UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Redis Enterprise DBMS must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.


Overview

Finding ID Version Rule ID IA Controls Severity
V-251208 RD6X-00-007000 SV-251208r879751_rule Medium
Description
Redis Enterprise permits the installation of logic modules through a control plane layer to the database, which requires privilege access to the control plane. This is provisioned for support during database runtime by a user with permissions to create a database. The ability to load modules directly within the database is not supported in Redis Enterprise; however, it is supported in open-source Redis.
STIG Date
Redis Enterprise 6.x Security Technical Implementation Guide 2023-12-18

Details

Check Text ( C-54643r804812_chk )
Modules may be added to the Redis Enterprise control plane (adminUI) by navigating to the settings tab and then modules. Only admin users can view the settings tab.

To verify that users without explicit privileged status are not able to install modules, do the following:
1. Log in to the Redis Enterprise control plane (adminUI) with a user with administrative privileges.
2. Navigate to the access control tab.
3. Verify that only organizationally defined users have the appropriate privileges.

If a user is not assigned appropriate permissions, this is a finding.
Fix Text (F-54597r804813_fix)
To ensure a regular user is unable to perform updates:
1. Log in to the Redis Enterprise control plane.
2. Navigate to the access controls tab.
3. In the users section, review each users role to ensure they are assigned the appropriate permissions.
4. If a user is not assigned appropriate permissions, ensure they are moved to an appropriate role.