Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Redis sets this limit by default at 10k clients per shard. It reserves 32 for descriptors for internal use. The organization can set a limit based on its needs during the configuration. When the set limit is reached, Redis will deny all new incoming connections and inform senders "max number of clients reached". To check for maximum connections, run the following command: rladmin info db db:<insert_db_id> where db:1 would be: rladmin info db db:1 Search in the output for max_connections. If the max connections are greater than the organizationally defined value, this is a finding. Note: Redis Enterprise 6 does support multiple users; however, it does not support the ability to limit connections per user. If using Redis Cluster, the max number of connections remains 10k; however, each node will use two connections (incoming/outgoing).
To modify the number of maximum sessions, run the following command: rladmin tune db <db_name> max_connections <number_of_connections> e.g., - rladmin tune db inline-jp-staging max_connections 15000
Redis Enterprise supports LDAP for access to the Redis Enterprise web UI. If all accounts are authenticated by the organization-level authentication/access mechanism and not by the DBMS, this is not a finding. LDAP can be checked by examining the process used during user login on the Redis web UI. If any accounts are managed by Redis Enterprise, review the system documentation for justification and approval of these accounts. Compare the documented accounts with those found on the system. If any Redis Enterprise-managed accounts exist that are not documented and approved, this is a finding.
Integrate Redis Enterprise with LDAP to provide organization-level authentication/access mechanism and account management for all users, groups, roles, and any other principals. For each DBMS-managed account that is not documented and approved, either transfer it to management by the external mechanism or document the need for it and obtain approval as appropriate. To enable LDAP: 1. Import the saslauthd configuration. 2. Restart saslauthd service. 3. Configure LDAP users. Configuring LDAP: To provide the LDAP configuration information: 1. Edit the configuration file located at /etc/opt/redislabs/saslauthd.conf or the installation directory used during initial configuration. 2. Provide the following information associated with each variable: - ldap_servers: the ldap servers that authenticate against and the port to use: Port 389 is standardly used for unencrypted LDAP connections Port 636 is standardly used for encrypted LDAP connections and is strongly recommended. - Ldap_tls_cacert_file (optional): The path to the CA Certificates. This is required for encrypted LDAP connections only. - ldap_filter: the filter used to search for users. - ldap_bind_dn: The distinguished name for the user that will be used to authenticate to the LDAP server. - ldap_password: The password used for the user specified in ldap_bind_dn 3. Import the saslauthd configuration into Redis Enterprise using the command below, which will distribute the configuration to all nodes in the cluster: rladmin cluster config saslauthd_ldap_conf <path_to_saslauthd.conf> Note: For this command to work on a new server installation, a cluster must be set up already. 4. Restart saslauthd: sudo supervisorctl restart saslauthd
Review the system documentation to determine if accounts have been set with appropriate, organizationally defined role-based permissions. Compare these settings with the settings on the actual DB. To find the database id, run the command: rladmin status extra all. 1. Log in to Redis Enterprise. 2. Navigate to the access controls tab. 3. Verify that each user is assigned an appropriate role. If a user is not assigned an appropriate role, this is a finding. If the appropriate role is not assigned to a user, or the roles and permission settings are not documented, this is a finding.
To modify the commands or keys a user is able to access, perform the following steps: 1. Log in to Redis Enterprise. 2. Navigate to the access controls tab. 3. Ensure the appropriate role is configured by inspecting the Redis ACL rules and Roles in the Redis ACL and Role sub-tabs. 4. If an appropriate role is not present, create the appropriate role. 5. On the users tab, assign the appropriate role to the user in question.
Redis Enterprise discretionary access control is configured through the use of individual roles. Verify that enforcement of role-based access control (RBAC) is implemented. Review the system documentation to determine if accounts have been set with appropriate, organizationally defined Discretionary Access Control permissions. Compare these settings with the settings on the actual DB. 1. Log in to Redis Enterprise. 2. Navigate to the access controls tab. 3. Verify that each user is assigned a role. If a user is not assigned an appropriate role, this is a finding. If the appropriate access is not assigned to a user, or the access and permission settings are not documented, this is a finding.
To assign a user to a role: 1. Log in to Redis Enterprise as an admin user. 2. Navigate to the access controls tab. 3. Ensure that each user is assigned a role according to organizationally defined policy. To configure a Redis ACL rule that can be assigned to a user role: 1. Navigate to access control >> redis acls. 2. Edit an existing Redis ACL by hovering over a Redis ACL and clicking "Edit". 3. Create a new Redis ACL by clicking "Add". 4. Enter a descriptive name for the Redis ACL. This will be used to reference the ACL rule to the role. 5. Define the ACL rule. 6. Click "Save". For more information: https://docs.redislabs.com/latest/rs/security/passwords-users-roles/
Review the system documentation to determine what organizationally defined Access Control permissions should be in place. Compare these settings with the settings on the actual DB. 1. Log in to Redis Enterprise. 2. Navigate to the access controls tab >> redis acls 3. Review ACLs for appropriate rules. If ACL rules are not defined as appropriate in system documentation, this is a finding. 4. Review roles. 5. Verify that each role is assigned an appropriate ACL. If a role is not assigned an appropriate ACL, this is a finding. 6. Review users. 7. Verify that each user is assigned a role. If a user is not assigned an appropriate role, this is a finding. If any user accounts implicitly gain “Full Access” through the user/role/ACL relationship and are not authorized, this is a finding.
To configure a Redis ACL rule that can be assigned to a user role: 1. Navigate to access control >> redis acls. 2. Edit an existing Redis ACL by hovering over a Redis ACL and clicking "Edit". 3. Create a new Redis ACL by clicking "Add". 4. Enter a descriptive name for the Redis ACL. This will be used to reference the ACL rule to the role. 5. Define the ACL rule. 6. Click "Save". Assign ACLs to roles and roles to users as appropriate. For more information: https://docs.redislabs.com/latest/rs/security/passwords-users-roles/
To verify this, perform the following steps: 1. Log in to the Redis Enterprise control plane. 2. Navigate to the access control tab. 3. Navigate to the users tab and review the roles for users. 4. For users without the need to modify the database, verify they are given a viewer or none for cluster management in the roles tab. 5. For users with access to databases, verify they are given the default role "Not Dangerous" or a more restrictive role that does not allow access to the dangerous command category. If a non-privileged user is granted a non-default role, this is a finding.
To ensure that a non-privileged user is not granted a non-default role, perform the following steps: 1. Log in to the Redis Enterprise control plane. 2. Navigate to the access control tab. 3. Navigate to the users tab and review the roles for users. 4. Assign users an appropriate role, and if necessary, create a new role for the user. 5. Modify and save the users' new role after ensuring the role is provided with the appropriate permissions.
To verify that each database is not using these modules, perform the following steps: 1. Log in to the Redis Enterprise control plane. 2. Navigate to the databases tab. 3. Inspect each database for Redis modules within the database application. If the databases display "None" next to the Redis Modules field, no modules are installed. If a module is present and a necessary use case is not documented, this is a finding.
To remove a module from the Redis Enterprise Software: 1. Log in to the adminUI as an administrator. 2. Navigate to the "settings" tab. 3. Under "redis modules" to the far-right of each individual module, click the trashcan icon to remove the associated module. To remove a module from an existing database, the database needs to be recreated without the authorized modules and migrate all applications and data to the new database. Once a module is installed within a database, removal is not supported.
Review the organization documentation to determine the organization-defined auditable events. To validate the log of an event, check the logs tab for configuration actions within Redis Enterprise. On the Redis Enterprise UI: 1. Log in to Redis Enterprise. 2. Navigate to the logs page. 3. Review the logs as needed to verify they meet organizationally defined audit events. On the underlying server, logs may also be found in /var/opt/redislabs/log/<log_name> The eventlog.log and cnm_http log files contain all logs. To check, perform an event that should trigger an organizationally defined audit log. Review logs in the UI, and in /var/opt/redislabs/log/eventlog.log and /var/opt/redislabs/log/cnm_http.log for applicable event logs. Check DBMS auditing to determine whether organization-defined auditable events are being audited by the system. To check the current verbosity (log level), run the following command from the underlying node (as root): ccs-cli hget dmc:<node_id> log_level and ccs-cli hget dmc:<node_id> mgmt_log_level If the field does not exist it means the DMC is working with its default log_level which is "info". If the action is not captured in the logs page audit trail, this is a finding.
Logging verbosity on Redis Enterprise can be changed for error messages and debugging purposes. Auditing and logging levels for user actions on the control plane does not change and cannot be configured. Configure the verbosity to the organizationally defined level: 1. Enter the relevant node and run the following commands (run on each desired node): - ccs-cli hset dmc:<node_id> log_level <log_level> - ccs-cli hset dmc:<node_id> mgmt_log_level <log_level> 2. Reconfigure the DMC: rlutil dmc_reconf dmc=<node_id> 3. Set a specific log level in the DMC for a given DB: - ccs-cli hset bdb:<db_id> log_level <log_level> - rlutil dmc_reconf bdb=<db_id> Logging levels include: 1. Debug (DBG) - at this level, anything goes, to include whatever a developer finds useful for debugging. This level should very rarely be active in production and is intended for developers only. 2. Trace (TRC) - used for tracking specific elements' lifespan, issues a few messages (only those important for tracing element) per flow. It might be used in production, under very restrictive and careful watch, for very short periods of time. 3. Info (INF) - positive events changing the behavior of app or one of its major elements: a key component started, configuration changed, etc. 4. Warn (WRN) - events that have temporary (usually recoverable) negative impact on one or more major application elements (server went down, a temporary lack or resources, etc.), such events lead to undesired impact on many sub-elements, while others can still function properly. 5. Error (ERR) - unexpected, harmful events - a key element/component cannot function properly, there is no way to recover proper functionality until this situation is resolved (configuration in accessible, or fundamentally broken, network unreachable, etc.). 6. Fatal (FTL) - unrecoverable state. Usually, the last message (or one of very few of them) in an app's lifetime. NOTICE: Level info (3) and above are enabled by default.
Auditing alerts can be selected on Redis Enterprise. With the RBAC settings, by default, only the Admin group can configure these events in the database. Additional roles with admin privileges can also be configured. To view which roles have admin level privileges: 1. Log in to Redis Enterprise. 2. Navigate to the Access control tab and review the users listed therein. To view which alerts are configured: 1. Log in to Redis Enterprise. 2. Navigate to the Databases tab. 3. Select any database to view and select the configuration tab. 4. Scroll down to determine which Alerts are selected to be emailed to the appropriate audiences (if any). If designated personnel are not able to configure auditable events, this is a finding.
Configure the DBMS's settings to allow designated personnel to select which auditable events are audited. This can be done on Redis Enterprise with ACLs and RBAC. To configure RBAC: 1. Log in to the Redis Control Plane as an admin user. 2. Navigate to the access control tab. 3. Provide the appropriate permissions and privileges as defined by the organization.
All local access to the server is handled by the underlying RHEL OS server that hosts the Redis Enterprise DBMS and is viewable in syslog. Additionally, RHEL can be configured to audit direct access to Redis Enterprise by modifying the rule set in /etc/audit/audit.rules to include the redis-cli and rladmin command found in /opt/redislabs/bin. To determine if the OS is auditing direct and privileged access/execution of the database and database configuration options on the server: cat to /etc/audit/audit.rules Examine the audit rules defined for rules that specify that command calls for /opt/redislabs/bin/redis-cli and /opt/redislabs/bin/rladmin are audited, if not present, this is a finding.
Configure the host RHEL OS to generate audit records whenever a user calls the redis-cli command. This can be done by adding a rule to the /etc/audit/audit.rules to generate records when /opt/redislabs/bin/redis-cli and /opt/redislabs/bin/rladmin is called. Example Linux commands: -a always,exit -F path=/opt/redislabs/bin/redis-cli -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change -a always,exit -F path=/opt/redislabs/bin/rladmin -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change The audit daemon must be restarted for the changes to take effect.
