View
82
Download
0
Category
Preview:
Citation preview
CISMongoDB3.2Benchmark
v1.0.0-06-07-2017
1|P a g e
ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-ShareAlike4.0InternationalPublicLicense.Thelinktothelicensetermscanbefoundathttps://creativecommons.org/licenses/by-nc-sa/4.0/legalcodeTofurtherclarifytheCreativeCommonslicenserelatedtoCISBenchmarkcontent,youareauthorizedtocopyandredistributethecontentforusebyyou,withinyourorganizationandoutsideyourorganizationfornon-commercialpurposesonly,providedthat(i)appropriatecreditisgiventoCIS,(ii)alinktothelicenseisprovided.Additionally,ifyouremix,transformorbuildupontheCISBenchmark(s),youmayonlydistributethemodifiedmaterialsiftheyaresubjecttothesamelicensetermsastheoriginalBenchmarklicenseandyourderivativewillnolongerbeaCISBenchmark.CommercialuseofCISBenchmarksissubjecttothepriorapprovaloftheCenterforInternetSecurity.
2|P a g e
TableofContentsOverview......................................................................................................................................................................4
IntendedAudience..............................................................................................................................................4
ConsensusGuidance...........................................................................................................................................4
TypographicalConventions............................................................................................................................5
ScoringInformation............................................................................................................................................5
ProfileDefinitions................................................................................................................................................6
Acknowledgements.............................................................................................................................................7
Recommendations....................................................................................................................................................8
1InstallationandPatching..............................................................................................................................8
1.1EnsuretheappropriateMongoDBsoftwareversion/patchesareinstalled(Scored)..........................................................................................................................................................8
2Authentication................................................................................................................................................10
2.1EnsurethatauthenticationisenabledforMongoDBdatabases(Scored)..............10
2.2EnsurethatMongoDBdoesnotbypassauthenticationviathelocalhostexception(Scored).......................................................................................................................................................12
2.3Ensureauthenticationisenabledintheshardedcluster(Scored)............................14
2.4Ensureanindustrystandardauthenticationmechanismisused(Scored)...........16
3AccessControl................................................................................................................................................18
3.1Ensurethatrole-basedaccesscontrolisenabledandconfiguredappropriately(Scored).......................................................................................................................................................18
3.2EnsurethatMongoDBonlylistensfornetworkconnectionsonauthorizedinterfaces(Scored).................................................................................................................................20
3.3EnsurethatMongoDBisrunusinganon-privileged,dedicatedserviceaccount(Scored).......................................................................................................................................................22
3.4EnsurethateachroleforeachMongoDBdatabaseisneededandgrantsonlythenecessaryprivileges(Scored)............................................................................................................24
3.5ReviewUser-DefinedRoles(Scored)......................................................................................26
3.6ReviewSuperuser/AdminRoles(Scored)............................................................................28
4DataEncryption.............................................................................................................................................30
4.1EnsureTLSorSSLprotectsallnetworkcommunications(Scored)..........................30
3|P a g e
4.2EnsureFederalInformationProcessingStandard(FIPS)isenabled(Scored).....32
5Auditing.............................................................................................................................................................34
5.1Ensurethatsystemactivityisaudited(Scored)................................................................34
5.2Ensurethatauditfiltersareconfiguredproperly(Scored)..........................................36
5.3Ensurethatloggingcapturesasmuchinformationaspossible(NotScored)......38
5.4Ensurethatnewentriesareappendedtotheendofthelogfile(NotScored)....40
6OperatingSystemHardening...................................................................................................................41
6.1MongodbDatabaseRunningwithLeastPrivileges(Scored).......................................41
6.2EnsurethatMongoDBusesanon-defaultport(Scored)...............................................43
6.3EnsurethatoperatingsystemresourcelimitsaresetforMongoDB(NotScored).........................................................................................................................................................................44
6.4Ensurethatserver-sidescriptingisdisabledifnotneeded(NotScored)..............46
6.5EnsureThe'test'databaseisnotinstalled(NotScored)................................................47
7FilePermissions.............................................................................................................................................48
7.1Ensurethatkeyfilepermissionsaresetcorrectly(Scored).........................................48
7.2Ensurethatdatabasefilepermissionsaresetcorrectly(Scored).............................50
Appendix:ChangeHistory.................................................................................................................................53
4|P a g e
OverviewThisdocument,CISMongoDBBenchmark,providesprescriptiveguidanceforestablishingasecureconfigurationpostureforMongoDBversion3.2.ThisguidewastestedagainstMongoDB3.2runningonUbuntuLinux14.04,butappliestootherlinuxdistributionsaswell.Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,pleasewriteusatfeedback@cisecurity.org.
IntendedAudience
Thisdocumentisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnelwhoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateMongoDB.
ConsensusGuidance
This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal. Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://community.cisecurity.org.
5|P a g e
TypographicalConventions
The following typographical conventions are used throughout this guide:
Convention Meaning Stylized Monospace font Used for blocks of code, command, and script examples. Text
should be interpreted exactly as presented. Monospacefont Used for inline code, commands, or examples. Text should be
interpreted exactly as presented. <italicfontinbrackets> Italic texts set in angle brackets denote a variable requiring
substitution for a real value. Italic font Used to denote the title of a book, article, or other publication. Note Additional information or caveats
ScoringInformation
A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:
Scored
Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.
NotScored
Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
6|P a g e
ProfileDefinitions
The following configuration profiles are defined by this Benchmark:
• Level 1 - MongoDB on Linux
ItemsinthisprofileapplytoMongoDBrunningonLinuxandintendto:
o be practical and prudent; o provide a clear security benefit; and o not inhibit the utility of the technology beyond acceptable means.
