We’re releasing an open-source tool you can use now, which we developed as a homemade Just-In-Time database access control tool for our sensitive database. This tool syncs with our directory service, slack, SIEM, and finally, our Apache Cassandra database.

Overview

Cassandra Access Control

By Aner Izraeli - Intezer Security Manager ([email protected])

We’re releasing an open-source tool you can use now, which we developed as a homemade Just-In-Time database access control tool for our sensitive database. This tool syncs with our directory service (Jumpcloud), slack, SIEM, and finally, our Apache Cassandra database.

You can read more in our security blog:

Prerequisits

  1. Create new key space (e.g - ttl_accounts) in your DB to host jit_accounts table for the ttl feature.

  2. Create a new table (jit_accounts) in ttl_accounts key space CREATE TABLE intezeraccounts(username text PRIMARY KEY , expirytimestamp timestamp, ttl int, permission text);

  3. It's recommended to create a dedicated service user to interacte with DB CREATE ROLE '<some_app_user>' WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = '<>'

  4. Assign IP & Username in config.yaml

  5. This service fetch credentials from AWS secrets. If you plan to use the same method, make sure to update region_name = "<your region>" in getTokens.py

  6. Assign AWS secret name in jumpcloud.py: jumpcloud_creds = get_secret("jc_credentials")

  7. If using jumpcloud, assign groupnumber in jumpcloud.py: JUMPCLOUD_USERGROUP_URI = 'https://console.jumpcloud.com/api/v2/usergroups/<groupnumber>/members'z

  8. Assign AWS secret name in main.py: cassandra_jit_rest_api = get_secret('cassandraJitApi')

  9. Generate SSL and assign its location in main.py: app.run(ssl_context=('/etc/ssl/file.crt', '/etc/ssl/file.key'))

Service components:

Jit-Service is a REST API web service with five main capabilities: Accepts (with validation & authentication) HTTP(s) requests from slack. Invoke jumpcloud API for user validation. Invoke Cassandra for role settings and password\token management Returns HTTP response with a one-time token to access the database. Logging. TTLING Service: Invoke jumpcloud API for user validation and provisioning. Revokes expired one-time tokens.

Both services are running in Kubernetes environment.

You might also like...
A Discord Server Cloner Which Can Clone Any Discord Server In Just Few Minutes
A Discord Server Cloner Which Can Clone Any Discord Server In Just Few Minutes

A Discord Server Cloner Which Can Clone Any Discord Server In Just Few Minutes.

This is a bot which you can use in telegram to spam without flooding and enjoy being in the leaderboard

Telegram-Count-spamming-Bot This is a bot which you can use in telegram to spam without flooding and enjoy being in the leaderboard You can avoid the

Bot developed in python, 100% open-source, compatible with Windows and Linux.
Bot developed in python, 100% open-source, compatible with Windows and Linux.

Bombcrypto Bot [Family JOW] Bot desenvolvido em python, 100% do código é aberto, para aqueles que tenham conhecimento validarem que não existe nenhum

Secret messaging app which you can use to communicate with your friends by encrypting / decrypting secret messages or sending secret message through mail.

Secret-Whisper A Secret messaging app which you can use to communicate with your friends by encrypting / decrypting secret messages 🤫 or sending secr

This bot  automaticaly access to giveaway ! You can won free NFT !
This bot automaticaly access to giveaway ! You can won free NFT !

This bot automaticaly access to giveaway ! You can won free NFT !

A slack bot that notifies you when a restaurant is available for orders
A slack bot that notifies you when a restaurant is available for orders

Slack Wolt Notifier A Slack bot that notifies you when a Wolt restaurant or venue is available for orders. How does it work? Slack supports bots that

TheTimeMachine - Weaponizing WaybackUrls for Recon, BugBounties , OSINT, Sensitive Endpoints and what not
TheTimeMachine - Weaponizing WaybackUrls for Recon, BugBounties , OSINT, Sensitive Endpoints and what not

The Time Machine - Weaponizing WaybackUrls for Recon, BugBounties , OSINT, Sensi

🤟The VC Music Source code of @DaisyXBot ❤️ v3 Out now
🤟The VC Music Source code of @DaisyXBot ❤️ v3 Out now

DAISYXMUSIC V3 🎵 A bot that can play music on telegram group's voice call Available on telegram as @DaisyXbot Whats new 🔥 Thumbnail Support Playlist

thumbor is an open-source photo thumbnail service by globo.com
thumbor is an open-source photo thumbnail service by globo.com

Survey If you use thumbor, please take 1 minute and answer this survey? It's only 2 questions and one is multiple choice!!! thumbor is a smart imaging

Owner
Intezer Labs
The only solution replicating the concepts of the biological immune system into cyber-security. Intezer provides enterprises with unparalleled threat detection.
Intezer Labs
And now, for the first time, you can send alerts via action from ArcSight ESM Console to the TheHive when Correlation Rules are triggered.

ArcSight Integration with TheHive And now, for the first time, you can send alerts via action from ArcSight ESM Console to the TheHive when Correlatio

Amir Hossein Zargaran 3 Jan 19, 2022
This is a very easy to use tool developed in python that will search for free courses from multiple sites including youtube and enroll in the ones in which it can.

Free-Course-Hunter-and-Enroller This is a very easy to use tool developed in python that will search for free courses from multiple sites including yo

Zain 12 Nov 12, 2022
google-resumable-media Apache-2google-resumable-media (🥉28 · ⭐ 27) - Utilities for Google Media Downloads and Resumable.. Apache-2

google-resumable-media Utilities for Google Media Downloads and Resumable Uploads See the docs for examples and usage. Experimental asyncio Support Wh

Google APIs 36 Nov 22, 2022
pyhakuna is a client to access the API of the time keeping service hakuna.ch.

pyhakuna pyhakuna is a client to access the API of the time keeping service hakuna.ch. The Hakuna API is – unfortunately – personal and currently does

Christian Mäder 1 Feb 15, 2022
The best (and now open source) Discord selfbot.

React Selfbot Yes, for real Why am I making this open source? Because can't stop calling my product a rat, tokenlogger and what else not. But there is

null 30 Nov 13, 2022
An Open-Source Discord bot created to provide basic functionality which should be in every discord guild. We use this same bot with additional configurations for our guilds.

A Discord bot completely written to be taken from the source and built according to your own custom needs. This bot supports some core features and is

Tesseract Coding 14 Jan 11, 2022
SpaceManJax's open-source Discord Bot. Now on Github!

SpaceManBot This is SpaceManJax's open-source Discord.py Bot. Now on Github! This bot runs on Repl.it, which is a free online code editor. It can do a

Jack 1 Nov 16, 2021
This automation protect against subdomain takeover on AWS env which also send alerts on slack.

AWS_Subdomain_Takeover_Detector Purpose The purpose of this automation is to detect misconfigured Route53 entries which are vulnerable to subdomain ta

Puneet Kumar Maurya 8 May 18, 2022
Nasdaq Cloud Data Service (NCDS) provides a modern and efficient method of delivery for realtime exchange data and other financial information. This repository provides an SDK for developing applications to access the NCDS.

Nasdaq Cloud Data Service (NCDS) Nasdaq Cloud Data Service (NCDS) provides a modern and efficient method of delivery for realtime exchange data and ot

Nasdaq 8 Dec 1, 2022