STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide, Version: 1, Release: 2, Benchmark Date: 24 Jul 2020

When invalid inputs are received, MongoDB must behave in a predictable and documented manner that reflects organizational and system objectives.

DISA Rule

SV-96639r1_rule

Vulnerability Number

V-81925

Group Title

SRG-APP-000447-DB-000393

Rule Version

MD3X-00-000780

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Document validation can be added at the time of creation of a collection. Existing collections can also be modified with document validation rules. Use the "validator" option to create or update a collection with the desired validation rules.

Check Contents

As a user with the "dbAdminAnyDatabase" role, execute the following on the database of interest:

use myDB
db.getCollectionInfos()

Where "myDB" is the name of the database on which validator rules are to be inspected. This returns an array of documents containing information on every collection within myDB.

For each collection's information received, if the "options" sub-document does not contain a "validator" sub-document, this is a finding.
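The check above can be scripted over the array that db.getCollectionInfos() returns. The following is an added example, not part of the STIG text; the function names and the sample data are constructed for illustration. It goes beyond the check's wording in two labelled ways: an empty validator is treated as missing, and a validator whose validationLevel is "off" or whose validationAction is "warn" is reported separately as "not-enforced".

```javascript
// Added example (not from the STIG). Runs in the mongo shell or in Node.js.
// Constructed sample shaped like db.getCollectionInfos() output (not real data).
var sampleInfos = [
  { name: "orders", options: { validator: { qty: { $type: "int" } },
      validationLevel: "strict", validationAction: "error" } },
  { name: "audit", options: { validator: { user: { $exists: true } },
      validationAction: "warn" } },
  { name: "scratch", options: {} },
  { name: "legacy" }
];

// True when "options" holds a non-empty "validator" sub-document.
// Assumption beyond the check text: an empty validator ({}) counts as missing.
function hasValidator(info) {
  var v = info.options && info.options.validator;
  return v !== null && typeof v === "object" && Object.keys(v).length > 0;
}

// Classify every collection:
//   "finding"      - no validator (the condition the check calls a finding)
//   "not-enforced" - validator present, but level "off" or action "warn"
//                    (extra review flag added here, not a STIG finding)
//   "ok"           - validator present and enforced
function reviewValidators(infos) {
  return infos.map(function (info) {
    var opts = info.options || {};
    var status = "ok";
    if (!hasValidator(info)) {
      status = "finding";
    } else if (opts.validationLevel === "off" || opts.validationAction === "warn") {
      status = "not-enforced";
    }
    return { name: info.name, status: status };
  });
}

// Names of the collections that are findings under the check.
function findingNames(infos) {
  return reviewValidators(infos)
    .filter(function (r) { return r.status === "finding"; })
    .map(function (r) { return r.name; });
}

// In the mongo shell, after "use myDB":
//   findingNames(db.getCollectionInfos())
```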

Documentable

False

Severity Override Guidance

As a user with the "dbAdminAnyDatabase" role, execute the following on the database of interest:

use myDB
db.getCollectionInfos()

Where "myDB" is the name of the database on which validator rules are to be inspected. This returns an array of documents containing information on every collection within myDB.

For each collection's information received, if the "options" sub-document does not contain a "validator" sub-document, this is a finding.

Check Content Reference

M

Target Key

3265
