Check: RD6X-00-011500
Redis Enterprise 6.x STIG:
RD6X-00-011500
(in versions v2 r2 through v1 r1)
Title
Access to database files must be limited to relevant processes and to authorized, administrative users. (Cat II impact)
Discussion
Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles.
Check Content
Review the permissions granted to users by the operating system/file system on the database files, database log files, and database backup files. If any user/role who is not an authorized system administrator with a need to know, a database administrator with a need to know, or a system account for running DBMS processes is permitted to read/view any of these files, this is a finding.

Review the directory contents and files and verify that the appropriate file permissions are set. Verify that the file owner and group are set to the Redis Labs service account (redislabs) or a group defined per site requirements.

To check permissions of log files (Note: This may vary depending on the installation path.):

# ls -ltr /var/opt/redislabs/log

To check persisted files from memory, if they are being used (Note: This may vary depending on the installation path.):

# ls -ltr /var/opt/redislabs/persist/redis/

To check the default file permissions and verify that all authenticated users can only read and modify their own files:

# cat /etc/login.defs | grep UMASK

Verify the value is set to 077 or an appropriate organizationally defined setting.

Investigate the permissions on these files. If the permissions allow access by other, this is a finding.
Fix Text
Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. Add or edit the line for the "UMASK" parameter in the "/etc/login.defs" file to "077":

UMASK 077

Set the permissions of the log files (/var/opt/redislabs/log) and persisted files (/var/opt/redislabs/persist/redis/) to an appropriate organizationally defined setting. Note that UMASK only governs files created after the change; files already present in these directories must have their permissions corrected explicitly.
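The check and fix above are manual. The following script is an added example, not part of the STIG or of Redis Enterprise, that automates the three conditions the check asks the reviewer to verify: the active UMASK in a login.defs-style file, files under the log and persist directories that grant any permission to "other", and files not owned by the expected service account. It assumes GNU find and stat (Linux). The expected owner and the directories are passed as arguments so the checks can be exercised against a constructed directory tree; the production invocation against /var/opt/redislabs is shown in the trailing comment.

```shell
#!/bin/sh
# Added example (not STIG text): script the checks of RD6X-00-011500.
#   1. UMASK in login.defs must be 077 (or the site-defined value)
#   2. no file under the audited directories may grant "other" any access
#   3. every file there must be owned by the expected service account
# Assumes GNU find/stat (Linux). Owner and directories are parameters.

# Print the active UMASK value from a login.defs-style file (comments ignored;
# the last active line wins, as it does for login.defs itself).
login_defs_umask() {
    grep -E '^[[:space:]]*UMASK[[:space:]]+' "$1" | awk '{ print $2 }' | tail -n 1
}

# Succeed only when the active UMASK equals the expected value (default 077).
check_umask() {
    _expected="${2:-077}"
    [ "$(login_defs_umask "$1")" = "$_expected" ]
}

# List regular files under a directory with any r/w/x bit set for "other".
other_accessible_files() {
    find "$1" -type f -perm /007 | sort
}

# List regular files under a directory whose user:group differs from the
# expected account, e.g. "redislabs:redislabs".
misowned_files() {
    find "$1" -type f | while IFS= read -r f; do
        [ "$(stat -c '%U:%G' "$f")" = "$2" ] || printf '%s\n' "$f"
    done | sort
}

# Run all checks over the given directories; print each finding on stdout
# and return 0 only when there are none.
#   audit_redis_files <login.defs> <user:group> <dir>...
audit_redis_files() {
    _defs="$1"
    _owner="$2"
    shift 2
    _rc=0
    if ! check_umask "$_defs"; then
        echo "FINDING: UMASK in $_defs is '$(login_defs_umask "$_defs")', expected 077"
        _rc=1
    fi
    for _d in "$@"; do
        _open=$(other_accessible_files "$_d")
        if [ -n "$_open" ]; then
            printf '%s\n' "$_open" | while IFS= read -r f; do
                echo "FINDING: $f mode $(stat -c '%a' "$f") grants access to other"
            done
            _rc=1
        fi
        _mis=$(misowned_files "$_d" "$_owner")
        if [ -n "$_mis" ]; then
            printf '%s\n' "$_mis" | while IFS= read -r f; do
                echo "FINDING: $f owned by $(stat -c '%U:%G' "$f"), expected $_owner"
            done
            _rc=1
        fi
    done
    return $_rc
}

# Production usage, run as root on the Redis Enterprise node:
#   audit_redis_files /etc/login.defs redislabs:redislabs \
#       /var/opt/redislabs/log /var/opt/redislabs/persist/redis
```

The UMASK parser deliberately ignores commented-out lines, so a file containing "# UMASK 077" followed by an active "UMASK 022" is reported as a finding, which is exactly the case a bare grep for UMASK would hide. The mode test (-perm /007) matches the STIG's "access by other" wording regardless of which of the three bits is set.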
Additional Identifiers
Rule ID: SV-251247r961149_rule
Vulnerability ID: V-251247
Group Title: SRG-APP-000243-DB-000374
CCIs
Number | Definition
---|---
CCI-001090 | Prevent unauthorized and unintended information transfer via shared system resources.
Controls
Number | Title
---|---
SC-4 | Information in Shared Resources