17:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"Redis Enterprise 6.x Security Technical Implementation Guide"}],false,["$","$L21",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","2","R","2"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Sep 4, 2024"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"Redis_Enterprise_6-x_STIG","children":"Redis_Enterprise_6-x_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":71}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",11]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",58]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",2]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Redis%20Enterprise%206.x%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Redis%20Enterprise%206.x%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Redis%20Enterprise%206.x%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Redis_Enterprise_6-x_V2R2_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-link/10 text-link hover:bg-link/20 border-link/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L22",null,{"checks":[{"id":"958b14ec-3647-4972-a050-b186caa92276","vulnId":"V-251183","severity":"low","ruleTitle":"Redis Enterprise DBMS must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.","description":"$23","checkContent":"Redis sets this limit by default at 10k clients per shard. It reserves 32 for descriptors for internal use. The organization can set a limit based on its needs during the configuration. When the set limit is reached, Redis will deny all new incoming connections and inform senders \"max number of clients reached\".\n\nTo check for maximum connections, run the following command:\nrladmin info db db: \n\nwhere db:1 would be:\nrladmin info db db:1 \n\nSearch in the output for max_connections. If the max connections are greater than the organizationally defined value, this is a finding.\n\nNote: Redis Enterprise 6 does support multiple users; however, it does not support the ability to limit connections per user. If using Redis Cluster, the max number of connections remains 10k; however, each node will use two connections (incoming/outgoing).","fixText":"To modify the number of maximum sessions, run the following command:\n\nrladmin tune db max_connections \ne.g., - rladmin tune db inline-jp-staging max_connections 15000"},{"id":"7cad5390-de05-41f3-9190-3b94d744ade7","vulnId":"V-251184","severity":"high","ruleTitle":"Redis Enterprise DBMS must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.","description":"$24","checkContent":"Redis Enterprise supports LDAP for access to the Redis Enterprise web UI. If all accounts are authenticated by the organization-level authentication/access mechanism and not by the DBMS, this is not a finding. LDAP can be checked by examining the process used during user login on the Redis web UI.\n\nIf any accounts are managed by Redis Enterprise, review the system documentation for justification and approval of these accounts. Compare the documented accounts with those found on the system.\n\nIf any Redis Enterprise-managed accounts exist that are not documented and approved, this is a finding.","fixText":"$25"},{"id":"45ccc898-1058-4a23-8594-836bdd9f241a","vulnId":"V-251185","severity":"high","ruleTitle":"Redis Enterprise DBMS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","description":"$26","checkContent":"Review the system documentation to determine if accounts have been set with appropriate, organizationally defined role-based permissions. Compare these settings with the settings on the actual DB.\n\nTo find the database id, run the command:\nrladmin status extra all.\n\n1. Log in to Redis Enterprise.\n2. Navigate to the access controls tab.\n3. Verify that each user is assigned an appropriate role.\n\nIf a user is not assigned an appropriate role, this is a finding. \n\nIf the appropriate role is not assigned to a user, or the roles and permission settings are not documented, this is a finding.","fixText":"To modify the commands or keys a user is able to access, perform the following steps:\n\n1. Log in to Redis Enterprise.\n2. Navigate to the access controls tab.\n3. Ensure the appropriate role is configured by inspecting the Redis ACL rules and Roles in the Redis ACL and Role sub-tabs.\n4. If an appropriate role is not present, create the appropriate role.\n5. On the users tab, assign the appropriate role to the user in question."},{"id":"a89278e6-9c4b-432c-af68-4bd7ff64b8be","vulnId":"V-251186","severity":"medium","ruleTitle":"Redis Enterprise DBMS must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.","description":"$27","checkContent":"Redis Enterprise discretionary access control is configured through the use of individual roles. Verify that enforcement of role-based access control (RBAC) is implemented.\n\nReview the system documentation to determine if accounts have been set with appropriate, organizationally defined Discretionary Access Control permissions. Compare these settings with the settings on the actual DB.\n\n1. Log in to Redis Enterprise.\n2. Navigate to the access controls tab.\n3. Verify that each user is assigned a role. If a user is not assigned an appropriate role, this is a finding.\n\nIf the appropriate access is not assigned to a user, or the access and permission settings are not documented, this is a finding.","fixText":"To assign a user to a role:\n1. Log in to Redis Enterprise as an admin user.\n2. Navigate to the access controls tab.\n3. Ensure that each user is assigned a role according to organizationally defined policy.\n\nTo configure a Redis ACL rule that can be assigned to a user role:\n1. Navigate to access control >> redis acls.\n2. Edit an existing Redis ACL by hovering over a Redis ACL and clicking \"Edit\".\n3. Create a new Redis ACL by clicking \"Add\".\n4. Enter a descriptive name for the Redis ACL. This will be used to reference the ACL rule to the role.\n5. Define the ACL rule.\n6. Click \"Save\".\n\nFor more information: \nhttps://docs.redislabs.com/latest/rs/security/passwords-users-roles/"},{"id":"c4fb5951-697d-4679-8181-9f22bd84b08e","vulnId":"V-251187","severity":"medium","ruleTitle":"Redis Enterprise DBMS must enforce access control lists, as defined by the data owner, over defined subjects and objects.","description":"$28","checkContent":"Review the system documentation to determine what organizationally defined Access Control permissions should be in place. Compare these settings with the settings on the actual DB.\n\n1. Log in to Redis Enterprise.\n2. Navigate to the access controls tab >> redis acls\n3. Review ACLs for appropriate rules. If ACL rules are not defined as appropriate in system documentation, this is a finding.\n4. Review roles.\n5. Verify that each role is assigned an appropriate ACL. If a role is not assigned an appropriate ACL, this is a finding.\n6. Review users.\n7. Verify that each user is assigned a role. If a user is not assigned an appropriate role, this is a finding.\n\nIf any user accounts implicitly gain “Full Access” through the user/role/ACL relationship and are not authorized, this is a finding.","fixText":"To configure a Redis ACL rule that can be assigned to a user role:\n1. Navigate to access control >> redis acls.\n2. Edit an existing Redis ACL by hovering over a Redis ACL and clicking \"Edit\".\n3. Create a new Redis ACL by clicking \"Add\".\n4. Enter a descriptive name for the Redis ACL. This will be used to reference the ACL rule to the role.\n5. Define the ACL rule.\n6. Click \"Save\".\n\nAssign ACLs to roles and roles to users as appropriate.\n\nFor more information: \nhttps://docs.redislabs.com/latest/rs/security/passwords-users-roles/"},{"id":"97fd1bce-bf6d-4484-b202-1614d6d753af","vulnId":"V-251188","severity":"medium","ruleTitle":"Redis Enterprise DBMS must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","description":"$29","checkContent":"To verify this, perform the following steps:\n1. Log in to the Redis Enterprise control plane.\n2. Navigate to the access control tab.\n3. Navigate to the users tab and review the roles for users.\n4. For users without the need to modify the database, verify they are given a viewer or none for cluster management in the roles tab.\n5. For users with access to databases, verify they are given the default role \"Not Dangerous\" or a more restrictive role that does not allow access to the dangerous command category.\n\nIf a non-privileged user is granted a non-default role, this is a finding.","fixText":"To ensure that a non-privileged user is not granted a non-default role, perform the following steps:\n1. Log in to the Redis Enterprise control plane.\n2. Navigate to the access control tab.\n3. Navigate to the users tab and review the roles for users.\n4. Assign users an appropriate role, and if necessary, create a new role for the user.\n5. Modify and save the users' new role after ensuring the role is provided with the appropriate permissions."},{"id":"0b523391-6c8b-4daa-ba1c-e282e01952c5","vulnId":"V-251189","severity":"medium","ruleTitle":"Execution of software modules (to include stored procedures, functions, and triggers) with elevated privileges must be restricted to necessary cases only.","description":"$2a","checkContent":"To verify that each database is not using these modules, perform the following steps:\n1. Log in to the Redis Enterprise control plane.\n2. Navigate to the databases tab.\n3. Inspect each database for Redis modules within the database application. If the databases display \"None\" next to the Redis Modules field, no modules are installed.\n\nIf a module is present and a necessary use case is not documented, this is a finding.","fixText":"To remove a module from the Redis Enterprise Software:\n1. Log in to the adminUI as an administrator.\n2. Navigate to the \"settings\" tab.\n3. Under \"redis modules\" to the far-right of each individual module, click the trashcan icon to remove the associated module.\n\nTo remove a module from an existing database, the database needs to be recreated without the authorized modules and migrate all applications and data to the new database. Once a module is installed within a database, removal is not supported."},{"id":"70731297-45ba-4391-b05b-83faa41020dd","vulnId":"V-251190","severity":"medium","ruleTitle":"Redis Enterprise DBMS must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components.","description":"$2b","checkContent":"$2c","fixText":"$2d"},{"id":"50a3f9f0-8273-481d-a745-1dacda30be9f","vulnId":"V-251191","severity":"medium","ruleTitle":"Redis Enterprise DBMS must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.","description":"Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent or interfere with the auditing of critical events.\n\nSuppression of auditing could permit an adversary to evade detection.\n\nMisconfigured audits can degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"Auditing alerts can be selected on Redis Enterprise. With the RBAC settings, by default, only the Admin group can configure these events in the database. Additional roles with admin privileges can also be configured.\n\nTo view which roles have admin level privileges:\n1. Log in to Redis Enterprise.