CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB...

CISMongoDB3.2Benchmark

v1.0.0-06-07-2017

1|P a g e

ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-ShareAlike4.0InternationalPublicLicense.Thelinktothelicensetermscanbefoundathttps://creativecommons.org/licenses/by-nc-sa/4.0/legalcodeTofurtherclarifytheCreativeCommonslicenserelatedtoCISBenchmarkcontent,youareauthorizedtocopyandredistributethecontentforusebyyou,withinyourorganizationandoutsideyourorganizationfornon-commercialpurposesonly,providedthat(i)appropriatecreditisgiventoCIS,(ii)alinktothelicenseisprovided.Additionally,ifyouremix,transformorbuildupontheCISBenchmark(s),youmayonlydistributethemodifiedmaterialsiftheyaresubjecttothesamelicensetermsastheoriginalBenchmarklicenseandyourderivativewillnolongerbeaCISBenchmark.CommercialuseofCISBenchmarksissubjecttothepriorapprovaloftheCenterforInternetSecurity.

2|P a g e

TableofContentsOverview......................................................................................................................................................................4

IntendedAudience..............................................................................................................................................4

ConsensusGuidance...........................................................................................................................................4

TypographicalConventions............................................................................................................................5

ScoringInformation............................................................................................................................................5

ProfileDefinitions................................................................................................................................................6

Acknowledgements.............................................................................................................................................7

Recommendations....................................................................................................................................................8

1InstallationandPatching..............................................................................................................................8

1.1EnsuretheappropriateMongoDBsoftwareversion/patchesareinstalled(Scored)..........................................................................................................................................................8

2Authentication................................................................................................................................................10

2.1EnsurethatauthenticationisenabledforMongoDBdatabases(Scored)..............10

2.2EnsurethatMongoDBdoesnotbypassauthenticationviathelocalhostexception(Scored).......................................................................................................................................................12

2.3Ensureauthenticationisenabledintheshardedcluster(Scored)............................14

2.4Ensureanindustrystandardauthenticationmechanismisused(Scored)...........16

3AccessControl................................................................................................................................................18

3.1Ensurethatrole-basedaccesscontrolisenabledandconfiguredappropriately(Scored).......................................................................................................................................................18

3.2EnsurethatMongoDBonlylistensfornetworkconnectionsonauthorizedinterfaces(Scored).................................................................................................................................20

3.3EnsurethatMongoDBisrunusinganon-privileged,dedicatedserviceaccount(Scored).......................................................................................................................................................22

3.4EnsurethateachroleforeachMongoDBdatabaseisneededandgrantsonlythenecessaryprivileges(Scored)............................................................................................................24

3.5ReviewUser-DefinedRoles(Scored)......................................................................................26

3.6ReviewSuperuser/AdminRoles(Scored)............................................................................28

4DataEncryption.............................................................................................................................................30

4.1EnsureTLSorSSLprotectsallnetworkcommunications(Scored)..........................30

3|P a g e

4.2EnsureFederalInformationProcessingStandard(FIPS)isenabled(Scored).....32

5Auditing.............................................................................................................................................................34

5.1Ensurethatsystemactivityisaudited(Scored)................................................................34

5.2Ensurethatauditfiltersareconfiguredproperly(Scored)..........................................36

5.3Ensurethatloggingcapturesasmuchinformationaspossible(NotScored)......38

5.4Ensurethatnewentriesareappendedtotheendofthelogfile(NotScored)....40

6OperatingSystemHardening...................................................................................................................41

6.1MongodbDatabaseRunningwithLeastPrivileges(Scored).......................................41

6.2EnsurethatMongoDBusesanon-defaultport(Scored)...............................................43

6.3EnsurethatoperatingsystemresourcelimitsaresetforMongoDB(NotScored).........................................................................................................................................................................44

6.4Ensurethatserver-sidescriptingisdisabledifnotneeded(NotScored)..............46

6.5EnsureThe'test'databaseisnotinstalled(NotScored)................................................47

7FilePermissions.............................................................................................................................................48

7.1Ensurethatkeyfilepermissionsaresetcorrectly(Scored).........................................48

7.2Ensurethatdatabasefilepermissionsaresetcorrectly(Scored).............................50

Appendix:ChangeHistory.................................................................................................................................53

4|P a g e

OverviewThisdocument,CISMongoDBBenchmark,providesprescriptiveguidanceforestablishingasecureconfigurationpostureforMongoDBversion3.2.ThisguidewastestedagainstMongoDB3.2runningonUbuntuLinux14.04,butappliestootherlinuxdistributionsaswell.Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,pleasewriteusatfeedback@cisecurity.org.

IntendedAudience

Thisdocumentisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnelwhoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateMongoDB.

ConsensusGuidance

This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal. Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://community.cisecurity.org.

5|P a g e

TypographicalConventions

The following typographical conventions are used throughout this guide:

Convention Meaning Stylized Monospace font Used for blocks of code, command, and script examples. Text

should be interpreted exactly as presented. Monospacefont Used for inline code, commands, or examples. Text should be

interpreted exactly as presented. <italicfontinbrackets> Italic texts set in angle brackets denote a variable requiring

substitution for a real value. Italic font Used to denote the title of a book, article, or other publication. Note Additional information or caveats

ScoringInformation

A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:

Scored

Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.