• Level 2 - MongoDB on Linux
Thisprofileextendsthe“Level1-MongoDBonLinux”profile.ItemsinthisprofileapplytoMongoDBrunningonLinuxandexhibitoneormoreofthefollowingcharacteristics:
o are intended for environments or use cases where security is paramount o acts as defense in depth measure o may negatively inhibit the utility or performance of the technology.
7|P a g e
Acknowledgements
Thisbenchmarkexemplifiesthegreatthingsacommunityofusers,vendors,andsubjectmatterexpertscanaccomplishthroughconsensuscollaboration.TheCIScommunitythankstheentireconsensusteamwithspecialrecognitiontothefollowingindividualswhocontributedgreatlytothecreationofthisguide: Author Vinesh Redkar Security Consultant Contributor Chris Bielinski Philippe Langlois, Center for Internet Security Pralhad Chaskar Editor Karen Scarfone Tim Harrison CISSP, ICP, Center for Internet Security
8|P a g e
Recommendations1InstallationandPatching
ThissectionprovidesguidanceonensuringthattheMongoDBsoftwareisuptodatetoeliminateeasilyavoidablevulnerabilities.
1.1EnsuretheappropriateMongoDBsoftwareversion/patchesareinstalled(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
TheMongoDBinstallationversion,alongwiththepatchlevel,shouldbethemostrecentthatiscompatiblewiththeorganization'soperationalneeds.
Rationale:
UsingthemostrecentMongoDBsoftwareversionalongwithallapplicablepatcheshelpslimitthepossibilitiesforvulnerabilitiesinthesoftware.Theinstallationversionand/orpatchesappliedshouldbeselectedaccordingtotheneedsoftheorganization.Atminimum,thesoftwareversionshouldbesupported.
Note:AsofOctober2016,onlyMongoDBversions3.0and3.2arestillsupported.
9|P a g e
Audit:
RunthefollowingcommandfromwithintheMongoDBshelltodetermineiftheMongoDBsoftwareversioncomplieswithyourorganization’soperationalneeds:
> db.version()
Remediation:
UpgradetothelatestversionoftheMongoDBsoftware:
1. Backup the data set. 2. Download the binaries for the latest MongoDB revision from the MongoDB Download
Page and store the binaries in a temporary location. The binaries download as compressed files that extract to the directory structure used by the MongoDB installation.
3. Shutdown the MongoDB instance. 4. Replace the existing MongoDB binaries with the downloaded binaries. 5. Restart the MongoDB instance.
DefaultValue:
Patchesarenotinstalledbydefault.
References:
1. http://docs.mongodb.org/manual/tutorial/upgrade-revision/ 2. https://docs.mongodb.com/manual/release-notes/ 3. https://www.mongodb.com/download-center#community 4. https://www.mongodb.com/support-policy
CISControls:
4–ContinuousVulnerabilityAssessmentandRemediation
10|P a g e
2Authentication
ThissectioncontainsrecommendationsforrequiringauthenticationbeforeallowingaccesstotheMongoDBdatabase.
2.1EnsurethatauthenticationisenabledforMongoDBdatabases(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
Thissettingensuresthatallclients,users,and/orserversarerequiredtoauthenticatepriortobeinggrantedaccesstotheMongoDBdatabase.
Rationale:
Failuretoauthenticateclients,users,and/orserverscanenableunauthorizedaccesstotheMongoDBdatabaseandcanpreventtracingactionsbacktotheirsources.
Audit:
Runthefollowingcommandtoverifywhetherauthenticationisenabled(AuthvaluesettoTrue)ontheMongoDBserver.
cat /etc/mongod.conf | grep “Auth=”
11|P a g e
Remediation:
TheauthenticationmechanismshouldbeimplementedbeforeanyoneaccessestheMongoDBServer.
Toenabletheauthenticationmechanism:
• Start the MongoDB instance without authentication.
mongod --port 27017 --dbpath /data/db1]
• Create the system user administrator, ensuring that its password meets organizationally-defined password complexity requirements.
use admin db.createUser( { user: "siteUserAdmin", pwd: "password", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } )
• Restart the MongoDB instance with authentication enabled.
mongod --auth --config /etc/mongod.conf
DefaultValue:
Notconfigured
References:
1. https://www.mongodb.com/blog/post/improved-password-based-authentication-mongodb-30-scram-explained-part-1
2. https://www.owasp.org/index.php/Authentication_Cheat_Sheet
CISControls:
16–AccountMonitoringandControl
12|P a g e
2.2EnsurethatMongoDBdoesnotbypassauthenticationviathelocalhostexception(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
MongoDBshouldnotbesettobypassauthenticationviathelocalhostexception.Thelocalhostexceptionallowsyoutoenableauthorizationbeforecreatingthefirstuserinthesystem.
Note:ThisrecommendationonlyapplieswhentherearenouserscreatedintheMongoDBinstance.
Rationale:
DisablingthisexceptionwillpreventunauthorizedlocalaccesstotheMongoDBdatabase.Itwillalsoensuretraceabilityofeachdatabaseactivitytoaspecificuser.
Audit:
Toverifythelocalhostexceptionisdisabled,runthefollowingcommandtoensurethatenableLocalhostAuthBypassissetto0(false):
cat /etc/mongod.conf |grep "enableLocalhostAuthBypass"
Remediation:
SinceenableLocalhostAuthBypassisnotavailableusingthesetParameterdatabasecommand,usethesetParameteroptionintheconfigurationfiletosetittofalse.
setParameter: enableLocalhostAuthBypass: false
DefaultValue:
Notconfigured
References:
1. http://docs.mongodb.org/manual/core/authentication/#localhost-exception
13|P a g e
Notes:
The--setParameteroptiononthecommandlinemayalsobeusedtoconfigurethis;however,havingitintheconfigfilemayprovidegreaterconfidencethatthissettingisconfiguredcorrectlyineveryinstance.