\n2. Navigate to the Access control tab and review the users listed therein.\n\nTo view which alerts are configured:\n1. Log in to Redis Enterprise.\n2. Navigate to the Databases tab.\n3. Select any database to view and select the configuration tab.\n4. Scroll down to determine which Alerts are selected to be emailed to the appropriate audiences (if any).\n\nIf designated personnel are not able to configure auditable events, this is a finding.","fixText":"Configure the DBMS's settings to allow designated personnel to select which auditable events are audited. This can be done on Redis Enterprise with ACLs and RBAC.\n\nTo configure RBAC:\n1. Log in to the Redis Control Plane as an admin user.\n2. Navigate to the access control tab.\n3. Provide the appropriate permissions and privileges as defined by the organization."},{"id":"582fe0ba-fac1-45ef-814a-0765fbb24193","vulnId":"V-251192","severity":"medium","ruleTitle":"Redis Enterprise DBMS must generate audit records for all direct access to the database(s).","description":"In this context, direct access is any query, command, or call to the DBMS that comes from any source other than the application(s) that it supports. Examples would be the command line or a database management utility program. The intent is to capture all activity from administrative and non-standard sources.","checkContent":"All local access to the server is handled by the underlying RHEL OS server that hosts the Redis Enterprise DBMS and is viewable in syslog. Additionally, RHEL can be configured to audit direct access to Redis Enterprise by modifying the rule set in /etc/audit/audit.rules to include the redis-cli and rladmin command found in /opt/redislabs/bin. \n\nTo determine if the OS is auditing direct and privileged access/execution of the database and database configuration options on the server:\ncat to /etc/audit/audit.rules \n\nExamine the audit rules defined for rules that specify that command calls for /opt/redislabs/bin/redis-cli and /opt/redislabs/bin/rladmin are audited, if not present, this is a finding.","fixText":"Configure the host RHEL OS to generate audit records whenever a user calls the redis-cli command. This can be done by adding a rule to the /etc/audit/audit.rules to generate records when /opt/redislabs/bin/redis-cli and /opt/redislabs/bin/rladmin is called.\n\nExample Linux commands:\n-a always,exit -F path=/opt/redislabs/bin/redis-cli -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n-a always,exit -F path=/opt/redislabs/bin/rladmin -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change\n\nThe audit daemon must be restarted for the changes to take effect."},{"id":"67fbee9a-e977-4c68-ae58-c8a78a387176","vulnId":"V-251195","severity":"medium","ruleTitle":"Redis Enterprise DBMS must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.","description":"$2e","checkContent":"Review organization documentation to determine the organization-defined audit record storage requirements. By default, Redis Enterprise will use whatever disk space is allocated for audit logs. It is the responsibility of the organization to ensure that the RHEL OS server hosting the service has been allocated enough storage space to avoid running out of log space.\n\nInterview the system administrator and review audit log configuration and alerts to investigate whether there have been any incidents where the Redis Enterprise server ran out of audit log space since the last time the space was allocated, or other corrective measures were taken. \n\nIf such incidents have occurred, this is a finding.\n\nReview the Redis Enterprise control pane as an admin user. \n\nIf alerts are present indicating that storage is full or is at 95 percent full, this is a finding.","fixText":"Ensure that the server is configured with enough storage space to accommodate database and audit record storage. The right amount of storage will be dependent on a variety of factors such as: number of databases, database size, HA enabled, persistence enabled, etc.\n\nAt no time should storage be more than 95 percent full.\n\nSee the following documents for hardware requirements:\nhttps://docs.redislabs.com/latest/rs/administering/designing-production/hardware-requirements/\nand\nhttps://docs.redislabs.com/latest/rs/installing-upgrading/file-locations/"},{"id":"0dc64983-448a-4d26-b187-a3a4f062ae20","vulnId":"V-251196","severity":"medium","ruleTitle":"Redis Enterprise DBMS must offload audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility, and weekly or more often for stand-alone systems.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOffloading is a common process in information systems with limited audit storage capacity. \n\nThe DBMS may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with offloading the records to the centralized system.\n\nFor more information, refer to: \nhttps://docs.redislabs.com/latest/rs/administering/logging/rsyslog-logging/\nand\nhttps://redislabs.com/blog/sending-redis-cluster-alerts-to-slack-with-syslog/","checkContent":"$2f","fixText":"$30"},{"id":"f4f02d61-5665-4119-ad93-2dcd7ed89d6b","vulnId":"V-251197","severity":"medium","ruleTitle":"Redis Enterprise DBMS must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity.","description":"Organizations are required to use a central log management system, so under normal conditions, the audit space allocated to the DBMS on its own server will not be an issue. However, space will still be required on the DBMS server for audit records in transit, and, under abnormal conditions, this could fill up. Since a requirement exists to halt processing upon audit failure, a service outage would result.\n\nIf support personnel are not notified immediately upon storage volume utilization reaching 75 percent, they are unable to plan for storage capacity expansion. \n\nThe appropriate support staff include, at a minimum, the ISSO and the DBA/SA.","checkContent":"$31","fixText":"$32"},{"id":"c5edff2e-e188-44bf-8419-a0648fc7fee9","vulnId":"V-251198","severity":"medium","ruleTitle":"Redis Enterprise DBMS must provide an immediate real-time alert to appropriate support staff of all audit log failures.","description":"$33","checkContent":"Review the OS or third-party logging software settings to determine whether a real-time alert will be sent to the appropriate personnel when auditing fails for any reason.\n\nIf real-time alerts are not sent upon auditing failure, this is a finding.","fixText":"Configure the system to provide an immediate real-time alert to appropriate support staff when an audit log failure occurs.\n\nIt is possible to create scripts or implement third-party tools to enable real-time alerting for audit log failures, depending on the underlying OS.\n\nAdditionally, it is recommended to enable the following alerts from within the Redis Enterprise AdminUI Console:\n\n1. Log in to the AdminUI.\n2. Navigate to settings >> alerts.\n- Receive email alerts (with the appropriate email server settings configured under settings >> general)\n- Node has sufficient disk space for AOF rewrite\n- Multiple nodes are down - this may cause data loss"},{"id":"905cea25-185f-4fa7-a2e9-db4cd2f62883","vulnId":"V-251199","severity":"medium","ruleTitle":"Redis Enterprise DBMS must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.","description":"$34","checkContent":"If the application owner has determined that the need for system availability outweighs the need for a complete audit trail, this is not applicable. \n\nOtherwise, review the procedures, manual and/or automated, for monitoring the space used by audit trail(s) and for offloading audit records to a centralized log management system.\n\nIf the procedures do not exist, this is a finding.\n\nIf the procedures exist, request evidence that they are followed. If the evidence indicates that the procedures are not followed, this is a finding.\n\nIf the procedures exist, inquire if the system has ever run out of audit trail space in the last two years or since the last system upgrade, whichever is more recent. If it has run out of space in this period, and the procedures have not been updated to compensate, this is a finding.","fixText":"Modify DBMS, OS, or third-party logging application settings to alert appropriate personnel when a specific percentage of log storage capacity is reached."},{"id":"af4ce72a-68ad-4b8d-8c1c-895cc9b026b4","vulnId":"V-251200","severity":"medium","ruleTitle":"Redis Enterprise DBMS must be configurable to overwrite audit log records, oldest first (First-In-First-Out [FIFO]), in the event of unavailability of space for more audit log records.","description":"$35","checkContent":"Redis Enterprise uses the default logrotate daemon to schedule rotation of logs stored on the operating system. The configuration of log rotation may be found at /etc/logrotate.d.\n\nBy default, the log rotation should occur on a daily basis. Redis Labs recommends sending log files to a remote logging server so that they can be more effectively maintained.\n\nTo check the log rotation policy, perform the following steps:\n1. sudo cat /etc/logrotate.conf (The location of the log rotation configuration may vary depending on operating system distribution.)\n2. Investigate the log rotation policy to verify that the appropriate policy is applied for all logs.\n\nCheck to verify that log rotation is not disabled and is appropriate for the application by investigating the logrotated configuration. If log rotation is not enabled or is not configured appropriately, this is a finding.","fixText":"Redis Enterprise uses the default logrotate daemon to schedule rotation of logs stored on the operating system. The configuration of log rotation may be found at /etc/logrotate.d.\n\nBy default, the log rotation should occur on a daily basis. Redis Labs recommends sending log files to a remote logging server so that they can be more effectively maintained.\n\nTo modify the log rotation policy perform the following steps:\n1. sudo vi /etc/logrotate.conf (The location of the log rotation configuration may vary depending on operating system distribution.)\n2. Modify the log rotation configuration to meet the needs of the application."},{"id":"5e430bb5-e3cf-4b15-a264-68b6e9c606fb","vulnId":"V-251201","severity":"medium","ruleTitle":"Redis Enterprise DBMS must record time stamps, in audit records and application data, that can be mapped to Coordinated Universal Time (UTC, formerly GMT).","description":"If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.\n\nTime stamps generated by the DBMS must include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. \n\nSome DBMS products offer a data type called TIMESTAMP that is not a representation of date and time. Rather, it is a database state counter and does not correspond to calendar and clock time. This requirement does not refer to that meaning of TIMESTAMP.\n\nRedis Enterprise application components allow the setting of a UTC timestamp associated with the logs of the database.","checkContent":"To check the timestamp, perform the following steps:\n1. Log in to the Redis Enterprise Control Plane.\n2. Navigate to the settings tab.\n3. Navigate to the general tab of the settings tab.