Can the Redis Database be configured to use a password?
Article ID: 291051

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Pen testing revealed that the Redis database is not password protected. Can a password be configured?

Environment

  • EDR Server: 7.5.1 and Higher

Resolution

Starting in EDR Server 7.5.1, the server can be configured to use password authentication for Redis along with a certificate.

  1. Open /etc/cb/cb.conf for editing and add the following values if they do not already exist (clustered instances require the same settings and the same password on the minion nodes):
    SSLRedisCACertFile=/etc/cb/certs/cb-redis-ca.crt
    SSLRedisCAKeyFile=/etc/cb/certs/cb-redis-ca.key
    
    SSLRedisCertFile=/etc/cb/certs/cb-redis.crt
    SSLRedisKeyFile=/etc/cb/certs/cb-redis.key
    
    RedisUseSSL=True
    RedisUsePassword=True
    RedisPassword=<create a password>
  2. Verify whether the Redis certificates already exist in /etc/cb/certs
    • Installations 7.5.1 or newer will have these files already generated
    • If they are missing, continue to next steps.
  3. Copy the python script shown below under redis_cert_creation.py and save it as a file named "redis_cert_creation.py" on the Primary EDR server.
  4. Update the permissions and run the file (Primary server only)
    sudo chmod 770 redis_cert_creation.py
    
    /usr/share/cb/virtualenv/bin/python3 redis_cert_creation.py
  5. For Clusters, sync the certificates to the minion nodes. This requires the cluster to be stopped.
    /usr/share/cb/cbcluster sync-certs
  6. Start the EDR services.
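As an added pre-flight check (example code, not from this article or the EDR product), the following parses the Key=Value format of cb.conf and reports which of the step 1 settings are missing, still carry the placeholder password, or point at certificate files that do not exist. The exists parameter and the sample configuration are constructed for the example so it runs offline.

```python
import os
from typing import Callable, Dict, List

# Keys from step 1 that must be True, and the certificate paths that must exist.
REQUIRED_TRUE = ("RedisUseSSL", "RedisUsePassword")
CERT_KEYS = ("SSLRedisCACertFile", "SSLRedisCAKeyFile", "SSLRedisCertFile", "SSLRedisKeyFile")

def parse_cb_conf(text: str) -> Dict[str, str]:
    """Parse Key=Value lines of cb.conf; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def check_redis_hardening(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return findings in check order; an empty list means step 1 is complete."""
    cfg = parse_cb_conf(text)
    findings = []
    for key in REQUIRED_TRUE:
        if cfg.get(key, "").lower() != "true":
            findings.append(f"{key} must be set to True")
    password = cfg.get("RedisPassword", "")
    if not password or password.startswith("<"):
        findings.append("RedisPassword is missing or still the placeholder")
    for key in CERT_KEYS:
        path = cfg.get(key)
        if not path:
            findings.append(f"{key} is not set")
        elif not exists(path):  # certificate missing: run redis_cert_creation.py
            findings.append(f"{key} -> {path} does not exist")
    return findings

# Constructed sample: RedisUseSSL is absent and the password placeholder remains.
SAMPLE_CONF = """\
SSLRedisCACertFile=/etc/cb/certs/cb-redis-ca.crt
SSLRedisCAKeyFile=/etc/cb/certs/cb-redis-ca.key
SSLRedisCertFile=/etc/cb/certs/cb-redis.crt
SSLRedisKeyFile=/etc/cb/certs/cb-redis.key
RedisUsePassword=True
RedisPassword=<create a password>
"""

if __name__ == "__main__":
    # Pretend the certificate files exist so the output shows only the key findings.
    for finding in check_redis_hardening(SAMPLE_CONF, exists=lambda p: True):
        print("FINDING:", finding)
```

To check a live server, call check_redis_hardening(open("/etc/cb/cb.conf").read()) with the default exists, which uses the real filesystem.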

Additional Information

  • For a standalone server, the best practice is to allow only tcp/80, tcp/443 and tcp/8443 (depending on which port you set for the UI) for sensor/web console traffic, and tcp/22 for management.
  • The Redis database is only exposed to the "Unprotected by Password Authentication" finding when remote access is allowed from outside the local host or between the minion nodes.
  • Pen testing should be performed against outside access, not based just on an open port 6379.
  • The port should not be changed from 6379.


redis_cert_creation.py

#!/usr/share/cb/virtualenv/bin/python3.10

# Generate the Redis CA and server certificate with the EDR server's own setup
# helpers, then fix ownership and permissions on the certificate directory.
from cb.setup.initcb import ensure_redis_ca_cert
from cb.setup.initcb import ensure_redis_cert
from cb.setup.initcb import update_cert_file_permissions
from cb.utils.config import Config

# Loads the EDR server configuration, including the SSLRedis* paths added in step 1.
cb_config = Config()


class config:
    # Minimal object exposing only the attributes the initcb helpers read.
    svc_user = cb_config.CbUser
    svc_group = cb_config.CbGroup
    ssl_redis_ca_cert_file = cb_config.SSLRedisCACertFile
    ssl_redis_ca_key_file = cb_config.SSLRedisCAKeyFile
    ssl_redis_cert_file = cb_config.SSLRedisCertFile
    ssl_redis_key_file = cb_config.SSLRedisKeyFile


# Directory holding the certificates, e.g. /etc/cb/certs
cert_path = config.ssl_redis_cert_file.rsplit('/', 1)[0]

# Create the CA certificate and key if missing, then the Redis server certificate
# signed by that CA, and finally set file ownership and modes for the service user.
ensure_redis_ca_cert(config)
ensure_redis_cert(config)
update_cert_file_permissions(config, cert_path, cert_path)