MongoDB must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.

An XCCDF Rule

Description

Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. It is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards. NSA-approved cryptography for classified networks is hardware based. This requirement addresses the compatibility of a DBMS with the encryption devices.

ID: SV-265945r1028621_rule
Version: MD7X-00-008300
Severity: High
References: CCI-002450
Updated: about 2 months ago

Remediation Templates

Enable FIPS mode for MongoDB Enterprise.

Edit the MongoDB database configuration file (default location: /etc/mongod.conf) to contain the following parameter setting:

net:
   tls:      FIPSMode: true

Stop/start (restart) the mongod or mongos instance using this configuration and run the following command to verify the output is "true":

> db.getSiblingDB("admin").runCommand({getCmdLineOpts: 1}).parsed.net.tls.FIPSMode

The output of this command must be "true".

Alternatively, run the following command to search the mongod logfile for "FIPS mode 140-2 activated":

$ grep "FIPS 140-2 mode activated" /var/log/mongodb/mongod.log

There should be a line similar to what is shown below:

{"t":{"$date":"2024-05-21T19:17:49.262+00:00"},"s":"I",  "c":"NETWORK",  "id":23172,   "ctx":"main","msg":"FIPS 140-2 mode activated"}

MongoDB must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.

Description

Remediation Templates

A Manual Procedure