Check: RD6X-00-008800
Redis Enterprise 6.x STIG:
RD6X-00-008800
(in versions v2 r2 through v2 r1)
Title
If passwords are used for authentication, Redis Enterprise DBMS must store only hashed, salted representations of passwords. (Cat II impact)
Discussion
The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires authorizing official (AO) approval. In such cases, database passwords stored in clear text, using reversible encryption, or using unsalted hashes would be vulnerable to unauthorized disclosure. Database passwords must always be in the form of one-way, salted hashes when stored internally or externally to the DBMS.
Check Content
Redis stores and displays its user passwords in encrypted form, it also and transmits passwords as one-way hashed representations utilizing SHA256. Nevertheless, any User ID and Password stores should be verified by interviewing the database administrator (DBA). Interview the DBA or ISSO and review any associated scripts, and applications defined within or external to the DBMS that access the database. The list must also include files, tables, or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts. Determine if any files contain database passwords. If any do, confirm that DBMS passwords stored internally or externally to the DBMS are encoded or encrypted. If any passwords are stored in clear text, this is a finding. Ask the DBA/system administrator (SA)/application support staff if they have created an external password store for applications, batch jobs, and scripts to use on the database server. Verify that all passwords stored there are encrypted. If a password store is used and any password is not encrypted, this is a finding.
Fix Text
Develop, document, and maintain a list of DBMS database objects, database configuration files, associated scripts, applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings in the System Security Plan. Record whether they do or do not contain DBMS passwords. If passwords are present, ensure that they are correctly hashed using one-way, salted hashing functions, and that the hashes are protected by host system security.
Additional Identifiers
Rule ID: SV-251223r1018619_rule
Vulnerability ID: V-251223
Group Title: SRG-APP-000171-DB-000074
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000196 |
The information system, for password-based authentication, stores only cryptographically-protected passwords. |
CCI-004062 |
For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash. |
Controls
Number | Title |
---|---|
IA-5(1) |
Password-based Authentication |