NotScored

Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.

6|P a g e

ProfileDefinitions

The following configuration profiles are defined by this Benchmark:

• Level 1 - MongoDB on Linux

ItemsinthisprofileapplytoMongoDBrunningonLinuxandintendto:

o be practical and prudent; o provide a clear security benefit; and o not inhibit the utility of the technology beyond acceptable means.

• Level 2 - MongoDB on Linux

Thisprofileextendsthe“Level1-MongoDBonLinux”profile.ItemsinthisprofileapplytoMongoDBrunningonLinuxandexhibitoneormoreofthefollowingcharacteristics:

o are intended for environments or use cases where security is paramount o acts as defense in depth measure o may negatively inhibit the utility or performance of the technology.

7|P a g e

Acknowledgements

Thisbenchmarkexemplifiesthegreatthingsacommunityofusers,vendors,andsubjectmatterexpertscanaccomplishthroughconsensuscollaboration.TheCIScommunitythankstheentireconsensusteamwithspecialrecognitiontothefollowingindividualswhocontributedgreatlytothecreationofthisguide: Author Vinesh Redkar Security Consultant Contributor Chris Bielinski Philippe Langlois, Center for Internet Security Pralhad Chaskar Editor Karen Scarfone Tim Harrison CISSP, ICP, Center for Internet Security

8|P a g e

Recommendations1InstallationandPatching

ThissectionprovidesguidanceonensuringthattheMongoDBsoftwareisuptodatetoeliminateeasilyavoidablevulnerabilities.

1.1EnsuretheappropriateMongoDBsoftwareversion/patchesareinstalled(Scored)

ProfileApplicability:

• Level1-MongoDBonLinux

Description:

TheMongoDBinstallationversion,alongwiththepatchlevel,shouldbethemostrecentthatiscompatiblewiththeorganization'soperationalneeds.

Rationale:

UsingthemostrecentMongoDBsoftwareversionalongwithallapplicablepatcheshelpslimitthepossibilitiesforvulnerabilitiesinthesoftware.Theinstallationversionand/orpatchesappliedshouldbeselectedaccordingtotheneedsoftheorganization.Atminimum,thesoftwareversionshouldbesupported.

Note:AsofOctober2016,onlyMongoDBversions3.0and3.2arestillsupported.

9|P a g e

Audit:

RunthefollowingcommandfromwithintheMongoDBshelltodetermineiftheMongoDBsoftwareversioncomplieswithyourorganization’soperationalneeds:

> db.version()

Remediation:

UpgradetothelatestversionoftheMongoDBsoftware:

1. Backup the data set. 2. Download the binaries for the latest MongoDB revision from the MongoDB Download

Page and store the binaries in a temporary location. The binaries download as compressed files that extract to the directory structure used by the MongoDB installation.

3. Shutdown the MongoDB instance. 4. Replace the existing MongoDB binaries with the downloaded binaries. 5. Restart the MongoDB instance.

DefaultValue:

Patchesarenotinstalledbydefault.

References:

1. http://docs.mongodb.org/manual/tutorial/upgrade-revision/ 2. https://docs.mongodb.com/manual/release-notes/ 3. https://www.mongodb.com/download-center#community 4. https://www.mongodb.com/support-policy

CISControls:

4–ContinuousVulnerabilityAssessmentandRemediation

10|P a g e

2Authentication

ThissectioncontainsrecommendationsforrequiringauthenticationbeforeallowingaccesstotheMongoDBdatabase.

2.1EnsurethatauthenticationisenabledforMongoDBdatabases(Scored)

Description:

Thissettingensuresthatallclients,users,and/orserversarerequiredtoauthenticatepriortobeinggrantedaccesstotheMongoDBdatabase.

Rationale:

Failuretoauthenticateclients,users,and/orserverscanenableunauthorizedaccesstotheMongoDBdatabaseandcanpreventtracingactionsbacktotheirsources.

Audit:

Runthefollowingcommandtoverifywhetherauthenticationisenabled(AuthvaluesettoTrue)ontheMongoDBserver.

cat /etc/mongod.conf | grep “Auth=”

11|P a g e

Remediation:

TheauthenticationmechanismshouldbeimplementedbeforeanyoneaccessestheMongoDBServer.

Toenabletheauthenticationmechanism:

• Start the MongoDB instance without authentication.

mongod --port 27017 --dbpath /data/db1]

• Create the system user administrator, ensuring that its password meets organizationally-defined password complexity requirements.

use admin db.createUser( { user: "siteUserAdmin", pwd: "password", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } )

• Restart the MongoDB instance with authentication enabled.

mongod --auth --config /etc/mongod.conf

DefaultValue:

Notconfigured

References:

1. https://www.mongodb.com/blog/post/improved-password-based-authentication-mongodb-30-scram-explained-part-1

2. https://www.owasp.org/index.php/Authentication_Cheat_Sheet

CISControls:

16–AccountMonitoringandControl

12|P a g e

2.2EnsurethatMongoDBdoesnotbypassauthenticationviathelocalhostexception(Scored)

Description:

MongoDBshouldnotbesettobypassauthenticationviathelocalhostexception.Thelocalhostexceptionallowsyoutoenableauthorizationbeforecreatingthefirstuserinthesystem.

