MD3X-00-000010 - MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

Gavin M. Dennis

22 April 2022 18:55

Details

MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

Solution

Edit the MongoDB configuration file (default location: /etc/mongod.con) to include the following:

security:
authorization: 'enabled'

This will enable SCRAM-SHA-1 authentication (default).

Instruction on configuring the default authentication is provided here:

https://docs.mongodb.com/v3.4/tutorial/enable-authentication/

The high-level steps described by the above will require the following:

1. Start MongoDB without access control.
2. Connect to the instance.
3. Create the user administrator.
4. Restart the MongoDB instance with access control.
5. Connect and authenticate as the user administrator.
6. Create additional users as needed for your deployment.

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MDB_Enterprise_Advanced_3-x_V1R2_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

800-53|AC-2(1)
CAT|II
CCI|CCI-000015
Rule-ID|SV-96557r1_rule
STIG-ID|MD3X-00-000010
Vuln-ID|V-81843

Source

Tenable.com/audits

PS. Before you go.

Request a quote to protect your organisation from cyber attacks and breaches.

Was this article helpful?

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.

Articles in this section