Review the system documentation for a description of how audit records are offloaded and how local audit log space is managed. Redis Enterprise leans on the RHEL host server rsyslog to unify and centralize logs as well as to send them to a centralized log management server or system. To verify that all of the logs are captured in syslog, view the redislabs.conf file in /etc/rsyslog.d. Verify that for each log produced by Redis Enterprise (found in /var/opt/redislabs/log), there is a line in redislabs.conf similar to: if $programname startswith '[Log name found in /var/opt/redislabs/log] ' then { action(type="omfile" file="/var/log/redislabs.log" template="RedisLabsEventTemplate" ) } To verify that Redis Enterprise is configured on the server to send all logs to a centralized log management system, examine the redislabs.conf file found in /etc/rsyslog.d. The file should include the line: action(type="omfwd" protocol="tcp" target="[organization defined logging server IP]" port="[organization defined logging server port]" template="RedisLabsEventTemplate" ) If redislabs.conf is not configured to capture all logs produced by Redis Enterprise or does not exist, this is a finding. If the Redis Enterprise audit records are not written directly to or systematically transfer to a centralized log management system, this is a finding.
Configure Redis Enterprise to use syslog for all logs generated. Ensure that redislabs.conf exists and is configured. Create the file as shown here: /etc/rsyslog.d/redislabs.conf The log entries can be categorized into events and alerts. Events are only logged, while alerts have a state attached to them. RS log entries include information about the specific event that occurred. In addition, rsyslog can be configured to add other information, like the event severity, for example. Since rsyslog entries do not include the severity information by default, use the following instructions to log that information (in Ubuntu): Add the following line to /etc/rsyslog.conf $template TraditionalFormatWithPRI,"%pri-text%:%timegenerated%:%HOSTNAME%:%syslogtag%:%msg:::drop-last-lf%\n" And modify $ActionFileDefaultTemplate to use the new template: $ActionFileDefaultTemplateTraditionalFormatWithPRI Save the changes and restart rsyslog for the changes to take effect. The alerts and events may be found under /var/log in messages log file. Command components: %pritext% adds the severity %timegenerated% adds the timestamp %HOSTNAME% adds the machine name %syslogtag% the RS message as detailed below in the Log entry structure section below. %msg:::droplastlf%n removes duplicated log entries Example configuration: template(name="RedisLabsEventTemplate" type="string" string="%syslogseverity-text%:%pri-text%:%timegenerated%:%HOSTNAME%:%syslogtag%:%msg:::drop-last-lf% -- %syslogtag% -- %programname% \n") if $programname startswith 'event_log' then { action(type="omfile" file="/var/log/redislabs.log" template="RedisLabsEventTemplate" ) } With this configuration, the syslog service will: Load a new template named RedisLabsEventTemplate that logs the message with the priority (syslogseverity-text) that will be info, crit, warning, etc. Use this template to write into the file /var/log/redislabs.log when the program is "event_log" (the Redis Enterprise log manager). Learn more about the template syntax in the syslog documentation. Restart syslog: systemctl restart rsyslog Testing the new configuration: Navigate to the Redis Enterprise web console and create a new database (or edit an existing database). There should be a new /var/log/redislabs.log file and the event that was generated.
Redis Enterprise does not provide a distinct tool for audit configuration but leans on the RHEL host server rsyslog to unify and centralize the logs. Review the Redis Enterprise documentation specific to syslog configuration. By default, Redis Enterprise sends the Event_log.log file that captures all logged actions in the UI to rsyslog. To verify that all of the logs are captured in syslog, view the redislabs.conf file in /etc/rsyslog.d. The redislabs.conf file is used to centrally configure the log structure and what information is added to all log output. If redislabs.conf does not exist, this is a finding. Verify that the redislabs.conf file includes a defined template() line that specifies what should be captured in accordance with organizational standards. If no template is being used, or the template is not configured to capture log information to organizational standards (such as severity information, timestamp, machine name), this is a finding.
Configure Redis Enterprise to use syslog for all logs generated. Ensure that redislabs.conf exists and is configured: Create the file as shown here: /etc/rsyslog.d/redislabs.conf The log entries can be categorized into events and alerts. Events are only logged, while alerts have a state attached to them. RS log entries include information about the specific event that occurred. In addition, rsyslog can be configured to add other information, like the event severity, for example. Since rsyslog entries do not include the severity information by default, use the following instructions to log that information (in Ubuntu): Add the following line to /etc/rsyslog.conf $template TraditionalFormatWithPRI,"%pri-text%:%timegenerated%:%HOSTNAME%:%syslogtag%:%msg:::drop-last-lf%\n" And modify $ActionFileDefaultTemplate to use the new template: $ActionFileDefaultTemplateTraditionalFormatWithPRI Save the changes and restart rsyslog for the changes to take effect. View the alerts and events under /var/log in messages log file. Command components: %pritext% adds the severity %timegenerated% adds the timestamp %HOSTNAME% adds the machine name %syslogtag% the RS message as detailed below in the Log entry structure section below. %msg:::droplastlf%n removes duplicated log entries Example configuration: template(name="RedisLabsEventTemplate" type="string" string="%syslogseverity-text%:%pri-text%:%timegenerated%:%HOSTNAME%:%syslogtag%:%msg:::drop-last-lf% -- %syslogtag% -- %programname% \n") if $programname startswith 'event_log' then { action(type="omfile" file="/var/log/redislabs.log" template="RedisLabsEventTemplate" ) } With this configuration, the syslog service will: Load a new template named RedisLabsEventTemplate that logs the message with the priority (syslogseverity-text) that will be info, crit, warning, etc. Use this template to write into the file /var/log/redislabs.log when the program is "event_log" (the Redis Enterprise log manager). Learn more about the template syntax in the syslog documentation. Restart syslog: systemctl restart rsyslog Testing the new configuration: Navigate to the Redis Enterprise web console and create a new database (or edit an existing database). There should be a new /var/log/redislabs.log file and the event that was generated.
Review organization documentation to determine the organization-defined audit record storage requirements. By default, Redis Enterprise will use whatever disk space is allocated for audit logs. It is the responsibility of the organization to ensure that the RHEL OS server hosting the service has been allocated enough storage space to avoid running out of log space. Interview the system administrator and review audit log configuration and alerts to investigate whether there have been any incidents where the Redis Enterprise server ran out of audit log space since the last time the space was allocated, or other corrective measures were taken. If such incidents have occurred, this is a finding. Review the Redis Enterprise control pane as an admin user. If alerts are present indicating that storage is full or is at 95 percent full, this is a finding.
Ensure that the server is configured with enough storage space to accommodate database and audit record storage. The right amount of storage will be dependent on a variety of factors such as: number of databases, database size, HA enabled, persistence enabled, etc. At no time should storage be more than 95 percent full. See the following documents for hardware requirements: https://docs.redislabs.com/latest/rs/administering/designing-production/hardware-requirements/ and https://docs.redislabs.com/latest/rs/installing-upgrading/file-locations/
Review the system documentation for a description of how audit records are offloaded. By default, all log entries shown on the log page in the Redis Enterprise UI are also written to syslog. Then, rsyslog can be configured to monitor the syslog. All alerts are logged to syslog if the alerts are configured to be enabled, in addition to other log entries. These logs can be configured to be offloaded to a centralized log management system. Verify that Redis Enterprise is configured on the server to send all logs to a centralized log management system by examining the redislabs.conf file found in /etc/rsyslog.d. The file should include the line: action(type="omfwd" protocol="tcp" target="[organization defined logging server IP]" port="[organization defined logging server port]" template="RedisLabsEventTemplate" ) If it does not, this is a finding. If the DBMS has a continuous network connection to the centralized log management system, but the DBMS audit records are not written directly to the centralized log management system or transferred in near-real-time, this is a finding. If the DBMS does not have a continuous network connection to the centralized log management system, and the DBMS audit records are not transferred to the centralized log management system weekly or more often, this is a finding.
Configure Redis Enterprise to offload log entries onto a separate log server by configuring the redislabs.conf and ensuring that all server logs from syslog are offloaded to a centralized backup server. To configure Redis Enterprise to use syslog for all logs generated, ensure that redislabs.conf exists and is configured. Create the file as shown here: /etc/rsyslog.d/redislabs.conf The log entries can be categorized into events and alerts. Events are only logged, while alerts have a state attached to them. RS log entries include information about the specific event that occurred. In addition, rsyslog can be configured to add other information, such as the event severity, for example. Since rsyslog entries do not include the severity information by default, use the following instructions to log that information (in Ubuntu): Add the following line to /etc/rsyslog.conf $template TraditionalFormatWithPRI,"%pri-text%:%timegenerated%:%HOSTNAME%:%syslogtag%:%msg:::drop-last-lf%\n" And modify $ActionFileDefaultTemplate to use the new template: $ActionFileDefaultTemplateTraditionalFormatWithPRI Save the changes and restart rsyslog for the changes to take effect. Alerts and events can be viewed under /var/log in messages log file. Command components: %pritext% adds the severity. %timegenerated% adds the timestamp. %HOSTNAME% adds the machine name. %syslogtag% the RS message as detailed below in the Log entry structure section below. %msg:::droplastlf%n removes duplicated log entries. Example configuration: template(name="RedisLabsEventTemplate" type="string" string="%syslogseverity-text%:%pri-text%:%timegenerated%:%HOSTNAME%:%syslogtag%:%msg:::drop-last-lf% -- %syslogtag% -- %programname% \n") if $programname startswith 'event_log' then { action(type="omfile" file="/var/log/redislabs.log" template="RedisLabsEventTemplate" ) } With this configuration, the syslog service will: Load a new template named RedisLabsEventTemplate that logs the message with the priority (syslogseverity-text) that will be info, crit, warning, etc. Use this template to write into the file /var/log/redislabs.log when the program is "event_log" (the Redis Enterprise log manager). Learn more about the template syntax in the syslog documentation. Restart syslog: systemctl restart rsyslog Testing the new configuration: Navigate to the Redis Enterprise web console and create a new database (or edit an existing database). There should be a new /var/log/redislabs.log file and the event that was generated.
To verify that Redis Enterprise has been configured to send appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity: 1. Log in to the Redis Enterprise UI as a user with the Admin role. 2. Navigate to the Settings tab and then to Alerts. 3. Verify that the appropriate Alerts are enabled to notify support staff when storage volume reaches 75 percent. 4. Navigate to the General subtab and scroll down to verify that an email server is set up to send out alert notifications. 5. Lastly, navigate to the Access Control tab and verify that the appropriate users listed are configured to receive alert notifications. To view on a specific database: 1. Navigate to the Databases tab on the UI. 2. Select the Databases from the list and then select configuration. 3. Scroll down to view the Alert settings. Also verify that the RHEL server OS is STIG compliant to notify support staff when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. If appropriate support staff are not notified immediately upon storage volume utilization reaching 75 percent, this is a finding.
To configure cluster alerts: 1. Log in to the Redis Enterprise AdminUI (repeat this step for the following sections as well). 2. Navigate to settings >> alerts. Alerts may be enabled for node or cluster events, such as high memory usage or throughput. Configurable alerts may be displayed as follows: - As a warning icon for the node and cluster - In the logs - In email notifications, if email alerts are configured Note: If alerts are enabled for "Node joined" or "Node removed" actions, "Receive email alerts" must also be enabled so the notifications are sent. To enable alerts for a cluster: In settings >> alerts, select the desired alerts to show for the cluster and click "Save". Database alerts: For each database, alerts may be enabled for database events, such as high memory usage or throughput. Configured alerts are shown: - As a warning icon (Warning) for the database - In the log - In emails, if email alerts are configured To enable alerts for a database: 1. In configuration for each database, click show advanced options to view and select the database alerts. 2. Click "Update". To send cluster or database alerts by email: 1. Log in to the Redis Enterprise UI. 2. Navigate to settings >> alerts, then select Receive email alerts at the bottom of the page. 3. Configure the email server settings. 4. In access control, select for each user the database and cluster alerts that are to be received by the user.
Review the OS or third-party logging software settings to determine whether a real-time alert will be sent to the appropriate personnel when auditing fails for any reason. If real-time alerts are not sent upon auditing failure, this is a finding.
Configure the system to provide an immediate real-time alert to appropriate support staff when an audit log failure occurs. It is possible to create scripts or implement third-party tools to enable real-time alerting for audit log failures, depending on the underlying OS. Additionally, it is recommended to enable the following alerts from within the Redis Enterprise AdminUI Console: 1. Log in to the AdminUI. 2. Navigate to settings >> alerts. - Receive email alerts (with the appropriate email server settings configured under settings >> general) - Node has sufficient disk space for AOF rewrite - Multiple nodes are down - this may cause data loss
If the application owner has determined that the need for system availability outweighs the need for a complete audit trail, this is not applicable. Otherwise, review the procedures, manual and/or automated, for monitoring the space used by audit trail(s) and for offloading audit records to a centralized log management system. If the procedures do not exist, this is a finding. If the procedures exist, request evidence that they are followed. If the evidence indicates that the procedures are not followed, this is a finding. If the procedures exist, inquire if the system has ever run out of audit trail space in the last two years or since the last system upgrade, whichever is more recent. If it has run out of space in this period, and the procedures have not been updated to compensate, this is a finding.