\n4. On screen find the Time zone setting.\n5. Verify that the time zone is mapped to UTC.\n\nIf the time zone isn't mapped to UTC, this is a finding.","fixText":"To resolve an issue with the timestamps, perform the following steps:\n1. Log in to the Redis Enterprise Control Plane.\n2. Navigate to the settings tab.\n3. Navigate to the general tab of the settings tab.\n4. On screen find the Time zone setting.\n5. Ensure that the time zone is mapped to UTC.\n6. Click \"Save\"."},{"id":"6ffcf45e-5ad9-4322-a103-b698cbf40f8a","vulnId":"V-251202","severity":"medium","ruleTitle":"The audit information produced by Redis Enterprise DBMS must be protected from unauthorized read access.","description":"$36","checkContent":"To investigate the log files used by Redis Enterprise, perform the following steps:\n1. SSH into the server running Redis Enterprise.\n2. Issue the command cd /var/opt/redislabs/log\n3. Issue the command ls -ltr ./\n\nInvestigate the permissions on these files. These permissions should be 640 or 660 and assigned to the installation user and group or another appropriate group. If the permissions are readable by other or assigned an inappropriate owner/group, this is a finding.\n\nRedis Enterprise does not support the ability to perform transaction logging.","fixText":"To investigate the log files used by Redis Enterprise, perform the following steps:\n1. SSH into the server running Redis Enterprise.\n2. Issue the command chmod 640 /var/opt/redislabs/log/* to change permissions of log files that are not appropriately assigned permissions.\n3. Issue the command chown owner:group -R /var/opt/redislabs/log/ if the ownership is not correct where the owner and group are substituted for the appropriate owner and group."},{"id":"675878cd-ff29-4da5-a9d9-3cb91ebe3c80","vulnId":"V-251203","severity":"medium","ruleTitle":"The audit information produced by Redis Enterprise DBMS must be protected from unauthorized modification.","description":"$37","checkContent":"To investigate the log files used by Redis Enterprise, perform the following steps:\n1. SSH into the server running Redis Enterprise.\n2. Issue the command cd /var/opt/redislabs/log\n3. Issue the command ls -ltr ./\n\nInvestigate the permissions on these files. These permissions should be 640 or 660 and assigned to the installation user and group or another appropriate group. If the permissions are readable by other or assigned an inappropriate owner/group, this is a finding.\n\nRedis Enterprise does not support the ability to perform transaction logging.","fixText":"To investigate the log files used by Redis Enterprise, perform the following steps:\n1. SSH into the server running Redis Enterprise.\n2. Issue the command chmod 640 /var/opt/redislabs/log/* to change permissions of log files that are not appropriately assigned permissions.\n3. Issue the command chown owner:group -R /var/opt/redislabs/log/ if the ownership is not correct where the owner and group are substituted for the appropriate owner and group."},{"id":"686ca8f0-1559-4df3-acd7-5f6cad1872ec","vulnId":"V-251204","severity":"medium","ruleTitle":"The audit information produced by Redis Enterprise DBMS must be protected from unauthorized deletion.","description":"$38","checkContent":"$39","fixText":"To investigate the log files used by Redis Enterprise, perform the following steps:\n1. SSH into the server running Redis Enterprise.\n2. Issue the command chmod 640 /var/opt/redislabs/log/* to change permissions of log files that are not appropriately assigned permissions.\n3. Issue the command chown owner:group -R /var/opt/redislabs/log/ if the ownership is not correct where the owner and group are substituted for the appropriate owner and group.\n\nRedis Enterprise provides configurable role-based access control inherently within the product. To ensure that users are provided the appropriate permissions that they are authorized to use, check each user's assigned roles.\n1. Log in to Redis Enterprise.\n2. Navigate to the access controls tab.\n3. Navigate to the users tab.\n4. Ensure that each user is given a role appropriate for their authorization level."},{"id":"1620ea04-6c95-457a-87fe-67a51b9884b6","vulnId":"V-251205","severity":"medium","ruleTitle":"Redis Enterprise DBMS must protect its audit features from unauthorized access.","description":"$3a","checkContent":"For validating privilege on the OS, verify user ownership, group ownership, and permissions on the Redis audit directory.\n\nFrom Linux command line as root:\n> ls - ald /var/opt/redislabs/log/ (or whatever the organizationally defined location for Redis logs)\n\nIf the User owner is not a defined admin, this is a finding.\n\nIf the Group owner is not a defined admin group, this is a finding.\n\nIf the directory is more permissive than 700, this is a finding.\n\nFor validating privileges on the control plane, verify Redis Admin users listed on the control plane against documented approved admin users. If any users have unauthorized admin privileges, this is a finding.","fixText":"Apply or modify access controls and permissions (in the file system/operating system) to tools used to view or modify audit log data. Tools must be accessible by authorized personnel only.\n\n/var/opt/redislabs/log/ (or whatever the organizationally defined location for Redis logs) should have an appropriate and documented admin user and group owner, and the directory should not have permissions more than 700. \n\nTo update these permissions, run the following commands:\nchown redislabs:redislabs /var/opt/redislabs/log\nchmod 700 /var/opt/redislabs/log"},{"id":"e9db0732-d977-42fb-8c6a-e2e3b5738bbb","vulnId":"V-251206","severity":"medium","ruleTitle":"Redis Enterprise DBMS must protect its audit configuration from unauthorized modification.","description":"Redis Enterprise does not come with unique tools to view log data and logging is not configurable. Logs are stored in a standard log file on the host operating system that is accessible using standard Linux tooling. Only users in the admin role can view or modify privileged settings in the Redis Enterprise UI.\n\nProtecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the modification of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"For validating privilege on the OS, verify user ownership, group ownership, and permissions on the redis audit directory. \n\nFrom Linux command line as root:\n> ls - ald /var/opt/redislabs/log/ (or whatever the organizationally defined location for Redis logs)\n\nIf the User owner is not a defined admin, this is a finding. \n\nIf the Group owner is not a defined admin group, this is a finding.\n\nIf the directory is more permissive than 700, this is a finding.\n\nFor validating privileges on the control plane, verify Redis Admin users that are listed on the control plane against documented approved admin users. If any users have unauthorized admin privileges, this is a finding.","fixText":"Apply or modify access controls and permissions (in the file system/operating system) to tools used to view or modify audit log data. Tools must be accessible by authorized personnel only.\n\n/var/opt/redislabs/log/ (or whatever the organizationally defined location for Redis logs) should have an appropriate and documented admin user and group owner and the directory should not have permissions more than 700. \n\nTo update these permissions, run the following commands:\nchown redislabs:redislabs /var/opt/redislabs/log\nchmod 700 /var/opt/redislabs/log"},{"id":"ec338924-bfdf-4b1b-accf-ec86a42a5d70","vulnId":"V-251207","severity":"medium","ruleTitle":"Redis Enterprise DBMS must protect its audit features from unauthorized removal.","description":"Redis Enterprise does not come with unique tools to view log data and logging is not configurable. Logs are stored in a standard log file on the host operating system that is accessible using standard Linux tooling. Only users in the admin role can view or modify privileged settings in the Redis Enterprise UI.\n\nProtecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.","checkContent":"For validating privilege on the OS, verify user ownership, group ownership, and permissions on the Redis audit directory:\n\nFrom Linux command line as root:\n> ls - ald /var/opt/redislabs/log/ (or whatever the organizationally defined location for Redis logs)\n\nIf the User owner is not a defined admin, this is a finding. \n\nIf the Group owner is not a defined admin group, this is a finding.\n\nIf the directory is more permissive than 700, this is a finding.\n\nFor validating privileges on the control plane, verify Redis Admin users that are listed on the control plane against documented approved admin users. If any users have unauthorized admin privileges, this is a finding.","fixText":"Apply or modify access controls and permissions (in the file system/operating system) to tools used to view or modify audit log data. Tools must be accessible by authorized personnel only.\n\n/var/opt/redislabs/log/ (or whatever the organizationally defined location for Redis logs) should have an appropriate and documented admin user and group owner and the directory should not have permissions more than 700. \n\nTo update these permissions, run the following commands:\nchown redislabs:redislabs /var/opt/redislabs/log\nchmod 700 /var/opt/redislabs/log"},{"id":"0f577488-ed93-42d2-a0fe-71f33d19e573","vulnId":"V-251208","severity":"medium","ruleTitle":"Redis Enterprise DBMS must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.","description":"Redis Enterprise permits the installation of logic modules through a control plane layer to the database, which requires privilege access to the control plane. This is provisioned for support during database runtime by a user with permissions to create a database.\n\nThe ability to load modules directly within the database is not supported in Redis Enterprise; however, it is supported in open-source Redis.","checkContent":"Modules may be added to the Redis Enterprise control plane (adminUI) by navigating to the settings tab and then modules. Only admin users can view the settings tab.\n\nTo verify that users without explicit privileged status are not able to install modules, do the following:\n1. Log in to the Redis Enterprise control plane (adminUI) with a user with administrative privileges.\n2. Navigate to the access control tab.\n3. Verify that only organizationally defined users have the appropriate privileges.\n\nIf a user is not assigned appropriate permissions, this is a finding.","fixText":"To ensure a regular user is unable to perform updates:\n1. Log in to the Redis Enterprise control plane.\n2. Navigate to the access controls tab.\n3. In the users section, review each users role to ensure they are assigned the appropriate permissions.\n4. If a user is not assigned appropriate permissions, ensure they are moved to an appropriate role."