CISControls:
16–AccountMonitoringandControl
14|P a g e
2.3Ensureauthenticationisenabledintheshardedcluster(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
Authenticationisenabledinashardedclusterwhenkeyfilesarecreatedandconfiguredforallcomponents.Thisensuresthateveryclientthataccessestheclustermustprovidecredentials,toincludeMongoDBinstancesthataccesseachotherwithinthecluster.
Rationale:
EnforcingakeyonashardedclusterpreventsunauthorizedaccesstotheMongoDBdatabaseandprovidestraceabilityofdatabaseactivitiestoaspecificuserorcomponent.
Audit:
Runthefollowingcommandtoverifythatthekeyfileparameterisconfigured:
cat /etc/mongod.conf | grep “keyFile=”
Remediation:
Toenableauthenticationintheshardedcluster,performthefollowingsteps:
• Generate a key file. • On each component in the shared cluster, enable authentication by doing one of the
following: o In the configuration file /etc/mongod.conf, set the keyFile option to the key
file’s path and then start the component with this command:
keyFile = /srv/mongodb/keyfile
• When starting the component, set --keyFile option, which is an option for both mongos instances and mongod instances. Set the --keyFile to the key file’s path.
15|P a g e
DefaultValue:
Notconfigured
References:
1. http://docs.mongodb.org/v2.2/administration/sharded-clusters/
CISControls:
16–AccountMonitoringandControl
16|P a g e
2.4Ensureanindustrystandardauthenticationmechanismisused(Scored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
UsingoneormoreindustrystandardauthenticationmechanismshelpsorganizationsenforcetheiraccountandpasswordpoliciesfortheirMongoDBusers.
Rationale:
Withoutanindustrystandardauthenticationmechanisminplace,accountandpasswordmanagementismoretedious,andauthenticationmaynotalignwiththeorganization'spolicies.
Audit:
ToverifytheauthenticationmechanisminuseforMongoDB,runthefollowingcommands:
cat /etc/mongod.conf | grep “clusterAuthMode:” cat /etc/mongod.conf | grep “mode:” cat /etc/mongod.conf | grep “authorization:" cat /etc/mongod.conf | grep “authenticationMechanisms:”
Remediation:
Inordertoimplementanindustrystandardauthenticationmechanism,usethecorrespondingsamplefromthelistbelowasamodelforspecifyingtheauthenticationmechanismsintheMongoDBconfigurationfile.
x.509CertificatesforClientAuthentication:
security: clusterAuthMode: x509 net: ssl: mode: requireSSL PEMKeyFile: <path to TLS/SSL certificate and key PEM file> CAFile: <path to root CA PEM file>
SeethereferencesectionforalinktoadetailedprocedureforgeneratingthePEMKeyFileandCAFile.
17|P a g e
MongoDBwithKerberosAuthenticationonLinux:
security: authorization: enabled setParameter: authenticationMechanisms: GSSAPI storage: dbPath: /opt/mongodb/data
SeethereferencesectionforalinktoadetailedprocedureforestablishingtheKerberosserviceprincipalandkeytabfile.
References:
1. https://docs.mongodb.com/v3.2/tutorial/configure-x509-client-authentication/ 2. https://docs.mongodb.com/v3.2/tutorial/control-access-to-mongodb-with-kerberos-
authentication/ 3. https://docs.mongodb.com/v3.2/core/kerberos/#kerberos-service-principal 4. https://docs.mongodb.com/v3.2/core/kerberos/#keytab-files
Notes:
ConfiguringtheX.509certificateanddeployingKerberosisbeyondthescopeofthedocument.
CISControls:
16–AccountMonitoringandControl
18|P a g e
3AccessControl
ThissectioncontainsrecommendationsforrestrictingaccesstoMongoDBsystems.
3.1Ensurethatrole-basedaccesscontrolisenabledandconfiguredappropriately(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
Role-basedaccesscontrol(RBAC)isamethodofregulatingaccesstoresourcesbasedontherolesofindividualuserswithinanenterprise.Auserisgrantedoneormorerolesthatdeterminetheuser’saccesstodatabaseresourcesandoperations.Outsideofroleassignments,theuserhasnoaccesstothesystem.MongoDBcanuseRBACtogovernaccesstoMongoDBsystems.MongoDBdoesnotenableauthorizationbydefault.
Rationale:
Whenproperlyimplemented,RBACenablesuserstocarryoutawiderangeofauthorizedtasksbydynamicallyregulatingtheiractionsaccordingtoflexiblefunctions.Thisallowsanorganizationtocontrolemployees’accesstoalldatabasetablesthroughRBAC.
Audit:
ConnecttoMongoDBwiththeappropriateprivilegesandrunthefollowingcommand:
mongo --port 27017 -u <siteUserAdmin> -p <password> --authenticationDatabase <database name>
Identifyusers'rolesandprivileges:
> db.getUser() > db.getRole()
Verifythattheappropriateroleorroleshavebeenconfiguredforeachuser.
19|P a g e
Remediation:
1. Establish roles for MongoDB. 2. Assign the appropriate privileges to each role. 3. Assign the appropriate users to each role. 4. Remove any individual privileges assigned to users that are now addressed by the roles. 5. See the reference below for more Information.
