Check: RD6X-00-009300
Redis Enterprise 6.x STIG: RD6X-00-009300 (in versions v2 r2 through v1 r1)
Title
Redis Enterprise DBMS must map the PKI-authenticated identity to an associated user account. (Cat II impact)
Discussion
The DoD standard for authentication is DoD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to a DBMS user account for the authenticated identity to be meaningful to the DBMS and useful for authorization decisions.
Check Content
Review the Redis Enterprise configuration to verify that user accounts are mapped directly to unique identifying information within the validated PKI certificate. To test, have the user log in to the database and verify that the certificate unique to the authenticating user is used, or that the user is prompted for it. If user accounts are not being mapped to authenticated identities, this is a finding.
Fix Text
Configure Redis Enterprise settings to meet organizationally defined requirements. Redis Enterprise uses LDAP to map the authenticated identity directly to the DBMS user account.

1. Before enabling LDAP in Redis Software, verify:
   - Confirmation of the LDAP groups that correspond to the levels of access to be authorized. Each LDAP group will be mapped to a Redis Software access control role.
   - Confirmation of the Redis Software access control role for each LDAP group. If role-based access controls (RBAC) have not already been set up, do so before enabling LDAP.
2. The following LDAP information is needed:
   - Server URI, including host, port, and protocol details.
   - Certificate details for secure protocols.
   - Bind credentials, including Distinguished Name, password, and (optionally) client public and private keys for certificate authentication.
   - Authentication query details, whether template or query.
   - Authorization query details, whether attribute or query.
   - The Distinguished Names of the LDAP groups that will be used to authorize access to Redis Software resources.
3. Use Settings | LDAP to enable LDAP access.
4. Map LDAP groups to access control roles.
5. Update database access control lists (ACLs) to authorize role access. If appropriate roles are already established, update them to include the LDAP groups.

For additional information: https://docs.redislabs.com/latest/rs/security/ldap/
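A review helper, added here and not part of the STIG or of Redis Enterprise's own tooling: it takes the cluster's LDAP configuration, group mappings and roles (shaped like the objects the Redis Enterprise REST API returns from GET /v1/cluster/ldap, /v1/ldap_mappings and /v1/roles; those endpoint and field names are assumptions to confirm against your cluster's API version, and the sample data is constructed) and reports any LDAP group that does not map to an existing access control role, which is the condition the Check Content calls a finding.

```python
from typing import Dict, List

# Constructed sample of GET /v1/cluster/ldap (endpoint and field names assumed)
LDAP_CONFIG: Dict = {
    "uris": ["ldaps://ldap.example.com:636"],
    "bind_dn": "cn=redis-bind,ou=svc,dc=example,dc=com",
    "user_dn_template": "uid=%u,ou=people,dc=example,dc=com",
    "authorization_query": "(&(objectClass=groupOfNames)(member=%D))",
}

# Constructed sample of GET /v1/roles (only uid and name are used here)
ROLES: List[Dict] = [
    {"uid": 1, "name": "db-admins"},
    {"uid": 2, "name": "db-viewers"},
]

# Constructed sample of GET /v1/ldap_mappings; the last group points at a role that does not exist
LDAP_MAPPINGS: List[Dict] = [
    {"uid": 10, "name": "dba", "dn": "cn=redis-dba,ou=groups,dc=example,dc=com", "role_uids": [1]},
    {"uid": 11, "name": "readonly", "dn": "cn=redis-ro,ou=groups,dc=example,dc=com", "role_uids": [2]},
    {"uid": 12, "name": "stale", "dn": "cn=redis-old,ou=groups,dc=example,dc=com", "role_uids": [99]},
]


def audit_ldap_mapping(config: Dict, mappings: List[Dict], roles: List[Dict]) -> List[str]:
    """Return findings for RD6X-00-009300; an empty list means the check passes."""
    findings: List[str] = []
    # Step 2 of the fix text: secure protocol, authentication and authorization details present.
    for uri in config.get("uris", []):
        if not uri.lower().startswith("ldaps://"):
            findings.append(f"LDAP URI {uri} does not use a secure protocol")
    if not (config.get("user_dn_template") or config.get("user_dn_query")):
        findings.append("no LDAP authentication template or query configured")
    if not (config.get("authorization_query") or config.get("authorization_attribute")):
        findings.append("no LDAP authorization query or attribute configured")
    # Step 4: every LDAP group DN must map to at least one role that actually exists.
    known_roles = {r["uid"] for r in roles}
    if not mappings:
        findings.append("no LDAP group mappings defined; identities cannot be mapped")
    for m in mappings:
        if not any(uid in known_roles for uid in m.get("role_uids", [])):
            findings.append(f"LDAP group {m['dn']} maps to no existing access control role")
    return findings


if __name__ == "__main__":
    for line in audit_ldap_mapping(LDAP_CONFIG, LDAP_MAPPINGS, ROLES) or ["no findings"]:
        print(line)
```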
Additional Identifiers
Rule ID: SV-251227r961044_rule
Vulnerability ID: V-251227
Group Title: SRG-APP-000177-DB-000069
CCIs
Number | Definition |
---|---|
CCI-000187 | For public key-based authentication, map the authenticated identity to the account of the individual or group. |
Controls
Number | Title |
---|---|
IA-5(2) | PKI-based Authentication |