STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jul 2020:

MongoDB must prohibit the use of cached authenticators after an organization-defined time period.

DISA Rule

SV-96629r1_rule

Vulnerability Number

V-81915

Group Title

SRG-APP-000400-DB-000367

Rule Version

MD3X-00-000710

Severity

CAT II

CCI(s)

• CCI-002007 - The information system prohibits the use of cached authenticators after an organization-defined time period.

Weight

10

Fix Recommendation

If MongoDB is configured to authenticate using SASL and LDAP/Active Directory modify and restart the saslauthd command line options in the system boot script and set the "-t" option to the appropriate timeout in seconds.

From the Linux Command line (with root/sudo privs) run the following command to restart the saslauthd process after making the change for the "-t" parameter:

systemctl restart saslauthd

If any mongos process is running (a MongoDB shared cluster) the "userCacheInvalidationIntervalSecs" option to adjust the timeout in seconds can be changed from the default "30" seconds.

This is accomplished by modifying the mongos configuration file (default location: /etc/mongos.conf) and then restarting mongos.

Check Contents

If MongoDB is configured to authenticate using SASL and LDAP/Active Directory check the saslauthd command line options in the system boot script that starts saslauthd (the location will be dependent on the specific Linux operating system and boot script layout and naming conventions).

If the "-t" option is not set for the "saslauthd" process in the system boot script, this is a finding.

If any mongos process is running (a MongoDB shared cluster) the "userCacheInvalidationIntervalSecs" option can be used to specify the cache timeout.

The default is "30" seconds and the minimum is "1" second.

Vulnerability Number

V-81915

Documentable

False

Rule Version

MD3X-00-000710

Severity Override Guidance

If MongoDB is configured to authenticate using SASL and LDAP/Active Directory check the saslauthd command line options in the system boot script that starts saslauthd (the location will be dependent on the specific Linux operating system and boot script layout and naming conventions).

If the "-t" option is not set for the "saslauthd" process in the system boot script, this is a finding.

If any mongos process is running (a MongoDB shared cluster) the "userCacheInvalidationIntervalSecs" option can be used to specify the cache timeout.

The default is "30" seconds and the minimum is "1" second.

Check Content Reference

M

Target Key

3265

Comments