MongoDB must prohibit the use of cached authenticators after an organization-defined time period.
An XCCDF Rule
Description
<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-252177r879773_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
With MongoDB configured using SASL LDAP authentication and on certain Linux distributions, saslauthd starts with the caching of authentication credentials enabled.
Until restarted or until the cache expires, saslauthd will not contact the LDAP server to re-authenticate users in its authentication cache. This allows saslauthd to successfully authenticate users in its cache, even in the LDAP server is down or if the cached users' credentials are revoked.
To set the expiration time (in seconds) for the authentication cache, see the -t option of saslauthd (https://www.systutorials.com/docs/linux/man/8-saslauthd/).