STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 24 Jul 2020

If DBMS authentication, using passwords, is employed, MongoDB must enforce the DoD standards for password complexity and lifetime.

DISA Rule

SV-96579r1_rule

Vulnerability Number

V-81865

Group Title

SRG-APP-000164-DB-000401

Rule Version

MD3X-00-000320

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Either configure MongoDB for Native LDAP authentication, where the LDAP server is configured to enforce password complexity and lifetime,
OR
configure MongoDB for Kerberos authentication, where Kerberos is configured to enforce password complexity and lifetime.

Check Contents

If MongoDB is using Native LDAP authentication where the LDAP server is configured to enforce password complexity and lifetime, this is not a finding.

If MongoDB is using Kerberos authentication where Kerberos is configured to enforce password complexity and lifetime, this is not a finding.

If MongoDB is configured for SCRAM-SHA1, MONGODB-CR, or LDAP Proxy authentication, this is a finding.

See: https://docs.mongodb.com/v3.4/core/authentication/#authentication-methods

Vulnerability Number

V-81865

Documentable

False

Rule Version

MD3X-00-000320

Severity Override Guidance

If MongoDB is using Native LDAP authentication where the LDAP server is configured to enforce password complexity and lifetime, this is not a finding.

If MongoDB is using Kerberos authentication where Kerberos is configured to enforce password complexity and lifetime, this is not a finding.

If MongoDB is configured for SCRAM-SHA1, MONGODB-CR, or LDAP Proxy authentication, this is a finding.

See: https://docs.mongodb.com/v3.4/core/authentication/#authentication-methods

Check Content Reference

M

Target Key

3265

Comments