Modify DBMS, OS, or third-party logging application settings to alert appropriate personnel when a specific percentage of log storage capacity is reached.
Redis Enterprise uses the default logrotate daemon to schedule rotation of logs stored on the operating system. The configuration of log rotation may be found at /etc/logrotate.d. By default, the log rotation should occur on a daily basis. Redis Labs recommends sending log files to a remote logging server so that they can be more effectively maintained. To check the log rotation policy, perform the following steps: 1. sudo cat /etc/logrotate.conf (The location of the log rotation configuration may vary depending on operating system distribution.) 2. Investigate the log rotation policy to verify that the appropriate policy is applied for all logs. Check to verify that log rotation is not disabled and is appropriate for the application by investigating the logrotated configuration. If log rotation is not enabled or is not configured appropriately, this is a finding.
Redis Enterprise uses the default logrotate daemon to schedule rotation of logs stored on the operating system. The configuration of log rotation may be found at /etc/logrotate.d. By default, the log rotation should occur on a daily basis. Redis Labs recommends sending log files to a remote logging server so that they can be more effectively maintained. To modify the log rotation policy perform the following steps: 1. sudo vi /etc/logrotate.conf (The location of the log rotation configuration may vary depending on operating system distribution.) 2. Modify the log rotation configuration to meet the needs of the application.
To check the timestamp, perform the following steps: 1. Log in to the Redis Enterprise Control Plane. 2. Navigate to the settings tab. 3. Navigate to the general tab of the settings tab. 4. On screen find the Time zone setting. 5. Verify that the time zone is mapped to UTC. If the time zone isn't mapped to UTC, this is a finding.
To resolve an issue with the timestamps, perform the following steps: 1. Log in to the Redis Enterprise Control Plane. 2. Navigate to the settings tab. 3. Navigate to the general tab of the settings tab. 4. On screen find the Time zone setting. 5. Ensure that the time zone is mapped to UTC. 6. Click "Save".
To investigate the log files used by Redis Enterprise, perform the following steps: 1. SSH into the server running Redis Enterprise. 2. Issue the command cd /var/opt/redislabs/log 3. Issue the command ls -ltr ./ Investigate the permissions on these files. These permissions should be 640 or 660 and assigned to the installation user and group or another appropriate group. If the permissions are readable by other or assigned an inappropriate owner/group, this is a finding. Redis Enterprise does not support the ability to perform transaction logging.
To investigate the log files used by Redis Enterprise, perform the following steps: 1. SSH into the server running Redis Enterprise. 2. Issue the command chmod 640 /var/opt/redislabs/log/* to change permissions of log files that are not appropriately assigned permissions. 3. Issue the command chown owner:group -R /var/opt/redislabs/log/ if the ownership is not correct where the owner and group are substituted for the appropriate owner and group.
To investigate the log files used by Redis Enterprise, perform the following steps: 1. SSH into the server running Redis Enterprise. 2. Issue the command cd /var/opt/redislabs/log 3. Issue the command ls -ltr ./ Investigate the permissions on these files. These permissions should be 640 or 660 and assigned to the installation user and group or another appropriate group. If the permissions are readable by other or assigned an inappropriate owner/group, this is a finding. Redis Enterprise does not support the ability to perform transaction logging.
To investigate the log files used by Redis Enterprise, perform the following steps: 1. SSH into the server running Redis Enterprise. 2. Issue the command chmod 640 /var/opt/redislabs/log/* to change permissions of log files that are not appropriately assigned permissions. 3. Issue the command chown owner:group -R /var/opt/redislabs/log/ if the ownership is not correct where the owner and group are substituted for the appropriate owner and group.
To investigate the log files used by Redis Enterprise stored on the operating system, perform the following steps: 1. SSH into the server running Redis Enterprise. 2. Issue the command cd /var/opt/redislabs/log 3. Issue the command ls -ltr ./ Investigate the permissions on these files. These permissions should be 640 or 660 and assigned to the installation user and group or another appropriate group. If the permissions are readable by other or assigned an inappropriate owner/group, this is a finding. Redis Enterprise does not support the ability to perform transaction logging. Redis Enterprise also provides configurable role-based access control inherently within the product. This is available to users with the cluster viewer. To verify that users are provided the appropriate permissions that they are authorized to use, check each user's assigned roles. 1. Log in to Redis Enterprise. 2. Navigate to the access controls tab. 3. Navigate to the users tab. 4. Review all roles assigned to a user and verify that user is given the appropriate role for their authorization level. Roles with the Cluster Management Role of admin, cluster_member, cluster_viewer, or db_member are able to view logs in the UI. If the user is not given the appropriate role, this is a finding.
To investigate the log files used by Redis Enterprise, perform the following steps: 1. SSH into the server running Redis Enterprise. 2. Issue the command chmod 640 /var/opt/redislabs/log/* to change permissions of log files that are not appropriately assigned permissions. 3. Issue the command chown owner:group -R /var/opt/redislabs/log/ if the ownership is not correct where the owner and group are substituted for the appropriate owner and group. Redis Enterprise provides configurable role-based access control inherently within the product. To ensure that users are provided the appropriate permissions that they are authorized to use, check each user's assigned roles. 1. Log in to Redis Enterprise. 2. Navigate to the access controls tab. 3. Navigate to the users tab. 4. Ensure that each user is given a role appropriate for their authorization level.
For validating privilege on the OS, verify user ownership, group ownership, and permissions on the Redis audit directory. From Linux command line as root: > ls - ald /var/opt/redislabs/log/ (or whatever the organizationally defined location for Redis logs) If the User owner is not a defined admin, this is a finding. If the Group owner is not a defined admin group, this is a finding. If the directory is more permissive than 700, this is a finding. For validating privileges on the control plane, verify Redis Admin users listed on the control plane against documented approved admin users. If any users have unauthorized admin privileges, this is a finding.
Apply or modify access controls and permissions (in the file system/operating system) to tools used to view or modify audit log data. Tools must be accessible by authorized personnel only. /var/opt/redislabs/log/ (or whatever the organizationally defined location for Redis logs) should have an appropriate and documented admin user and group owner, and the directory should not have permissions more than 700. To update these permissions, run the following commands: chown redislabs:redislabs /var/opt/redislabs/log chmod 700 /var/opt/redislabs/log
For validating privilege on the OS, verify user ownership, group ownership, and permissions on the redis audit directory. From Linux command line as root: > ls - ald /var/opt/redislabs/log/ (or whatever the organizationally defined location for Redis logs) If the User owner is not a defined admin, this is a finding. If the Group owner is not a defined admin group, this is a finding. If the directory is more permissive than 700, this is a finding. For validating privileges on the control plane, verify Redis Admin users that are listed on the control plane against documented approved admin users. If any users have unauthorized admin privileges, this is a finding.
Apply or modify access controls and permissions (in the file system/operating system) to tools used to view or modify audit log data. Tools must be accessible by authorized personnel only. /var/opt/redislabs/log/ (or whatever the organizationally defined location for Redis logs) should have an appropriate and documented admin user and group owner and the directory should not have permissions more than 700. To update these permissions, run the following commands: chown redislabs:redislabs /var/opt/redislabs/log chmod 700 /var/opt/redislabs/log
For validating privilege on the OS, verify user ownership, group ownership, and permissions on the Redis audit directory: From Linux command line as root: > ls - ald /var/opt/redislabs/log/ (or whatever the organizationally defined location for Redis logs) If the User owner is not a defined admin, this is a finding. If the Group owner is not a defined admin group, this is a finding. If the directory is more permissive than 700, this is a finding. For validating privileges on the control plane, verify Redis Admin users that are listed on the control plane against documented approved admin users. If any users have unauthorized admin privileges, this is a finding.
Apply or modify access controls and permissions (in the file system/operating system) to tools used to view or modify audit log data. Tools must be accessible by authorized personnel only. /var/opt/redislabs/log/ (or whatever the organizationally defined location for Redis logs) should have an appropriate and documented admin user and group owner and the directory should not have permissions more than 700. To update these permissions, run the following commands: chown redislabs:redislabs /var/opt/redislabs/log chmod 700 /var/opt/redislabs/log
Modules may be added to the Redis Enterprise control plane (adminUI) by navigating to the settings tab and then modules. Only admin users can view the settings tab. To verify that users without explicit privileged status are not able to install modules, do the following: 1. Log in to the Redis Enterprise control plane (adminUI) with a user with administrative privileges. 2. Navigate to the access control tab. 3. Verify that only organizationally defined users have the appropriate privileges. If a user is not assigned appropriate permissions, this is a finding.
To ensure a regular user is unable to perform updates: 1. Log in to the Redis Enterprise control plane. 2. Navigate to the access controls tab. 3. In the users section, review each users role to ensure they are assigned the appropriate permissions. 4. If a user is not assigned appropriate permissions, ensure they are moved to an appropriate role.
Redis Enterprise is an application database and not intended to be used by human actors. Human actor activity has been generally abstracted to a control plane that resides outside of the database level. Redis Enterprise comes with roles for both the control plane and the data plane. Viewer roles and none provide access restrictions to make configuration changes to the database. To verify that users are in the appropriate role, perform the following steps: 1. Log in to the Redis Enterprise Control Plane. 2. Navigate to the access control tab. 3. Navigate to the users tab. 4. Verify that all users are assigned an appropriate role. If the principle is using custom roles, this may require investigating the permissions provided for each custom role. If it does not enforce access restrictions associated with changes to the configuration of the DBMS or database(s), this is a finding.
Redis Enterprise is an application database and not intended to be used by human actors. Human actor activity has been generally abstracted to a control plane that resides outside of the database level. To ensure that users are in the appropriate role, perform the following steps: 1. Log in to the Redis Enterprise Control Plane. 2. Navigate to the access control tab. 3. Navigate to the users tab. 4. Ensure that the principle is assigned the appropriate permissions for their function.
The RHEL server OS must be STIG-compliant to ensure only appropriate users have access. Verify user ownership, group ownership, and permissions on the directories where the Redis logs, binaries ,and modules reside: From Linux command line as root, perform the command ls –ald on the following directory paths: /var/opt/redislabs - Default storage location for the cluster data, system logs, backups and ephemeral, persisted data /var/opt/redislabs/log - System logs for Redis Enterprise Software /var/opt/redislabs/run - Socket files for Redis Enterprise Software /etc/opt/redislabs - Default location for cluster manager configuration and certificates /opt/redislabs - Main installation directory for all Redis Enterprise Software binaries /opt/redislabs/bin - Binaries for all the utilities for command line access and managements such as "rladmin" or "redis-cli" /opt/redislabs/config - System configuration files /opt/redislabs/lib - System library files /opt/redislabs/sbin - System binaries for tweaking provisioning If the user owner is not a defined admin, this is a finding. If the group owner is not a defined admin group, this is a finding. If the directory is more permissive than 700, this is a finding. Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files is done. This is performed on the RHEL OS utilizing syslog. Verify the list of files, directories, and database application objects (procedures, functions, and triggers) being monitored is complete. If monitoring does not occur or the list of monitored objects is not complete, this is a finding.
Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement. Syslog can be used to track and monitor access, deletions, and modification actions of the Redis logs, system configuration files, and binaries stored on the RHEL OS. Ensure that the permissions of the Redis logs, system configuration files, and binaries are set so that only those with admin privileges can modify them on the hosting RHEL OS. Permissions can be modified using the chmod command.
To install the software, the user must have root level access to each node it will be installed on. Review the procedure used to install Redis Enterprise. In this procedure, users are capable of selecting their own user to own the software. Typically, this is run under a Redis Labs system user. To check this requirement, investigate the user used and verify that only the appropriate people are able to access this account on the host operating system. If more than the appropriate people can access this account, this is a finding.
User must have root level access to the system prior to installing Redis Enterprise. Without this, the installation will not complete, and no changes will be made. Review the procedure used to install Redis Enterprise. In this procedure, users are capable of selecting their own user to own the software. Typically, this is run under a Redis Labs system user. To check this requirement, investigate the user used and ensure that only the appropriate people are able to access this account on the host operating system.
