'superuser group': members of this group will be considered superusers. This setting should be authorized and audited by the system administrator.
Overview
Hadoop DFS has the concept of superuser: an account for which permissions never fail, allowed to perform any action. The superuser is the user with the same identity as name node process itself.

The administrator may also specify a distinguished group using a configuration parameter in hdfs-site.xml file. If set, members of this group are also superusers. Until Hadoop version 2.0, this configuration parameter is named "dfs.permissions.supergroup"; since v2.0, it is named "dfs.permissions.superusergroup".

This parameter accepts only one group name.
References
http://hadoop.apache.org/docs/stable/hdfs_permissions_guide.html
VMSKey
STIGID

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.

Powered by