Describe the bug
*SECURITY
This is a potential security issue:
Redis binds to LAN and lo0, possibly exposing Redis to the internet through IPv6 (or to attacks through cracked systems on the LAN side).
```
redis redis-serv 99897 6 tcp4 127.0.0.1:6379 :
redis redis-serv 99897 7 tcp6 ::1:6379 :
redis redis-serv 99897 8 tcp4 192.168.x.x:6379 :
redis redis-serv 99897 9 tcp6 xxxx:xxxx:xxxx:xxxx::1:6379 :
redis redis-serv 99897 10 stream /var/run/redis/redis.sock
```
Is the binding for LAN really needed?
Configuration file /usr/local/etc/redis.conf is world-readable; this might leak sensitive information.
Possibly use the following directive to harden the config (disabling dynamic reconfiguration):
`rename-command CONFIG`
No password is configured for Redis. This MAY be OK for socket or localhost access, but it should not be used this way on any network; please use requirepass or disable LAN access.
To Reproduce
Read redis.conf, basic configuration
SSH login, open shell, use
Expected behavior
Non-leaking Redis database; enough are leaking already, the port is actively hunted for.
Describe alternatives you considered
None
Screenshots
None
Relevant log files
None
Additional context
Redis is a target for data theft in general.
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 24.7.10 (amd64).
Intel® i7 Quad Core
Network Intel... ? (igc).
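As an added illustration of the checks this report asks for (bind scope, requirepass, disabling CONFIG, and the config file's permission bits), here is a small audit script. It is example code written for this page, not the OPNsense plugin's or Redis's own tooling. The two sample configurations and the addresses in them are constructed, and the checks read redis.conf directives only, so a password set through an ACL `user` line would not be recognised.

```python
"""Audit a redis.conf for the exposure points raised in the report:
non-loopback bind addresses, missing requirepass, a reachable CONFIG
command and a world-readable file. Constructed example; not the
OPNsense plugin's or Redis's own code."""
import os
import shlex
import stat
import ipaddress
from typing import List, Optional, Tuple


def parse_redis_conf(text: str) -> List[Tuple[str, List[str]]]:
    """One directive per line, '#' lines are comments, arguments may be
    double-quoted (so `rename-command CONFIG ""` yields an empty argument)."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:  # unbalanced quote: fall back to a whitespace split
            parts = line.split()
        if parts:
            directives.append((parts[0].lower(), parts[1:]))
    return directives


def is_loopback_bind(addr: str) -> bool:
    """True for 127.0.0.1 / ::1 / localhost. A leading '-' (Redis 7 optional
    bind marker) is ignored; '*', 0.0.0.0 and :: mean every interface."""
    a = addr.lstrip("-")
    if a in ("*", "0.0.0.0", "::"):
        return False
    try:
        return ipaddress.ip_address(a).is_loopback
    except ValueError:
        return a == "localhost"


def audit_redis_conf_text(text: str, mode: Optional[int] = None) -> List[str]:
    """Return one finding string per issue; an empty list means none found.
    `mode` is the file's permission bits (e.g. 0o644) when known.
    Limitation: passwords set only via ACL `user` directives are not recognised."""
    directives = parse_redis_conf(text)
    findings = []

    binds = [a for name, args in directives if name == "bind" for a in args]
    if not binds:
        findings.append("bind: no directive, Redis listens on every interface")
    else:
        exposed = [a for a in binds if not is_loopback_bind(a)]
        if exposed:
            findings.append("bind: non-loopback address(es) " + ", ".join(exposed))

    has_pass = any(name == "requirepass" and args and args[0] for name, args in directives)
    if not has_pass:
        findings.append("requirepass: not set, every listener accepts unauthenticated clients")

    config_renamed = any(
        name == "rename-command" and len(args) >= 2 and args[0].upper() == "CONFIG"
        for name, args in directives
    )
    if not config_renamed:
        findings.append("CONFIG: command still reachable, clients can rewrite the live configuration")

    if mode is not None and mode & stat.S_IROTH:
        findings.append("file mode %o is world readable" % mode)

    return findings


def audit_redis_conf(path: str) -> List[str]:
    """File-based wrapper: reads the config and its permission bits."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_redis_conf_text(text, stat.S_IMODE(os.stat(path).st_mode))


# Constructed samples; the addresses are made up, not taken from the report.
WEAK_CONF = """\
bind 127.0.0.1 ::1 192.168.1.10 2001:db8::1
port 6379
unixsocket /var/run/redis/redis.sock
unixsocketperm 770
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
port 6379
unixsocket /var/run/redis/redis.sock
unixsocketperm 770
requirepass "CHANGE-ME-placeholder"
rename-command CONFIG ""
"""

if __name__ == "__main__":
    for label, conf, mode in (("weak", WEAK_CONF, 0o644), ("hardened", HARDENED_CONF, 0o640)):
        print(label, audit_redis_conf_text(conf, mode) or ["no findings"])
```

Run as a script to see the findings for the two built-in samples, or call `audit_redis_conf("/usr/local/etc/redis.conf")` (the path named in the report) on the box itself; the weak sample reproduces all four points above, the hardened one yields no findings.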