STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jul 2020:

MongoDB must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.

DISA Rule

SV-96609r1_rule

Vulnerability Number

V-81895

Group Title

SRG-APP-000267-DB-000163

Rule Version

MD3X-00-000530

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit the MongoDB configuration file (default location: /etc/mongod.conf) and add the "redactClientLogData" parameter to the "security" section of that file:

security:
  redactClientLogData: "true"

Stop and start (restart) any mongod or mongos that uses the MongoDB configuration file.

Check Contents

A mongod or mongos running with "security.redactClientLogData" redacts any message accompanying a given log event before logging.

This prevents the mongod or mongos from writing potentially sensitive data stored on the database to the diagnostic log. Metadata such as error or operation codes, line numbers, and source file names are still visible in the logs.

Verify that the MongoDB configuration file (default location: /etc/mongod.conf) contains the following:

security:
  redactClientLogData: "true"

If this parameter is not present, this is a finding.
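
The check above can be automated. The following is an added example (constructed here, not part of the STIG or of MongoDB) that reads a mongod.conf in the block-style YAML form shown in the Fix Recommendation, locates "redactClientLogData" under the "security" section, and reports a finding when the key is absent, commented out, or not set to true; it deliberately does not count a copy of the key placed outside the "security" section.

```python
"""Compliance check for MD3X-00-000530 (security.redactClientLogData in mongod.conf).

Constructed example, not part of the STIG. Parses only the block-style YAML subset
used in the Fix Recommendation (a 'security:' mapping with scalar children), so it
runs without PyYAML; flow-style mappings such as 'security: {...}' are not handled.
"""
import re

def _strip_comment(line):
    """Drop a trailing '# ...' comment; a fully commented-out key becomes blank."""
    return line.split("#", 1)[0].rstrip()

def redact_setting(config_text):
    """Return security.redactClientLogData as a lowercased string without quotes,
    or None when the key is absent from the 'security' section."""
    in_security = False
    for raw in config_text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            # A new top-level key: only 'security:' opens the section we inspect.
            in_security = line.strip() == "security:"
            continue
        if in_security:
            m = re.match(r"\s*redactClientLogData\s*:\s*(.*)$", line)
            if m:
                return m.group(1).strip().strip("\"'").lower()
    return None

def check_md3x_000530(config_text):
    """Apply the STIG check: key present under 'security' and set to true.
    Accepts YAML true or the quoted "true" the STIG text shows."""
    value = redact_setting(config_text)
    if value is None:
        return False, "finding: security.redactClientLogData not present"
    if value != "true":
        return False, f"finding: security.redactClientLogData is {value!r}, expected true"
    return True, "compliant: client log data is redacted"

# Constructed sample configurations (not taken from a real host).
COMPLIANT_CONF = "security:\n  authorization: enabled\n  redactClientLogData: \"true\"\nnet:\n  port: 27017\n"
NONCOMPLIANT_CONF = "security:\n  authorization: enabled\n  # redactClientLogData: true\n"
WRONG_VALUE_CONF = "security:\n  redactClientLogData: false\n"

if __name__ == "__main__":
    for name, conf in [("compliant", COMPLIANT_CONF), ("missing", NONCOMPLIANT_CONF), ("false", WRONG_VALUE_CONF)]:
        print(name, check_md3x_000530(conf))
```

Run it against the real file with `check_md3x_000530(open("/etc/mongod.conf").read())`; a restart of mongod or mongos is still required after any change, as the Fix Recommendation states.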

Severity Override Guidance

Check Content Reference

M

Target Key

3265

Comments