The default directories that Redis Enterprise Software uses for data and metadata are: 1. /var/opt/redislabs - Default storage location for the cluster data, system logs, backups and ephemeral, persisted data 2. /var/opt/redislabs/log - System logs for Redis Enterprise Software 3. /var/opt/redislabs/run - Socket files for Redis Enterprise Software 4. /etc/opt/redislabs - Default location for cluster manager configuration and certificates 5. /tmp - Temporary files 6. /opt/redislabs - Main installation directory for all Redis Enterprise Software binaries 7. /opt/redislabs/bin - Binaries for all the utilities for command line access and managements such as "rladmin" or "redis-cli" 8. /opt/redislabs/config - System configuration files 9. /opt/redislabs/lib - System library files 10. /opt/redislabs/sbin - System binaries for tweaking provisioning To check this finding, examine the documentation for third-party applications and verify that no other applications are installed in these directories. It is recommended that Redis Enterprise be installed on a single tenant operating system. If another application is using these directories on the host operating system, this is a finding.
To resolve this issue, perform one of the two following actions: 1. Install Redis Enterprise on a single tenant operating system. 2. Uninstall third-party applications that have been installed in the Redis Enterprise directories and install them in separate directories.
To check each user's assigned role: 1. Log in to Redis Enterprise. 2. Navigate to the access controls tab. 3. Navigate to the users tab. 4. Review all roles assigned to a user and verify that user is given the appropriate role for their authorization level. If the user is not given the appropriate role, this is a finding.
To ensure that users are provided the appropriate permissions that they are authorized to use, check each user's assigned roles. 1. Log in to Redis Enterprise. 2. Navigate to the access controls tab. 3. Navigate to the users tab. 4. Locate desired user. 5. Assign appropriate permission based on desired authorization level.
The organization that is implementing Redis Enterprise must review the documentation and configuration to determine if it is configured in accordance with DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs. If Redis Enterprise is not configured in accordance with security configuration settings, this is a finding.
Follow all DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs and IAVMs to configure the Redis Enterprise security configuration settings.
To check this control, investigate the application documentation and understand what services and ports are in use within the application. Inspect the ports running on the server using the following command: sudo ss -tulw If any ports or services that are not approved are present in the output of this command, this is a finding. Redis Enterprise makes use of the following ports: 1. TCP 1968, Internal, Proxy traffic 2. TCP 3333, 3334, 3335, 3336, 3337, 3338, 3339, 36379, 36380, Internal, Cluster traffic 3. TCP 8001, Internal, External, Sentinel Traffic 4. TCP 8002, 8004, Internal, System health monitoring 5. TCP 8443 Internal, External, User Interface 6. TCP 8444, 9080, Internal, Proxy Traffic 7. TCP 9081. Internal, Active-Active 8. TCP 8070, 8071, Internal & External, Metrics Exporter 9. TCP 9443 (Recommended), 8080 (Recommended to be removed), REST API traffic 10. TCP 10000-19999, Internal, External, Active-Active Database traffic 11. TCP 20000-29999, Internal 12. UDP 53, 5353, Internal, External DNS/mDNS traffic
Use firewalld commands to remove any unnecessary ports from the appropriate zone. To do this, enter the following commands as root. This command will immediately remove a port from the configuration: $ firewall-cmd --zone=<zone> --remove-port=<port>/<protocol> This command will persistently remove a port from a configuration: $ firewall-cmd --permanent --zone=<zone> --remove-port=<port>/<protocol> Repeat the previous commands for any port that is unauthorized for use or is not used.
Review the system documentation and interview the database administrator. Identify all database software components. Review the version and release information. 1. Log in to the adminUI console as an authorized user. 2. Navigate to the cluster tab and select configuration. 3. Check the version number next to Redis Labs Enterprise Cluster. Access the below Redis website or use other means to verify the version is still supported: https://docs.redislabs.com/latest/rs/administering/product-lifecycle If the DBMS or any of the software components are not supported by the vendor, this is a finding.
Remove or decommission all unsupported software products. Upgrade unsupported DBMS or unsupported components to a supported version of the product.
Redis Enterprise comes with a suite of capabilities sorted into modules. These modules can be removed if deemed unnecessary. Modules are not needed for Redis Enterprise to function properly but can make some tasks easier. Check the installed modules in the UI at the following location: 1. Log in to the Redis Enterprise UI as an Admin user. 2. Navigate to the Settings tab. 3. View the Redis Modules tab. If unused components or features are installed and are not documented and authorized, this is a finding.
Modules are not needed for Redis Enterprise to function properly but can make some tasks easier. To view/remove installed modules from the UI: 1. Click "Settings" in the red banner. 2. Click Redis modules. 3. Find the module to be removed and click the trash can icon on the right.
Redis Enterprise comes with a suite of capabilities sorted into modules. These modules can be removed if deemed unnecessary. Check the installed modules in the UI at the following location: 1. Log in to the Redis Enterprise UI as an Admin user. 2. Navigate to the Settings tab. 3. View the Redis Modules tab. If unused components or features are present on the system, can be disabled, and are not disabled, this is a finding.
To view/remove installed modules from the UI: 1. Click "Settings" in the red banner. 2. Click Redis modules. 3. Find the module to be removed and click the trash can icon on the right.
Redis Enterprise has this feature available if any object used is approved by the ISSO. By default, external executables are not included in Redis Enterprise, and only admin users on the Redis Enterprise web UI or admins who have direct access to the server can add them. To determine what modules or executables are applied: 1. Log in to the Redis Enterprise web UI as an admin user. 2. Navigate to the settings and then Redis modules tabs. Verify that no unapproved external executables exist. If external executables do exist and are not approved by the ISSO, this is a finding.
To add or remove modules or executables: 1. Log in to the Redis Enterprise web UI as an admin user. 2. Navigate to the settings and then Redis modules tabs. From here, modules may be freely added or removed.
To check this control, investigate the application documentation and understand what services and ports are in use within the application. Inspect the ports running on the server using the following command: sudo ss -tulw If any ports or services that are not approved are present in the output of this command, this is a finding. Redis Enterprise makes use of the following ports: 1. TCP 1968, Internal, Proxy traffic 2. TCP 3333, 3334, 3335, 3336, 3337, 3338, 3339, 36379, 36380, Internal, Cluster traffic 3. TCP 8001, Internal, External, Sentinel Traffic 4. TCP 8002, 8004, Internal, System health monitoring 5. TCP 8443, Internal, External, User Interface 6. TCP 8444, 9080, Internal, Proxy Traffic 7. TCP 9081, Internal, Active-Active 8. TCP 8070, 8071, Internal & External, Metrics Exporter 9. TCP 9443 (Recommended), 8080 (Recommended to be removed), REST API traffic 10. TCP 10000-19999, Internal, External, Active-Active Database traffic 11. TCP 20000-29999, Internal 12. UDP 53, 5353, Internal, External DNS/mDNS traffic
Use firewalld commands to remove any unnecessary ports from the appropriate zone. To do this, enter the following commands as root: This command will immediately remove a port from the configuration: $ firewall-cmd --zone=<zone> --remove-port=<port>/<protocol> This command will persistently remove a port from a configuration: $ firewall-cmd --permanent --zone=<zone> --remove-port=<port>/<protocol> Repeat the previous commands for any port that is unauthorized for use or is not used.
Review the system documentation and the configuration of Redis Enterprise and related applications and tools. If the information owner has identified additional cases where reauthentication is needed, but there are circumstances where the system does not ask the user to reauthenticate when those cases occur, this is a finding. Redis Enterprise requires users to reauthenticate after the configured time-out period has been met, but does not require reauthentication when permissions are updated; permissions are automatically updated and applied on both the database and the Redis Enterprise web UI. Only admin users can modify privileges and roles.
Confirm with information owner any circumstances under which a user is required to reauthenticate. If any exist, confirm they are properly documented. Configure Redis Enterprise settings to meet organizationally defined requirements: User account security To ensure user accounts are secured and not misused, RS supports enforcement of: - Password complexity - Password expiration - Account lock on failed attempts - Account inactivity timeout To enforce a more advanced password policy that meets the desired contractual and compliance requirements and associated organizational policies, it is recommend to use LDAP integration with an external identity provider, such as Active Directory. Resetting user passwords: To reset a user password from the CLI, run: rladmin cluster reset_password <username> The user is asked to enter and confirm the new password. Setting up local password complexity: RS allows for enforcement of a password complexity profile that meets most organizational needs. The password complexity profile is defined by: - At least 8 characters - At least one uppercase character - At least one lowercase character - At least one number (not first or last character) - At least one special character (not first or last character) - Does not contain the User ID or reverse of the User ID - No more than three repeating characters Note: The password complexity profile applies to when a new user is added or an existing user changes their password. To enforce the password complexity profile, run: curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u "<administrator-user-email>:<password>" -d '{"password_complexity":true}' https://<RS_server_address>:9443/v1/cluster Setting local user password expiration: RS allows for enforced password expiration to meet compliance and contractual requirements. To enforce an expiration of a local user password after a specified number of days, run: curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u "<administrator_user>:<password>" -d '{"password_expiration_duration":<number_of_days>}' https://<RS_server_address>:9443/v1/cluster To disable password expiration, set the number of days to 0. Account lock on failed attempts: To prevent unauthorized access to RS, organizations may enforce account lockout after a specified number of failed login attempts. Session timeout: When logging in to the web UI, the account is automatically logged out after 15 minutes of inactivity. To change the duration of inactivity that causes the timeout: From rladmin, run: rladmin cluster config cm_session_timeout_minutes <minutes> From the REST API, run: curl --request PUT \ --url https://localhost:9443/v1/cluster \ --header 'content-type: application/json' \ --data '{ "cm_session_timeout_minutes": <minutes> }'
To audit this configuration: 1. Log in to Redis Enterprise Administrative Control Plane. 2. Go to databases tab. 3. Select the desired database and then the configuration subtab. 4. Verify that Default database access is enabled. If it is enabled, this is a finding.
To fix this issue perform the following actions: To audit this configuration: 1. Log in to Redis Enterprise Administrative Control Plane. 2. Go to databases tab. 3. Select each database and review the configuration by selecting edit. 4. Deselect the default database access tab. This configuration will break applications designed for use with Redis 5 prior to ACLs.
Redis stores and displays its user passwords in encrypted form, it also and transmits passwords as one-way hashed representations utilizing SHA256. Nevertheless, any User ID and Password stores should be verified by interviewing the DBA. Interview the DBA or ISSO and review any associated scripts, and applications defined within or external to the DBMS that access the database. The list must also include files, tables, or settings used to configure the operational environment for the DBMS and for interactive DBMS user accounts. Determine if any files contain database passwords. If any do, confirm that DBMS passwords stored internally or externally to the DBMS are encoded or encrypted. If any passwords are stored in clear text, this is a finding. Ask the DBA/System Administrator (SA)/Application Support staff if they have created an external password store for applications, batch jobs, and scripts to use on the database server. Verify that all passwords stored there are encrypted. If a password store is used and any password is not encrypted, this is a finding.
Develop, document, and maintain a list of DBMS database objects, database configuration files, associated scripts, applications defined within or external to the DBMS that access the database, and DBMS/user environment files/settings in the System Security Plan. Record whether they do or do not contain DBMS passwords. If passwords are present, ensure that they are correctly hashed using one-way, salted hashing functions, and that the hashes are protected by host system security.
Interview the system administrator to determine what, if any, the organizational policy is for cached authentication. By default, Redis Enterprise terminates authenticators after a user logs or times out. To view the current time out period for authentication, log in to the RHEL server that the Redis Enterprise database is hosted on as an admin user. 1. Type: rladmin 2. Once rladmin is started, type: info cluster Check documentation to verify that organizationally defined limits, if any, have been set. Compare documentation to actual settings found on the DB. If the settings do not match the documentation, this is a finding.
Configure Redis Enterprise settings to meet organizationally defined requirements. To configure the time out period, refer to Redis Enterprise Documentation: To set time out period for authentication, log in to the RHEL server that the Redis Enterprise database is hosted on as an admin user. Escalate to root privileges. 1. Type: rladmin 2. Once rladmin is started, type: cluster config cm_session_timeout_minutes <value_to_enter> By default, the timeout is set to 15 minutes.
At this time, Redis Enterprise does not support OSCP and is partially compliant with RFC 5280. Verify that the host operating system is encrypted. If the host operating system is not encrypted or STIG-compliant, this is a finding. To test, have the user log in to the database. If certificates are not being validated by performing RFC 5280-compliant certification path validation (i.e., "pop up" certificate validation), this is a finding. If the host operating system is encrypted, run the following commands and verify that only DoD-approved PKI certificates are present and used for Redis Enterprise: # cd /etc/opt/redislabs # cat proxy_cert.pem If no DoD-approved certificates are found, this is a finding.
