Can the Redis Database be configured to use a password?

Article ID: 291051

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Pen testing revealed that the Redis database is not password protected. Can a password be configured?

Environment

  • EDR Server: 7.5.1 and Higher

Resolution

Starting in EDR Server 7.5.1, the server can be configured to use password authentication for Redis along with a certificate.

1.  Open /etc/cb/cb.conf and add the following values if they are not already present (the values should match on the primary and secondary servers):

SSLRedisCACertFile=/etc/cb/certs/cb-redis-ca.crt
SSLRedisCAKeyFile=/etc/cb/certs/cb-redis-ca.key

SSLRedisCertFile=/etc/cb/certs/cb-redis.crt
SSLRedisKeyFile=/etc/cb/certs/cb-redis.key

RedisUseSSL=True
RedisUsePassword=True
RedisPassword=<create a password>

2.  Skip to step 5 if the Redis certificates already exist in /etc/cb/certs/. Only EDR servers that are a) upgrading from an older version to 7.5.1+ or b) required to replace the current Redis certificates should follow steps 2 to 4.
    Copy the Python script found in Additional Information (below) into a file called "redis_cert_creation.py" on the Primary EDR server.

3.  Update permissions and run the script (Primary server only):

sudo chmod 770 redis_cert_creation.py

/usr/share/cb/virtualenv/bin/python3.10 redis_cert_creation.py

4.  For cluster nodes, copy the Redis CA cert/key pair and the Redis cert/key pair created on the Primary server to each Secondary node. Confirm the permissions match the other certificate and key files in the /etc/cb/certs/ directory.

scp /etc/cb/certs/cb-redis* <minion IP>:/etc/cb/certs/

5.  Restart the EDR services.
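A small consistency check for the settings added in step 1, written here as an added example and not part of EDR or this article's script: it parses cb.conf Key=Value lines, reports which Redis settings are missing or still carry the placeholder password, and lists keys whose values differ between a primary and a secondary node. The two sample configs are constructed; the check reads only the config text, not the certificate files on disk.

```python
# Keys that step 1 adds to /etc/cb/cb.conf.
FLAG_KEYS = ("RedisUseSSL", "RedisUsePassword")
CERT_KEYS = ("SSLRedisCACertFile", "SSLRedisCAKeyFile",
             "SSLRedisCertFile", "SSLRedisKeyFile")
PLACEHOLDER = "<create a password>"  # literal left behind when step 1 was not finished


def parse_cb_conf(text):
    """Parse cb.conf-style Key=Value lines; blanks and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit_redis_auth(conf):
    """Return findings; an empty list means every step-1 setting is present."""
    findings = []
    for key in FLAG_KEYS:
        if conf.get(key, "").lower() != "true":
            findings.append(f"{key} is not True")
    for key in CERT_KEYS:
        if not conf.get(key):
            findings.append(f"{key} is missing")
    password = conf.get("RedisPassword", "")
    if not password or password == PLACEHOLDER:
        findings.append("RedisPassword is unset or still the placeholder")
    return findings


def cluster_mismatches(primary, secondary):
    """Keys whose values differ between a primary and a secondary node's cb.conf."""
    keys = FLAG_KEYS + CERT_KEYS + ("RedisPassword",)
    return sorted(k for k in keys if primary.get(k) != secondary.get(k))


# Constructed samples: a completed step 1 and a half-finished one.
GOOD_CONF = """
SSLRedisCACertFile=/etc/cb/certs/cb-redis-ca.crt
SSLRedisCAKeyFile=/etc/cb/certs/cb-redis-ca.key
SSLRedisCertFile=/etc/cb/certs/cb-redis.crt
SSLRedisKeyFile=/etc/cb/certs/cb-redis.key
RedisUseSSL=True
RedisUsePassword=True
RedisPassword=example-only-not-a-real-secret
"""
BAD_CONF = GOOD_CONF.replace("RedisUsePassword=True", "").replace(
    "example-only-not-a-real-secret", PLACEHOLDER)
```

Run `audit_redis_auth(parse_cb_conf(open("/etc/cb/cb.conf").read()))` on each node and compare the parsed dicts with `cluster_mismatches` before restarting services.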

Additional Information

  • For a standalone server, the best practice is to allow only tcp/80, tcp/443 and tcp/8443 (or whichever port is configured for the UI) for sensor and web console traffic, plus tcp/22 for management.
  • The Redis database is only exposed to an "Unprotected by Password Authentication" finding when remote access is allowed from outside the local host or between the minions.
  • Pen testing should assess access from outside, not just report that port 6379 is open.
  • The Redis port should not be changed from 6379.

redis_cert_creation.py

#!/usr/share/cb/virtualenv/bin/python3.10

# Creates the Redis CA cert/key and Redis server cert/key referenced by the
# SSLRedis* settings in /etc/cb/cb.conf, using the EDR server's own setup
# helpers. Run on the Primary server only (see step 3).
from cb.setup.initcb import ensure_redis_ca_cert
from cb.setup.initcb import ensure_redis_cert
from cb.setup.initcb import _update_cert_file_permissions
from cb.utils.config import Config

cb_config = Config()  # loads /etc/cb/cb.conf


class config:
    # Attribute names the initcb helpers expect, filled from cb.conf
    svc_user = cb_config.CbUser
    svc_group = cb_config.CbGroup
    ssl_redis_ca_cert_file = cb_config.SSLRedisCACertFile
    ssl_redis_ca_key_file = cb_config.SSLRedisCAKeyFile
    ssl_redis_cert_file = cb_config.SSLRedisCertFile
    ssl_redis_key_file = cb_config.SSLRedisKeyFile


# Directory that holds the certificates, normally /etc/cb/certs
cert_path = config.ssl_redis_cert_file.rsplit('/', 1)[0]

ensure_redis_ca_cert(config)  # ensure the Redis CA cert/key exist
ensure_redis_cert(config)     # ensure the Redis server cert/key exist
_update_cert_file_permissions(config, cert_path, cert_path)  # set owner/mode for svc_user/svc_group