MongoDB must prohibit the use of cached authenticators after an organization-defined time period.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-252177 | MD4X-00-005700 | SV-252177r855518_rule | Medium |
| Description |
|---|
| If cached authentication information is out-of-date, the validity of the authentication information may be questionable. |
| STIG | Date |
|---|---|
| MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide | 2022-09-12 |
Details
| Check Text ( C-55633r813911_chk ) |
|---|
| If MongoDB is configured to authenticate using SASL and LDAP check the saslauthd command line options in the system boot script that starts saslauthd (the location will be dependent on the specific Linux operating system and boot script layout and naming conventions). If the "-t" option is not set for the "saslauthd" process in the system boot script, this is a finding. |
| Fix Text (F-55583r813912_fix) |
|---|
| With MongoDB configured using SASL LDAP authentication and on certain Linux distributions, saslauthd starts with the caching of authentication credentials enabled. Until restarted or until the cache expires, saslauthd will not contact the LDAP server to re-authenticate users in its authentication cache. This allows saslauthd to successfully authenticate users in its cache, even in the LDAP server is down or if the cached users' credentials are revoked. To set the expiration time (in seconds) for the authentication cache, see the -t option of saslauthd (https://www.systutorials.com/docs/linux/man/8-saslauthd/). |