Configure Redis Enterprise settings to meet organizationally defined requirements. 1. Replace the RS server default certificates and key on all nodes with the CA-signed certificate and restart the proxy. To replace certificates using the rladmin CLI, run: rladmin cluster certificate set <cert-name> certificate_file <cert-file-name>.pem key_file <key-file-name>.pem Where: cert-name - The certificate name to replace: For management UI: cm For REST API: api For database endpoint: proxy For syncer: syncer For metrics exporter: metrics_exporter cert-file-name - The name of the certificate file key-file-name - The name of the key file Note: A certificate for the databases' endpoint should be assigned for the same domain as the cluster name. For example, for a cluster with the name "redislabs.com" the certificate should be for "*.redislabs.com". 2. Add the TLS client certificates in the UI including CA certificates and any intermediate certificates by chaining the certificate into one file (can use a cat command to chain the certificates). 3. On the client side, make sure to import and trust the CA and intermediate certificates (CA certificates can be chained with intermediate as one file to use and import).
All keys must be stored by the host RHEL OS that Redis Enterprise resides on. On the server, look for proxy_cert.pem found in /etc/opt/redislabs. If proxy_cert.pem has file permissions that would allow unauthorized users to access it, this is a finding. Keys can also be manipulated on the Redis Enterprise UI. RBAC prevents unauthorized users from doing this; to check: Review organization documentation to determine which users should have administrative privileges. From there: 1. Log in to Redis Enterprise UI as a user in the administrator role. 2. Navigate to the Access Control tab. 3. Compare the documented users to the users found in the user settings on the web UI. If any users have administrative privileges and are not documented, this is a finding. If access to the DBMS's private key(s) is not restricted to authenticated and authorized users, this is a finding.
Apply or modify access controls and permissions (in the file system/operating system) to tools used to view or modify where the certificates are stored. Tools must be accessible by authorized personnel only. /etc/opt/redislabs (or wherever the organizationally defined location for certificates are stored) should have an appropriate and documented admin user and group owner and the directory should not have permissions more than 700. To update these permissions, run the following commands: chown redislabs:redislabs /etc/opt/redislabs chmod 700 /etc/opt/redislabs/proxy_cert.pem
Review the Redis Enterprise configuration to verify user accounts are being mapped directly to unique identifying information within the validated PKI certificate. To test, have the user log in to the database and verify that the unique certificate to the authenticating user is used or prompted. If user accounts are not being mapped to authenticated identities, this is a finding.
Configure Redis Enterprise settings to meet organizationally defined requirements. Redis Enterprise uses LDAP to map authenticated identity directly to the DBMS user account. 1. Before enabling LDAP in Redis Software, it is important to verify: - Confirmation of the LDAP groups that correspond to the levels of access on which to authorize. Each LDAP group will be mapped to a Redis Software access control role. - Confirmation of Redis Software access control role for each LDAP group. If role-based access controls (RBAC) have not already been set up, do so before enabling LDAP. 2. The following LDAP info is needed: - Server URI, including host, port, and protocol details. - Certificate details for secure protocols. - Bind credentials, including Distinguished Name, password, and (optionally) client public and private keys for certificate authentication. - Authentication query details, whether template or query. - Authorization query details, whether attribute or query. - The Distinguished Names of LDAP groups that will be used to authorize access to Redis Software resources. 3. Use Settings | LDAP to enable LDAP access. 4. Map LDAP groups to access control roles. 5. Update database access control lists (ACLs) to authorize role access. If appropriate roles are already established, update them to include LDAP groups. For additional information: https://docs.redislabs.com/latest/rs/security/ldap/
If all interaction with the user for purposes of authentication is handled by a software component separate from the DBMS, this is not a finding. The Redis Enterprise web UI does inherently obscure passwords. For Redis CLI, which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation, verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations and that AO approval has been obtained. If not, this is a finding. Request evidence that all users of the tool are trained in the importance of using the "--askpass" option (and not using the plain-text password option), how to keep the password hidden, and that they adhere to this practice. If not, this is a finding.
For Redis CLI tools, which can accept a plain-text password, and any other essential tool with the same limitation: 1. Document the need for it, who uses it, and any relevant mitigations, and obtain AO approval. 2. Train all users of the tool in the importance of not using the plain-text password option and in how to keep the password hidden by using the "--askpass" without the password option. The user will then be prompted and the password obfuscated. Example command for authentication: redis-cli -h <db_endpoint> -p <port> --askpass
Review the Redis Enterprise configuration to verify it is using NIST FIPS validated cryptographic modules for cryptographic operations. Redis Enterprise uses TLS 1.2 and has a cyber suite of options that is configurable through the rladmin, REST API, and on the Redis Enterprise web UI. Verify the host operating system is encrypted. If the host operating system is not encrypted, this is a finding. If the host operating system is encrypted, run the following commands and verify that only DoD-approved PKI certificates are present: # cd /etc/opt/redislabs # ls Verify the following file is present: proxy_cert.pem If no certificates are present, this is a finding. Verify TLS is configured to be used. To check this: 1. Log in to the Redis Enterprise web UI as an admin user. 2. Navigate to the Databases tab and select the database and then configuration. 3. Review the configuration and verify that TLS is enabled for all communications. If TLS is not configured to be used, this is a finding. To check the current TLS version, run the following commands on one of the servers that is hosting Redis Enterprise as a privileged user: # ccs-cli # hgetall min_control_tls_version If TLS is not FIPS compliant, this is a finding. To validate the openssl version, run the following command on one of the servers that is hosting Redis Enterprise as a privileged user: # openssl version If NIST FIPS validated modules are not being used for all cryptographic operations, this is a finding.
Configure Redis Enterprise settings to use NIST FIPS 140-2-validated cryptographic modules for cryptographic operations. To set the minimum TLS version that can be used for encrypting the data in transit between a Redis client and a Redis Enterprise cluster, use the REST API or the following rladmin command: rladmin> cluster config min_data_TLS_version <version> (e.g., 1.2) Ensure that openssl is on the latest version as required by organizational policies to be FIPS compliant.
Redis Enterprise databases can be configured and set to deny by default posture. Access is granted when the database is configured and can be granted by admins at a later time. Verify in the database configuration that the default user is disabled. This would force non-organizational users to authenticate with a username and password similar to any organizationally defined user. In web UI: 1. Log in to Redis Enterprise as an admin user. 2. Select the Database tab. 3. Select the Configuration subtab. 4. Confirm "Default database access" reads "nopass" and is "Inactive". If default database access is active and there is no password set, this is a finding.
When adding user access to the database, either during initial creation or at a later time, admins must establish a unique username and password for all users and the default user account must be disabled. In web UI: 1. Log in to Redis Enterprise as an admin user. 2. Select the Database tab. 3. Select the Configuration subtab. 4. Select "Edit". 5. Ensure that "Default database access" is unchecked.
Determine if the organization requires encryption. If Redis is deployed in an unclassified environment, this is not applicable. Determine if FIPS mode is enabled with the following command: # sudo fipscheck usage: fipscheck [-s <hmac-suffix>] <paths-to-files> fips mode is on If FIPS mode is "on", determine if the kernel command line is configured to use FIPS mode with the following command: # sudo grep fips /boot/grub2/grub.cfg /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet If the kernel command line is configured to use FIPS mode, determine if the system is in FIPS mode with the following command: # sudo cat /proc/sys/crypto/fips_enabled 1 If FIPS mode is not "on", the kernel command line does not have a FIPS entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding.
Configure the operating system to implement DoD-approved encryption by following the steps below: To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Enable FIPS mode with the following command: # sudo fips-mode-setup --enable Modify the kernel command line of the current kernel in the "grub.cfg" file by adding the following option to the GRUB_CMDLINE_LINUX key in the "/etc/default/grub" file and then rebuild the "grub.cfg" file: fips=1 Changes to "/etc/default/grub" require rebuilding the "grub.cfg" file as follows: On BIOS-based machines, use the following command: # sudo grub2-mkconfig -o /boot/grub2/grub.cfg On UEFI-based machines, use the following command: # sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg If /boot or /boot/efi reside on separate partitions, the kernel parameter "boot=<partition of /boot or /boot/efi>" must be added to the kernel command line. Identify a partition by running the df /boot or df /boot/efi command: # sudo df /boot Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda1 495844 53780 416464 12% /boot To ensure the "boot=" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command: # sudo blkid /dev/sda1 /dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4" For the example above, append the following string to the kernel command line: boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797 Reboot the system for the changes to take effect.
The DBMS relies on the underlying operating system's cryptographic modules to provision digital signatures. Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions. Determine if FIPS mode is enabled with the following command: # sudo fipscheck usage: fipscheck [-s <hmac-suffix>] <paths-to-files> fips mode is on If FIPS mode is "on", determine if the kernel command line is configured to use FIPS mode with the following command: # sudo grep fips /boot/grub2/grub.cfg /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet If the kernel command line is configured to use FIPS mode, determine if the system is in FIPS mode with the following command: # sudo cat /proc/sys/crypto/fips_enabled 1 If FIPS mode is not "on", the kernel command line does not have a FIPS entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding.
Configure the operating system to implement DoD-approved encryption by following the steps below: To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Enable FIPS mode with the following command: # sudo fips-mode-setup --enable Modify the kernel command line of the current kernel in the "grub.cfg" file by adding the following option to the GRUB_CMDLINE_LINUX key in the "/etc/default/grub" file and then rebuild the "grub.cfg" file: fips=1 Changes to "/etc/default/grub" require rebuilding the "grub.cfg" file as follows: On BIOS-based machines, use the following command: # sudo grub2-mkconfig -o /boot/grub2/grub.cfg On UEFI-based machines, use the following command: # sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg If /boot or /boot/efi reside on separate partitions, the kernel parameter "boot=<partition of /boot or /boot/efi>" must be added to the kernel command line. Identify a partition by running the df /boot or df /boot/efi command: # sudo df /boot Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda1 495844 53780 416464 12% /boot To ensure the "boot=" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command: # sudo blkid /dev/sda1 /dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4" For the example above, append the following string to the kernel command line: boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797 Reboot the system for the changes to take effect.
The DBMS relies on the underlying operating system's file integrity tools use of cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS-compliant cryptographic hashes. Determine if FIPS mode is enabled with the following command: # sudo fipscheck usage: fipscheck [-s <hmac-suffix>] <paths-to-files> fips mode is on If FIPS mode is "on", determine if the kernel command line is configured to use FIPS mode with the following command: # sudo grep fips /boot/grub2/grub.cfg /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet If the kernel command line is configured to use FIPS mode, determine if the system is in FIPS mode with the following command: # sudo cat /proc/sys/crypto/fips_enabled 1 If FIPS mode is not "on", the kernel command line does not have a FIPS entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding.
Configure the operating system to implement DoD-approved encryption by following the steps below: To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Enable FIPS mode with the following command: # sudo fips-mode-setup --enable Modify the kernel command line of the current kernel in the "grub.cfg" file by adding the following option to the GRUB_CMDLINE_LINUX key in the "/etc/default/grub" file and then rebuild the "grub.cfg" file: fips=1 Changes to "/etc/default/grub" require rebuilding the "grub.cfg" file as follows: On BIOS-based machines, use the following command: # sudo grub2-mkconfig -o /boot/grub2/grub.cfg On UEFI-based machines, use the following command: # sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg If /boot or /boot/efi reside on separate partitions, the kernel parameter "boot=<partition of /boot or /boot/efi>" must be added to the kernel command line. Identify a partition by running the df /boot or df /boot/efi command: # sudo df /boot Filesystem 1K-blocks Used Available Use% Mounted on /dev/sda1 495844 53780 416464 12% /boot To ensure the "boot=" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command: # sudo blkid /dev/sda1 /dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4" For the example above, append the following string to the kernel command line: boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797 Reboot the system for the changes to take effect.
Verify the operating system implements FIPS compliant cryptographic modules. As the system administrator, run the following to determine if FIPS is enabled: # cat /proc/sys/crypto/fips_enabled If fips_enabled is not 1, this is a finding.
