STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jul 2020:

MongoDB must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

DISA Rule

SV-96641r1_rule

Vulnerability Number

V-81927

Group Title

SRG-APP-000178-DB-000083

Rule Version

MD3X-00-000800

Severity

CAT I

CCI(s)

• CCI-000206 - The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

Weight

10

Fix Recommendation

For the "mongo shell", "mongodump", "mongorestore", "mongoimport", "mongoexport", which can accept a plain-text password, and any other essential tool with the same limitation:

Document the need for it, who uses it, and any relevant mitigations, and obtain AO approval.

Train all users of the tool in the nature of using the plain-text password option and in how to keep the password protected from unauthorized viewing/capture and document they have been trained.

Check Contents

For the MongoDB command-line tools "mongo shell", "mongodump", "mongorestore", "mongoimport", "mongoexport", which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation, verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations and that AO approval has been obtained.

If it is not documented, this is a finding.

Request evidence that all users of these MongoDB command-line tools are trained in the use of the "-p" option plain-text password option and how to keep the password protected from unauthorized viewing/capture and that they adhere to this practice.

If evidence of training does not exist, this is a finding.

Vulnerability Number

V-81927

Documentable

False

Rule Version

MD3X-00-000800

Severity Override Guidance

For the MongoDB command-line tools "mongo shell", "mongodump", "mongorestore", "mongoimport", "mongoexport", which cannot be configured not to accept a plain-text password, and any other essential tool with the same limitation, verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations and that AO approval has been obtained.

If it is not documented, this is a finding.

Request evidence that all users of these MongoDB command-line tools are trained in the use of the "-p" option plain-text password option and how to keep the password protected from unauthorized viewing/capture and that they adhere to this practice.

If evidence of training does not exist, this is a finding.

Check Content Reference

M

Target Key

3265

Comments