},{"id":"936a4d86-659e-4ba6-a8e7-cea68200e3ec","vulnId":"V-251209","severity":"medium","ruleTitle":"Redis Enterprise DBMS must enforce access restrictions associated with changes to the configuration of Redis Enterprise DBMS or database(s).","description":"Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. \n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. \n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.","checkContent":"Redis Enterprise is an application database and not intended to be used by human actors. Human actor activity has been generally abstracted to a control plane that resides outside of the database level. \n\nRedis Enterprise comes with roles for both the control plane and the data plane. Viewer roles and none provide access restrictions to make configuration changes to the database. \n\nTo verify that users are in the appropriate role, perform the following steps:\n1. Log in to the Redis Enterprise Control Plane.\n2. Navigate to the access control tab.\n3. Navigate to the users tab. \n4. Verify that all users are assigned an appropriate role. If the principle is using custom roles, this may require investigating the permissions provided for each custom role.\n\nIf it does not enforce access restrictions associated with changes to the configuration of the DBMS or database(s), this is a finding.","fixText":"Redis Enterprise is an application database and not intended to be used by human actors. Human actor activity has been generally abstracted to a control plane that resides outside of the database level. \n\nTo ensure that users are in the appropriate role, perform the following steps:\n1. Log in to the Redis Enterprise Control Plane.\n2. Navigate to the access control tab.\n3. Navigate to the users tab. \n4. Ensure that the principle is assigned the appropriate permissions for their function."},{"id":"ef67a4eb-9cb6-4218-bacd-8ef6df7ca7f5","vulnId":"V-251210","severity":"medium","ruleTitle":"Redis Enterprise DBMS must limit privileges to change software modules; to include stored procedures, functions, and triggers, and links to software external to Redis Enterprise DBMS.","description":"$3b","checkContent":"$3c","fixText":"Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement. Syslog can be used to track and monitor access, deletions, and modification actions of the Redis logs, system configuration files, and binaries stored on the RHEL OS.\n\nEnsure that the permissions of the Redis logs, system configuration files, and binaries are set so that only those with admin privileges can modify them on the hosting RHEL OS. Permissions can be modified using the chmod command."},{"id":"59618e32-ad87-404c-bdf7-4f8549a3049b","vulnId":"V-251211","severity":"medium","ruleTitle":"Redis Enterprise DBMS software installation account must be restricted to authorized users.","description":"When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system. \n\nIf the system were to allow any user to make changes to software libraries, those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nDBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a great impact on database security and operation. It is especially important to grant privileged access to only those persons who are qualified and authorized to use them.","checkContent":"To install the software, the user must have root level access to each node it will be installed on. Review the procedure used to install Redis Enterprise. In this procedure, users are capable of selecting their own user to own the software. Typically, this is run under a Redis Labs system user.\n\nTo check this requirement, investigate the user used and verify that only the appropriate people are able to access this account on the host operating system. \n\nIf more than the appropriate people can access this account, this is a finding.","fixText":"User must have root level access to the system prior to installing Redis Enterprise. Without this, the installation will not complete, and no changes will be made. Review the procedure used to install Redis Enterprise. In this procedure, users are capable of selecting their own user to own the software. Typically, this is run under a Redis Labs system user.\n\nTo check this requirement, investigate the user used and ensure that only the appropriate people are able to access this account on the host operating system."},{"id":"156e5d63-6153-456b-a938-25580f5b4db8","vulnId":"V-251212","severity":"medium","ruleTitle":"Database software, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.","description":"$3d","checkContent":"$3e","fixText":"To resolve this issue, perform one of the two following actions:\n1. Install Redis Enterprise on a single tenant operating system.\n2. Uninstall third-party applications that have been installed in the Redis Enterprise directories and install them in separate directories."},{"id":"c4433dc0-6ce4-475b-b05a-77f4e0a2cfa3","vulnId":"V-251213","severity":"medium","ruleTitle":"The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to Redis Enterprise DBMS, etc.) must be restricted to authorized users.","description":"If the DBMS were to allow any user to make changes to database structure or logic, those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.\n\nRedis Enterprise provides configurable role-based access control inherently within the product. To ensure that users are provided the appropriate permissions that they are authorized to use, check each user's assigned roles.","checkContent":"To check each user's assigned role:\n1. Log in to Redis Enterprise.\n2. Navigate to the access controls tab.\n3. Navigate to the users tab.\n4. Review all roles assigned to a user and verify that user is given the appropriate role for their authorization level.\n\nIf the user is not given the appropriate role, this is a finding.","fixText":"To ensure that users are provided the appropriate permissions that they are authorized to use, check each user's assigned roles.\n1. Log in to Redis Enterprise.\n2. Navigate to the access controls tab.\n3. Navigate to the users tab.\n4. Locate desired user.\n5. Assign appropriate permission based on desired authorization level."},{"id":"5bab936d-f0ab-48bb-8e60-f0d5e51465e7","vulnId":"V-251214","severity":"medium","ruleTitle":"Redis Enterprise DBMS must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.","description":"Configuring the DBMS to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across the DoD that reflects the most restrictive security posture consistent with operational requirements. \n\nIn addition to this STIG, sources of guidance on security and information assurance exist. These include NSA configuration guides, CTOs, DTMs, and IAVMs. The DBMS must be configured in compliance with guidance from all such relevant sources.","checkContent":"The organization that is implementing Redis Enterprise must review the documentation and configuration to determine if it is configured in accordance with DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.\n\nIf Redis Enterprise is not configured in accordance with security configuration settings, this is a finding.","fixText":"Follow all DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs and IAVMs to configure the Redis Enterprise security configuration settings."},{"id":"2b049d79-9f4d-41ce-8bc4-71713617b270","vulnId":"V-251215","severity":"medium","ruleTitle":"Redis Enterprise DBMS must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.","description":"Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats.","checkContent":"$3f","fixText":"Use firewalld commands to remove any unnecessary ports from the appropriate zone. To do this, enter the following commands as root.\n\nThis command will immediately remove a port from the configuration:\n$ firewall-cmd --zone= --remove-port=/\n\nThis command will persistently remove a port from a configuration:\n$ firewall-cmd --permanent --zone= --remove-port=/\n\nRepeat the previous commands for any port that is unauthorized for use or is not used."},{"id":"6ec4713c-8b13-4963-a43c-0d6dd7471f40","vulnId":"V-251217","severity":"medium","ruleTitle":"Unused database components, DBMS software, and database objects must be removed.","description":"Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nIt is detrimental for software products to provide, or install by default, functionality exceeding requirements or mission objectives. \n\nDBMSs must adhere to the principles of least functionality by providing only essential capabilities.\n\nModules are not needed for Redis Enterprise to function properly but can make some tasks easier. The following come by default on Redis Enterprise 6:\nRedisBloom\nRediSearch\nRedisGraph\nRedisJSON\nRedisTimeSeries\n\nMore information can be found at: https://docs.redislabs.com/latest/modules/?s=modules","checkContent":"Redis Enterprise comes with a suite of capabilities sorted into modules. These modules can be removed if deemed unnecessary. Modules are not needed for Redis Enterprise to function properly but can make some tasks easier. Check the installed modules in the UI at the following location:\n1. Log in to the Redis Enterprise UI as an Admin user.\n2. Navigate to the Settings tab.\n3. View the Redis Modules tab.\n\nIf unused components or features are installed and are not documented and authorized, this is a finding.","fixText":"Modules are not needed for Redis Enterprise to function properly but can make some tasks easier. To view/remove installed modules from the UI:\n1. Click \"Settings\" in the red banner.\n2. Click Redis modules.\n3. Find the module to be removed and click the trash can icon on the right."},{"id":"db741eba-68a5-4c98-b652-e83d45d56bf7","vulnId":"V-251218","severity":"medium","ruleTitle":"Unused database components that are integrated in Redis Enterprise DBMS and cannot be uninstalled must be disabled.","description":"$40","checkContent":"Redis Enterprise comes with a suite of capabilities sorted into modules. These modules can be removed if deemed unnecessary. Check the installed modules in the UI at the following location:\n1. Log in to the Redis Enterprise UI as an Admin user.\n2. Navigate to the Settings tab.\n3. View the Redis Modules tab.\n\nIf unused components or features are present on the system, can be disabled, and are not disabled, this is a finding.","fixText":"To view/remove installed modules from the UI:\n1. Click \"Settings\" in the red banner.\n2. Click Redis modules.\n3. Find the module to be removed and click the trash can icon on the right."},{"id":"951cd74c-211f-462b-a371-f5b6557e95be","vulnId":"V-251219","severity":"medium","ruleTitle":"Access to external executables must be disabled or restricted.","description":"Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). \n\nIt is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. \n\nApplications must adhere to the principles of least functionality by providing only essential capabilities.\n\nDBMSs may spawn additional external processes to execute procedures that are defined in the DBMS but stored in external host files (external procedures). The spawned process used to execute the external procedure may operate within a different OS security context than the DBMS and provide unauthorized access to the host system.","checkContent":"Redis Enterprise has this feature available if any object used is approved by the ISSO. By default, external executables are not included in Redis Enterprise, and only admin users on the Redis Enterprise web UI or admins who have direct access to the server can add them.