STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 24 Jul 2020

MongoDB must enforce access restrictions associated with changes to the configuration of MongoDB or database(s).

DISA Rule

SV-96625r1_rule

Vulnerability Number

V-81911

Group Title

SRG-APP-000380-DB-000360

Rule Version

MD3X-00-000670

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Prerequisite: to view a user's roles, the connecting user must have the "viewUser" privilege.
https://docs.mongodb.com/v3.4/reference/privilege-actions/

Connect to MongoDB.

For each database, identify the user's roles on that database:

use <database>
db.getUser("[username]")

The server will return a document with the user's roles.

To revoke a user's role on a database, use the db.revokeRolesFromUser() method.
https://docs.mongodb.com/v3.4/reference/method/db.revokeRolesFromUser/

To grant a role to a user, use the db.grantRolesToUser() method.
https://docs.mongodb.com/v3.4/reference/method/db.grantRolesToUser/

Check Contents

Review the security configuration of the MongoDB database(s).

If unauthorized users can start the mongod or mongos processes or edit the MongoDB configuration file (default location: /etc/mongod.conf), this is a finding.

If MongoDB does not enforce access restrictions associated with changes to the configuration of the database(s), this is a finding.

To assist in conducting reviews of permissions, the following MongoDB commands describe the permissions of databases and users.

Permissions of concern in this respect include the following, and possibly others:
- any user holding the userAdminAnyDatabase role or the userAdmin role
- any database or user holding a role or privilege with "C" (create) or "w" (update) privileges that are not necessary

MongoDB command to view the roles defined in a particular database, including their privileges:
db.getRoles({ rolesInfo: 1, showPrivileges: true, showBuiltinRoles: true })
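The check above lists the commands but leaves the review itself to the assessor. The script below is an added example, not code from the STIG or from STIGQter: it takes the documents that db.getUsers() and db.getRoles({ rolesInfo: 1, showPrivileges: true, showBuiltinRoles: true }) return and reports the two permissions of concern the check names, user-administration roles and create/update privileges reachable through any held role (direct or inherited). Under Node.js it runs against constructed sample users (alice, bob, carol) and a constructed custom role (orderWriter); in the mongo shell the same functions run against the live `db` handle. The mapping of the check's "C" and "w" onto specific MongoDB privilege action names is an assumption made here, not something the STIG states.

```javascript
// Added example (not from the STIG or STIGQter). Audits user and role
// documents in the shape returned by db.getUsers() and db.getRoles(...)
// and reports the permissions of concern named in the check text.

// Roles the check names as user-administration roles.
const ADMIN_ROLES = new Set(['userAdminAnyDatabase', 'userAdmin']);

// Assumption: the check's "C" (create) and "w" (update) map onto these
// MongoDB privilege actions.
const CREATE_UPDATE_ACTIONS = new Set([
  'insert', 'update', 'createCollection', 'createIndex', 'createUser', 'createRole',
]);

// Key a role as "db.role" so user role references resolve to role documents.
function roleKey(ref) {
  return ref.db + '.' + ref.role;
}

// Return one entry per privilege of a role that carries a create/update action.
function createUpdatePrivileges(roleDoc) {
  const hits = [];
  for (const priv of roleDoc.privileges || []) {
    const actions = priv.actions.filter((a) => CREATE_UPDATE_ACTIONS.has(a));
    if (actions.length === 0) continue;
    const res = priv.resource;
    // An empty db or collection in a resource document means "all".
    const target = 'db' in res
      ? (res.db || '*') + '.' + (res.collection || '*')
      : JSON.stringify(res); // cluster / anyResource style resources
    hits.push({ resource: target, actions });
  }
  return hits;
}

// Resolve a user's roles, following inheritedRoles, against the role catalogue.
function resolveRoles(userDoc, rolesByKey) {
  const seen = new Set();
  const queue = (userDoc.roles || []).map(roleKey);
  while (queue.length > 0) {
    const key = queue.shift();
    if (seen.has(key)) continue;
    seen.add(key);
    const doc = rolesByKey.get(key);
    if (doc) queue.push(...(doc.inheritedRoles || []).map(roleKey));
  }
  return [...seen];
}

// One finding per user that holds an admin role or reaches a create/update privilege.
function runAudit({ users, roles }) {
  const rolesByKey = new Map(roles.map((r) => [roleKey(r), r]));
  const findings = [];
  for (const u of users) {
    const adminRoles = (u.roles || []).filter((r) => ADMIN_ROLES.has(r.role)).map(roleKey);
    const createUpdate = [];
    for (const key of resolveRoles(u, rolesByKey)) {
      const doc = rolesByKey.get(key);
      if (!doc) continue;
      for (const p of createUpdatePrivileges(doc)) {
        createUpdate.push(Object.assign({ role: key }, p));
      }
    }
    if (adminRoles.length > 0 || createUpdate.length > 0) {
      findings.push({ user: u.db + '.' + u.user, adminRoles, createUpdate });
    }
  }
  return findings;
}

// In the mongo shell: gather users and roles from every database using the
// documented db.getUsers() and db.getRoles() calls the check references.
function collectLive(database) {
  const names = database.adminCommand({ listDatabases: 1 }).databases.map((d) => d.name);
  const users = [];
  const roles = [];
  for (const name of names) {
    const d = database.getSiblingDB(name);
    users.push(...d.getUsers());
    roles.push(...d.getRoles({ rolesInfo: 1, showPrivileges: true, showBuiltinRoles: true }));
  }
  return { users, roles };
}

// Constructed sample data (not from a real deployment) in the same shape.
const SAMPLE = {
  users: [
    { user: 'alice', db: 'admin', roles: [{ role: 'userAdminAnyDatabase', db: 'admin' }] },
    { user: 'bob', db: 'app', roles: [{ role: 'read', db: 'app' }] },
    { user: 'carol', db: 'app', roles: [{ role: 'orderWriter', db: 'app' }] },
  ],
  roles: [
    { role: 'read', db: 'app', isBuiltin: true, inheritedRoles: [],
      privileges: [{ resource: { db: 'app', collection: '' }, actions: ['find', 'listCollections'] }] },
    { role: 'orderWriter', db: 'app', isBuiltin: false, inheritedRoles: [{ role: 'read', db: 'app' }],
      privileges: [{ resource: { db: 'app', collection: 'orders' }, actions: ['insert', 'update'] }] },
    { role: 'userAdminAnyDatabase', db: 'admin', isBuiltin: true, inheritedRoles: [],
      privileges: [{ resource: { db: '', collection: '' }, actions: ['createUser', 'createRole', 'viewUser'] }] },
  ],
};

// Use the live server when loaded in the mongo shell, the sample otherwise.
const findings = runAudit(typeof db !== 'undefined' ? collectLive(db) : SAMPLE);
const out = typeof print === 'function' ? print : console.log;
for (const f of findings) out(JSON.stringify(f));
```

With the sample data the script reports alice (holds userAdminAnyDatabase, which also grants createUser and createRole on every database) and carol (reaches insert/update on app.orders through orderWriter), while bob, who only inherits read, produces no finding. Each reported create/update privilege is something the assessor must confirm is necessary; the script does not decide that.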

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3265

Comments