UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

MongoDB must prohibit the use of cached authenticators after an organization-defined time period.


Overview

Finding ID Version Rule ID IA Controls Severity
V-252177 MD4X-00-005700 SV-252177r879773_rule Medium
Description
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
STIG Date
MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide 2023-12-18

Details

Check Text ( C-55633r813911_chk )
If MongoDB is configured to authenticate using SASL and LDAP check the saslauthd command line options in the system boot script that starts saslauthd (the location will be dependent on the specific Linux operating system and boot script layout and naming conventions).

If the "-t" option is not set for the "saslauthd" process in the system boot script, this is a finding.
Fix Text (F-55583r813912_fix)
With MongoDB configured using SASL LDAP authentication and on certain Linux distributions, saslauthd starts with the caching of authentication credentials enabled.

Until restarted or until the cache expires, saslauthd will not contact the LDAP server to re-authenticate users in its authentication cache. This allows saslauthd to successfully authenticate users in its cache, even in the LDAP server is down or if the cached users' credentials are revoked.

To set the expiration time (in seconds) for the authentication cache, see the -t option of saslauthd (https://www.systutorials.com/docs/linux/man/8-saslauthd/).