To configure the operating system to implement DoD-approved encryption, review the official RHEL Documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations
Redis Enterprise provides separate user functionality by default. An administrative control plane helps facilitate configuration and a database layer helps facilitate application integrations with the database. This functionality is provided by default; however, the same user may be used for both the database layer and the administrative control plane. First, obtain the list of authorized admin users and general users. To check user functionality, perform the following steps: 1. Log in to the administrative control plane. 2. Navigate to the access controls tab. 3. Navigate to the roles tab. 4. Review all roles and verify that any role that provides access to the data path is configured with the cluster management role of "None". If a role provides access to both data and management paths, this is a finding.
Configure DBMS to separate database administration and general user functionality.
Review system documentation (SSP) and identify the documented management networks as well as the documented client networks. A management network can be defined through physical means or logical means to achieve network separation. Check the network interface to verify the administrative console is on a separate management network interface. If the control plane is set up to only be accessed via a defined management network, this is not a finding. If a management network does not exist or network separation is not established, verify the control plane can only be accessed via trusted approved machines. Review system documentation and obtain a list of approved machines for administrator use. Check the firewall rules on the server. An example command is: firewall-cmd --list-all Check for rules showing that only the trusted and approved machines have access to the ports for the control plane (default is 8443) and REST API interface (default 9443). Below is an example of the output: rich rules: rule family="ipv4" source address="<trusted ip>" forward-port port="8443" protocol="tcp" to-port="80" rule family="ipv4" source address="<trusted ip>" forward-port port="9443" protocol="tcp" to-port="80" If access is not limited using a management network, network separation such as vlans, or a firewall rule, this a finding.
Configure a management network defined through physical or logical means to achieve network separation. Update system documentation (SSP) and identify the documented management networks as well as the documented client networks. Configure the administrative control plane to only be accessible via the management network. Alternatively, ensure a firewall rule is enabled on the network layer and the administrative control plane is only available through trusted and approved IPs. Use firewalld (the host-based firewall service) on the server to set up a whitelist of IPs that it will accept to use the control plane and REST API ports. The default for these are 8443 and 9443. Below is an example: firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<Trusted IP address>" port protocol="tcp" port="8443" accept' firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<Trusted IP address>" port protocol="tcp" port="9443" accept' Restart the firewall to save the rule: systemctl restart firewalld
By default, each cluster node has a different set of self-signed certificates. These certificates can be replaced with a DoD-acceptable certificate, preferably a certificate issued by an intermediate certificate authority (CA). For security reasons, Redis Enterprise only supports the TLS protocol. Therefore, verify that the Redis client or secured tunnel solution is TLS v1.2 or above. Run the following commands and verify that certificates are present: # cd /etc/opt/redislabs # ls Verify the proxy_cert.pem file is present. If no certificates are present, this is a finding.
To configure TLS and configure only organizationally defined CA-signed certificates, refer to the following document: https://docs.redislabs.com/latest/rs/administering/cluster-operations/updating-certificates/
Redis Enterprise Software (RS) can use industry-standard encryption to protect data in transit between a Redis client and RS. For this purpose, RS uses transport layer security (TLS) protocol. Run the following commands and verify certificates are present: # cd /etc/opt/redislabs # ls Verify the proxy_cert.pem file is present. If no certificates are found, this is a finding. Verify that TLS is configured to be used. To check this: 1. Log in to the Redis Enterprise web UI as an admin user. 2. Navigate to the Databases tab and select the database and then configuration. 3. Review the configuration and verify that TLS is enabled for all communications. If TLS is not configured to be used, this is a finding. To check the current TLS version, run the following commands on one of the servers that is hosting Redis Enterprise as a privileged user: # ccs-cli # hgetall min_control_tls_version If TLS is not FIPS compliant, this is a finding.
To encrypt the connection to the database endpoint with TLS, enter the contents the client certificate to the TLS field. If configured, Redis Enterprise Software (RS) can use industry-standard encryption to protect the data in transit between a Redis client and RS. For this purpose, RS uses transport layer security (TLS) protocol, which is the more secure successor to SSL. To enable TLS, the RS cluster nodes, the database, and client must be configured as detailed below. Configuration of the RS nodes: By default, each cluster node has a different set of self-signed certificates. These certificates can be replaced with another certificate, preferably a certificate issued by an intermediate certificate authority (CA). Configuration of the database: To encrypt the connection to the database endpoint with TLS, enter the contents the client certificate to the TLS field. Note: Once TLS encryption is enabled for the database endpoint, the database does not accept unsecured connections. TLS encryption can significantly impact database throughput and latency. Adding TLS CA signed certificates to the proxy: The proxy is responsible for terminating the TLS connection. Server certificate and key are located on /etc/opt/redislabs:proxy_cert.pem - server certificate thatproxy_key.pem - server certificate key*any update on these requires a proxy restart Enabling of TLS is done via "ssl authentication" field in the UI. It is a requirement to add a client-side certificate as a TLS connection is done via client certificate authentication (not just server-side authentication). Installing CA signed certificates high-level steps: 1. Replace the RS server certificates and key on all nodes with the CA signed certificate and restart the proxy. Note: A certificate for the databases' endpoint should be assigned for the same domain as the cluster name. For example, for a cluster with the name "redislabs.com" the certificate should be for "*.redislabs.com". 2. Add the TLS client certificates in the UI including CA certificates and any intermediate certificates by chaining the certificate into one file (use a cat command to chain the certificates). 3. On the client side, import and trust the CA and intermediate certificates (chain the CA certificate with intermediate as one file to use and import). Client configuration: To connect to a database configured with TLS encryption, either use one of the Redis clients that inherently support SSL encryption, or use any Redis client and create a secured tunnel between the client machine and the RS nodes. To create a secure tunnel between the client machine and the RS nodes, use tools that enable this functionality, such as spiped or stunnel. An example of how to use stunnel is detailed below. Note: For security reasons, RS supports only the TLS protocol. Therefore, make sure the Redis client or secured tunnel solution used supports TLS, preferably TLS v1.2. When using self-signed certificates on the cluster nodes, make sure to copy these certificates to the client machines as well, thereby enabling the client to validate the cluster nodes. When using a certificate issued by an intermediate certificate authority (CA) on the cluster nodes, make sure that the CA root certificate is installed on the client machines. Example how to secure client connection with TLS using stunnel: The instructions below explain how to use stunnel for setting up a secure tunnel between a client machine and the RS nodes when the client is running on Ubuntu, using the default RS nodes' self-signed certificates, and a self-signed certificate on the client machine. 1. Install stunnel version 5 or higher on the client machine. Older versions of stunnel do not support the TLS protocol. 2. Create a self-signed certificate on the client machine. 3. Generate a private key by running the following commands: sudo su openssl genrsa -out /etc/stunnel/keyclient.pem 4096 4. Generate a client certificate by running the following commands: openssl req -new -x509 -key /etc/stunnel/keyclient.pem -out /etc/stunnel/cert.pem -days 1826 5. When prompted, enter the appropriate configuration details for the certificate. 6. Copy the RS node certificates from all nodes to the client machine. The certificates are saved in a file named proxy_cert.pem, which is stored in /etc/opt/redislabs in each node. 7. Rename the certificate files fetched from the RS nodes as certsvr.pem. For example: certsvr1.pem, certsvr2.pem. 8. Create a single file for all of the server certificates on the client machine, by running the following command from the OS CLI. For example: cat /etc/stunnel/certsvr1.pem /etc/stunnel/certsvr2.pem > /etc/stunnel/servercerts.pem 9. Configure stunnel for the connection to RS by using the steps below: 10. Create a redislabs.conf file in /etc/stunnel folder. 11. Make sure the certificates that have been generated exist in the following folder: /etc/stunnel. 12. Edit the redislabs.conf content to look as follows: cert = /etc/stunnel/cert.pem key = /etc/stunnel/keyclient.pem cafile = /etc/stunnel/servercerts.pem verify = 2 delay = yes output = /tmp/stunnel.log pid = /tmp/stunnel.pid[redislabs] client = yes accept = [server IP address]:[configured port] connect = [database endpoint value] Where [database endpoint value] is the database endpoint as can be retrieved from RS. Note: The value for the accept parameter is the local IP and port that is used for redirecting the traffic through the secure tunnel to the database endpoint configured in the connect parameter. 13. Copy the contents of the client certificate from cert.pem and enter them in the SSL Client Authentication field, in the RS UI, of the database to be secured. When done, be sure to save the change. 14. Start the stunnel service by running the following command: service stunnel restart Note: Any change made to the stunnel configuration requires restarting the stunnel service. 15. Check the stunnel log file to verify that the connection is working properly. The log file is created under the root folder within the configuration mentioned above. 16. Test the connection to the Redis database from the client machine. Use Redis-cli to run commands on the client machine, and the commands are redirected from the local machine's port [configured port] to the RS database endpoint. Note the connection to the Redis database is done through the local port; do not try to connect directly to the database endpoint. TLS version information: To set the minimum TLS version that can be used for encrypting the data in transit between a Redis client and a Redis Enterprise cluster, use the REST API or the following rladmin command: rladmin> cluster config min_data_TLS_version [version, e.g., 1.2] Note that if a client supports an older TLS version, the communication is not allowed.
Redis Enterprise Software (RS) can use industry-standard encryption to protect data in transit between a Redis client and RS. For this purpose, RS uses transport layer security (TLS) protocol. Run the following commands and verify certificates are present: # cd /etc/opt/redislabs # ls Verify that all present certificates are issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). If non DoD-approved PKI certificates are found, this is a finding. Verify TLS is configured to be used. To check this: 1. Log in to the Redis Enterprise web UI as an admin user. 2. Navigate to the Databases tab and select the database and then configuration. 3. Review the configuration and verify that TLS is enabled for all communications. If TLS is not configured to be used, this is a finding. To check the current TLS version, run the following commands on one of the servers that is hosting Redis Enterprise as a privileged user: # ccs-cli # hgetall min_control_tls_version If TLS is not FIPS compliant, this is a finding.
rladmin CLI or the REST API may be used to update the certificates. Using the CLI: To replace certificates using the rladmin CLI, run: rladmin cluster certificate set <cert-name> certificate_file <cert-file-name>.pem key_file <key-file-name>.pem Where: cert-name - The name of certificate to be replaced: For management UI: cm For REST API: api For database endpoint: proxy For syncer: syncer For metrics exporter: metrics_exporter cert-file-name - The name of the certificate file key-file-name - The name of the key file For example, to replace the cm certificate with the private key "key.pem" and the certificate file "cluster.pem": rladmin cluster certificate set cm certificate_file cluster.pem key_file key.pem To replace a certificate using the REST API, run: curl -k -X PUT -u "<username>:<password>" -H "Content-Type: application/json" -d '{ "name": "<cert_name>", "key": "<key>", "certificate": "<cert>" }' https://<cluster_address>:9443/v1/cluster/update_cert Where: cert_name - The name of the certificate to replace: For management UI: cm For REST API: api For database endpoint: proxy For syncer: syncer For metrics exporter: metrics_exporter key - The contents of the *_key.pem file cert - The contents of the *_cert.pem file When upgrading RS, the upgrade process copies the certificates on the first upgraded node to all of the nodes in the cluster. Tip: The key file contains \n end of line characters (EOL) that cannot be pasted into the API call. Use sed -z 's/\n/\\\n/g' to escape the EOL characters.
1. In the console UI, click the databases tab. 2. For each listed database, click it and select configuration. 3. Verify that "Persistence" is set to: "Append Only File (AOF) - fsync every write". If the setting is not configured or not documented to be set differently, this is a finding. 4. For each listed database, click it and select configuration. 5. Verify "Replication" is set enabled. If the setting is not configured or not documented to be set differently, this is a finding.
To enable persistence and replication in the Redis Enterprise UI, click the databases tab. For each database that requires reconfiguration, click it and select configuration. Ensure that the replication box is checked as well as the desired persistence level. Edit the parameters necessary to meet the desired organizational needs.
In the Redis Enterprise web UI, select settings and then alerts. Verify the alerts documented by the ISSO/ISSM are checked. If required alerts are not checked, this is a finding. In the Redis Enterprise web UI, select databases, then select the individual databases. For each database, select configuration. Verify that "Persistence", "Periodic backup", and "Alerts" are all configured as organizationally defined and documented by the ISSO or ISSM. Verify that organizationally defined path for the centralized log server is also applied and configured external to the database. If any of these items are not configured as documented, this is a finding.
In the Redis Enterprise web UI, select databases and then select the individual databases. For each database, select configuration. Check the box and configure the following as defined by the ISSO/ISSM: "Persistence", "Periodic backup", and "Alerts" Ensure that organizationally defined path for the centralized log server is also applied and configured external to the database.
