Redis Enterprise DBMS must prevent unauthorized and unintended information transfer via shared system resources.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-251246	SRG-APP-000243-DB-000373	RD6X-00-011400	SV-251246r961149_rule	2024-09-04	2

Description
The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse. For more information, refer to: https://redis.io/topics/acl more information on creating clearly defined categories and adding/editing users to categories and ACLs. and https://docs.redislabs.com/latest/rs/administering/access-control/user-roles/

Description

The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse. For more information, refer to: https://redis.io/topics/acl more information on creating clearly defined categories and adding/editing users to categories and ACLs. and https://docs.redislabs.com/latest/rs/administering/access-control/user-roles/

ℹ️ Check
Verify all returned users with security permissions are documented as requiring the permissions. In the web UI, select access control >> Redis acls. Verify that the documented users have the correct ACL(s) assigned to them by clicking the "Used By" link for each listed ACL. Verify that all documented ACLs match each of the listed ACLs. If "Redis ACL name" and "Used By" do not match the documentation, this is a finding.

ℹ️ Check

Verify all returned users with security permissions are documented as requiring the permissions. In the web UI, select access control >> Redis acls. Verify that the documented users have the correct ACL(s) assigned to them by clicking the "Used By" link for each listed ACL. Verify that all documented ACLs match each of the listed ACLs. If "Redis ACL name" and "Used By" do not match the documentation, this is a finding.

✔️ Fix
Users and ACLs can be created and modified from the Redis Enterprise UI by navigating to the access control tab as an admin user. Update the user roles and ACLs to reflect organizational requirements.