\n\nTo determine what modules or executables are applied:\n1. Log in to the Redis Enterprise web UI as an admin user.\n2. Navigate to the settings and then Redis modules tabs.\n\nVerify that no unapproved external executables exist. \n\nIf external executables do exist and are not approved by the ISSO, this is a finding.","fixText":"To add or remove modules or executables:\n1. Log in to the Redis Enterprise web UI as an admin user.\n2. Navigate to the settings and then Redis modules tabs. From here, modules may be freely added or removed."},{"id":"04df33a1-4b65-4348-8f45-423dde97d355","vulnId":"V-251220","severity":"medium","ruleTitle":"Redis Enterprise DBMS must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"$41","checkContent":"$42","fixText":"Use firewalld commands to remove any unnecessary ports from the appropriate zone. To do this, enter the following commands as root:\n\nThis command will immediately remove a port from the configuration:\n$ firewall-cmd --zone= --remove-port=/\n\nThis command will persistently remove a port from a configuration:\n$ firewall-cmd --permanent --zone= --remove-port=/\n\nRepeat the previous commands for any port that is unauthorized for use or is not used."},{"id":"9ac79e44-cbbf-4dff-8f1c-d991bcf00d05","vulnId":"V-251221","severity":"medium","ruleTitle":"Redis Enterprise DBMS must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.","description":"$43","checkContent":"Review the system documentation and the configuration of Redis Enterprise and related applications and tools.\n\nIf the information owner has identified additional cases where reauthentication is needed, but there are circumstances where the system does not ask the user to reauthenticate when those cases occur, this is a finding.\n\nRedis Enterprise requires users to reauthenticate after the configured time-out period has been met, but does not require reauthentication when permissions are updated; permissions are automatically updated and applied on both the database and the Redis Enterprise web UI. Only admin users can modify privileges and roles.","fixText":"$44"},{"id":"da59d073-a0fe-4556-97c2-25dd17aa4f60","vulnId":"V-251222","severity":"medium","ruleTitle":"Redis Enterprise DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"Redis Enterprise allows the user to configure unique users per role. Review roles and ensure roles use unique organizational principles per user to the database. Redis does come with a default user for backwards compatibility. This user may be disabled.","checkContent":"To audit this configuration:\n1. Log in to Redis Enterprise Administrative Control Plane.\n2. Go to databases tab.\n3. Select the desired database and then the configuration subtab.\n4. Verify that Default database access is enabled. \n\nIf it is enabled, this is a finding.","fixText":"To fix this issue perform the following actions:\n\nTo audit this configuration:\n1. Log in to Redis Enterprise Administrative Control Plane.\n2. Go to databases tab.\n3. Select each database and review the configuration by selecting edit.\n4. Deselect the default database access tab.\n\nThis configuration will break applications designed for use with Redis 5 prior to ACLs."},{"id":"1dc6ff33-8c50-40d8-a050-24fc301783a5","vulnId":"V-251223","severity":"medium","ruleTitle":"If passwords are used for authentication, Redis Enterprise DBMS must store only hashed, salted representations of passwords.","description":"The DOD standard for authentication is DOD-approved PKI certificates.\n\nAuthentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires authorizing official (AO) approval.\n\nIn such cases, database passwords stored in clear text, using reversible encryption, or using unsalted hashes would be vulnerable to unauthorized disclosure. Database passwords must always be in the form of one-way, salted hashes when stored internally or externally to the DBMS.","checkContent":"$45","fixText":"Develop, document, and maintain a list of DBMS database objects, database configuration files, associated scripts, applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings in the System Security Plan.\n\nRecord whether they do or do not contain DBMS passwords. If passwords are present, ensure that they are correctly hashed using one-way, salted hashing functions, and that the hashes are protected by host system security."},{"id":"9c7c04f6-da39-4b6e-a435-9b0e4b61e236","vulnId":"V-251224","severity":"medium","ruleTitle":"Redis Enterprise DBMS must prohibit the use of cached authenticators after an organization-defined time period.","description":"If cached authentication information is out of date, the validity of the authentication information may be questionable.\n\nFor more information on configuring time out periods on Redis Enterprise refer to:\nhttps://docs.redislabs.com/latest/rs/administering/access-control/","checkContent":"Interview the system administrator to determine what, if any, the organizational policy is for cached authentication. By default, Redis Enterprise terminates authenticators after a user logs or times out.\n\nTo view the current time out period for authentication, log in to the RHEL server that the Redis Enterprise database is hosted on as an admin user.\n1. Type: rladmin\n2. Once rladmin is started, type: info cluster \n\nCheck documentation to verify that organizationally defined limits, if any, have been set. Compare documentation to actual settings found on the DB. \n\nIf the settings do not match the documentation, this is a finding.","fixText":"Configure Redis Enterprise settings to meet organizationally defined requirements. To configure the time out period, refer to Redis Enterprise Documentation: \n\nTo set time out period for authentication, log in to the RHEL server that the Redis Enterprise database is hosted on as an admin user. Escalate to root privileges.\n1. Type: rladmin\n2. Once rladmin is started, type: cluster config cm_session_timeout_minutes \n\nBy default, the timeout is set to 15 minutes."},{"id":"eb33127d-9e68-4a3f-ab2b-cc67edf45c68","vulnId":"V-251225","severity":"medium","ruleTitle":"Redis Enterprise DBMS, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation.","description":"$46","checkContent":"At this time, Redis Enterprise does not support OSCP and is partially compliant with RFC 5280. Verify that the host operating system is encrypted. \n\nIf the host operating system is not encrypted or STIG-compliant, this is a finding.\n\nTo test, have the user log in to the database. If certificates are not being validated by performing RFC 5280-compliant certification path validation (i.e., \"pop up\" certificate validation), this is a finding.\n\nIf the host operating system is encrypted, run the following commands and verify that only DoD-approved PKI certificates are present and used for Redis Enterprise:\n# cd /etc/opt/redislabs\n# cat proxy_cert.pem\n\nIf no DoD-approved certificates are found, this is a finding.","fixText":"$47"},{"id":"1e25b7a8-ec27-47be-bd4c-fc85e2d0d6ef","vulnId":"V-251226","severity":"high","ruleTitle":"Redis Enterprise DBMS must enforce authorized access to all PKI private keys stored/used by Redis Enterprise DBMS.","description":"$48","checkContent":"All keys must be stored by the host RHEL OS that Redis Enterprise resides on. On the server, look for proxy_cert.pem found in /etc/opt/redislabs. If proxy_cert.pem has file permissions that would allow unauthorized users to access it, this is a finding. \n\nKeys can also be manipulated on the Redis Enterprise UI. RBAC prevents unauthorized users from doing this; to check:\n\nReview organization documentation to determine which users should have administrative privileges. From there:\n1. Log in to Redis Enterprise UI as a user in the administrator role.\n2. Navigate to the Access Control tab.\n3. Compare the documented users to the users found in the user settings on the web UI.\n\nIf any users have administrative privileges and are not documented, this is a finding. \n\nIf access to the DBMS's private key(s) is not restricted to authenticated and authorized users, this is a finding.","fixText":"Apply or modify access controls and permissions (in the file system/operating system) to tools used to view or modify where the certificates are stored. Tools must be accessible by authorized personnel only.\n\n/etc/opt/redislabs (or wherever the organizationally defined location for certificates are stored) should have an appropriate and documented admin user and group owner and the directory should not have permissions more than 700. \n\nTo update these permissions, run the following commands:\nchown redislabs:redislabs /etc/opt/redislabs\nchmod 700 /etc/opt/redislabs/proxy_cert.pem"},{"id":"6b40dd2c-4699-42f3-b43d-1788d69a1a68","vulnId":"V-251227","severity":"medium","ruleTitle":"Redis Enterprise DBMS must map the PKI-authenticated identity to an associated user account.","description":"The DoD standard for authentication is DoD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to a DBMS user account for the authenticated identity to be meaningful to the DBMS and useful for authorization decisions.","checkContent":"Review the Redis Enterprise configuration to verify user accounts are being mapped directly to unique identifying information within the validated PKI certificate.\n\nTo test, have the user log in to the database and verify that the unique certificate to the authenticating user is used or prompted. If user accounts are not being mapped to authenticated identities, this is a finding.","fixText":"$49"},{"id":"981bc560-8ba4-4fb9-ad4b-1e68ab864103","vulnId":"V-251228","severity":"high","ruleTitle":"Redis Enterprise DBMS must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.","description":"$4a","checkContent":"If all interaction with the user for purposes of authentication is handled by a software component separate from the DBMS, this is not a finding.\n\nThe Redis Enterprise web UI does inherently obscure passwords. For Redis CLI, which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation, verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations and that AO approval has been obtained. If not, this is a finding.\n\nRequest evidence that all users of the tool are trained in the importance of using the \"--askpass\" option (and not using the plain-text password option), how to keep the password hidden, and that they adhere to this practice. If not, this is a finding.","fixText":"For Redis CLI tools, which can accept a plain-text password, and any other essential tool with the same limitation:\n1. Document the need for it, who uses it, and any relevant mitigations, and obtain AO approval.\n2. Train all users of the tool in the importance of not using the plain-text password option and in how to keep the password hidden by using the \"--askpass\" without the password option. The user will then be prompted and the password obfuscated.