If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding. Verify the operating system implements encryption to protect the confidentiality and integrity of information at rest. If a disk or filesystem requires encryption, ask the system owner, DBA, and SA to demonstrate the use of filesystem and/or disk-level encryption. If this is required and is not found, this is a finding. To check if full disk encryption is enabled, log in to RHEL as an admin user and run the following commands: # lsblk Identify the partition that Redis Enterprise is located on. # blkid /dev/[name of partition] If the output shows TYPE="crypto_LUKS" then the partition is encrypted. If encryption must be used and is not employed, this is a finding.
Red Hat Enterprise Linux natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation website: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption
Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from modification, which must include, at a minimum, PII and classified information. If no information is identified as requiring such protection, this is not a finding. Verify the operating system implements encryption to protect the confidentiality and integrity of information at rest. If a disk or filesystem requires encryption, ask the system owner, DBA, and SA to demonstrate the use of filesystem and/or disk-level encryption. If this is required and is not found, this is a finding. To check if full disk encryption is enabled, log in to RHEL as an Admin user and run the following commands: # lsblk Identify the partition that Redis Enterprise is located on. # blkid /dev/[name of partition] If the output shows TYPE="crypto_LUKS" then the partition is encrypted. If encryption must be used and is not employed, this is a finding.
Red Hat Enterprise Linux natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation website: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption
Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from disclosure, which must include, at a minimum, PII and classified information. If the documentation indicates no information requires such protections, this is not a finding. Verify the operating system implements encryption to protect the confidentiality and integrity of information at rest. If a disk or filesystem requires encryption, ask the system owner, DBA, and SA to demonstrate the use of filesystem and/or disk-level encryption. If this is required and is not found, this is a finding. To check if full disk encryption is enabled, log in to RHEL as an Admin user and run the following commands: # lsblk Identify the partition that Redis Enterprise is located on. # blkid /dev/[name of partition] If the output shows TYPE="crypto_LUKS" then the partition is encrypted. If encryption must be used and is not employed, this is a finding.
Red Hat Enterprise Linux natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time. For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition: part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE] Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation. Detailed information on encrypting partitions using LUKS can be found on the Red Hat Documentation website: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-encryption
Review the procedures for the refreshing of development/test data from production. Review any scripts or code that exists for the movement of production data to development/test systems, or to any other location or for any other purpose. Verify that copies of production data are not left in unprotected locations. If the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding.
Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy, and to ensure copies of production data are not left in unsecured locations.
Verify all returned users with security permissions are documented as requiring the permissions. In the web UI, select access control >> Redis acls. Verify that the documented users have the correct ACL(s) assigned to them by clicking the "Used By" link for each listed ACL. Verify that all documented ACLs match each of the listed ACLs. If "Redis ACL name" and "Used By" do not match the documentation, this is a finding.
Users and ACLs can be created and modified from the Redis Enterprise UI by navigating to the access control tab as an admin user. Update the user roles and ACLs to reflect organizational requirements.
Review the permissions granted to users by the operating system/file system on the database files, database log files, and database backup files. If any user/role who is not an authorized system administrator with a need to know or database administrator with a need to know, or a system account for running DBMS processes, is permitted to read/view any of these files, this is a finding. Review the directory contents and files and verify that the appropriate file permissions are set. Verify that the file owner and group is set to Redis Labs or a group defined per site requirements. To check permissions of log files (Note: This may vary depending on the installation path.): # /var/opt/redislabs/log To check persisted files from memory if they are being used run the following command (Note: This may vary depending on the installation path.) # ls -ltr /var/opt/redislabs/persist/redis/ To check the default file permissions to verify that all authenticated users can only read and modify their own files: # cat/etc/login.defs|grep UMASK Verify the value is set to 077 or an appropriate organizationally defined setting. Investigate the permissions on these files. If the permissions allow access by other, this is a finding.
Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077": UMASK 077 Set the permissions of the log files (/var/opt/redislabs/log) and persisted files (/var/opt/redislabs/persist/redis/) to an appropriate organizationally defined setting.
Redis has optional support for TLS on all communication channels, including client connections, replication links, and the Redis Cluster bus protocol. By default, each cluster node has a different set of self-signed certificates. These certificates can be replaced with a DoD-acceptable certificate, preferably a certificate issued by an intermediate certificate authority (CA). For security reasons, Redis Enterprise only supports only the TLS protocol. Therefore, verify that the Redis client or secured tunnel solution is TLS v1.2 or above. First, verify that the host operating system is encrypted. If the host operating system is not encrypted, this is a finding. If the host operating system is encrypted, run the following commands and verify that only DoD-approved PKI certificates are present: # cd /etc/opt/redislabs # ls Verify the proxy_cert.pem file is present. If no certificates are found, this is a finding. Verify that TLS is configured to be used. To check this: 1. Log in to the Redis Enterprise web UI as an admin user. 2. Navigate to the Databases tab and select the database and then configuration. 3. Review the configuration and verify that TLS is enabled for all communications. If TLS is not configured to be used, this is a finding. To check the current TLS version, run the following commands on one of the servers that is hosting Redis Enterprise as a privileged user: # ccs-cli # hgetall min_control_tls_version If TLS is not FIPS compliant, this is a finding.
To configure TLS and configure only organizationally defined CA-signed certificates, refer to the following document: https://docs.redislabs.com/latest/rs/administering/cluster-operations/updating-certificates/
If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding. If Redis Enterprise DBMS, associated applications, and infrastructure do not employ protective measures against unauthorized disclosure and modification during reception, this is a finding. Redis Enterprise Software (RS) can use industry-standard encryption to protect data in transit between a Redis client and RS. For this purpose, RS uses transport layer security (TLS) protocol. Run the following commands and verify certificates are present: # cd /etc/opt/redislabs # ls Verify the proxy_cert.pem file is present. If no certificates are found, this is a finding. Verify that TLS is configured to be used. To check this: 1. Log in to the Redis Enterprise web UI as an admin user. 2. Navigate to the Databases tab and select the database and then configuration. 3. Review the configuration and verify that TLS is enabled for all communications. If TLS is not configured to be used, this is a finding. To check the current TLS version, run the following commands on one of the servers that is hosting Redis Enterprise as a privileged user: # ccs-cli # hgetall min_control_tls_version If TLS is not FIPS compliant, this is a finding.
To encrypt the connection to the database endpoint with TLS, enter the contents the client certificate to the TLS field. If configured, Redis Enterprise Software (RS) can use industry-standard encryption to protect the data in transit between a Redis client and RS. For this purpose, RS uses transport layer security (TLS) protocol, which is the more secure successor to SSL. To enable TLS, the RS cluster nodes, the database, and client must be configured as detailed below. Configuration of the RS nodes: By default, each cluster node has a different set of self-signed certificates. These certificates can be replaced with another certificate, preferably a certificate issued by an intermediate certificate authority (CA). Configuration of the database: To encrypt the connection to the database endpoint with TLS, enter the contents the client certificate to the TLS field. Note: Once TLS encryption is enabled for the database endpoint, the database does not accept unsecured connections. TLS encryption can significantly impact database throughput and latency. Adding TLS CA signed certificates to the proxy: The proxy is responsible for terminating the TLS connection. Server certificate and key are located on /etc/opt/redislabs:proxy_cert.pem - server certificate thatproxy_key.pem - server certificate key*any update on these requires a proxy restart Enabling of TLS is done via the "ssl authentication" field in the UI. It is a requirement to add a client-side certificate as a TLS connection via client certificate authentication (not just server-side authentication). Installing CA signed certificates: Replace the RS server certificates and key on all nodes with the CA signed certificate and restart the proxy. Note: A certificate for the databases' endpoint should be assigned for the same domain as the cluster name. For example, for a cluster with the name "redislabs.com" the certificate should be for "*.redislabs.com". Add the TLS client certificates in the UI including CA certificates and any intermediate certificates by chaining the certificate into one file (use a cat command to chain the certificates). On the client side make sure to import and trust the CA and intermediate certificates (chain the CA certificate with intermediate as one file to use and import). Client configuration: To connect to a database configured with TLS encryption, either use one of the Redis clients that inherently support SSL encryption, or use any Redis client and create a secured tunnel between the client machine and the RS nodes. To create a secure tunnel between the client machine and the RS nodes, use tools that enable this functionality, such as spiped or stunnel. An example of how to use stunnel is detailed below. Note: For security reasons, RS supports only the TLS protocol. Therefore, make sure that the Redis client or secured tunnel solution used supports TLS, preferably TLS v1.2. When using self-signed certificates on the cluster nodes, make sure to copy these certificates to the client machines as well, thereby enabling the client to validate the cluster nodes. When using a certificate issued by an intermediate certificate authority (CA) on the cluster nodes, make sure that the CA root certificate is installed on the client machines. Example of how to secure client connection with TLS using stunnel: The instructions below explain how to use stunnel for setting up a secure tunnel between a client machine and the RS nodes when the client is running on Ubuntu, using the default RS nodes' self-signed certificates, and a self-signed certificate on the client machine. 1. Install stunnel version 5 or higher on the client machine. Older versions of stunnel do not support the TLS protocol. 2. Create a self-signed certificate on the client machine: 3. Generate a private key by running the following commands: sudo su openssl genrsa -out /etc/stunnel/keyclient.pem 4096 4. Generate a client certificate by running the following commands: openssl req -new -x509 -key /etc/stunnel/keyclient.pem -out /etc/stunnel/cert.pem -days 1826 5. When prompted, enter the appropriate configuration details for the certificate. 6. Copy the RS node certificates from all nodes to the client machine. The certificates are saved in a file named proxy_cert.pem, which is stored in /etc/opt/redislabs in each node. 7. Rename the certificate files fetched from the RS nodes as certsvr.pem. For example: certsvr1.pem, certsvr2.pem. 8. Create a single file for all of the server certificates on the client machine by running the following command from the OS CLI. For example: cat /etc/stunnel/certsvr1.pem /etc/stunnel/certsvr2.pem > /etc/stunnel/servercerts.pem 9. Configure stunnel for the connection to RS by using the steps below: 10. Create a redislabs.conf file in /etc/stunnel folder. 11. Make sure that the certificates that have been generated exist in the following folder: /etc/stunnel. 12. Edit the redislabs.conf content to look as follows:cert = /etc/stunnel/cert.pem key = /etc/stunnel/keyclient.pem cafile = /etc/stunnel/servercerts.pem verify = 2 delay = yes output = /tmp/stunnel.log pid = /tmp/stunnel.pid[redislabs] client = yes accept = [server IP address]:[configured port] connect = [database endpoint value] Where [database endpoint value] is the database endpoint as can be retrieved from RS. Note: The value for the accept parameter is the local IP and port that is used for redirecting the traffic through the secure tunnel to the database endpoint configured in the connect parameter. 13. Copy the contents of the client certificate from cert.pem and enter them in the SSL Client Authentication field, in the RS UI, of the database to be secured. When done, be sure to save the change. 14. Start the stunnel service by running the following command: service stunnel restart Note: Any change made to the stunnel configuration requires restarting the stunnel service. 15. Check the stunnel log file to verify that the connection is working properly. The log file is created under the root folder within the configuration mentioned above. 16. Test the connection to the Redis database from the client machine. Use redis-cli to run commands on the client machine, and the commands are redirected from the local machine's port [configured port] to the RS database endpoint. Note that the connection to the Redis database is done through the local port; do not try to connect directly to the database endpoint. TLS version information: To set the minimum TLS version that can be used for encrypting the data in transit between a Redis client and a Redis Enterprise cluster, use the REST API or the following rladmin command: rladmin> cluster config min_data_TLS_version [version, e.g., 1.2] Note that if a client supports an older TLS version, the communication is not be allowed.
Redis does not rely on a query language and there is no known method of SQL injection that would apply to Redis. Redis is a key value store and relies on commands that do not have a unified query language. Redis has an embedded LUA interpreter that is recommended to disable. Interview the system administrator and ask if the practice of disabling LUA scripting is a documented practice or has been completed. To check if LUA scripting is disabled on the desired database: 1. Connect to one of the nodes/servers in the redis enterprise cluster as an admin (sudo su -). 2. Type: rladmin status to get the DB ID of the database on which LUA scripting is to be disabled 3. Run the following command, substituting in the bdb_id from the previous step: ccs-cli hget bdb:<bdb_id> If the response is NIL or doesn't return EVAL, EVALSHA, this is a finding. If no documentation exists or if the database otherwise accepts LUA scripts, this is a finding.
