Check: RD6X-00-010300
Redis Enterprise 6.x STIG:
RD6X-00-010300
(in versions v2 r2 through v1 r1)
Title
Redis Enterprise DBMS must recognize only system-generated session identifiers. (Cat II impact)
Discussion
This requirement focuses on communications protection for the DBMS session rather than for the network packet. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. Redis Enterprise Software (RS) uses self-signed certificates out-of-the-box to make sure that sessions are secure by default. When using the default self-signed certificates, an untrusted connection notification is shown in the web UI. Depending on the browser used, the user can allow the connection for each session or add an exception to make the site trusted in future sessions.
Check Content
By default, each cluster node has a different set of self-signed certificates. These certificates can be replaced with a DoD-acceptable certificate, preferably a certificate issued by an intermediate certificate authority (CA). For security reasons, Redis Enterprise only supports the TLS protocol. Therefore, verify that the Redis client or secured tunnel solution is TLS v1.2 or above.

Run the following commands and verify that certificates are present:

# cd /etc/opt/redislabs
# ls

Verify the proxy_cert.pem file is present. If no certificates are present, this is a finding.
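The check above can be scripted for repeatable audits. The following helper is an added example, not part of the STIG text or of Redis Enterprise; it assumes the certificate directory is /etc/opt/redislabs (overridable via the first argument) and looks only for the proxy_cert.pem file named in the check.

```shell
# Added example (not from the STIG): audit helper for RD6X-00-010300.
# Assumptions: certificate directory is /etc/opt/redislabs unless a path is
# passed as $1; the file the check names is proxy_cert.pem.
# Exit status: 0 = present and PEM-structured (not a finding),
#              1 = missing or empty (finding),
#              2 = present but not a PEM certificate (finding).
check_proxy_cert() {
    dir="${1:-/etc/opt/redislabs}"
    cert="$dir/proxy_cert.pem"

    if [ ! -s "$cert" ]; then
        echo "FINDING: $cert is missing or empty"
        return 1
    fi

    # A PEM certificate carries both BEGIN and END CERTIFICATE markers.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || \
       ! grep -q -- '-----END CERTIFICATE-----' "$cert"; then
        echo "FINDING: $cert exists but is not a PEM certificate"
        return 2
    fi

    # Informational only: when openssl is available, print subject and issuer
    # so the reviewer can see whether the default self-signed certificate
    # (subject equals issuer) is still in place instead of a CA-issued one.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$cert" -noout -subject -issuer 2>/dev/null || \
            echo "note: openssl could not parse $cert; inspect it manually"
    fi

    echo "NOT A FINDING: $cert is present"
    return 0
}
```

Run it on each cluster node, since the check notes that every node carries its own certificate set.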
Fix Text
To configure TLS and configure only organizationally defined CA-signed certificates, refer to the following document: https://docs.redislabs.com/latest/rs/administering/cluster-operations/updating-certificates/
Additional Identifiers
Rule ID: SV-251237r961116_rule
Vulnerability ID: V-251237
Group Title: SRG-APP-000223-DB-000168
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001664 | Recognize only session identifiers that are system-generated. |
Controls
Number | Title |
---|---|
SC-23(3) | Unique Session Identifiers with Randomization |