Check: RD6X-00-009500
Redis Enterprise 6.x STIG:
RD6X-00-009500
(in version v1 r1)
Title
Redis Enterprise DBMS must use NIST FIPS 140-2-validated cryptographic modules for cryptographic operations. (Cat I impact)
Discussion
Use of weak or non-validated cryptographic algorithms undermines the purpose of using encryption and digital signatures to protect data. Weak algorithms can be easily broken, and non-validated cryptographic modules may not implement algorithms correctly. Unapproved cryptographic modules or algorithms must not be relied on for authentication, confidentiality, or integrity. Weak cryptography could allow an attacker to gain access to and modify data stored in the database as well as the administration settings of the DBMS.

Applications, including DBMSs, that use cryptography are required to use approved NIST FIPS 140-2-validated cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The security functions validated as part of FIPS 140-2 for cryptographic modules are described in FIPS 140-2 Annex A. NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules.

For more detailed information, refer to: https://docs.redislabs.com/latest/rs/administering/designing-production/security/
Check Content
Review the Redis Enterprise configuration to verify it is using NIST FIPS 140-2-validated cryptographic modules for cryptographic operations. Redis Enterprise uses TLS 1.2 and exposes a configurable cipher suite of options through rladmin, the REST API, and the Redis Enterprise web UI.

Verify the host operating system is encrypted. If the host operating system is not encrypted, this is a finding.

If the host operating system is encrypted, run the following commands and verify that only DoD-approved PKI certificates are present:

# cd /etc/opt/redislabs
# ls

Verify the following file is present: proxy_cert.pem

If no certificates are present, this is a finding.

Verify TLS is configured to be used. To check this:

1. Log in to the Redis Enterprise web UI as an admin user.
2. Navigate to the Databases tab, select the database, and then select Configuration.
3. Review the configuration and verify that TLS is enabled for all communications.

If TLS is not configured to be used, this is a finding.

To check the current minimum TLS version, run the following commands on one of the servers hosting Redis Enterprise as a privileged user:

# ccs-cli
# hgetall min_control_tls_version

If the TLS version is not FIPS 140-2 compliant (lower than TLS 1.2), this is a finding. Note that this key governs the cluster control plane; the minimum version for client data connections (min_data_TLS_version, which the Fix Text sets) is a separate setting and should be verified in the same way.

To validate the OpenSSL version, run the following command on one of the servers hosting Redis Enterprise as a privileged user:

# openssl version

The version string alone does not prove that a validated module is in use: also confirm that the host's OpenSSL is a FIPS-enabled build operating in FIPS mode (for example, a "-fips" or "FIPS" marker in the version string on OpenSSL 1.0.2/1.1.1 vendor builds, or an active "fips" provider in the output of "openssl list -providers" on OpenSSL 3). If NIST FIPS 140-2-validated modules are not being used for all cryptographic operations, this is a finding.
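The following script is an added example for this check; it is not STIG text and not a Redis Enterprise tool. It automates the file-presence, minimum-TLS-version and OpenSSL portions of the check so that the same evidence is gathered on every host. Two assumptions are mine, not the STIG's: the certificate directory is a parameter (defaulting to /etc/opt/redislabs) so the functions can be exercised against a test tree, and the minimum TLS version is passed in by the operator as read from ccs-cli rather than scraped, because ccs-cli's output format is not specified on this page. The OpenSSL 3 provider listing format assumed by the parser is the one printed by "openssl list -providers".

```bash
#!/usr/bin/env bash
# Added example for RD6X-00-009500 (not part of the STIG or of Redis Enterprise).
# Each check prints a verdict and returns 0 (pass) or 1 (finding).

# Finding unless <dir>/proxy_cert.pem exists, is non-empty and holds a PEM
# certificate block. <dir> defaults to the path named in the check.
check_proxy_cert() {
  local dir="${1:-/etc/opt/redislabs}"
  local cert="$dir/proxy_cert.pem"
  if [ ! -s "$cert" ]; then
    echo "FINDING: $cert is missing or empty"
    return 1
  fi
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
    echo "FINDING: $cert does not contain a PEM certificate"
    return 1
  fi
  echo "OK: $cert present"
}

# Finding unless the minimum TLS version is 1.2 or 1.3 (the only versions
# SP 800-52r2 permits with a FIPS module). Accepts "1.2" or "TLSv1.2".
check_min_tls() {
  local v="${1#TLSv}"
  case "$v" in
    1.2|1.3) echo "OK: minimum TLS version $v"; return 0 ;;
    "")      echo "FINDING: minimum TLS version is not set"; return 1 ;;
    *)       echo "FINDING: minimum TLS version $v is below 1.2"; return 1 ;;
  esac
}

# OpenSSL 1.0.2 / 1.1.1 vendor FIPS builds mark `openssl version` output
# (e.g. "OpenSSL 1.0.2k-fips  26 Jan 2017", "OpenSSL 1.1.1k  FIPS 25 Mar 2021").
# Finding if no such marker is present.
check_openssl_fips_marker() {
  case "$1" in
    *-fips*|*FIPS*) echo "OK: FIPS build: $1"; return 0 ;;
    *)              echo "FINDING: not a FIPS build: $1"; return 1 ;;
  esac
}

# On OpenSSL 3 the version string says nothing about FIPS; the validated module
# is the "fips" provider and must be loaded and active. $1 is the text of
# `openssl list -providers`. Finding unless a provider named "fips" reports
# "status: active".
check_openssl3_fips_provider() {
  printf '%s\n' "$1" | awk '
    /^  [^ ]/ && !/:/ { prov = $1; next }        # two-space indent: provider name
    prov == "fips" && /status: *active/ { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Runs every check against the live host. $1 is the minimum TLS version the
# operator read via "ccs-cli" / "hgetall min_control_tls_version".
audit_host() {
  local min_tls="$1" rc=0 ver
  check_proxy_cert /etc/opt/redislabs || rc=1
  check_min_tls "$min_tls" || rc=1
  ver="$(openssl version 2>/dev/null)"
  case "$ver" in
    "OpenSSL 3"*)
      if check_openssl3_fips_provider "$(openssl list -providers 2>/dev/null)"; then
        echo "OK: OpenSSL 3 fips provider active"
      else
        echo "FINDING: OpenSSL 3 fips provider not active ($ver)"; rc=1
      fi ;;
    *) check_openssl_fips_marker "$ver" || rc=1 ;;
  esac
  [ "$rc" -eq 0 ] && echo "RESULT: no findings" || echo "RESULT: findings present"
  return "$rc"
}

# Usage on a cluster node: bash fips_audit.sh --run 1.2
if [ "${1:-}" = "--run" ]; then
  audit_host "${2:-}"
fi
```

Run it as a privileged user on a node, passing the value read from ccs-cli; a non-zero exit status means at least one of the scripted conditions is a finding. The web UI TLS setting and the "host operating system is encrypted" condition remain manual steps.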
Fix Text
Configure Redis Enterprise settings to use NIST FIPS 140-2-validated cryptographic modules for cryptographic operations.

To set the minimum TLS version that can be used for encrypting data in transit between a Redis client and a Redis Enterprise cluster, use the REST API or the following rladmin command:

rladmin> cluster config min_data_TLS_version <version> (e.g., 1.2)

The control-plane minimum that the Check Content inspects is a separate setting; set it the same way with min_control_TLS_version so that both paths require TLS 1.2 or higher.

Ensure that the host's OpenSSL is a FIPS 140-2-validated build at the version required by organizational policy and is operating in FIPS mode; a newer OpenSSL release is not FIPS compliant unless that specific module has been validated.
Additional Identifiers
Rule ID: SV-251229r804877_rule
Vulnerability ID: V-251229
Group Title: SRG-APP-000179-DB-000114
CCIs
Number | Definition |
---|---|
CCI-000803 | The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
Controls
Number | Title |
---|---|
IA-7 | Cryptographic Module Authentication |