Redis does not rely on a query language and there is no known method of SQL injection that would apply to Redis. Redis is a key value store and relies on commands that do not have a unified query language. Redis has an embedded LUA interpreter that is recommended to disable. To disable the interpreter run the following REST API command: curl -v -kL -u "<user>:<password>" --location-trusted -H "Content-type: application/json" -d '{ "disabled_commands": "EVAL, EVALSHA" }' -X PUT https://<URL>:PORT/v1/bdbs/<DB_ID>
Redis does not rely on a query language and there is no known method of SQL injection that would apply to Redis. Redis is a key value store and relies on commands that do not have a unified query language. Redis has an embedded LUA interpreter that is recommended to disable. Interview the system administrator and ask if the practice of disabling LUA scripting is a documented practice or has been completed. To check if LUA scripting is disabled on the desired database: 1. Connect to one of the nodes/servers in the redis enterprise cluster as an admin (sudo su -). 2. Type: rladmin status to get the DB ID of the database on which LUA scripting is to be disabled. 3. Run the following command, substituting in the bdb_id from the previous step: ccs-cli hget bdb:<bdb_id> If the response is NIL or doesn't return EVAL, EVALSHA, this is a finding If no documentation exists or if the database otherwise accepts LUA scripts, this is a finding.
Redis does not rely on a query language and there is no known method of SQL injection that would apply to Redis. Redis is a key value store and relies on commands that do not have a unified query language. Redis has an embedded LUA interpreter that is recommended to disable. To disable the interpreter run the following REST API command: curl -v -kL -u "<user>:<password>" --location-trusted -H "Content-type: application/json" -d '{ "disabled_commands": "EVAL, EVALSHA" }' -X PUT https://<URL>:PORT/v1/bdbs/<DB_ID>
When the Redis software is upgraded to a new version, the old version install file remains on the server. The users must remove this manually. To verify if the old install files have been deleted, check the locations below: /opt/redislabs - Main Installation directory for all Redis Enterprise Software binaries /opt/redislabs/config - System configuration files /opt/redislabs/lib - System library files /var/opt/redislabs - Default storage location for the cluster data, system logs, backups and ephemeral, persisted data /tmp - Temporary files The GREP command can be used to search for old Redis files in the above locations. If software components that have been replaced or made unnecessary are not removed, this is a finding.
When a new update is available and installed, all old install files must be removed from the locations below: /opt/redislabs - Main Installation directory for all Redis Enterprise Software binaries /opt/redislabs/config - System configuration files /opt/redislabs/lib - System library files /var/opt/redislabs - Default storage location for the cluster data, system logs, backups and ephemeral, persisted data /tmp - Temporary files The GREP command can be used to search for old Redis files in the above locations. If software from a previous/outdated version of Redis Enterprise remains in any of the following locations/directories, run the following to remove it: rm -r <file_name>
To determine the current version of the software, perform the steps below: 1. Log in to the Redis Enterprise UI as an Admin user. 2. Navigate to the Cluster tab in the red banner. 3. Click on the Configuration option. 4. Find the Version number of the Cluster, Latest Redis version supported, and Latest Memcached version supported. 5. Compare to current Redis Enterprise version available. If the organization is not following their own defined time periods to apply updates, this is a finding.
To update to the current version of the software, perform the following steps listed from the Redis Labs Enterprise site. To upgrade the Redis Enterprise Software (RS) software on a cluster, upgrade each of the nodes and then upgrade each of the databases in the cluster. - To upgrade the cluster to v6.0, the cluster must first be on 5.4.0 or above and the databases must be running Redis 5. - To upgrade the cluster to v5.6, the cluster must first be on 5.0.2-30 or above. - To upgrade the cluster to v5.4, the cluster must first be on 5.0 or above. - To upgrade the cluster to v5.2, the cluster must first be on 4.5 or above. The upgrade process for a Redis Enterprise Software cluster is "ongoing" when the nodes in the cluster have mixed versions. The upgrade is only considered complete when all of the nodes are upgraded to the new version. WARNING Using features from the newer version before all nodes are upgraded can produce unexpected results or cause failures in the cluster. Upgrading a node: Upgrading the software on a node requires installing the RS installation package on all of the machines on which RS is installed. WARNING: The master node must be upgraded before upgrading the other nodes. It is recommended to keep all nodes up until the upgrade is completed on all nodes. The node role is shown in the output of the rladmin status nodes command. The installation path and user cannot be changed during upgrade. Node upgrade fails if the SSL certificates were configured in version 5.0.2 or above by manually updating the certificates on the disk instead of updating them through the API. For assistance with this issue, contact Support. Run install.sh from the directory where the media was untarred just like what is done for a new installation. The software recognizes this is an upgrade and proceeds accordingly. As with a new installation, user must sudo or be root to do the upgrade. To upgrade a node, run: sudo ./install.sh The node upgrade process restarts the services running RS, which causes a short interruption to connections to the proxy, node, and databases. WARNING: To ensure cluster and databases' availability, it is important to upgrade the nodes one by one, and not attempt to upgrade more than one node at a time. To make sure that the node is functioning properly, run rlcheck and rladmin status extra all on the node both before and after the upgrade. If the RS management UI is open in the browser while upgrading the nodes, make sure to refresh the browser before trying to work with the UI again. Upgrading a database Some RS upgrades add support for new Redis versions. In these cases, Redis Labs recommends upgrading the databases to the new Redis version, although this is not mandatory because RS upgrades are backward compatible. RS also supports a mix of Redis database versions. RS always supports two Redis versions. By default, new Redis databases are created with the latest version, and existing databases get upgraded to the latest version according to the instructions detailed below. If there is a desire to change the default Redis version to the previous version supported, it is recommended to use the tune cluster default_redis_version command in the rladmin CLI and set it to the previous Redis version supported. To determine whether the Redis database versions match the latest Redis version supported by RS: In the rladmin CLI, run the status command. If the Redis version is not the latest supported, an indication appears in the command output next to the database's status. In the Management UI, Navigate to the Cluster >> Configuration page. The page lists the latest Redis version supported. If the Redis database versions are older than the version supported by RS, Redis Labs recommends upgrading the Redis databases. To upgrade the database: - Ensure that all of the nodes in the RS cluster are upgraded. Databases cannot be upgraded before all of the nodes in the cluster are upgraded. - In the rladmin CLI on any node in the cluster, run this command for each database: rladmin upgrade db <database_name | database_ID> During the database upgrade process, the database is restarted. As a result: For databases that have replication enabled, a failover is done before the master database restarts to make sure that there is no downtime. For databases without replication but with persistence enabled, the database is unavailable during the restart because data is restored from the persistence file. The length of the downtime is different for each persistence option. For example, AOF usually takes longer than an RDB file. For databases that have neither replication nor persistence enabled, the database loses all its data after it is restarted. Upgrading Active-Active databases When upgrading an Active-Active (CRDB) database, the following may also be upgraded: Protocol version - RS 5.4.2 and higher include a new CRDB protocol version to support new Active-Active features. The CRDB protocol is backward-compatible so that RS 5.4.2 CRDB instances can understand write-operations that come from instances with the older CRDB protocol, but CRDB instances with the older protocol cannot understand write-operations of instances with the newer protocol version. As a result, after upgrading the CRDB protocol on one instance, instances that were not upgraded yet cannot receive write updates from the upgraded instance. The upgraded instance receives updates from upgraded and non-upgraded instances. Note: Upgrade all instances of a specific CRDB within a reasonable time frame to avoid temporary inconsistencies between the instances. Make sure that all instances of a specific CRDB are upgraded before performing global operations on the CRDB, such as removing instances and adding new instances. After upgrading an instance to use the new protocol version, it automatically receives any missing write-operations. Feature set version: RS 5.6.0 and higher include a new feature set version to support new Active-Active features. When updating the feature set version for an Active-Active database, the feature set version is updated for all of the database instances. To upgrade a CRDB instance: Upgrade RS on each node in the clusters where the CRDB instances are located. To confirm the status of the CRDB instances, run: rladmin status The statuses of the CRDB instances on the node can indicate: OLD REDIS VERSION OLD CRDB PROTOCOL VERSION OLD CRDB FEATURESET VERSION crdb-upgrade-node To upgrade each CRDB instance including the Redis version and CRDB protocol version, run: rladmin upgrade db <database_name | database_ID> If the protocol version is old, read the warning message carefully and confirm. crdb-upgrade-protocol The CRDB instance uses the new Redis version and CRDB protocol version. To upgrade the CRDB instance without upgrading the protocol version: If the feature set version is old, all of the CRDB instances must be upgraded. Then, to update the feature set for each active-active database, run: crdb-cli crdb update --crdb-guid <CRDB-GUID> --featureset-version yes Retrieve the <CRDB-GUID> with the following command: crdb-cli crdb list Look for the fully qualified domain name (CLUSTER-FDQN) of the cluster and use the associated GUID.
This requirement is a permanent finding and cannot be fixed. Redis Enterprise does not currently support session or transactional auditing on the database. Redis Enterprise does not generate all the DoD-required audit records; therefore this is a finding. The site must seek AO or ISSO approval for use of Redis Enterprise 6.x with the understanding that not all of the DoD audit requirements are being met.
This requirement is a permanent finding and cannot be fixed. This audit requirement must be continuously monitored. It must be marked as an "open" finding to serve as a reminder to the AO and other stakeholders that this is an approved risk and needs to be reviewed periodically.
Redis Enterprise Software supports Lightweight Directory Access Protocol (LDAP) admin console users. LDAP must be enabled to enforce password complexity. If LDAP is not in use, a password complexity profile can be configured in Redis Enterprise; however, it currently does not meet the DoD standard. Review the LDAP settings relating to password complexity. To check the LDAP settings: 1. Log in to the server housing the Redis Enterprise as an admin user. 2. CAT /etc/opt/redislabs/saslauthd.conf or the installation choice used during initial configuration. 3. Verify the following is configured: ldap_servers Ldap_tls_cacert_file ldap_filter ldap_bind_dn ldap_password If LDAP cannot be configured, this check can be downgraded if the password complexity profile has been configured: - At least eight characters - At least one uppercase character - At least one lowercase character - At least one number (not first or last character) - At least one special character (not first or last character) In addition, the password: - Cannot contain the user ID or reverse of the user ID - Cannot have more than three repeating characters To verify this, either attempt a password change or view the password complexity settings in the REST API. If LDAP or the password complexity profile is not in use, this is a finding.
Configure LDAP/AD to enforce password complexity. To enable LDAP: 1. Import the saslauthd configuration. 2. Restart saslauthd service. 3. Configure LDAP users. To provide the LDAP configuration information: 1. Edit the configuration file located at /etc/opt/redislabs/saslauthd.conf or the installation directory used during initial configuration. 2. Provide the following information associated with each variable: ldap_servers: the ldap servers that authenticate against and the port to use - Port 389 is standardly used for unencrypted LDAP connections. - Port 636 is standardly used for encrypted LDAP connections and is strongly recommended. - Ldap_tls_cacert_file: The path to the CA Certificates. This is required for encrypted LDAP connections only. - ldap_filter: the filter used to search for users. - ldap_bind_dn: The distinguished name for the user that will be used to authenticate to the LDAP server. - ldap_password: The password used for the user specified in ldap_bind_dn. 3. Import the saslauthd configuration into Redis Enterprise using the command below, which will distribute the configuration to all nodes in the cluster: rladmin cluster config saslauthd_ldap_conf <path_to_saslauthd.conf> Note: For this command to work on a new server installation, a cluster must be set up already. 4. Restart saslauthd: sudo supervisorctl restart saslauthd An example configuration for reference may be found below: ldap_servers: ldaps://ldap1.mydomain.com:636 ldap://ldap2.mydomain.com:636 ldap_tls_cacert_file: /path/to/the/CARootCert.crt ldap_search_base: ou=coolUsers,dc=company,dc=com ldap_search_base: ou=coolUsers,dc=company,dc=com ldap_filter: (sAMAccountName=%u) ldap_bind_dn: cn=admin,dc=company,dc=com ldap_password: secretSquirrel To set up an LDAP user, select an external account type when configuring the user following the procedure to configure users. If LDAP cannot be configured, configure the password complexity profile. To enable the password complexity profile, run the following curl command against the REST API: curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u "<administrator-user-email>:<password>" -d '{"password_complexity":true}' https://<RS_server_address>:9443/v1/cluster To disable the password complexity requirement, run the same command, but set "password_complexity" to "false".