V-251221
Redis Enterprise 6.x Security Technical Implementation Guide
Title
Redis Enterprise DBMS must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
Description
<VulnDiscussion>The DOD standard for authentication of an interactive user is the presentation of a Common Access Card (CAC) or other physical token bearing a valid, current, DOD-issued Public Key Infrastructure (PKI) certificate, coupled with a Personal Identification Number (PIN) to be entered by the user at the beginning of each session and whenever reauthentication is required. Without reauthentication, users may access resources or perform tasks for which they do not have authorization. ...
Fix Text (Documentation Requirement)
Confirm with information owner any circumstances under which a user is required to reauthenticate. If any exist, confirm they are properly documented.

Configure Redis Enterprise settings to meet organizationally defined requirements:

User account security
To ensure user accounts are secured and not misused, RS supports enforcement of:
- Password complexity
- Password expiration
- Account lock on failed attempts
- Account inactivity timeout

To enforce a more advanced password policy that meets the desired contractual and compliance requirements and associated organizational policies, it is recommended to use LDAP integration with an external identity provider, such as Active Directory.

Resetting user passwords:
To reset a user password from the CLI, run:
rladmin cluster reset_password <...
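The four account controls listed in the fix text can be checked mechanically against the cluster settings document rather than by eye. The following is an added example for this STIG entry, not DISA or Redis code. It evaluates a constructed cluster-settings JSON document against organization-defined thresholds; the field names (password_complexity, password_expiration_duration, login_lockout_threshold, login_lockout_duration, cm_session_timeout_minutes) and the threshold values are assumptions modelled on the Redis Enterprise cluster object and must be confirmed against the REST API reference for the deployed version.

```python
"""Compliance check for the account controls named in V-251221's fix text:
password complexity, password expiration, lockout on failed attempts and
inactivity timeout. Added example, not DISA or Redis Enterprise code.

Field names are ASSUMED (modelled on the Redis Enterprise cluster settings
object returned by GET /v1/cluster); verify them for your version. The input
document is constructed inline so the check runs offline."""
import json

# Organization-defined thresholds (assumed values for illustration only).
POLICY = {
    "max_password_age_days": 60,
    "max_failed_logins": 3,
    "min_lockout_seconds": 900,
    "max_session_idle_minutes": 15,
}

# Constructed sample: a cluster with complexity enforced but weak expiration,
# lockout and idle-timeout settings.
SAMPLE_CLUSTER_JSON = json.dumps({
    "name": "rs-cluster.example.internal",
    "password_complexity": True,
    "password_expiration_duration": 90,   # days; 0 would mean never expires
    "login_lockout_threshold": 5,         # failed attempts; 0 disables lockout
    "login_lockout_duration": 300,        # seconds
    "cm_session_timeout_minutes": 60,     # admin UI/API idle timeout
})


def check_account_controls(cluster_json: str, policy: dict = POLICY) -> list:
    """Return a list of (control, finding) tuples; an empty list means compliant."""
    c = json.loads(cluster_json)
    findings = []

    # Control 1: password complexity must be switched on.
    if not c.get("password_complexity", False):
        findings.append(("Password complexity", "not enforced"))

    # Control 2: passwords must expire, and within the policy maximum.
    exp = c.get("password_expiration_duration", 0)
    if exp == 0:
        findings.append(("Password expiration", "disabled (0 = never expires)"))
    elif exp > policy["max_password_age_days"]:
        findings.append(("Password expiration",
                         f"{exp} days exceeds {policy['max_password_age_days']}"))

    # Control 3: lockout must be enabled, trigger early enough and last long enough.
    thr = c.get("login_lockout_threshold", 0)
    if thr == 0:
        findings.append(("Account lock on failed attempts", "disabled (0 = no lockout)"))
    elif thr > policy["max_failed_logins"]:
        findings.append(("Account lock on failed attempts",
                         f"threshold {thr} exceeds {policy['max_failed_logins']}"))
    dur = c.get("login_lockout_duration", 0)
    if thr and dur < policy["min_lockout_seconds"]:
        findings.append(("Account lock on failed attempts",
                         f"lockout {dur}s shorter than {policy['min_lockout_seconds']}s"))

    # Control 4: idle sessions must time out within the policy maximum.
    idle = c.get("cm_session_timeout_minutes", 0)
    if idle == 0 or idle > policy["max_session_idle_minutes"]:
        findings.append(("Account inactivity timeout",
                         f"{idle} min is missing or exceeds {policy['max_session_idle_minutes']}"))
    return findings


if __name__ == "__main__":
    for control, finding in check_account_controls(SAMPLE_CLUSTER_JSON):
        print(f"OPEN  {control}: {finding}")
```

On the constructed sample the check reports four open findings (expiration too long, lockout threshold too high, lockout too short, idle timeout too long). In practice the input would be the settings document retrieved from the cluster, and the thresholds would come from the organization's documented reauthentication requirements rather than the placeholders above.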