If DBMS authentication using passwords is employed, Redis Enterprise DBMS must enforce the DOD standards for password complexity and lifetime.

An XCCDF Rule

Description

<VulnDiscussion>OS/enterprise authentication and identification must be used (SRG-APP-000023-DB-000001). Native DBMS authentication may be used only when circumstances make it unavoidable and must be documented and authorizing official (AO)-approved. The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, the DOD standards for password complexity and lifetime must be implemented. DBMS products that can inherit the rules for these from the operating system or access control program (e.g., Microsoft Active Directory) must be configured to do so. For other DBMSs, the rules must be enforced using available configuration parameters or custom code.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-251428r1018620_rule
Severity: Medium
References: CCI-000192 CCI-004066
Updated: 17 days ago

Configure LDAP/AD to enforce password complexity.

To enable LDAP:
1. Import the saslauthd configuration.
2. Restart saslauthd service.
3. Configure LDAP users.
To provide the LDAP configuration information:
1. Edit the configuration file located at /etc/opt/redislabs/saslauthd.conf or the installation directory used during initial configuration.

2. Provide the following information associated with each variable:
ldap_servers: the ldap servers that authenticate against and the port to use
- Port 389 is standardly used for unencrypted LDAP connections.
- Port 636 is standardly used for encrypted LDAP connections and is strongly recommended.
- Ldap_tls_cacert_file: The path to the CA Certificates. This is required for encrypted LDAP connections only.
- ldap_filter: the filter used to search for users.
- ldap_bind_dn: The distinguished name for the user that will be used to authenticate to the LDAP server.
- ldap_password: The password used for the user specified in ldap_bind_dn.

3. Import the saslauthd configuration into Redis Enterprise using the command below, which will distribute the configuration to all nodes in the cluster:
rladmin cluster config saslauthd_ldap_conf <path_to_saslauthd.conf>

Note: For this command to work on a new server installation, a cluster must be set up already.

4. Restart saslauthd:
sudo supervisorctl restart saslauthd

An example configuration for reference may be found below:
ldap_servers: ldaps://ldap1.mydomain.com:636 ldap://ldap2.mydomain.com:636
ldap_tls_cacert_file: /path/to/the/CARootCert.crt
ldap_search_base: ou=coolUsers,dc=company,dc=com
ldap_search_base: ou=coolUsers,dc=company,dc=com
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=admin,dc=company,dc=com
ldap_password: secretSquirrel

To set up an LDAP user, select an external account type when configuring the user following the procedure to configure users.

If LDAP cannot be configured, configure the password complexity profile. To enable the password complexity profile, run the following curl command against the REST API:
curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u "<administrator-user-email>:<password>" -d '{"password_complexity":true}' https://<RS_server_address>:9443/v1/cluster
To disable the password complexity requirement, run the same command, but set "password_complexity" to "false".

If DBMS authentication using passwords is employed, Redis Enterprise DBMS must enforce the DOD standards for password complexity and lifetime.

Description

Remediation - Manual Procedure