Check: RD6X-00-011600
Redis Enterprise 6.x STIG: RD6X-00-011600
(in versions v2 r2 through v1 r2)
Title
Redis Enterprise DBMS must maintain the confidentiality and integrity of information during preparation for transmission. (Cat II impact)
Discussion
Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, the DBMS, associated applications, and infrastructure must leverage transmission protection mechanisms. For more detailed information, refer to: https://docs.redislabs.com/latest/rs/administering/designing-production/security/
Check Content
Redis has optional support for TLS on all communication channels, including client connections, replication links, and the Redis Cluster bus protocol. By default, each cluster node has a different set of self-signed certificates. These certificates can be replaced with a DoD-acceptable certificate, preferably a certificate issued by an intermediate certificate authority (CA). For security reasons, Redis Enterprise supports only the TLS protocol. Therefore, verify that the Redis client or secured tunnel solution uses TLS v1.2 or above.

First, verify that the host operating system is encrypted. If the host operating system is not encrypted, this is a finding.

If the host operating system is encrypted, run the following commands and verify that only DoD-approved PKI certificates are present:

    # cd /etc/opt/redislabs
    # ls

Verify the proxy_cert.pem file is present. If no certificates are found, this is a finding.

Verify that TLS is configured to be used. To check this:
1. Log in to the Redis Enterprise web UI as an admin user.
2. Navigate to the Databases tab, select the database, and then configuration.
3. Review the configuration and verify that TLS is enabled for all communications.
If TLS is not configured to be used, this is a finding.

To check the current TLS version, run the following commands on one of the servers hosting Redis Enterprise as a privileged user:

    # ccs-cli
    # hgetall min_control_tls_version

If TLS is not FIPS compliant, this is a finding.
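An added audit helper that scripts the certificate and TLS-version parts of this check (it is not part of the STIG or of Redis Enterprise). It assumes the /etc/opt/redislabs path named in the check, a local openssl binary, and that the value returned by the min_control_tls_version lookup is passed in as a plain version string such as 1.2; it goes one step beyond the check by flagging a proxy_cert.pem that is still self-signed, since the default per-node certificates are self-signed.

```shell
#!/bin/sh
# Added audit helper for this check (not part of the STIG or of Redis Enterprise).
# Assumes: the /etc/opt/redislabs path named in the check, a local openssl binary,
# and that the min_control_tls_version value is passed in as a plain string like "1.2".

# Step "cd /etc/opt/redislabs; ls": return 0 if proxy_cert.pem is present in the directory.
proxy_cert_present() {
  [ -f "$1/proxy_cert.pem" ]
}

# Return 0 if the certificate is self-signed (issuer equals subject). The default
# per-node certificates are self-signed and must be replaced with a CA-issued one.
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
  [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Return 0 if the minimum TLS version string meets the TLS 1.2-or-above requirement.
min_tls_version_ok() {
  case "$1" in
    1.2|1.3) return 0 ;;
    *)       return 1 ;;
  esac
}

# Run the certificate and version checks; print each finding and return the finding count.
# Usage: audit /etc/opt/redislabs "<value returned by hgetall min_control_tls_version>"
audit() {
  dir="$1"; minver="$2"; findings=0
  if proxy_cert_present "$dir"; then
    if cert_is_self_signed "$dir/proxy_cert.pem"; then
      echo "FINDING: $dir/proxy_cert.pem is self-signed (default node certificate)"
      findings=$((findings + 1))
    fi
  else
    echo "FINDING: no proxy_cert.pem found in $dir"
    findings=$((findings + 1))
  fi
  if ! min_tls_version_ok "$minver"; then
    echo "FINDING: min_control_tls_version is '$minver'; TLS 1.2 or above is required"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ] && echo "No findings for $dir"
  return "$findings"
}
```

A zero exit status from audit means neither the certificate nor the version check produced a finding; the host-encryption and web UI steps of the check are still performed manually.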
Fix Text
To configure TLS and configure only organizationally defined CA-signed certificates, refer to the following document: https://docs.redislabs.com/latest/rs/administering/cluster-operations/updating-certificates/
Additional Identifiers
Rule ID: SV-251248r961638_rule
Vulnerability ID: V-251248
Group Title: SRG-APP-000441-DB-000378
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002420 | Maintain the confidentiality and/or integrity of information during preparation for transmission. |
Controls
Number | Title |
---|---|
SC-8(2) | Pre / Post Transmission Handling |