SV-96577r1_rule
V-81863
SRG-APP-000148-DB-000103
MD3X-00-000310
CAT II
10
Prereq: To drop a user from a database, you must have the "dropUser" action on the database.
For any user who is not a member of an appropriate organization and has access to a database in the system, run the following command:
// Change to the appropriate database
use <database>
db.dropUser(<username>, {w: "majority", wtimeout: 5000})
If the MongoDB configuration file (default location: /etc/mongod.conf) does not contain:
security:
  authorization: "enabled"
edit the MongoDB configuration file, add these parameters, and stop/start (restart) any mongod or mongos process using this MongoDB configuration file.
To view another user’s information, you must have the "viewUser" action on the other user’s database.
For each database in the system, run the following command:
db.getUsers()
Ensure each user identified is a member of an appropriate organization that can access the database.
If a user is found not to be a member of an appropriate organization that can access the database, this is a finding.
Verify that the MongoDB configuration file (default location: /etc/mongod.conf) contains the following:
security:
  authorization: "enabled"
If this parameter is not present, this is a finding.
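The configuration-file check above can be scripted so that a commented-out line, or an "authorization" key under some other section, does not pass as a plain text search would. The following is an added example, not part of the STIG text; the function names and the sample files are constructed for illustration, and it assumes the block-style YAML layout shown above.

```shell
#!/bin/sh
# Added example: report the state of security.authorization in a mongod.conf.
# Prints "enabled", "disabled" or "missing" (missing = finding).
mongod_authz_state() {
    awk -v q="'" '
        { sub(/\r$/, "") }                    # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }               # skip comment-only and blank lines
        /^[^ \t]/ {                           # any top-level key opens or closes the block
            in_sec = ($0 ~ /^security:[ \t]*(#.*)?$/)
            next
        }
        in_sec && /^[ \t]+authorization:/ {
            v = $0
            sub(/^[ \t]+authorization:[ \t]*/, "", v)
            sub(/[ \t]*#.*$/, "", v)          # drop a trailing comment
            sub(/[ \t]+$/, "", v)             # drop trailing whitespace
            gsub(/"/, "", v); gsub(q, "", v)  # drop double and single quotes
            state = (v == "enabled") ? "enabled" : "disabled"
        }
        END { print (state == "" ? "missing" : state) }
    ' "$1"
}

# Exit status 0 only when authorization is enabled (no finding).
check_mongod_authz() {
    [ "$(mongod_authz_state "$1")" = "enabled" ]
}

# Constructed sample configs, not taken from a real system.
demo_dir=$(mktemp -d)
printf 'net:\n  port: 27017\nsecurity:\n  authorization: "enabled"\n' > "$demo_dir/good.conf"
printf 'security:\n  #authorization: "enabled"\n  javascriptEnabled: false\n' > "$demo_dir/commented.conf"
for f in "$demo_dir"/*.conf; do
    printf '%s: %s\n' "${f##*/}" "$(mongod_authz_state "$f")"
done
```

A flow-style entry such as security: {authorization: enabled} is reported as "missing" by this sketch and needs manual review.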
V-81863
False
MD3X-00-000310
M
3265