\n\nExample command for authentication:\nredis-cli -h -p --askpass"},{"id":"50e6a4b0-4418-4a1b-b883-d79751f27401","vulnId":"V-251229","severity":"high","ruleTitle":"Redis Enterprise DBMS must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations.","description":"$4b","checkContent":"$4c","fixText":"Configure Redis Enterprise settings to use NIST FIPS 140-2-validated cryptographic modules for cryptographic operations. To set the minimum TLS version that can be used for encrypting the data in transit between a Redis client and a Redis Enterprise cluster, use the REST API or the following rladmin command:\nrladmin> cluster config min_data_TLS_version (e.g., 1.2)\n\nEnsure that openssl is on the latest version as required by organizational policies to be FIPS compliant."},{"id":"d2a2ea7c-b1b6-4009-80be-c3ae9285ff81","vulnId":"V-251230","severity":"medium","ruleTitle":"Redis Enterprise DBMS must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).","description":"Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). \n\nNon-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access, such as accessing a web server.\n\nAccordingly, a risk assessment is used in determining the authentication needs of the organization.\n\nScalability, practicality, and security are simultaneously considered in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk to organizational operations, organizational assets, individuals, other organizations, and the nation.","checkContent":"Redis Enterprise databases can be configured and set to deny by default posture. Access is granted when the database is configured and can be granted by admins at a later time. Verify in the database configuration that the default user is disabled. This would force non-organizational users to authenticate with a username and password similar to any organizationally defined user. \n\nIn web UI:\n1. Log in to Redis Enterprise as an admin user.\n2. Select the Database tab.\n3. Select the Configuration subtab.\n4. Confirm \"Default database access\" reads \"nopass\" and is \"Inactive\".\n\nIf default database access is active and there is no password set, this is a finding.","fixText":"When adding user access to the database, either during initial creation or at a later time, admins must establish a unique username and password for all users and the default user account must be disabled.\n\nIn web UI:\n1. Log in to Redis Enterprise as an admin user.\n2. Select the Database tab.\n3. Select the Configuration subtab.\n4. Select \"Edit\".\n5. Ensure that \"Default database access\" is unchecked."},{"id":"26b34282-8128-4695-b57a-468d26338d60","vulnId":"V-251231","severity":"high","ruleTitle":"Redis Enterprise DBMS must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nNSA-approved cryptography for classified networks is hardware based. This requirement addresses the compatibility of a DBMS with the encryption devices.\n\nRedis Enterprise does not encrypt data at rest. Redis Enterprise encryption of data at rest is handled by the underlying Linux OS.","checkContent":"Determine if the organization requires encryption. If Redis is deployed in an unclassified environment, this is not applicable.\n\nDetermine if FIPS mode is enabled with the following command:\n# sudo fipscheck\n\nusage: fipscheck [-s ] \nfips mode is on\n\nIf FIPS mode is \"on\", determine if the kernel command line is configured to use FIPS mode with the following command:\n# sudo grep fips /boot/grub2/grub.cfg\n\n/vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet\n\nIf the kernel command line is configured to use FIPS mode, determine if the system is in FIPS mode with the following command:\n# sudo cat /proc/sys/crypto/fips_enabled\n1\n\nIf FIPS mode is not \"on\", the kernel command line does not have a FIPS entry, or the system has a value of \"0\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding.","fixText":"$4d"},{"id":"26c7b834-a9e8-40d9-96a1-2ce69e3ffb30","vulnId":"V-251232","severity":"medium","ruleTitle":"Redis Enterprise DBMS must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to provision digital signatures.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nFor detailed information, refer to NIST FIPS Publication 140-2 or Publication 140-3, Security Requirements for Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.","checkContent":"$4e","fixText":"$4f"},{"id":"8d5366db-8d1a-4722-949f-68119c42ed95","vulnId":"V-251233","severity":"medium","ruleTitle":"Redis Enterprise DBMS must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to generate and validate cryptographic hashes.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nFor detailed information, refer to NIST FIPS Publication 140-2 or Publication 140-3, Security Requirements for Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.","checkContent":"$50","fixText":"$51"},{"id":"f9c34ce3-25eb-40bb-9814-4d9ffc9a4df5","vulnId":"V-251234","severity":"medium","ruleTitle":"Redis Enterprise DBMS must implement NIST FIPS 140-2 or 140-3 validated cryptographic modules to protect unclassified information requiring confidentiality and cryptographic protection, in accordance with the data owners requirements.","description":"Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. \n\nIt is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nFor detailed information, refer to NIST FIPS Publication 140-2 or Publication 140-3, Security Requirements for Cryptographic Modules. Note that the product's cryptographic modules must be validated and certified by NIST as FIPS-compliant.\n\nThe DBMS relies on the underlying Linux operating system to meet this check.","checkContent":"Verify the operating system implements FIPS compliant cryptographic modules.\n\nAs the system administrator, run the following to determine if FIPS is enabled:\n# cat /proc/sys/crypto/fips_enabled\n\nIf fips_enabled is not 1, this is a finding.","fixText":"To configure the operating system to implement DoD-approved encryption, review the official RHEL Documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations"},{"id":"93472e5e-30bf-40db-bf89-baed5a53919f","vulnId":"V-251235","severity":"medium","ruleTitle":"Redis Enterprise DBMS must separate user functionality (including user interface services) from database management functionality.","description":"$52","checkContent":"Redis Enterprise provides separate user functionality by default. An administrative control plane helps facilitate configuration and a database layer helps facilitate application integrations with the database. This functionality is provided by default; however, the same user may be used for both the database layer and the administrative control plane. \n\nFirst, obtain the list of authorized admin users and general users.\nTo check user functionality, perform the following steps:\n1. Log in to the administrative control plane.\n2. Navigate to the access controls tab.\n3. Navigate to the roles tab.\n4. Review all roles and verify that any role that provides access to the data path is configured with the cluster management role of \"None\". \n\nIf a role provides access to both data and management paths, this is a finding.","fixText":"Configure DBMS to separate database administration and general user functionality."},{"id":"78556886-51b7-4a4e-8930-35d76cb96dd3","vulnId":"V-251236","severity":"high","ruleTitle":"Access to the Redis Enterprise control plane must be restricted.","description":"If administrative functionality or information regarding DBMS management is presented on an interface available for users, information on DBMS settings may be inadvertently made available to the user.\n\nThe Redis administrative control plane helps facilitate configuration and application integrations with the database. Exposing the control plane application to any network interface that is available to non-administrative personnel leaves the server vulnerable to attempts to access the management application. To mitigate this risk, the management application must only be run on network interfaces tied to a dedicated management network or firewall rule to limit access to dedicated trusted machines.\n\nRedis does not provide a configuration setting that can be used to restrict access to the administrative control plane, so firewall controls must be applied.","checkContent":"$53","fixText":"$54"},{"id":"f2f53ce4-9931-4d6d-b975-2d93031276ee","vulnId":"V-251237","severity":"medium","ruleTitle":"Redis Enterprise DBMS must recognize only system-generated session identifiers.","description":"This requirement focuses on communications protection for the DBMS session rather than for the network packet. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. \n\nRedis Enterprise Software (RS) uses self-signed certificates out-of-the-box to make sure that sessions are secure by default. When using the default self-signed certificates, an untrusted connection notification is shown in the web UI. Depending on the browser used, the user can allow the connection for each session or add an exception to make the site trusted in future sessions.","checkContent":"By default, each cluster node has a different set of self-signed certificates. These certificates can be replaced with a DoD-acceptable certificate, preferably a certificate issued by an intermediate certificate authority (CA).\n\nFor security reasons, Redis Enterprise only supports the TLS protocol. Therefore, verify that the Redis client or secured tunnel solution is TLS v1.2 or above.\n\nRun the following commands and verify that certificates are present:\n# cd /etc/opt/redislabs\n# ls \n\nVerify the proxy_cert.pem file is present.\n\nIf no certificates are present, this is a finding.","fixText":"To configure TLS and configure only organizationally defined CA-signed certificates, refer to the following document: \nhttps://docs.redislabs.com/latest/rs/administering/cluster-operations/updating-certificates/"},{"id":"477c5940-7e2a-4137-b4cf-0763d6fdea14","vulnId":"V-251238","severity":"medium","ruleTitle":"Redis Enterprise DBMS must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.","description":"Session IDs are tokens generated by web applications to uniquely identify an application user's session. Applications will make application decisions and execute business logic based on the session ID. Unique session identifiers or IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session IDs help to reduce predictability of said identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attackers are unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. When a user logs out, or when any other session termination event occurs, the application must terminate the user session to minimize the potential for an attacker to hijack that particular user session.","checkContent":"Redis Enterprise Software (RS) can use industry-standard encryption to protect data in transit between a Redis client and RS. For this purpose, RS uses transport layer security (TLS) protocol.\n\nRun the following commands and verify certificates are present:\n# cd /etc/opt/redislabs\n# ls \n\nVerify the proxy_cert.pem file is present.\n\nIf no certificates are found, this is a finding.\n\nVerify that TLS is configured to be used. To check this:\n1. Log in to the Redis Enterprise web UI as an admin user.\n2. Navigate to the Databases tab and select the database and then configuration.\n3. Review the configuration and verify that TLS is enabled for all communications.