EDR: Can the Redis Database be configured to use a password?

Environment

  • EDR Server: 7.5.1 and Higher

Question

Pen testing revealed that the Redis database is not password protected. Can a password be configured?

Answer

Starting in 7.5.1, the server can be configured to use password authentication for Redis along with a TLS certificate.

1.  Open and edit /etc/cb/cb.conf and add the following values if they do not already exist (the values should match on the primary and minion servers):

    SSLRedisCACertFile=/etc/cb/certs/cb-redis-ca.crt
    SSLRedisCAKeyFile=/etc/cb/certs/cb-redis-ca.key

    SSLRedisCertFile=/etc/cb/certs/cb-redis.crt
    SSLRedisKeyFile=/etc/cb/certs/cb-redis.key

    RedisUseSSL=True
    RedisUsePassword=True
    RedisPassword=<create a password>

2.  Skip to step 5 if the Redis certificates already exist in /etc/cb/certs/. Only EDR servers that are a) upgrading from an older version to 7.5.1+ or b) required to change the current Redis certificates should follow steps 2 to 4.
    Copy the Python script found in Additional Notes (below) into a file called "redis_cert_creation.py" on the Primary EDR server.

3.  Update the permissions and run the file (Primary server only):

    sudo chmod 770 redis_cert_creation.py
    /usr/share/cb/virtualenv/bin/python3.10 redis_cert_creation.py

4.  For cluster nodes, copy the Redis CA certificate/key pair and the Redis certificate/key pair created on the Primary server to each Minion node. The file names are the ones set by the SSLRedis* values in cb.conf (cb-redis-ca.* and cb-redis.*). Confirm the permissions match the other certificate and key files in the /etc/cb/certs/ directory.

    scp /etc/cb/certs/cb-redis* <minion IP>:/etc/cb/certs/

5.  Restart the services.
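As an added check, written for this article and not part of EDR or the script in Additional Notes, the following Python audits a cb.conf-style KEY=VALUE file for the step 1 settings: it flags RedisUseSSL or RedisUsePassword not set to True, a RedisPassword left unset or still the <create a password> placeholder, and SSLRedis* entries whose files are missing. It assumes cb.conf is plain KEY=VALUE lines, as step 1 shows; the sample configuration at the bottom is constructed.

```python
import os

# Values step 1 says cb.conf must carry; the cert keys must point at existing files.
REQUIRED_FLAGS = {"RedisUseSSL": "True", "RedisUsePassword": "True"}
CERT_KEYS = ("SSLRedisCACertFile", "SSLRedisCAKeyFile",
             "SSLRedisCertFile", "SSLRedisKeyFile")

def parse_cb_conf(text):
    """Parse KEY=VALUE lines into a dict; blanks and '#' comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_redis_settings(settings, file_exists=os.path.isfile):
    """Return findings as strings; an empty list means the config matches step 1."""
    findings = []
    for key, expected in REQUIRED_FLAGS.items():
        if settings.get(key) != expected:
            findings.append(f"{key} must be {expected}, found {settings.get(key)!r}")
    password = settings.get("RedisPassword", "")
    if not password or password.startswith("<"):
        findings.append("RedisPassword is unset or still the '<create a password>' placeholder")
    for key in CERT_KEYS:
        path = settings.get(key)
        if not path:
            findings.append(f"{key} is missing")
        elif not file_exists(path):
            findings.append(f"{key} points to {path}, which does not exist (see steps 2-4)")
    return findings

# Constructed sample: TLS left off and the password placeholder never replaced.
SAMPLE_CONF = """\
SSLRedisCACertFile=/etc/cb/certs/cb-redis-ca.crt
SSLRedisCAKeyFile=/etc/cb/certs/cb-redis-ca.key
SSLRedisCertFile=/etc/cb/certs/cb-redis.crt
SSLRedisKeyFile=/etc/cb/certs/cb-redis.key
RedisUseSSL=False
RedisUsePassword=True
RedisPassword=<create a password>
"""

if __name__ == "__main__":
    # file_exists is stubbed so the sample runs on a host without EDR installed.
    for finding in audit_redis_settings(parse_cb_conf(SAMPLE_CONF), lambda p: True):
        print("FINDING:", finding)
```

Run it against the real file with audit_redis_settings(parse_cb_conf(open("/etc/cb/cb.conf").read())) on each primary and minion; the output should be empty on every node.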

Additional Notes

  • For a standalone server, the best practice is to only allow tcp/80, tcp/443 and tcp/8443 (depending on which port you set for the UI) for sensor/web console traffic, and tcp/22 for management.
  • The Redis database is only exposed to the "Unprotected by Password Authentication" finding when remote access is allowed from outside the local host or from hosts other than the minions.
  • Pen testing should assess access from outside the server and not be based just on port 6379 being open.
  • The port should not be changed from 6379.

redis_cert_creation.py

#!/usr/share/cb/virtualenv/bin/python3.10
# Creates the Redis CA and server certificate/key pairs at the paths named in
# /etc/cb/cb.conf, using the EDR server's own setup helpers.

from cb.setup.initcb import ensure_redis_ca_cert
from cb.setup.initcb import ensure_redis_cert
from cb.setup.initcb import _update_cert_file_permissions
from cb.utils.config import Config

cb_config = Config()  # reads /etc/cb/cb.conf


class config():
    # Attribute names the initcb helpers expect, populated from cb.conf
    svc_user = cb_config.CbUser
    svc_group = cb_config.CbGroup
    ssl_redis_ca_cert_file = cb_config.SSLRedisCACertFile
    ssl_redis_ca_key_file = cb_config.SSLRedisCAKeyFile
    ssl_redis_cert_file = cb_config.SSLRedisCertFile
    ssl_redis_key_file = cb_config.SSLRedisKeyFile


# Directory that holds the certificates, e.g. /etc/cb/certs
cert_path = config.ssl_redis_cert_file.rsplit('/', 1)[0]

ensure_redis_ca_cert(config)  # Redis CA certificate and key
ensure_redis_cert(config)     # Redis server certificate and key
_update_cert_file_permissions(config, cert_path, cert_path)  # owner/group/mode on the files

Creation Date: 10-23-2020