References:
1. http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/
CISControls:
14.4–ProtectInformationwithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
20|P a g e
3.2EnsurethatMongoDBonlylistensfornetworkconnectionsonauthorizedinterfaces(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
EnsuringthatMongoDBrunsinatrustednetworkenvironmentinvolveslimitingthenetworkinterfacesonwhichMongoDBinstanceslistenforincomingconnections.AnyuntrustednetworkconnectionsshouldbedroppedbyMongoDB.
Rationale:
Thisconfigurationblocksconnectionsfromuntrustednetworks,leavingonlysystemsonauthorizedandtrustednetworksabletoattempttoconnecttotheMongoDB.Ifnotconfigured,thismayleadtounauthorizedconnectionsfromuntrustednetworkstoMongoDB.
Audit:
1. Verify that network exposure is limited, review the settings in the MongoDB configuration file:
cat /etc/mongod.conf |grep –A12 “net” | grep “bindIp"
2. Verify the relevant network settings on the Linux system itself:
iptables –L
Remediation:
ConfiguretheMongoDBconfigurationfiletolimititsexposuretoonlythenetworkinterfacesonwhichMongoDBinstancesshouldlistenforincomingconnections.
DefaultValue:
Notconfigured
21|P a g e
References:
1. http://docs.mongodb.org/manual/tutorial/configure-linux-iptables-firewall/ 2. http://docs.mongodb.org/manual/tutorial/configure-windows-netsh-firewall/
CISControls:
9.1–LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
22|P a g e
3.3EnsurethatMongoDBisrunusinganon-privileged,dedicatedserviceaccount(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
TheMongoDBserviceshouldnotberunusingaprivilegedaccountsuchas'root'becausethisunnecessarilyexposestheoperatingsystemtohighrisk.
Rationale:
Usinganon-privileged,dedicatedserviceaccountrestrictsthedatabasefromaccessingthecriticalareasoftheoperatingsystemwhicharenotrequiredbytheMongoDB.Thiswillalsomitigatethepotentialforunauthorizedaccessviaacompromised,privilegedaccountontheoperatingsystem.
Audit:
Runthefollowingcommandtogetlistingofallmongoinstances,thePIDnumber,andthePIDowner.
ps -ef | grep -E "mongos|mongod"
Remediation:
1. Create a dedicated user for performing MongoDB database activity. 2. Set the Database data files, the keyfile, and the SSL private key files to only be readable
by the mongod/mongos user. 3. Set the log files to only be writable by the mongod/mongos user and readable only by
root.
DefaultValue:
Notconfigured
23|P a g e
References:
1. http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/
CISControls:
5.1–MinimizeandSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.
24|P a g e
3.4EnsurethateachroleforeachMongoDBdatabaseisneededandgrantsonlythenecessaryprivileges(Scored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
Reviewingallrolesperiodicallyandeliminatingunneededrolesaswellasunneededprivilegesfromnecessaryroleshelpsminimizetheprivilegesthateachuserhas.
Rationale:
Althoughrole-basedaccesscontrol(RBAC)hasmanyadvantagesforregulatingaccesstoresources,overtimesomerolesmaynolongerbeneeded,andsomerolesmaygrantprivilegesthatarenolongerneeded.
Audit:
Performthefollowingcommandtoviewallrolesonthedatabaseonwhichthecommandruns,includingbothbuilt-inanduser-definedroles,aswellastheprivilegesgrantedbyeachrole.Ensurethatonlynecessaryrolesarelistedandonlythenecessaryprivilegesarelistedforeachrole.
db.runCommand( { rolesInfo: 1, showPrivileges: true, showBuiltinRoles: true } )
Remediation:
Torevokespecifiedprivilegesfromtheuser-definedroleonthedatabasewherethecommandisrun.TherevokePrivilegesFromRolecommandhasthefollowingsyntax:
{ revokePrivilegesFromRole: "<role>", privileges: [ { resource: { <resource> }, actions: [ “<action>", ... ] }, ... ], }
25|P a g e
References:
1. https://docs.mongodb.com/v3.2/reference/method/db.revokePrivilegesFromRole/ 2. https://docs.mongodb.com/v3.2/reference/command/revokePrivilegesFromRole/#dbcmd.r
evokePrivilegesFromRole
Notes:
YoumusthavethedropRoleactiononadatabasetodroparolefromthatdatabase.
CISControls:
14.4–ProtectInformationwithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
26|P a g e
3.5ReviewUser-DefinedRoles(Scored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
Reviewingallrolesperiodicallyandremovingallusersfromthoseroleswhodonotneedtobelongtothemhelpsminimizetheprivilegesthateachuserhas.
Rationale:
Althoughrole-basedaccesscontrol(RBAC)hasmanyadvantagesforregulatingaccesstoresources,overtimesomeusersmaybeassignedtorolesthatarenolongernecessary,suchasauserchangingjobswithintheorganization.Userswhohaveexcessiveprivilegesposeunnecessaryrisktotheorganization.
Audit:
Checkeachroleforeachdatabaseusingoneofthefollowingcommands.
Tospecifyarolefromthecurrentdatabase,specifytherolebyitsname:
db.runCommand( { rolesInfo: "<rolename>" } )
Tospecifyarolefromanotherdatabase,specifytherolebyadocumentthatspecifiestheroleanddatabase:
db.runCommand( { rolesInfo: { role: "<rolename>", db: "<database>" } } )
Remediation:
Toremoveauserfromoneormorerolesonthecurrentdatabase,usethefollowingcommand:
use <dbName> db.revokeRolesFromUser( "<username>", [ <roles> ])
References:
1. https://docs.mongodb.com/manual/reference/method/db.revokeRolesFromUser/ 2. https://docs.mongodb.com/manual/reference/command/rolesInfo/ 3. https://docs.mongodb.com/manual/reference/privilege-actions/#authr.revokeRole
27|P a g e
Notes:
Logged-inusermusthavetherevokeRoleactiononadatabasetorevokearoleonthatdatabase.Also,roleInfoworksforbothuser-definedrolesandbuilt-inroles.