\n\nIf TLS is not configured to be used, this is a finding.\n\nTo check the current TLS version, run the following commands on one of the servers that is hosting Redis Enterprise as a privileged user:\n# ccs-cli\n# hgetall min_control_tls_version\n\nIf TLS is not FIPS compliant, this is a finding.","fixText":"$55"},{"id":"58ce6a02-cad5-4e6b-8da0-fce06bf9fcd5","vulnId":"V-251239","severity":"medium","ruleTitle":"Redis Enterprise DBMS must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.","description":"Only DoD-approved external PKIs have been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient for DoD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users.","checkContent":"$56","fixText":"$57"},{"id":"c90a5b93-a55f-4bb4-9409-82ae4841a270","vulnId":"V-251240","severity":"medium","ruleTitle":"Redis Enterprise DBMS must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.","description":"$58","checkContent":"1. In the console UI, click the databases tab.\n2. For each listed database, click it and select configuration.\n3. Verify that \"Persistence\" is set to: \"Append Only File (AOF) - fsync every write\".\n\nIf the setting is not configured or not documented to be set differently, this is a finding.\n\n4. For each listed database, click it and select configuration.\n5. Verify \"Replication\" is set enabled.\n\nIf the setting is not configured or not documented to be set differently, this is a finding.","fixText":"To enable persistence and replication in the Redis Enterprise UI, click the databases tab. For each database that requires reconfiguration, click it and select configuration. Ensure that the replication box is checked as well as the desired persistence level.\n\nEdit the parameters necessary to meet the desired organizational needs."},{"id":"f0ae666a-596f-459c-9e5a-3e5044a8cd79","vulnId":"V-251241","severity":"medium","ruleTitle":"In the event of a system failure, Redis Enterprise DBMS must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.","description":"Failure to a known state can address safety or security in accordance with the mission/business needs of the organization.\n\nFailure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system.\n\nPreserving information system state information helps to facilitate system restart and return to the operational mode of the organization with less disruption of mission/business processes.\n\nSince it is usually not possible to test this capability in a production environment, systems should either be validated in a testing environment or prior to installation. This requirement is usually a function of the design of the IDPS component. Compliance can be verified by acceptance/validation processes or vendor attestation.\n\nAdditional information can be found at:\nhttps://docs.redislabs.com/latest/rs/administering/troubleshooting/cluster-recovery/","checkContent":"In the Redis Enterprise web UI, select settings and then alerts.\n\nVerify the alerts documented by the ISSO/ISSM are checked.\n\nIf required alerts are not checked, this is a finding.\n\nIn the Redis Enterprise web UI, select databases, then select the individual databases.\n\nFor each database, select configuration.\n\nVerify that \"Persistence\", \"Periodic backup\", and \"Alerts\" are all configured as organizationally defined and documented by the ISSO or ISSM. \n\nVerify that organizationally defined path for the centralized log server is also applied and configured external to the database.\n\nIf any of these items are not configured as documented, this is a finding.","fixText":"In the Redis Enterprise web UI, select databases and then select the individual databases.\n\nFor each database, select configuration.\n\nCheck the box and configure the following as defined by the ISSO/ISSM: \"Persistence\", \"Periodic backup\", and \"Alerts\" \n\nEnsure that organizationally defined path for the centralized log server is also applied and configured external to the database."},{"id":"043c2cca-0bd0-461b-a70a-4af5879e122a","vulnId":"V-251242","severity":"high","ruleTitle":"Redis Enterprise DBMS must protect the confidentiality and integrity of all information at rest.","description":"This control is intended to address the confidentiality and integrity of information at rest in non-mobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Applications and application users generate information throughout the course of their application use. \n\nUser data generated, as well as application-specific configuration data, needs to be protected. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate. \n\nIf the confidentiality and integrity of application data is not protected, the data will be open to compromise and unauthorized modification.\n\nRedis Enterprise does not inherently encrypt data at rest and is designed to have the OS handle encryption for data at rest.","checkContent":"If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding.\n\nVerify the operating system implements encryption to protect the confidentiality and integrity of information at rest.\n\nIf a disk or filesystem requires encryption, ask the system owner, DBA, and SA to demonstrate the use of filesystem and/or disk-level encryption. If this is required and is not found, this is a finding.\n\nTo check if full disk encryption is enabled, log in to RHEL as an admin user and run the following commands:\n# lsblk\n\nIdentify the partition that Redis Enterprise is located on.\n# blkid /dev/[name of partition]\n\nIf the output shows TYPE=\"crypto_LUKS\" then the partition is encrypted.\n\nIf encryption must be used and is not employed, this is a finding.","fixText":"$59"},{"id":"906c1018-fca8-438d-99a3-b13e65f7c7da","vulnId":"V-251243","severity":"high","ruleTitle":"Redis Enterprise DBMS must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.","description":"$5a","checkContent":"Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information.\n\nIf no information is identified as requiring such protection, this is not a finding.\n\nVerify the operating system implements encryption to protect the confidentiality and integrity of information at rest. \n\nIf a disk or filesystem requires encryption, ask the system owner, DBA, and SA to demonstrate the use of filesystem and/or disk-level encryption. If this is required and is not found, this is a finding.\n\nTo check if full disk encryption is enabled, log in to RHEL as an Admin user and run the following commands:\n# lsblk\n\nIdentify the partition that Redis Enterprise is located on.\n# blkid /dev/[name of partition]\n\nIf the output shows TYPE=\"crypto_LUKS\" then the partition is encrypted.\n\nIf encryption must be used and is not employed, this is a finding.","fixText":"$5b"},{"id":"49d96535-4f75-46a2-92b1-5fe410208674","vulnId":"V-251244","severity":"high","ruleTitle":"Redis Enterprise DBMS must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.","description":"$5c","checkContent":"Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from disclosure, which must include, at a minimum, PII and classified information.\n\nIf the documentation indicates no information requires such protections, this is not a finding.\n\nVerify the operating system implements encryption to protect the confidentiality and integrity of information at rest. \n\nIf a disk or filesystem requires encryption, ask the system owner, DBA, and SA to demonstrate the use of filesystem and/or disk-level encryption. If this is required and is not found, this is a finding.\n\nTo check if full disk encryption is enabled, log in to RHEL as an Admin user and run the following commands:\n# lsblk\n\nIdentify the partition that Redis Enterprise is located on.\n# blkid /dev/[name of partition]\n\nIf the output shows TYPE=\"crypto_LUKS\" then the partition is encrypted.\n\nIf encryption must be used and is not employed, this is a finding.","fixText":"$5d"},{"id":"068a88f7-2c49-42dc-8e8b-7c999a2b9154","vulnId":"V-251245","severity":"medium","ruleTitle":"Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.","description":"Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based.","checkContent":"Review the procedures for the refreshing of development/test data from production.\n\nReview any scripts or code that exists for the movement of production data to development/test systems, or to any other location or for any other purpose.\n\nVerify that copies of production data are not left in unprotected locations. \n\nIf the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding.","fixText":"Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy, and to ensure copies of production data are not left in unsecured locations."},{"id":"70de4549-34c4-4f60-b4c6-b12a2b5b91b5","vulnId":"V-251246","severity":"medium","ruleTitle":"Redis Enterprise DBMS must prevent unauthorized and unintended information transfer via shared system resources.","description":"The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse.\n\nFor more information, refer to:\nhttps://redis.io/topics/acl more information on creating clearly defined categories and adding/editing users to categories and ACLs.\nand\nhttps://docs.redislabs.com/latest/rs/administering/access-control/user-roles/","checkContent":"Verify all returned users with security permissions are documented as requiring the permissions.\n\nIn the web UI, select access control >> Redis acls.\n\nVerify that the documented users have the correct ACL(s) assigned to them by clicking the \"Used By\" link for each listed ACL.\n\nVerify that all documented ACLs match each of the listed ACLs.\n\nIf \"Redis ACL name\" and \"Used By\" do not match the documentation, this is a finding.","fixText":"Users and ACLs can be created and modified from the Redis Enterprise UI by navigating to the access control tab as an admin user. Update the user roles and ACLs to reflect organizational requirements."},{"id":"ecb6494d-33a4-45fa-8abc-1440fbac1891","vulnId":"V-251247","severity":"medium","ruleTitle":"Access to database files must be limited to relevant processes and to authorized, administrative users.","description":"Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles.","checkContent":"$5e","fixText":"Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nAdd or edit the line for the \"UMASK\" parameter in \"/etc/login.defs\" file to \"077\":\n\nUMASK 077\n\nSet the permissions of the log files (/var/opt/redislabs/log) and persisted files (/var/opt/redislabs/persist/redis/) to an appropriate organizationally defined setting."},{"id":"6d97ae7d-9259-4264-a71b-598f4f7bab2c","vulnId":"V-251248","severity":"medium","ruleTitle":"Redis Enterprise DBMS must maintain the confidentiality and integrity of information during preparation for transmission.","description":"Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n\nUse of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.\n\nWhen transmitting data, the DBMS, associated applications, and infrastructure must leverage transmission protection mechanisms.