Classified Protection (MLPS) 2.0 evaluation: Redis database configuration


Preliminary investigation

Before the MLPS evaluation proper starts, the first thing to establish about the system is the database version.

Check the database version: operations staff usually add the redis commands to the environment PATH. If the commands below do not work, use find to locate the binaries. Basic Linux usage is not covered here.

1) View locally on the server

redis-server -v

redis-server --version


2) Log in to the database to query

Log in to the database: redis-cli -h 127.0.0.1 -p 6379 (-h is followed by the IP address, -p by the port)

Usually you log in locally, and plain redis-cli is enough, provided the Redis service port has not been changed from the default.

After logging into the database, we enter: info


1. Identity authentication

a) Users who log in should be identified and authenticated. The identity identifier must be unique, and the authentication information must meet complexity requirements and be changed regularly.

1. Identity identification and authentication

By default the Redis database can be accessed without a password: simply running redis-cli logs you in.


So we need to check the Redis configuration file, usually redis.conf in the Redis home directory.

Check whether the requirepass parameter is commented out:


If the line is not commented out, the value following requirepass (***y@123 in the checked instance) is the password, and it is stored in clear text.

If a password has been set, you will be prompted to authenticate.


Note: there is no concept of a user here; only a password check can be added.

2. Authentication information is complex and changed regularly

Redis cannot meet this requirement on its own: it has no password complexity setting and no maximum password age.

What can be checked here is whether the complexity of the password currently in use meets the requirements.

Extension: enabling password verification in Redis

1) Configure through the configuration file

Find the requirepass foobared line in redis.conf.


Remove the comment marker in front of requirepass, change foobared to the intended password, then restart the database.

Try logging in again. The connection succeeds, but commands are rejected until you authenticate.


You need to authenticate with the auth command followed by the password.


Alternatively, log in with redis-cli -h 127.0.0.1 -p 6379 -a "mypass" (not recommended), because the clear-text password is then saved in the shell history, which is unsafe.


2) Configure via the command line (temporary)

config set requirepass ***y@1234

config get requirepass


Then try to log in to Redis with the old password from the configuration file: the original password no longer works and is rejected.


But after Redis is restarted, the password from the configuration file is used again.

b) A login failure handling function should be provided, and measures such as ending the session, limiting the number of failed logins, and automatically logging out when a login connection times out should be configured and enabled.

1. Login failure handling function

Redis does not provide this feature. Ask management whether third-party measures are in place.

Not met by default.

2. Automatic logout after operation timeout

Check the Redis configuration file, usually redis.conf in the Redis home directory.

Check the value of timeout. The default is 0, which means idle connections are never closed.


Here it is set to 120: after 120 seconds of inactivity the connection is closed and re-authentication is required.


c) For remote management, necessary measures should be taken to prevent authentication information from being eavesdropped during network transmission.

By default:


The captured packets show the authentication information transmitted in clear text.


So ask the management personnel whether they have taken measures to prevent authentication information from being eavesdropped in transit.

Not met by default.

d) Two or more authentication techniques, such as passwords, cryptographic techniques and biometrics, should be combined to authenticate users, and at least one of them should be implemented using cryptographic techniques.

This is generally not done. Just check on site whether two-factor authentication is in use.

2. Access control

Since Redis has no concept of a user, whoever passes the single password check has all permissions. For the access control items, some are therefore not applicable and some are non-compliant. In my view this can be judged according to the organization's own requirements, since there is currently no unified standard.

a) Accounts and permissions should be assigned to users who log in

There is no user concept: anyone who passes password verification has all permissions.

b) The default account should be renamed or deleted, and the default password of the default account should be modified.

No default account exists: not applicable.

c) Redundant and expired accounts should be deleted or deactivated in a timely manner to avoid the existence of shared accounts

There is no account concept.

d) The minimum permissions required for management users should be granted to achieve separation of permissions for management users.

Permissions cannot be separated; this cannot be done.

e) The access control policy should be configured by the authorized subject, and the access control policy stipulates the access rules of the subject to the object.

There is no authorizing subject.

f) The granularity of access control should be such that the subject is user level or process level, and the object is file or database table level.

There is no user concept.

g) Security marks should be set for important subjects and objects, and subjects’ access to information resources with security marks should be controlled.

Cannot be done.

3. Security audit

a) The security audit function should be enabled, the audit covers every user, and important user behaviors and important security events should be audited.

Check the Redis configuration file, usually redis.conf in the Redis home directory.

Check the loglevel and logfile parameters. The version I installed has the following defaults:


Redis sets the log level through the loglevel configuration item, which has four levels: debug, verbose, notice and warning.

Redis also sets the location of the log file through the logfile configuration item. If it is set to an empty string, Redis writes the log to standard output, and when Redis runs as a daemon that output is discarded to /dev/null.

Here we configure it to write the log to a file.


After a restart, the log is written to that file.


So two parameters need to be confirmed here: loglevel and logfile.

logfile must be configured, because without it the log is not retained at all.

b) Audit records should include the date and time of the event, the user, the event type, whether the event succeeded, and other audit-related information

By default the log timestamps follow the system time. For example, restarting the database produces a corresponding log entry.
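To see concretely which of the fields item b) asks for the Redis server log actually carries, here is an added example (not part of the original post) that parses Redis log lines. The sample lines are constructed; the format assumed is the one Redis has written since version 4.x ("pid:role dd Mon yyyy HH:MM:SS.mmm level-char message", where the level character is "." debug, "-" verbose, "*" notice and "#" warning). The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): parse Redis server log lines and
# expose the audit fields they contain. Assumes the Redis 4.x+ line format:
#   "<pid>:<role> <dd> <Mon> <yyyy> <HH:MM:SS.mmm> <level-char> <message>"
# Level characters: '.' debug, '-' verbose, '*' notice, '#' warning.

# Constructed sample log: three lines in the format above.
SAMPLE_LOG='1234:M 06 May 2021 10:45:23.123 * Ready to accept connections
1234:M 06 May 2021 10:46:01.004 - Client closed connection
1234:M 06 May 2021 10:46:30.500 # User requested shutdown...'

# Split one log line into tab-separated fields: pid, role, timestamp, level name,
# message. Prints nothing and returns 1 if the line is not in the expected format.
parse_log_line() {
    printf '%s\n' "$1" | awk '
        NF >= 7 && $1 ~ /^[0-9]+:[A-Z]$/ && $5 ~ /^[0-9:.]+$/ {
            split($1, pr, ":")
            lvl = ($6 == ".") ? "debug" : ($6 == "-") ? "verbose" : \
                  ($6 == "*") ? "notice" : ($6 == "#") ? "warning" : "unknown"
            msg = ""
            for (i = 7; i <= NF; i++) msg = msg (i > 7 ? " " : "") $i
            printf "%s\t%s\t%s %s %s %s\t%s\t%s\n", pr[1], pr[2], $2, $3, $4, $5, lvl, msg
            found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Count the lines of one level character in a log file (e.g. "#" for warnings),
# ignoring anything that is not a Redis log line.
count_level() {
    awk -v c="$2" '$1 ~ /^[0-9]+:[A-Z]$/ && $6 == c { n++ } END { print n + 0 }' "$1"
}

# Stand-alone demonstration over the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
printf 'pid\trole\ttimestamp\tlevel\tmessage\n'
while IFS= read -r line; do
    parse_log_line "$line" || printf 'unparsed: %s\n' "$line"
done < "$tmp"
echo "warnings: $(count_level "$tmp" '#'), notices: $(count_level "$tmp" '*')"
rm -f "$tmp"
```

The parsed output shows what the server log can and cannot provide for this item: every entry has a date, time and severity, but there is no user field (Redis has no users at this level) and no per-command success or failure record, so those parts of b) cannot be evidenced from the server log alone.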


c) Audit records should be protected and backed up regularly to prevent unexpected deletion, modification or overwriting

The log file stored on the operating system must have permissions no greater than 644. By default it is not deleted and is retained permanently.


For regular backups, simply ask the administrator whether they are performed.

d) The audit process should be protected against unauthorized interruption

Compliant by default.

Log file output cannot be interrupted, although the logging level can be changed at runtime.


4. Intrusion prevention

The following items are not applicable:

a) The principle of minimal installation should be followed and only the required components and applications should be installed.

b) Unnecessary system services, default shares and high-risk ports should be closed

d) A data validity check function should be provided to ensure that the content input through the human-machine interface or the communication interface meets the system setting requirements.

f) It should be able to detect intrusions into important nodes and provide alarms when serious intrusions occur.

Applicable items:

c) Management terminals managed through the network should be restricted by setting the terminal access method or network address range.

Find the Redis configuration file, usually redis.conf, and locate the NETWORK section; the bind directive is below it.


If bind is commented out, connections are accepted from any IP address. Specific addresses can be listed, separated by spaces. Just check the address(es) following bind.
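The configuration checks above (requirepass under item 1.a, timeout under 1.b, logfile and loglevel under 3.a, log file permissions under 3.c, and bind under 4.c) can all be read from redis.conf the same way. The following added example, which is my own and not part of the original post, audits a redis.conf file for those items. It assumes the standard "directive value" layout in which commented directives start with "#", and when run without an argument it audits a constructed sample configuration written to a temporary directory; the function names and the sample values are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit a redis.conf for the MLPS 2.0
# items discussed on this page. Usage: sh redis_audit.sh /path/to/redis.conf
# Assumes the standard "directive value" layout; commented lines begin with '#'.

# Effective value of a directive: the last uncommented occurrence wins, which is
# how Redis applies a configuration file top to bottom. Prints nothing if absent.
conf_value() {
    awk -v k="$1" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 } END { print v }' "$2"
}

# 1.a: requirepass must be present and uncommented; it is the only authentication
# Redis offers here, since there is no user concept.
check_requirepass() {
    [ -n "$(conf_value requirepass "$1")" ] && echo pass || echo fail
}

# 1.b: timeout must be a positive number of seconds; 0 (the default) never
# disconnects an idle client.
check_timeout() {
    v=$(conf_value timeout "$1")
    case "$v" in
        ''|*[!0-9]*) echo fail ;;
        *) [ "$v" -gt 0 ] && echo pass || echo fail ;;
    esac
}

# 3.a: logfile must be a non-empty path; an empty string means stdout, which a
# daemonised server discards to /dev/null, so nothing is retained.
check_logfile() {
    v=$(conf_value logfile "$1")
    case "$v" in
        ''|'""'|"''") echo fail ;;
        *) echo pass ;;
    esac
}

# 3.c: the log file mode must not exceed 644: owner at most rw, group/other at
# most r. Uses the ls mode string so it works with both GNU and BSD tools.
check_log_perms() {
    mode=$(ls -ld "$1" | cut -c2-10)
    case "$mode" in
        [r-][w-]-[r-]--[r-]--) echo pass ;;
        *) echo fail ;;
    esac
}

# 4.c: bind must be uncommented (commented out means every interface) and must
# not name a wildcard address. "-" prefixed forms are Redis 6.2+ optional binds.
check_bind() {
    v=$(conf_value bind "$1")
    [ -z "$v" ] && { echo fail; return; }
    result=pass
    set -f   # disable globbing: the value may literally be "*"
    for addr in $v; do
        case "$addr" in
            0.0.0.0|::|\*|-0.0.0.0|-::|-\*|-::\*) result=fail ;;
        esac
    done
    set +f
    echo "$result"
}

# Print one compliance line per item for the given redis.conf.
audit_conf() {
    conf=$1
    echo "requirepass (1.a): $(check_requirepass "$conf")"
    echo "timeout     (1.b): $(check_timeout "$conf")"
    echo "logfile     (3.a): $(check_logfile "$conf")  loglevel=$(conf_value loglevel "$conf")"
    logpath=$(conf_value logfile "$conf" | tr -d '"')
    if [ -f "$logpath" ]; then
        echo "log perms   (3.c): $(check_log_perms "$logpath")"
    fi
    echo "bind        (4.c): $(check_bind "$conf")"
}

# Constructed sample (not a real deployment): defaults as described on the page,
# with requirepass, timeout and bind hardened. The log file is created so the
# permission check has something to inspect.
write_sample_conf() {
    dir=$1
    cat > "$dir/redis.conf" <<EOF
bind 127.0.0.1
port 6379
timeout 120
# requirepass foobared
requirepass CHANGEME-example-only
loglevel notice
logfile "$dir/redis.log"
EOF
    : > "$dir/redis.log"
    chmod 640 "$dir/redis.log"
    echo "$dir/redis.conf"
}

if [ -n "${1:-}" ]; then
    audit_conf "$1"
else
    tmp=$(mktemp -d)
    audit_conf "$(write_sample_conf "$tmp")"
    rm -r "$tmp"
fi
```

Running it against a default redis.conf reports fail for requirepass, timeout, logfile and bind, which matches the "not met by default" findings above; the sample configuration passes all five checks. The remaining items on this page (password complexity, login failure handling, transport encryption) have no corresponding directive in redis.conf and still have to be confirmed with the administrators.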

e) Known vulnerabilities should be discoverable, and should be patched in a timely manner after sufficient testing and evaluation.

This is judged by combining vulnerability scanning, testing and other methods. Redis is well known for its many vulnerabilities.

For example, the unauthorized access vulnerability can be tested locally; the details are not covered here. Leave it to the penetration testers and use their report to confirm whether the vulnerability is present.

5. Data integrity

For this database, the following two items are not met by default. Ask the managers whether they have taken measures to ensure data integrity.

a) Verification technology or cryptography technology should be used to ensure the integrity of important data during transmission, including but not limited to identification data, important business data, important audit data, important configuration data, important video data and important personal information, etc.

b) Verification technology or cryptography technology should be used to ensure the integrity of important data during the storage process, including but not limited to identification data, important business data, important audit data, important configuration data, important video data and important personal information, etc.

6. Data confidentiality

Confidentiality is the same: for this database, the following two items are not met by default. Ask the managers whether they have taken measures to ensure data confidentiality.

a) Cryptography technology should be used to ensure the confidentiality of important data during transmission, including but not limited to identification data, important business data and important personal information, etc.

b) Cryptography technology should be used to ensure the confidentiality of important data during the storage process, including but not limited to identification data, important business data and important personal information, etc.

7. Data backup and recovery

a) Local data backup and recovery functions for important data should be provided

There is not much to say about this. Ask the management staff how backups are done and whether there are measures to verify that the backup data is valid (restore test records are sufficient).

b) Off-site real-time backup function should be provided, and the communication network should be used to back up important data to the backup site in real time.

Ask the administrator.

c) Hot redundancy of important data processing systems should be provided to ensure high availability of the system

Whether hot redundancy is required depends on the actual situation; it is generally considered not applicable.


Source: blog.csdn.net/qq_23435961/article/details/129159780