CISControls:
16.1–PerformRegularAccountReviewsReviewallsystemaccountsanddisableanyaccountthatcannotbeassociatedwithabusinessprocessandowner.
28|P a g e
3.6ReviewSuperuser/AdminRoles(Scored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
Rolesprovideseveraladvantagesthatmakeiteasiertomanageprivilegesinadatabasesystem.Securityadministratorscancontrolaccesstotheirdatabasesinawaythatmirrorsthestructureoftheirorganizations(theycancreaterolesinthedatabasethatmapdirectlytothejobfunctionsintheirorganizations).Theassignmentofprivilegesissimplified.Insteadofgrantingthesamesetofprivilegestoeachindividualuserinaparticularjobfunction,theadministratorcangrantthissetofprivilegestoarolerepresentingthatjobfunctionandthengrantthatroletoeachuserinthatjobfunction.
Rationale:
ReviewingtheSuperuser/Adminroleswithinadatabasehelpsminimizethepossibilityofprivilegedunwantedaccess.
Audit:
Superuserrolesprovidetheabilitytoassignanyuseranyprivilegeonanydatabase,whichmeansthatuserswithoneoftheserolescanassignthemselvesanyprivilegeonanydatabase:
db.runCommand( { rolesInfo: "dbOwner" } ) db.runCommand( { rolesInfo: "userAdmin" } ) db.runCommand( { rolesInfo: "userAdminAnyDatabase" } )
RootroleprovidesaccesstotheoperationsandalltheresourcesofthereadWriteAnyDatabase,dbAdminAnyDatabase,userAdminAnyDatabase,clusterAdminroles,restorecombined.
db.runCommand( { rolesInfo: "readWriteAnyDatabase" } ) db.runCommand( { rolesInfo: "dbAdminAnyDatabase" } ) db.runCommand( { rolesInfo: "userAdminAnyDatabase" } ) db.runCommand( { rolesInfo: "clusterAdmin" } )
ClusterAdministrationRolesareusedforadministeringthewholesystemratherthanjustasingledatabase.
db.runCommand( { rolesInfo: "hostManager" } )
29|P a g e
Remediation:
Toremoveauserfromoneormorerolesonthecurrentdatabase.
use <dbName> db.revokeRolesFromUser( "<username>", [ <roles> ])
References:
1. https://docs.mongodb.com/v3.0/reference/built-in-roles/#built-in-roles 2. https://docs.mongodb.com/manual/reference/method/db.revokeRolesFromUser/
CISControls:
5.1–MinimizeandSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.
16.1–PerformRegularAccountReviewsReviewallsystemaccountsanddisableanyaccountthatcannotbeassociatedwithabusinessprocessandowner.
30|P a g e
4DataEncryption
Thissectioncontainsrecommendationsforsecuringdataatrest(stored)anddatainmotion(transiting)forMongoDB.
4.1EnsureTLSorSSLprotectsallnetworkcommunications(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
UseTLSorSSLtoprotectallincomingandoutgoingconnections.ThisshouldincludeusingTLSorSSLtoencryptcommunicationbetweenmongodandmongoscomponentsofaMongoDBclientaswellasbetweenallapplicationsandMongoDB.
MostMongoDBdistributionsincludesupportforSSLorTLS.
Rationale:
ThispreventssniffingofcleartexttrafficbetweenMongoDBcomponentsorperformingaman-in-the-middleattackforMongoDB.
Audit:
ToverifythattheserverrequiresSSLorTLSuse(net.ssl.modevaluesettorequireSSL),runoneofthefollowingcommands:
cat /etc/mongos.conf | grep –A20 ‘net’ | grep –A10 ‘ssl’ | grep ‘mode’
Remediation:
ConfigureMongoDBserverstorequiretheuseofSSLorTLStoencryptallMongoDBnetworkcommunications.
ToimplementSSLorTLStoencryptallMongoDBnetworkcommunication,performthefollowingsteps:
31|P a g e
Formongod(“PrimarydaemonprocessfortheMongoDBsystem”)
Intheconfigurationfile/etc/mongod.conf,setthePEMKeyFileoptiontothecertificatefile’spathandthenstartthecomponentwiththiscommand:
ssl: mode: requireSSL PEMKeyFile: /etc/ssl/mongodb.pem CAFile: /etc/ssl/ca.pem
Andrestartmonogdbinstancewithmongod --config /etc/mongod.conf
Or
mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca.pem
DefaultValue:
Notconfigured
References:
1. http://docs.mongodb.org/manual/tutorial/configure-ssl/
Notes:
Value Description
disabled TheserverdoesnotuseTLS/SSL.
allowSSL ConnectionsbetweenserversdonotuseTLS/SSL.Forincomingconnections,theserveracceptsbothTLS/SSLandnon-TLS/non-SSL.
preferSSL ConnectionsbetweenserversuseTLS/SSL.Forincomingconnections,theserveracceptsbothTLS/SSLandnon-TLS/non-SSL.
requireSSL TheserverusesandacceptsonlyTLS/SSLencryptedconnections.