\n\nFor more detailed information, refer to:\nhttps://docs.redislabs.com/latest/rs/administering/designing-production/security/","checkContent":"$5f","fixText":"To configure TLS and configure only organizationally defined CA-signed certificates, refer to the following document: \nhttps://docs.redislabs.com/latest/rs/administering/cluster-operations/updating-certificates/"},{"id":"a432dee7-1af8-469c-9f96-9020c7535c12","vulnId":"V-251249","severity":"medium","ruleTitle":"Redis Enterprise DBMS must maintain the confidentiality and integrity of information during reception.","description":"Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n\nThis requirement applies only to those applications that are either distributed or can allow access to data nonlocally. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. \n\nWhen receiving data, the DBMS, associated applications, and infrastructure must leverage protection mechanisms.","checkContent":"$60","fixText":"$61"},{"id":"1013fc56-de5b-4d6b-94f4-e3d9f0e99731","vulnId":"V-251250","severity":"medium","ruleTitle":"Redis Enterprise DBMS and associated applications must reserve the use of dynamic code execution for situations that require it.","description":"$62","checkContent":"Redis does not rely on a query language and there is no known method of SQL injection that would apply to Redis. Redis is a key value store and relies on commands that do not have a unified query language. Redis has an embedded LUA interpreter that is recommended to disable.\n\nInterview the system administrator and ask if the practice of disabling LUA scripting is a documented practice or has been completed. To check if LUA scripting is disabled on the desired database:\n1. Connect to one of the nodes/servers in the redis enterprise cluster as an admin (sudo su -).\n2. Type: rladmin status to get the DB ID of the database on which LUA scripting is to be disabled\n3. Run the following command, substituting in the bdb_id from the previous step: \nccs-cli hget bdb: \n\nIf the response is NIL or doesn't return EVAL, EVALSHA, this is a finding.\n\nIf no documentation exists or if the database otherwise accepts LUA scripts, this is a finding.","fixText":"Redis does not rely on a query language and there is no known method of SQL injection that would apply to Redis. Redis is a key value store and relies on commands that do not have a unified query language. Redis has an embedded LUA interpreter that is recommended to disable.\n\nTo disable the interpreter run the following REST API command:\ncurl -v -kL -u \":\" --location-trusted -H \"Content-type: application/json\" -d '{ \"disabled_commands\": \"EVAL, EVALSHA\" }' -X PUT https://:PORT/v1/bdbs/"},{"id":"2d6d4129-e208-43c2-8e53-2a2e8db09a7c","vulnId":"V-251251","severity":"medium","ruleTitle":"Redis Enterprise DBMS and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.","description":"$63","checkContent":"Redis does not rely on a query language and there is no known method of SQL injection that would apply to Redis. Redis is a key value store and relies on commands that do not have a unified query language. Redis has an embedded LUA interpreter that is recommended to disable.\n\nInterview the system administrator and ask if the practice of disabling LUA scripting is a documented practice or has been completed. To check if LUA scripting is disabled on the desired database:\n1. Connect to one of the nodes/servers in the redis enterprise cluster as an admin (sudo su -).\n2. Type: rladmin status to get the DB ID of the database on which LUA scripting is to be disabled.\n3. Run the following command, substituting in the bdb_id from the previous step: \nccs-cli hget bdb: \n\nIf the response is NIL or doesn't return EVAL, EVALSHA, this is a finding\n\nIf no documentation exists or if the database otherwise accepts LUA scripts, this is a finding.","fixText":"Redis does not rely on a query language and there is no known method of SQL injection that would apply to Redis. Redis is a key value store and relies on commands that do not have a unified query language. Redis has an embedded LUA interpreter that is recommended to disable.\n\nTo disable the interpreter run the following REST API command:\ncurl -v -kL -u \":\" --location-trusted -H \"Content-type: application/json\" -d '{ \"disabled_commands\": \"EVAL, EVALSHA\" }' -X PUT https://:PORT/v1/bdbs/"},{"id":"b08639d9-d694-43df-97fc-dd53a0524e56","vulnId":"V-251252","severity":"low","ruleTitle":"When updates are applied to Redis Enterprise DBMS software, any software components that have been replaced or made unnecessary must be removed.","description":"Previous versions of DBMS components that are not removed from the information system after updates have been installed may be exploited by adversaries. \n\nSome DBMSs' installation tools may remove older versions of software automatically from the information system. In other cases, manual review and removal will be required. In planning installations and upgrades, organizations must include steps (automated, manual, or both) to identify and remove the outdated modules.\n\nA transition period may be necessary when both the old and the new software are required. This should be considered in the planning.","checkContent":"When the Redis software is upgraded to a new version, the old version install file remains on the server. The users must remove this manually. To verify if the old install files have been deleted, check the locations below:\n/opt/redislabs - Main Installation directory for all Redis Enterprise Software binaries\n/opt/redislabs/config - System configuration files\n/opt/redislabs/lib - System library files\n/var/opt/redislabs - Default storage location for the cluster data, system logs, backups and ephemeral, persisted data\n/tmp - Temporary files\n\nThe GREP command can be used to search for old Redis files in the above locations. \n\nIf software components that have been replaced or made unnecessary are not removed, this is a finding.","fixText":"When a new update is available and installed, all old install files must be removed from the locations below:\n/opt/redislabs - Main Installation directory for all Redis Enterprise Software binaries\n/opt/redislabs/config - System configuration files\n/opt/redislabs/lib - System library files\n/var/opt/redislabs - Default storage location for the cluster data, system logs, backups and ephemeral, persisted data\n/tmp - Temporary files\n\nThe GREP command can be used to search for old Redis files in the above locations.\n\nIf software from a previous/outdated version of Redis Enterprise remains in any of the following locations/directories, run the following to remove it: \nrm -r "},{"id":"f8345e24-6213-4c16-ac0a-c160f0c14be1","vulnId":"V-251253","severity":"medium","ruleTitle":"Security-relevant software updates to Redis Enterprise DBMS must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","description":"$64","checkContent":"To determine the current version of the software, perform the steps below:\n\n1. Log in to the Redis Enterprise UI as an Admin user.\n2. Navigate to the Cluster tab in the red banner.\n3. Click on the Configuration option.\n4. Find the Version number of the Cluster, Latest Redis version supported, and Latest Memcached version supported.\n5. Compare to current Redis Enterprise version available.\n\nIf the organization is not following their own defined time periods to apply updates, this is a finding.","fixText":"$65"},{"id":"23a2aad2-8163-4030-b7f7-fef6c8942eba","vulnId":"V-251426","severity":"medium","ruleTitle":"Redis Enterprise DBMS must generate audit records for DoD-defined auditable events within all DBMS/database components.","description":"Redis Enterprise does not generate all the DoD-required audit records.\n\nThis could lead to incomplete information as follows:\n- Without an audit trail, unauthorized access to protected data and attempts to elevate or restrict privileges could go undetected. \n- It would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n- Without the creation of certain audit logs, it would be difficult to identify attempted attacks, and an audit trail would not be available for some forensic investigation for after-the-fact actions. \n\nFor a complete list of unsupported audit requirements, email \"disa.letterkenny.re.mbx.stig-customer-support-mailbox@mail.mil\". Once the identity of the requester has been verified and the specifics of missing audit requirements obtained, risk can be assessed and a determination made as to whether it is acceptable.","checkContent":"This requirement is a permanent finding and cannot be fixed. Redis Enterprise does not currently support session or transactional auditing on the database. \n\nRedis Enterprise does not generate all the DoD-required audit records; therefore this is a finding.\n\nThe site must seek AO or ISSO approval for use of Redis Enterprise 6.x with the understanding that not all of the DoD audit requirements are being met.","fixText":"This requirement is a permanent finding and cannot be fixed.\n\nThis audit requirement must be continuously monitored.\n\nIt must be marked as an \"open\" finding to serve as a reminder to the AO and other stakeholders that this is an approved risk and needs to be reviewed periodically."},{"id":"e36fa43e-20c2-4213-bfa1-82a7c922b87d","vulnId":"V-251428","severity":"medium","ruleTitle":"If DBMS authentication using passwords is employed, Redis Enterprise DBMS must enforce the DOD standards for password complexity and lifetime.","description":"OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native DBMS authentication may be used only when circumstances make it unavoidable and must be documented and authorizing official (AO)-approved.\n\nThe DOD standard for authentication is DOD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval.\n\nIn such cases, the DOD standards for password complexity and lifetime must be implemented. DBMS products that can inherit the rules for these from the operating system or access control program (e.g., Microsoft Active Directory) must be configured to do so. For other DBMSs, the rules must be enforced using available configuration parameters or custom code.","checkContent":"$66","fixText":"$67"},{"id":"3927eb7e-7088-47aa-9cbb-58293dad20fa","vulnId":"V-265880","severity":"high","ruleTitle":"Redis Enterprise products must be a version supported by the vendor.","description":"Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.\n\nWhen maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.","checkContent":"Review the system documentation and interview the database administrator. Identify all database software components.\n\nReview the version and release information.\n1. Log in to the adminUI console as an authorized user.\n2. Navigate to the cluster tab and select configuration.\n3. Check the version number next to Redis Labs Enterprise Cluster.\n\nAccess the below Redis website or use other means to verify the version is still supported:\nhttps://docs.redislabs.com/latest/rs/administering/product-lifecycle\n\nIf the DBMS or any of the software components are not supported by the vendor, this is a finding.","fixText":"Remove or decommission all unsupported software products.\n\nUpgrade unsupported DBMS or unsupported components to a supported version of the product."}]}]]}]

Redis Enterprise 6.x Security Technical Implementation Guide

Checks (71)