Redis Enterprise DBMS must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

An XCCDF Rule

Description

<VulnDiscussion>Redis Enterprise permits the installation of logic modules through a control plane layer to the database, which requires privilege access to the control plane. This is provisioned for support during database runtime by a user with permissions to create a database. The ability to load modules directly within the database is not supported in Redis Enterprise; however, it is supported in open-source Redis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251208r1018617_rule
Severity: Medium
References: CCI-001812 CCI-003980
Updated: 17 days ago

To ensure a regular user is unable to perform updates:
1. Log in to the Redis Enterprise control plane.
2. Navigate to the access controls tab.
3. In the users section, review each users role to ensure they are assigned the appropriate permissions.
4. If a user is not assigned appropriate permissions, ensure they are moved to an appropriate role.

Redis Enterprise DBMS must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

Description

Remediation - Manual Procedure