STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jul 2020:

MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

DISA Rule

SV-96577r1_rule

Vulnerability Number

V-81863

Group Title

SRG-APP-000148-DB-000103

Rule Version

MD3X-00-000310

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Prerequisite: to drop a user from a database, you must have the "dropUser" action on that database.

For any user who is not a member of an appropriate organization but has access to a database in the system, run the following commands:

// Change to the appropriate database
use <database>
db.dropUser("<username>", {w: "majority", wtimeout: 5000})

If the MongoDB configuration file (default location: /etc/mongod.conf) does not contain

security:
  authorization: "enabled"

edit the MongoDB configuration file to add these lines, then stop and start (restart) every mongod or mongos process that uses this configuration file.

Check Contents

To view another user’s information, you must have the "viewUser" action on the other user’s database.

For each database in the system, run the following command:

db.getUsers()

Ensure each user identified is a member of an appropriate organization that can access the database.

If a user is found not to be a member of an appropriate organization that can access the database, this is a finding.

Verify that the MongoDB configuration file (default location: /etc/mongod.conf) contains the following:

security:
  authorization: "enabled"

If this parameter is not present, this is a finding.
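As an added example (not part of the STIG or of STIGQter), the JavaScript below encodes the check and the fix on this page as two offline functions: auditUsers() takes the user list that db.getUsers() returns in the 3.x mongo shell plus a roster of organizationally approved accounts and emits one finding per unapproved account together with the dropUser() command to run after `use <database>`; authorizationEnabled() reads mongod.conf text and reports whether security.authorization is set to "enabled". The roster, the sample user documents and the function names are assumptions for illustration; the code runs under node against saved shell output (for example the result of db.getUsers() copied from each database and the contents of /etc/mongod.conf).

```javascript
// Added example, not part of the STIG or STIGQter. Offline helpers for
// MD3X-00-000310: auditUsers() checks the user list a database returns against
// an organizational roster; authorizationEnabled() checks mongod.conf text.
// The roster, sample documents and function names are assumptions.

// Constructed roster: database -> usernames approved for that database.
const APPROVED_USERS = {
  admin: ["dba_admin"],
  hr: ["hr_app", "hr_analyst"],
};

// Constructed sample in the shape db.getUsers() returns in the 3.x mongo shell
// (an array of user documents; the raw usersInfo command wraps it in {users: [...]}).
const SAMPLE_HR_USERS = [
  { _id: "hr.hr_app", user: "hr_app", db: "hr", roles: [{ role: "readWrite", db: "hr" }] },
  { _id: "hr.hr_analyst", user: "hr_analyst", db: "hr", roles: [{ role: "read", db: "hr" }] },
  { _id: "hr.contractor42", user: "contractor42", db: "hr", roles: [{ role: "readWrite", db: "hr" }] },
];

// One finding per account not on the roster for the database it was created in.
// Each finding carries the STIG fix command, quoted for the shell, to run after
// `use <database>`. Accepts either the array or the {users: [...]} form.
function auditUsers(getUsersResult, roster) {
  const users = Array.isArray(getUsersResult) ? getUsersResult : getUsersResult.users || [];
  const findings = [];
  for (const u of users) {
    const approved = roster[u.db] || [];
    if (approved.includes(u.user)) continue;
    findings.push({
      database: u.db,
      user: u.user,
      roles: (u.roles || []).map((r) => `${r.role}@${r.db}`),
      fix: `use ${u.db}\ndb.dropUser(${JSON.stringify(u.user)}, {w: "majority", wtimeout: 5000})`,
    });
  }
  return findings;
}

// Checks for the block the STIG requires:
//   security:
//     authorization: "enabled"
// Tracks the top-level `security:` mapping by indentation, strips comments and
// quotes, and returns true only when authorization is exactly "enabled". A
// missing block, a missing key or any other value is a finding. This is a
// line-oriented check, not a YAML parser; flow-style `security: {...}` is not handled.
function authorizationEnabled(confText) {
  let inSecurity = false;
  for (const raw of confText.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").trimEnd();
    if (line.trim() === "") continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0) {
      // A new top-level key: we are inside `security:` only if this line is it.
      inSecurity = /^security:$/.test(line);
      continue;
    }
    if (!inSecurity) continue;
    const m = line.trim().match(/^authorization:\s*(.+)$/);
    if (m) {
      const value = m[1].trim().replace(/^["']|["']$/g, "");
      return value === "enabled";
    }
  }
  return false;
}

// Stand-alone run: prints findings for the constructed sample and a config check.
function main() {
  const findings = auditUsers(SAMPLE_HR_USERS, APPROVED_USERS);
  for (const f of findings) {
    console.log(`FINDING: ${f.user} on ${f.database} (${f.roles.join(", ")})\n${f.fix}`);
  }
  const conf = 'net:\n  port: 27017\nsecurity:\n  authorization: "enabled"\n';
  console.log(`security.authorization enabled: ${authorizationEnabled(conf)}`);
}
main();
```

The roster is keyed by the database the account lives in (the `db` field of each user document), because that is the database `use <database>` must select before dropUser() will find the account; a user granted roles on other databases is still dropped from its home database. Run the config check against the file every mongod or mongos process actually loads, not only the default path, since a process started with `--config` elsewhere is the one the finding applies to.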

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

3265

Comments