CISControls:
14.2–EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
32|P a g e
4.2EnsureFederalInformationProcessingStandard(FIPS)isenabled(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
TheFederalInformationProcessingStandard(FIPS)isacomputersecuritystandardusedtocertifysoftwaremodulesandlibrariesthatencryptanddecryptdatasecurely.YoucanconfigureMongoDBtorunwithaFIPS140-2certifiedlibraryforOpenSSL.
Rationale:
FIPSisindustrystandardthatdictateshowdatashouldbeencryptedinrestandduringtransmission.
Audit:
ToverifythattheserverusesFIPSMode(net.ssl.FIPSModevaluesettotrue),runfollowingcommands:
mongos --config /etc/mongos.conf
net: ssl: FIPSMode: true
or
ToverifyFIPSmodeisrunning,checktheserverlogfileforamessagethatFIPSisactive:
FIPS 140-2 mode activated
33|P a g e
Remediation:
ConfiguringFIPSmode,ensurethatyourcertificateisFIPScompliant.RunmongodormongosinstanceinFIPSmode.
Makechangestoconfigurationfile,toconfigureyourmongodormongosinstancetouseFIPSmode,shutdowntheinstanceandupdatetheconfigurationfilewiththefollowingsetting:
net: ssl: FIPSMode: true
Startmongodormongosinstancewithaconfigurationfile.
mongod --config /etc/mongod.conf
DefaultValue:
Notconfigured
References:
1. https://docs.mongodb.com/v3.2/tutorial/configure-fips/
CISControls:
14.2–EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
14.5–EncryptatRestSensitiveInformationSensitiveinformationstoredonsystemsshallbeencryptedatrestandrequireasecondaryauthenticationmechanism,notintegratedintotheoperatingsystem,inordertoaccesstheinformation.
34|P a g e
5Auditing
ThissectioncontainsrecommendationsrelatedtoconfiguringauditlogginginMongoDB.
5.1Ensurethatsystemactivityisaudited(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
Trackaccessandchangestodatabaseconfigurationsanddata.MongoDBEnterpriseincludesasystemauditingfacilitythatcanrecordsystemevents(e.g.useroperations,connectionevents)onaMongoDBinstance.Theseauditrecordspermitforensicanalysisandallowadministratorstoverifypropercontrols.
Rationale:
Systemlevellogscanbehandywhiletroubleshootinganoperationalproblemorhandlingasecurityincident.
Audit:
ToverifythatsystemactivityisbeingauditedforMongoDB,runthefollowingcommandtoconfirmtheauditLog.destinationvalueissetcorrectly:
cat /etc/mongod.conf |grep –A4 "auditLog" | grep "destination"
Remediation:
SetthevalueofauditLog.destinationtotheappropriatevaluefromthefollowingoptions:
syslog
Toenableauditingandprintauditeventstosyslog
mongod --dbpath data/db --auditDestination syslog
console
Toenableauditingandprintauditeventstostandardoutput(i.e.,stdout)
mongod --dbpath data/db --auditDestination console
35|P a g e
JsonFile
ToenableauditingandprintauditeventstoafileinJSONformat.PrintingauditeventstofileinJSONformatdegradesserverperformancemorethanprintingtoafileinBSONformat.
mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json
BsonFile
ToenableauditingandprintauditeventstoafileinBSONbinaryformat
mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson
DefaultValue:
Notconfigured
References:
1. http://docs.mongodb.org/manual/tutorial/configure-auditing/
CISControls:
6.2–EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
36|P a g e
5.2Ensurethatauditfiltersareconfiguredproperly(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
MongoDBEnterprisesupportsauditingofvariousoperations.Whenenabled,theauditfacility,bydefault,recordsallauditableoperationsasdetailedinAuditEventActions,Details,andResults.Tospecifywhicheventstorecord,theauditfeatureincludesthe--auditFilteroption.ThischeckisonlyforEnterpriseeditions.
Rationale:
Alloperationscarriedoutonthedatabasearelogged.Thishelpsinbacktrackingandtracinganyincidentthatoccurs.
Audit:
ToverifythatauditfiltersareconfiguredonMongoDBaspertheorganization’srequirements,runthefollowingcommand:
cat /etc/mongod.conf |grep –A10 "auditLog" | grep "filter"
Remediation:
Settheauditfiltersbasedontheorganization’srequirements.
DefaultValue:
Notconfigured
References:
1. https://docs.mongodb.com/manual/reference/audit-message/ 2. https://docs.mongodb.com/manual/tutorial/configure-audit-filters/
37|P a g e
CISControls:
6.2–EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
38|P a g e
5.3Ensurethatloggingcapturesasmuchinformationaspossible(NotScored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
TheSystemLog.quietoptionstopsloggingofinformationsuchas:
• connection events • authentication events • replication sync activities • evidence of some potentially impactful commands being run (eg: drop, dropIndexes,
validate)
Thisinformationshouldbeloggedwheneverpossible.ThischeckisonlyforEnterpriseeditions.
Rationale:
TheuseofSystemLog.quietmakestroubleshootingproblemsandinvestigatingpossiblesecurityincidentsmuchmoredifficult.
Audit:
ToverifythattheSystemLog.quietoptionisdisabled(valueofFalse),runthefollowingcommand:
cat /etc/mongod.conf |grep "SystemLog.quiet"
Remediation:
SetSystemLog.quiettoFalseinthe/etc/mongod.conffiletodisableit.
