CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

ACLs for Redis Authentication instead of requirepass #1559

Open wRkA opened 1 month ago

wRkA commented 1 month ago

The requirepass setting in Redis serves as a compatibility layer for the new ACL system starting from Redis 6. Relying on requirepass alone may lead to insufficient security as it only sets a password for the default user, while clients still authenticate using AUTH commands.

Describe the solution you'd like
Recommend the use of ACLs for user authentication instead of solely relying on the requirepass setting.

Required changes
Emphasize the use of ACLs for managing user authentication and permissions, minimizing reliance on the requirepass setting.

Additional context
The new Redis documentation highlights that starting from version 6, users are initialized with restrictive permissions by default. Transitioning to an ACL-based approach allows for better management of user permissions and enhances overall security.

Additional information
redis.conf

# IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatibility
# layer on top of the new ACL system. The option effect will be just setting
# the password for the default user. Clients will still authenticate using
# AUTH <password> as usually, or more explicitly with AUTH default <password>
# if they follow the new protocol: both will work.
#
# The requirepass is not compatible with aclfile option and the ACL LOAD
# command, these will cause requirepass to be ignored.
#
# requirepass foobared

# New users are initialized with restrictive permissions by default, via the
# equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it
# is possible to manage access to Pub/Sub channels with ACL rules as well. The
# default Pub/Sub channels permission of new users is controlled by the
# acl-pubsub-default configuration directive, which accepts one of these values:
#
# allchannels: grants access to all Pub/Sub channels
# resetchannels: revokes access to all Pub/Sub channels
#
# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission.
#
# acl-pubsub-default resetchannels

Thank you.
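One way such a check could look, as an added example written for this issue and not code from Lynis itself: a POSIX sh function that reads a redis.conf, ignores commented-out lines (such as the "# requirepass foobared" above), and reports whether authentication relies on the ACL system (aclfile or inline user directives), on the legacy requirepass setting alone, or on nothing at all. The helper that writes sample configs and the classification labels are assumptions made for this example.

```shell
# Write a constructed redis.conf fragment to path $1 for variant $2.
# These samples are made up for the example, not taken from any host.
make_sample_conf() {
  case "$2" in
    requirepass_only)
      printf 'port 6379\n# requirepass foobared\nrequirepass s3cret\n' > "$1" ;;
    aclfile)
      printf 'port 6379\naclfile /etc/redis/users.acl\nrequirepass s3cret\n' > "$1" ;;
    inline_user)
      printf 'port 6379\nuser app on >pw ~app:* +@read\n' > "$1" ;;
    none)
      printf 'port 6379\n# requirepass foobared\n' > "$1" ;;
  esac
}

# Classify how a redis.conf authenticates clients. Prints one of:
#   ACL          aclfile or inline "user" directives are active
#   REQUIREPASS  only the legacy requirepass setting is active
#   NONE         neither; the default user has no password
# Note: per redis.conf, requirepass is ignored when aclfile is set,
# so a config with both still counts as ACL.
redis_auth_mode() {
  conf="$1"
  # Drop comments and blank lines so "# requirepass foobared" is not counted.
  effective=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")
  if printf '%s\n' "$effective" | grep -Eiq '^[[:space:]]*(aclfile|user)[[:space:]]+'; then
    echo ACL
  elif printf '%s\n' "$effective" | grep -Eiq '^[[:space:]]*requirepass[[:space:]]+'; then
    echo REQUIREPASS
  else
    echo NONE
  fi
}

# Audit-style verdict for one redis.conf, mirroring the wording this issue asks for.
redis_auth_verdict() {
  mode=$(redis_auth_mode "$1")
  case "$mode" in
    ACL)         echo "OK: ACL-based authentication configured" ;;
    REQUIREPASS) echo "SUGGESTION: requirepass only; consider ACL users/aclfile" ;;
    NONE)        echo "WARNING: no authentication configured for default user" ;;
  esac
}
```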