STIGQter STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jul 2020:

MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

DISA Rule

SV-96557r1_rule

Vulnerability Number

V-81843

Group Title

SRG-APP-000023-DB-000001

Rule Version

MD3X-00-000010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the MongoDB configuration file (default location: /etc/mongod.con) to include the following:

security:
authorization: "enabled"

This will enable SCRAM-SHA-1 authentication (default).

Instruction on configuring the default authentication is provided here:

https://docs.mongodb.com/v3.4/tutorial/enable-authentication/

The high-level steps described by the above will require the following:

1. Start MongoDB without access control.
2. Connect to the instance.
3. Create the user administrator.
4. Restart the MongoDB instance with access control.
5. Connect and authenticate as the user administrator.
6. Create additional users as needed for your deployment.

Check Contents

Verify that the MongoDB configuration file (default location: /etc/mongod.conf) contains the following:

security:
authorization: "enabled"

If this parameter is not present, this is a finding.

Vulnerability Number

V-81843

Documentable

False

Rule Version

MD3X-00-000010

Severity Override Guidance

Verify that the MongoDB configuration file (default location: /etc/mongod.conf) contains the following:

security:
authorization: "enabled"

If this parameter is not present, this is a finding.

Check Content Reference

M

Target Key

3265

Comments