Check: RD6X-00-005400
Redis Enterprise 6.x STIG:
RD6X-00-005400
(in versions v1 r3 through v1 r1)
Title
Redis Enterprise DBMS must provide centralized configuration of the content to be captured in audit records generated by all components of Redis Enterprise DBMS. (Cat II impact)
Discussion
If the configuration of the DBMS's auditing is spread across multiple locations in the database management software, or across multiple commands, only loosely related, it is harder to use and takes longer to reconfigure in response to events. Additional information can be found at: https://docs.redislabs.com/latest/rs/administering/logging/rsyslog-logging/ and https://redislabs.com/blog/sending-redis-cluster-alerts-to-slack-with-syslog/
Check Content
Redis Enterprise does not provide a distinct tool for audit configuration but relies on the rsyslog service of the RHEL host to unify and centralize the logs. Review the Redis Enterprise documentation specific to syslog configuration.

By default, Redis Enterprise sends the event_log.log file, which captures all logged actions in the UI, to rsyslog. To verify that all of the logs are captured in syslog, view the redislabs.conf file in /etc/rsyslog.d. The redislabs.conf file is used to centrally configure the log structure and what information is added to all log output.

If redislabs.conf does not exist, this is a finding.

Verify that the redislabs.conf file includes a defined template() line that specifies what should be captured in accordance with organizational standards. If no template is being used, or the template is not configured to capture log information to organizational standards (such as severity information, timestamp, machine name), this is a finding.
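The following shell function is an added example, not part of the STIG text or of Redis Enterprise's own tooling: it automates the check above against an rsyslog drop-in file and returns a non-zero status for each condition the check calls a finding. It assumes the organizational standard named in the check (severity, timestamp, machine name) and the rsyslog property names that satisfy each; it also treats a template that no action binds as a finding, which is stricter than the check text.

```shell
#!/bin/bash
# Added example (not STIG or Redis Enterprise code): automates RD6X-00-005400.
#
#   check_redislabs_conf [path]     default path: /etc/rsyslog.d/redislabs.conf
#
# Returns 0 when there is no finding, 1 otherwise, printing one line per finding.
# Assumption: the organizational standard requires severity, timestamp and
# machine name; the rsyslog properties accepted for each are listed in the loop.

check_redislabs_conf() {
    local conf="${1:-/etc/rsyslog.d/redislabs.conf}"
    local finding=0
    local body req label pattern

    # "If redislabs.conf does not exist, this is a finding."
    if [ ! -f "$conf" ]; then
        echo "FINDING: $conf does not exist"
        return 1
    fi

    # Work on the non-comment lines only, so a commented-out template does not count.
    body=$(grep -Ev '^[[:space:]]*#' "$conf")

    # A template definition must be present, either in RainerScript form
    # (template(name=...)) or as the legacy $template directive.
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(template\(|\$template[[:space:]])'; then
        echo "FINDING: $conf defines no template()"
        return 1
    fi

    # Every required field must appear as an rsyslog property in the file.
    for req in \
        'severity:%(syslogseverity-text|pri-text|syslogseverity)%' \
        'timestamp:%(timegenerated|timereported|timestamp)%' \
        'hostname:%(HOSTNAME|hostname|FROMHOST)%'
    do
        label="${req%%:*}"
        pattern="${req#*:}"
        if ! printf '%s\n' "$body" | grep -Eq "$pattern"; then
            echo "FINDING: template in $conf does not capture $label"
            finding=1
        fi
    done

    # A template that no action binds captures nothing, so require a binding too
    # (stricter than the check text, which only asks for a defined template).
    if ! printf '%s\n' "$body" | grep -Eq '(template="|\$ActionFileDefaultTemplate[[:space:]])'; then
        echo "FINDING: no action in $conf uses a template"
        finding=1
    fi

    [ "$finding" -eq 0 ] && echo "PASS: $conf defines a template capturing severity, timestamp and hostname"
    return "$finding"
}

# Run the check when invoked with a path argument; when sourced, only define the function.
if [ "$#" -gt 0 ]; then
    check_redislabs_conf "$1"
fi
```

Run it as `bash check_redislabs.sh /etc/rsyslog.d/redislabs.conf` on the host, or source it and call the function from a larger compliance script; the exit status (0 pass, 1 finding) is what a scanner or cron job would record.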
Fix Text
Configure Redis Enterprise to use syslog for all logs generated. Ensure that /etc/rsyslog.d/redislabs.conf exists and is configured; create the file if it is missing. Note that the check above looks for the template in /etc/rsyslog.d/redislabs.conf, so the template() definition used for the Redis Enterprise logs must be placed in that file (see the example configuration below), not only in /etc/rsyslog.conf.

The log entries can be categorized into events and alerts. Events are only logged, while alerts have a state attached to them. RS log entries include information about the specific event that occurred. In addition, rsyslog can be configured to add other information, for example the event severity. Since rsyslog entries do not include the severity information by default, use the following instructions to log that information (shown on Ubuntu; the rsyslog file paths are the same on RHEL):

Add the following line to /etc/rsyslog.conf:

    $template TraditionalFormatWithPRI,"%pri-text%:%timegenerated%:%HOSTNAME%:%syslogtag%:%msg:::drop-last-lf%\n"

And modify $ActionFileDefaultTemplate to use the new template:

    $ActionFileDefaultTemplate TraditionalFormatWithPRI

Save the changes and restart rsyslog for the changes to take effect. View the alerts and events in the messages log file under /var/log.

Template components:

    %pri-text% adds the priority (facility and severity) as text
    %timegenerated% adds the timestamp
    %HOSTNAME% adds the machine name
    %syslogtag% adds the RS message tag, as detailed in the Log entry structure section of the Redis Enterprise rsyslog documentation linked in the Discussion
    %msg:::drop-last-lf%\n writes the message body with its trailing line feed dropped, so each entry is written as exactly one line (the \n adds the terminating newline)

Example configuration for /etc/rsyslog.d/redislabs.conf:

    template(name="RedisLabsEventTemplate" type="string"
             string="%syslogseverity-text%:%pri-text%:%timegenerated%:%HOSTNAME%:%syslogtag%:%msg:::drop-last-lf% -- %syslogtag% -- %programname% \n")

    if $programname startswith 'event_log' then {
        action(type="omfile" file="/var/log/redislabs.log" template="RedisLabsEventTemplate")
    }

With this configuration, the syslog service will load a new template named RedisLabsEventTemplate that prefixes each message with its severity (syslogseverity-text), which will be info, crit, warning, etc., and will use this template to write into the file /var/log/redislabs.log when the program is "event_log" (the Redis Enterprise log manager).

Learn more about the template syntax in the rsyslog documentation. Restart rsyslog:

    systemctl restart rsyslog

Testing the new configuration: navigate to the Redis Enterprise web console and create a new database (or edit an existing database). A new /var/log/redislabs.log file should now exist and contain the event that was generated.
Additional Identifiers
Rule ID: SV-251194r879729_rule
Vulnerability ID: V-251194
Group Title: SRG-APP-000356-DB-000315
Expert Comments
CCIs
Number | Definition
---|---
CCI-001844 | The information system provides centralized management and configuration of the content to be captured in audit records generated by organization-defined information system components.
Controls
Number | Title
---|---
AU-3 (2) | Centralized Management Of Planned Audit Record Content