MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-252149	MD4X-00-001600	SV-252149r863318_rule		High

Description
MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

STIG	Date
MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide	2022-09-12

Details

Check Text ( C-55605r813827_chk )
Verify that the MongoDB configuration file (default location: /etc/mongod.conf) contains the following: security: authorization: enabled If this parameter is not present, this is a finding. If using organization-mandated authorization, verify that the MongoDB configuration file (default location: /etc/mongod.conf) contains the following to ensure LDAP auth is enabled as well: security: ldap: servers: [list of ldap servers] If this parameter is not present, this is a finding.

Check Text ( C-55605r813827_chk )

Verify that the MongoDB configuration file (default location: /etc/mongod.conf) contains the following:

security:
authorization: enabled

If this parameter is not present, this is a finding.

If using organization-mandated authorization, verify that the MongoDB configuration file (default location: /etc/mongod.conf) contains the following to ensure LDAP auth is enabled as well:

security:
ldap:
servers: [list of ldap servers]

If this parameter is not present, this is a finding.

Fix Text (F-55555r813828_fix)
Edit the %MongoDB configuration file% (default location: /etc/mongod.conf) to include the following: security: authorization: enabled This will enable SCRAM-SHA-256 authentication (default). Instruction on configuring the default authentication is provided here: https://docs.mongodb.com/v4.4/tutorial/enable-authentication/ The high-level steps described by the above will require the following: 1. Start MongoDB without access control. 2. Connect to the instance. 3. Create the user administrator. 4. Restart the MongoDB instance with access control. 5. Connect and authenticate as the user administrator. 6. Create additional users as needed for deployment. Configuration information for LDAP for MongoDB can be found here: https://docs.mongodb.com/v4.4/core/security-ldap-external/ https://docs.mongodb.com/v4.4/core/security-ldap-external/#configuration

Fix Text (F-55555r813828_fix)

Edit the %MongoDB configuration file% (default location: /etc/mongod.conf) to include the following:

security:
authorization: enabled

This will enable SCRAM-SHA-256 authentication (default).

Instruction on configuring the default authentication is provided here: https://docs.mongodb.com/v4.4/tutorial/enable-authentication/

The high-level steps described by the above will require the following:

1. Start MongoDB without access control.
2. Connect to the instance.
3. Create the user administrator.
4. Restart the MongoDB instance with access control.
5. Connect and authenticate as the user administrator.
6. Create additional users as needed for deployment.

Configuration information for LDAP for MongoDB can be found here: https://docs.mongodb.com/v4.4/core/security-ldap-external/
https://docs.mongodb.com/v4.4/core/security-ldap-external/#configuration