MongoDB must prohibit the use of cached authenticators after an organization-defined time period.

An XCCDF Rule

Description

<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-221194r879773_rule
Severity: Medium
References: CCI-002007
Updated: 9 months ago

If MongoDB is configured to authenticate using SASL and LDAP/Active Directory modify and restart the saslauthd command line options in the system boot script and set the "-t" option to the appropriate timeout in seconds.

From the Linux Command line (with root/sudo privs) run the following command to restart the saslauthd process after making the change for the "-t" parameter:

systemctl restart saslauthd
If any mongos process is running (a MongoDB shared cluster) the "userCacheInvalidationIntervalSecs" option to adjust the timeout in seconds can be changed from the default "30" seconds. 

This is accomplished by modifying the mongos configuration file (default location: /etc/mongos.conf) and then restarting mongos.

MongoDB must prohibit the use of cached authenticators after an organization-defined time period.

Description

Remediation - Manual Procedure