Check: RD6X-00-008600
Redis Enterprise 6.x STIG:
RD6X-00-008600
(in versions v2 r2 through v1 r1)
Title
Redis Enterprise DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). (Cat II impact)
Discussion
Redis Enterprise allows the user to configure unique users per role. Review roles and ensure roles use unique organizational principles per user to the database. Redis does come with a default user for backwards compatibility. This user may be disabled.
Check Content
To audit this configuration: 1. Log in to Redis Enterprise Administrative Control Plane. 2. Go to databases tab. 3. Select the desired database and then the configuration subtab. 4. Verify that Default database access is enabled. If it is enabled, this is a finding.
Fix Text
To fix this issue perform the following actions: To audit this configuration: 1. Log in to Redis Enterprise Administrative Control Plane. 2. Go to databases tab. 3. Select each database and review the configuration by selecting edit. 4. Deselect the default database access tab. This configuration will break applications designed for use with Redis 5 prior to ACLs.
Additional Identifiers
Rule ID: SV-251222r960969_rule
Vulnerability ID: V-251222
Group Title: SRG-APP-000148-DB-000103
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000764 |
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
Controls
Number | Title |
---|---|
IA-2 |
Identification and Authentication (organizational Users) |