References:
1. https://docs.mongodb.com/manual/reference/configuration-options/#systemLog.quiet
39|P a g e
CISControls:
6.2–EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
40|P a g e
5.4Ensurethatnewentriesareappendedtotheendofthelogfile(NotScored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
Bydefault,newlogentrieswilloverwriteoldentriesafterarestartofthemongodorMongolsservice.EnablingthesystemLog.logAppendsettingcausesnewentriestobeappendedtotheendofthelogfileratherthanoverwritingtheexistingcontentofthelogwhenthemongosormongodinstancerestarts.
Rationale:
Allowingoldentriestobeoverwrittenbynewentriesinsteadofappendingnewentriestotheendofthelogmaydestroyoldlogdatathatisneededforavarietyofpurposes.
Audit:
Toverifythatnewlogentrieswillbeappendedtotheendofthelogfileafterarestart(systemLog.logAppendvaluesettotrue),runthefollowingcommand:
cat /etc/mongod.conf |grep "systemLog.logAppend"
Remediation:
Set systemLog.logAppendtotrueinthe/etc/mongod.conffile.
References:
1. https://docs.mongodb.com/manual/reference/configuration-options/#systemLog.logAppend
CISControls:
6.3–EnsureAuditLoggingSystemsAreNotSubjecttoLoss(i.e.rotation/archive)Ensurethatallsystemsthatstorelogshaveadequatestoragespaceforthelogsgeneratedonaregularbasis,sothatlogfileswillnotfillupbetweenlogrotationintervals.Thelogsmustbearchivedanddigitallysignedonaperiodicbasis.
41|P a g e
6OperatingSystemHardening
ThissectioncontainsrecommendationsrelatedtohardeningtheoperatingsystemrunningbelowMongoDB.
6.1MongodbDatabaseRunningwithLeastPrivileges(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
Thissettingensuresthatmonogdservicerunasleastprivilegeuser.
Rationale:
Anyonewhohasbeenavictimofviruses,worms,andothermalicioussoftware(malware)willappreciatethesecurityprincipleof“leastprivilege.”Ifallprocessesranwiththesmallestsetofprivilegesneededtoperformtheuser'stasks,itwouldbemoredifficultformaliciousandannoyingsoftwaretoinfectamachineandpropagatetoothermachines.
Audit:
ConnectMongoDBService
mongod --port 27017 --dbpath /data/db1
Itwillhighlightiftheserviceisrunningasrootprivilegeornot.
Remediation:
CreateauserwhichisonlyusedforrunningMongodbanddirectlyrelatedprocesses.Thisusermustnothaveadministrativerightstothesystem.
Stepstocreateuser
useradd -m -d /home/mongodb -s /bin/bash -g mongodb -u 1234 mongodb
Andthensetownershiptomongodbuseronly
sudo chown -R mongodb:mongodb /data/db
42|P a g e
CISControls:
5.1–MinimizeandSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.
43|P a g e
6.2EnsurethatMongoDBusesanon-defaultport(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
ChangingtheportusedbyMongoDBmakesitharderforattackerstofindthedatabaseandtargetit.
Rationale:
Standardportsareusedinautomatedattacksandbyattackerstoverifywhichapplicationsarerunningonaserver.
Audit:
ToverifytheportnumberusedbyMongoDB,executethefollowingcommandandensurethattheportnumberisnot27017:
cat /etc/mongod.conf |grep “port”
Remediation:
ChangetheportforMongoDBservertoanumberotherthan27017.
Impact:
HackersfrequentlyscanIPaddressesforcommonlyusedports,soit'snotuncommontouseadifferentportto"flyundertheradar".Thisisjusttoavoiddetection,otherthanthatthereisnoaddedsafetybyusingadifferentport.
References:
1. https://docs.mongodb.com/manual/reference/default-mongodb-port/
CISControls:
9 – LimitationandControlofNetworkPorts,Protocols,andServices
44|P a g e
6.3EnsurethatoperatingsystemresourcelimitsaresetforMongoDB(NotScored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
Operatingsystemsprovidewaystolimitandcontroltheusageofsystemresourcessuchasthreads,files,andnetworkconnectionsonaper-processandper-userbasis
Rationale:
Theseulimitspreventasingleuserfromconsumingtoomanysystemresources.
Audit:
ToverifytheresourcelimitssetforMongoDB,runthefollowingcommands.
ExtracttheprocessIDforMongoDB:
ps -ef|grep mongod
Viewthelimitsassociatedwiththatprocessnumber:
cat /proc/1322/limits
Remediation:
Everydeploymentmayhaveuniquerequirementsandsettings.RecommendedthresholdsandsettingsareparticularlyimportantforMongoDBdeployments:
• f (file size): unlimited • t (cpu time): unlimited • v (virtual memory): unlimited [1] • n (open files): 64000 • m (memory size): unlimited [1] [2] • u (processes/threads): 64000
Restartthemongodandmongosinstancesafterchangingtheulimitsettingstoensurethatthechangestakeeffect.
45|P a g e
DefaultValue:
Notconfigured
References:
1. https://docs.mongodb.com/manual/reference/ulimit/#recommended-ulimit-settings
46|P a g e
6.4Ensurethatserver-sidescriptingisdisabledifnotneeded(NotScored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
MongoDBsupportstheexecutionofJavaScriptcodeforcertainserver-sideoperations:mapReduce,group,and$where.Ifyoudonotusetheseoperations,server-sidescriptingshouldbedisabled.
Rationale:
Ifserver-sidescriptingisnotneededandisnotdisabled,thisintroducesunnecessaryriskthatanattackermaytakeadvantageofinsecurecoding.
