MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

An XCCDF Rule

Description

<VulnDiscussion>MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-252149r879522_rule
Severity: High
References: CCI-000015
Updated: 9 months ago

Edit the %MongoDB configuration file% (default location: /etc/mongod.conf) to include the following:

security:
  authorization: enabled

This will enable SCRAM-SHA-256 authentication (default).
Instruction on configuring the default authentication is provided here: https://docs.mongodb.com/v4.4/tutorial/enable-authentication/

The high-level steps described by the above will require the following:

1. Start MongoDB without access control.
2. Connect to the instance.
3. Create the user administrator.
4. Restart the MongoDB instance with access control.
5. Connect and authenticate as the user administrator.
6. Create additional users as needed for deployment.

Configuration information for LDAP for MongoDB can be found here: https://docs.mongodb.com/v4.4/core/security-ldap-external/
https://docs.mongodb.com/v4.4/core/security-ldap-external/#configuration

MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

Description

Remediation - Manual Procedure