
Access to database files must be limited to relevant processes and to authorized, administrative users.


Overview

Finding ID: V-251247
Version: RD6X-00-011500
Rule ID: SV-251247r804931_rule
IA Controls: (none listed)
Severity: Medium
Description
Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles.
STIG: Redis Enterprise 6.x Security Technical Implementation Guide
Date: 2022-09-19

Details

Check Text ( C-54682r804929_chk )
Review the permissions granted to users by the operating system/file system on the database files, database log files, and database backup files.

If any user/role who is not an authorized system administrator with a need to know or database administrator with a need to know, or a system account for running DBMS processes, is permitted to read/view any of these files, this is a finding.

Review the directory contents and files and verify that the appropriate file permissions are set. Verify that the file owner and group are set to Redis Labs or a group defined per site requirements.

To check the permissions of the log files (Note: This may vary depending on the installation path.):
# ls -ltr /var/opt/redislabs/log

To check files persisted from memory, if they are being used, run the following command (Note: This may vary depending on the installation path.):
# ls -ltr /var/opt/redislabs/persist/redis/

To check the default file permissions to verify that all authenticated users can only read and modify their own files:
# cat /etc/login.defs | grep UMASK

Verify the value is set to 077 or an appropriate organizationally defined setting.

Investigate the permissions on these files. If the permissions allow access by other, this is a finding.
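
The check above as a read-only script, added here as an example; it is not part of the STIG or of Redis Enterprise tooling. The function names are hypothetical, the paths are the defaults this page names, and only UMASK 077 is treated as passing, so an organizationally defined value is reported for manual review.

```shell
#!/bin/sh
# Added example (not STIG or vendor code): read-only audit for the check above.
# Paths are the defaults named on the page; pass your own if they differ.

# Print the effective UMASK from a login.defs-style file: the last
# uncommented UMASK line wins; prints nothing when the key is absent.
login_defs_umask() (
    awk '$1 == "UMASK" { v = $2 } END { if (v != "") print v }' "$1"
)

# Print every file or directory under $1 that grants read, write or
# execute to "other". Symlinks are skipped: their own mode is always 777.
other_accessible() (
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
)

# Usage: stig_check [login.defs [dir ...]]
# Exit status 0 = nothing flagged, 1 = at least one item to review.
stig_check() (
    defs=${1:-/etc/login.defs}
    if [ "$#" -gt 0 ]; then shift; fi
    [ "$#" -gt 0 ] || set -- /var/opt/redislabs/log /var/opt/redislabs/persist/redis/
    rc=0
    mask=$(login_defs_umask "$defs" 2>/dev/null) || mask=""
    # 077 is the value the page names; a site-defined value needs manual review.
    if [ "$mask" = "077" ]; then
        echo "OK: UMASK 077 in $defs"
    else
        echo "REVIEW: UMASK is '${mask:-unset}' in $defs"; rc=1
    fi
    for d in "$@"; do
        [ -d "$d" ] || { echo "SKIP: $d not present"; continue; }
        hits=$(other_accessible "$d") || true
        if [ -n "$hits" ]; then
            echo "FINDING: accessible by other under $d:"; echo "$hits"; rc=1
        else
            echo "OK: nothing under $d is accessible by other"
        fi
    done
    exit "$rc"
)

# Run with: sh audit.sh --check [login.defs [dir ...]]
[ "${1:-}" != "--check" ] || { shift; stig_check "$@"; }
```

Run it as a user that can read the Redis directories; owner and group still need to be compared against the site's requirements by hand.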
Fix Text (F-54636r804930_fix)
Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

In the "/etc/login.defs" file, add or edit the line for the "UMASK" parameter so that it is set to "077":

UMASK 077

Set the permissions of the log files (/var/opt/redislabs/log) and persisted files (/var/opt/redislabs/persist/redis/) to an appropriate organizationally defined setting.