Audit:
Ifserver-sidescriptingisnotrequired,verifythatitisdisabled(javascriptEnabledvalueoffalse)usingthefollowingcommand:
cat /etc/mongod.conf |grep –A10 "security" | grep "javascriptEnabled"
Remediation:
Ifserver-sidescriptingisnotrequired,disableitbyusingthe--noscriptingoptiononthecommandline.
DefaultValue:
Enabled
CISControls:
18.9–SanitizeDeployedSoftwareofDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.
47|P a g e
6.5EnsureThe'test'databaseisnotinstalled(NotScored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
ThedefaultMongoDBinstallationcomeswithanunuseddatabasecalled'test'.Itisrecommendedthatthetestdatabasebedropped.
Rationale:
Thetestdatabasecanbeaccessedbyallusersandcanbeusedtoconsumesystemresources.DroppingthetestdatabasewillreducetheattacksurfaceoftheMongoDBserver.
Audit:
Executethefollowingquerytodetermineifthetestdatabaseispresent:
show dbs
Remediation:
Executethefollowingcommandmongoshelltodropthetestdatabase:
use test
db.dropDatabase()
CISControls:
18.9–SanitizeDeployedSoftwareofDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.
48|P a g e
7FilePermissions
Thissectionprovidesrecommendationsforsettingpermissionsforthekeyfileandthedatabasefile.
7.1Ensurethatkeyfilepermissionsaresetcorrectly(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
Thekeyfileisusedforauthenticationintheshardedcluster.Implementingproperfilepermissionsonthekeyfilewillpreventunauthorizedaccesstoit.
Rationale:
ProtectingthekeyfilestrengthensauthenticationintheshardedclusterandpreventsunauthorizedaccesstotheMongoDBdatabase.
Audit:
ToverifythepermissionsfortheMongoDBkeyfile,runthefollowingcommand:
cat /etc/mongod.conf | grep “keyFile=”
Remediation:
SetthekeyFileownershiptomongodbuserandremoveotherpermissionsbyexecutingthesecommands:
chmod 600 /keyfile sudo chown mongodb:mongodb /keyfile
49|P a g e
DefaultValue:
Notconfigured
References:
1. https://docs.mongodb.com/v3.0/tutorial/enable-internal-authentication/
CISControls:
16.14–Encrypt/HashAllAuthenticationFilesandMonitorTheirAccessVerifythatallauthenticationfilesareencryptedorhashedandthatthesefilescannotbeaccessedwithoutrootoradministratorprivileges.Auditallaccesstopasswordfilesinthesystem.
50|P a g e
7.2Ensurethatdatabasefilepermissionsaresetcorrectly(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
MongoDBdatabasefilesneedtobeprotectedusingfilepermissions.
Rationale:
Thiswillrestrictunauthorizedusersfromaccessingthedatabase.
Audit:
ToverifythatthepermissionsfortheMongoDBdatabasefileareconfiguredsecurely,runthefollowingcommands.
Findoutthedatabaselocationusingthefollowingcommand:
cat /etc/mongod.conf |grep "dbpath"
Usethedatabaselocationaspartofthefollowingcommandtoviewandverifythepermissionssetforthedatabasefile:
ls –l /var/lib/mongodb
Remediation:
Setownershipofthedatabasefiletomongodbuserandremoveotherpermissionsusingthefollowingcommands:
chmod 600 /var/lib/mongodb sudo chown mongodb:mongodb /var/lib/mongodb
DefaultValue:
Notconfigured
CISControls:
14.4–ProtectInformationwithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
51|P a g e
Appendix:SummaryTableControl Set
Correctly Yes No
1 Installation and Patching 1.1 Ensure the appropriate MongoDB software version/patches are
installed (Scored) o o
2 Authentication 2.1 Ensure that authentication is enabled for MongoDB databases
(Scored) o o
2.2 Ensure that MongoDB does not bypass authentication via the localhost exception (Scored) o o
2.3 Ensure authentication is enabled in the sharded cluster (Scored) o o 2.4 Ensure an industry standard authentication mechanism is used
(Scored) o o
3 Access Control 3.1 Ensure that role-based access control is enabled and configured
appropriately (Scored) o o
3.2 Ensure that MongoDB only listens for network connections on authorized interfaces (Scored) o o
3.3 Ensure that MongoDB is run using a non-privileged, dedicated service account (Scored) o o
3.4 Ensure that each role for each MongoDB database is needed and grants only the necessary privileges (Scored) o o
3.5 Review User-Defined Roles (Scored) o o 3.6 Review Superuser/Admin Roles (Scored) o o 4 Data Encryption 4.1 Ensure TLS or SSL protects all network communications
(Scored) o o
4.2 Ensure Federal Information Processing Standard (FIPS) is enabled (Scored) o o
5 Auditing 5.1 Ensure that system activity is audited (Scored) o o 5.2 Ensure that audit filters are configured properly (Scored) o o 5.3 Ensure that logging captures as much information as possible
(Not Scored) o o
5.4 Ensure that new entries are appended to the end of the log file (Not Scored) o o
6 Operating System Hardening 6.1 Mongodb Database Running with Least Privileges (Scored) o o 6.2 Ensure that MongoDB uses a non-default port (Scored) o o
52|P a g e
6.3 Ensure that operating system resource limits are set for MongoDB (Not Scored) o o
6.4 Ensure that server-side scripting is disabled if not needed (Not Scored) o o
6.5 Ensure The 'test' database is not installed (Not Scored) o o 7 File Permissions 7.1 Ensure that key file permissions are set correctly (Scored) o o 7.2 Ensure that database file permissions are set correctly (Scored) o o
53|P a g e
Appendix:ChangeHistoryDate Version Changes for this version 06-06-2017 1.0.0 Initial Release
Recommended