Check: RD6X-00-008500
Redis Enterprise 6.x STIG:
RD6X-00-008500
(in versions v2 r2 through v1 r1)
Title
Redis Enterprise DBMS must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. (Cat II impact)
Discussion
The DOD standard for authentication of an interactive user is the presentation of a Common Access Card (CAC) or other physical token bearing a valid, current, DOD-issued Public Key Infrastructure (PKI) certificate, coupled with a Personal Identification Number (PIN) to be entered by the user at the beginning of each session and whenever reauthentication is required. Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user reauthenticate. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances: (i) When authenticators change; (ii) When roles change; (iii) When security categories of information systems change; (iv) When the execution of privileged functions occurs; (v) After a fixed period of time; or (vi) Periodically. Within the DOD, the minimum circumstances requiring reauthentication are privilege escalation and role changes. For more information refer to: https://docs.redislabs.com/latest/rs/administering/access-control/.
Check Content
Review the system documentation and the configuration of Redis Enterprise and related applications and tools. If the information owner has identified additional cases where reauthentication is needed, but there are circumstances where the system does not ask the user to reauthenticate when those cases occur, this is a finding. Redis Enterprise requires users to reauthenticate after the configured time-out period has been met, but does not require reauthentication when permissions are updated; permissions are automatically updated and applied on both the database and the Redis Enterprise web UI. Only admin users can modify privileges and roles.
Fix Text
Confirm with information owner any circumstances under which a user is required to reauthenticate. If any exist, confirm they are properly documented. Configure Redis Enterprise settings to meet organizationally defined requirements: User account security To ensure user accounts are secured and not misused, RS supports enforcement of: - Password complexity - Password expiration - Account lock on failed attempts - Account inactivity timeout To enforce a more advanced password policy that meets the desired contractual and compliance requirements and associated organizational policies, it is recommend to use LDAP integration with an external identity provider, such as Active Directory. Resetting user passwords: To reset a user password from the CLI, run: rladmin cluster reset_password <username> The user is asked to enter and confirm the new password. Setting up local password complexity: RS allows for enforcement of a password complexity profile that meets most organizational needs. The password complexity profile is defined by: - At least 8 characters - At least one uppercase character - At least one lowercase character - At least one number (not first or last character) - At least one special character (not first or last character) - Does not contain the User ID or reverse of the User ID - No more than three repeating characters Note: The password complexity profile applies to when a new user is added or an existing user changes their password. To enforce the password complexity profile, run: curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u "<administrator-user-email>:<password>" -d '{"password_complexity":true}' https://<RS_server_address>:9443/v1/cluster Setting local user password expiration: RS allows for enforced password expiration to meet compliance and contractual requirements. To enforce an expiration of a local user password after a specified number of days, run: curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u "<administrator_user>:<password>" -d '{"password_expiration_duration":<number_of_days>}' https://<RS_server_address>:9443/v1/cluster To disable password expiration, set the number of days to 0. Account lock on failed attempts: To prevent unauthorized access to RS, organizations may enforce account lockout after a specified number of failed login attempts. Session timeout: When logging in to the web UI, the account is automatically logged out after 15 minutes of inactivity. To change the duration of inactivity that causes the timeout: From rladmin, run: rladmin cluster config cm_session_timeout_minutes <minutes> From the REST API, run: curl --request PUT \ --url https://localhost:9443/v1/cluster \ --header 'content-type: application/json' \ --data '{ "cm_session_timeout_minutes": <minutes> }'
Additional Identifiers
Rule ID: SV-251221r1018618_rule
Vulnerability ID: V-251221
Group Title: SRG-APP-000389-DB-000372
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002038 |
The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication. |
CCI-004895 |
Permit users to invoke the trusted communications path for communications between the user and the organization-defined security functions, including at a minimum, authentication and re-authentication. |
Controls
Number | Title |
---|---|
IA-11 |
Re-authentication |