If passwords are used for authentication, the MarkLogic Server must transmit only encrypted representations of passwords.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-220365	ML09-00-003800	SV-220365r622777_rule		High

Description
The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, passwords must be protected at all times, and encryption is the standard method for protecting passwords during transmission. DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database. MarkLogic Types of Authentication: Basic* Digest Digest-Basic* Certificate Application Level Kerberos Ticket SAML * Indicates that the authentication method allows the username and password to be transmitted in clear text. For more information on the types of authentication MarkLogic offers, follow this link: https://docs.marklogic.com/9.0/guide/security/authentication#id_14250

Description

The DoD standard for authentication is DoD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires AO approval. In such cases, passwords must be protected at all times, and encryption is the standard method for protecting passwords during transmission. DBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database. MarkLogic Types of Authentication: Basic* Digest Digest-Basic* Certificate Application Level Kerberos Ticket SAML * Indicates that the authentication method allows the username and password to be transmitted in clear text. For more information on the types of authentication MarkLogic offers, follow this link: https://docs.marklogic.com/9.0/guide/security/authentication#id_14250

STIG	Date
MarkLogic Server v9 Security Technical Implementation Guide	2022-09-12

Details

Check Text ( C-22080r401546_chk )
Review MarkLogic configuration settings for encrypting passwords in transit across the network. Perform the check from the MarkLogic Server Admin Interface with a user that holds administrative-level privileges. 1. Click the Groups icon. 2. Click the group in which the App Server to be checked resides (e.g., Default). 3. Click the App Servers icon on the left tree menu. 4. Select each of the App Servers. 5. Inspect the selected authentication method, if "basic" or "digest-basic" is selected, this is a finding. If Application Level is selected and the application server is not configured for SSL, this is a finding

Check Text ( C-22080r401546_chk )

Review MarkLogic configuration settings for encrypting passwords in transit across the network.

Perform the check from the MarkLogic Server Admin Interface with a user that holds administrative-level privileges.

1. Click the Groups icon.
2. Click the group in which the App Server to be checked resides (e.g., Default).
3. Click the App Servers icon on the left tree menu.
4. Select each of the App Servers.
5. Inspect the selected authentication method, if "basic" or "digest-basic" is selected, this is a finding.

If Application Level is selected and the application server is not configured for SSL, this is a finding

Fix Text (F-22069r401547_fix)
If the MarkLogic application server in question is configured with "digest" or "digest-basic" authentication or is configured with "Application Level" authentication and is not SSL enabled, implement the corrective action outlined below. Perform the fix from the MarkLogic Server Admin Interface with a user that holds administrative-level privileges. 1. Click the Groups icon. 2. Click the group in which the App Server to be checked resides (e.g., Default). 3. Click the App Servers icon on the left tree menu. 4. Select each of the App Servers. 5. Inspect the selected authentication method, if "basic" or "digest-basic" is selected, change the authentication method to something other than those two. If Application Level is selected, ensure the application server is configured for SSL.

Fix Text (F-22069r401547_fix)

If the MarkLogic application server in question is configured with "digest" or "digest-basic" authentication or is configured with "Application Level" authentication and is not SSL enabled, implement the corrective action outlined below.

Perform the fix from the MarkLogic Server Admin Interface with a user that holds administrative-level privileges.

1. Click the Groups icon.
2. Click the group in which the App Server to be checked resides (e.g., Default).
3. Click the App Servers icon on the left tree menu.
4. Select each of the App Servers.
5. Inspect the selected authentication method, if "basic" or "digest-basic" is selected, change the authentication method to something other than those two.

If Application Level is selected, ensure the application server is configured for SSL.