MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

From MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide

Associated with: CCI-000015

SV-96557r1_rule MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

Vulnerability discussion

Check content

Verify that the MongoDB configuration file (default location: /etc/mongod.conf) contains the following: security: authorization: "enabled" If this parameter is not present, this is a finding.

Fix text

Edit the MongoDB configuration file (default location: /etc/mongod.con) to include the following: security: authorization: "enabled" This will enable SCRAM-SHA-1 authentication (default). Instruction on configuring the default authentication is provided here: https://docs.mongodb.com/v3.4/tutorial/enable-authentication/ The high-level steps described by the above will require the following: 1. Start MongoDB without access control. 2. Connect to the instance. 3. Create the user administrator. 4. Restart the MongoDB instance with access control. 5. Connect and authenticate as the user administrator. 6. Create additional users as needed for your deployment.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.