MongoDB must enforce access restrictions associated with changes to the configuration of MongoDB or database(s).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-252175	MD4X-00-005400	SV-252175r855515_rule		Medium

Description
Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.

Description

Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.

STIG	Date
MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide	2022-09-12

Details

Check Text ( C-55631r855513_chk )
To verify that access restrictions are being enforced, create a test user and a custom role and then confirm expected operations: Once authenticated as a DBA administrator, use db.createUser() to create an additional user. The following operation adds a user myTester to the test database who has read-only access on the test database: use test db.createUser( { user: "myTester", pwd: password, roles: [ { role: "read", db: "test" } ] } ) Log out, then log back in as the "test" database user. Issue the following to attempt to write to the test database with a read-only privilege: use test db.testCollection.insert( { x: 1 } ) This operation will fail with a WriteResult error: WriteCommandError({ "ok" : 0, "errmsg" : "not authorized on test to execute command { insert: \"###\", ordered: \"###\", lsid: { id: \"###\" }, $db: \"###\" }", "code" : 13, "codeName" : "Unauthorized" }) If the operation does not fail, this is a finding.

Check Text ( C-55631r855513_chk )

To verify that access restrictions are being enforced, create a test user and a custom role and then confirm expected operations:

Once authenticated as a DBA administrator, use db.createUser() to create an additional user. The following operation adds a user myTester to the test database who has read-only access on the test database:

use test
db.createUser(
{
user: "myTester", pwd: password,
roles: [
{ role: "read", db: "test" }
]
}
)

Log out, then log back in as the "test" database user. Issue the following to attempt to write to the test database with a read-only privilege:

use test
db.testCollection.insert( { x: 1 } )

This operation will fail with a WriteResult error:

WriteCommandError({
"ok" : 0,
"errmsg" : "not authorized on test to execute command { insert: \"###\", ordered: \"###\", lsid: { id: \"###\" }, $db: \"###\" }",
"code" : 13,
"codeName" : "Unauthorized"
})

If the operation does not fail, this is a finding.

Fix Text (F-55581r855514_fix)
Verify that authentication has been enabled in the %MongoDB configuration file%: https://docs.mongodb.com/v4.4/reference/configuration-options/. If authorization is enabled, review the following to list existing user permissions. https://docs.mongodb.com/v4.4/reference/privilege-actions/ Connect to MongoDB. For each database (show dbs), identify the user's roles for the database. use database db.getUser(%username%) The server will return a document with the user's roles. To revoke a user's role from a database, use the method below: db.revokeRolesFromUser( %username%, [ roles ], { writeConcern } ) https://docs.mongodb.com/v4.4/reference/method/db.revokeRolesFromUser/ To grant a role to a user, use the method below: db.grantRolesToUser( %username%, [ roles ], { writeConcern } ) https://docs.mongodb.com/v4.4/reference/method/db.grantRolesToUser/

Fix Text (F-55581r855514_fix)

Verify that authentication has been enabled in the %MongoDB configuration file%:

https://docs.mongodb.com/v4.4/reference/configuration-options/.

If authorization is enabled, review the following to list existing user permissions.

https://docs.mongodb.com/v4.4/reference/privilege-actions/

Connect to MongoDB.

For each database (show dbs), identify the user's roles for the database.

use database
db.getUser(%username%)

The server will return a document with the user's roles.

To revoke a user's role from a database, use the method below:

db.revokeRolesFromUser( %username%, [ roles ], { writeConcern } )

https://docs.mongodb.com/v4.4/reference/method/db.revokeRolesFromUser/

To grant a role to a user, use the method below:

db.grantRolesToUser( %username%, [ roles ], { writeConcern } )

https://docs.mongodb.com/v4.4/reference/method/db.grantRolesToUser/