Note:ThisrecommendationonlyapplieswhentherearenouserscreatedintheMongoDBinstance.

Rationale:

DisablingthisexceptionwillpreventunauthorizedlocalaccesstotheMongoDBdatabase.Itwillalsoensuretraceabilityofeachdatabaseactivitytoaspecificuser.

Audit:

Toverifythelocalhostexceptionisdisabled,runthefollowingcommandtoensurethatenableLocalhostAuthBypassissetto0(false):

cat /etc/mongod.conf |grep "enableLocalhostAuthBypass"

Remediation:

SinceenableLocalhostAuthBypassisnotavailableusingthesetParameterdatabasecommand,usethesetParameteroptionintheconfigurationfiletosetittofalse.

setParameter: enableLocalhostAuthBypass: false

DefaultValue:

Notconfigured

References:

1. http://docs.mongodb.org/manual/core/authentication/#localhost-exception

13|P a g e

Notes:

The--setParameteroptiononthecommandlinemayalsobeusedtoconfigurethis;however,havingitintheconfigfilemayprovidegreaterconfidencethatthissettingisconfiguredcorrectlyineveryinstance.

CISControls:

14|P a g e

2.3Ensureauthenticationisenabledintheshardedcluster(Scored)

Description:

Authenticationisenabledinashardedclusterwhenkeyfilesarecreatedandconfiguredforallcomponents.Thisensuresthateveryclientthataccessestheclustermustprovidecredentials,toincludeMongoDBinstancesthataccesseachotherwithinthecluster.

Rationale:

EnforcingakeyonashardedclusterpreventsunauthorizedaccesstotheMongoDBdatabaseandprovidestraceabilityofdatabaseactivitiestoaspecificuserorcomponent.

Audit:

Runthefollowingcommandtoverifythatthekeyfileparameterisconfigured:

cat /etc/mongod.conf | grep “keyFile=”

Remediation:

Toenableauthenticationintheshardedcluster,performthefollowingsteps:

• Generate a key file. • On each component in the shared cluster, enable authentication by doing one of the

following: o In the configuration file /etc/mongod.conf, set the keyFile option to the key

file’s path and then start the component with this command:

keyFile = /srv/mongodb/keyfile

• When starting the component, set --keyFile option, which is an option for both mongos instances and mongod instances. Set the --keyFile to the key file’s path.

15|P a g e

DefaultValue:

Notconfigured

References:

1. http://docs.mongodb.org/v2.2/administration/sharded-clusters/

CISControls:

16|P a g e

2.4Ensureanindustrystandardauthenticationmechanismisused(Scored)

Description:

UsingoneormoreindustrystandardauthenticationmechanismshelpsorganizationsenforcetheiraccountandpasswordpoliciesfortheirMongoDBusers.

Rationale:

Withoutanindustrystandardauthenticationmechanisminplace,accountandpasswordmanagementismoretedious,andauthenticationmaynotalignwiththeorganization'spolicies.

Audit:

ToverifytheauthenticationmechanisminuseforMongoDB,runthefollowingcommands:

cat /etc/mongod.conf | grep “clusterAuthMode:” cat /etc/mongod.conf | grep “mode:” cat /etc/mongod.conf | grep “authorization:" cat /etc/mongod.conf | grep “authenticationMechanisms:”

Remediation:

Inordertoimplementanindustrystandardauthenticationmechanism,usethecorrespondingsamplefromthelistbelowasamodelforspecifyingtheauthenticationmechanismsintheMongoDBconfigurationfile.

x.509CertificatesforClientAuthentication:

security: clusterAuthMode: x509 net: ssl: mode: requireSSL PEMKeyFile: <path to TLS/SSL certificate and key PEM file> CAFile: <path to root CA PEM file>

SeethereferencesectionforalinktoadetailedprocedureforgeneratingthePEMKeyFileandCAFile.

17|P a g e

MongoDBwithKerberosAuthenticationonLinux:

security: authorization: enabled setParameter: authenticationMechanisms: GSSAPI storage: dbPath: /opt/mongodb/data

SeethereferencesectionforalinktoadetailedprocedureforestablishingtheKerberosserviceprincipalandkeytabfile.

References:

1. https://docs.mongodb.com/v3.2/tutorial/configure-x509-client-authentication/ 2. https://docs.mongodb.com/v3.2/tutorial/control-access-to-mongodb-with-kerberos-

authentication/ 3. https://docs.mongodb.com/v3.2/core/kerberos/#kerberos-service-principal 4. https://docs.mongodb.com/v3.2/core/kerberos/#keytab-files

Notes:

ConfiguringtheX.509certificateanddeployingKerberosisbeyondthescopeofthedocument.

CISControls:

18|P a g e

3AccessControl

ThissectioncontainsrecommendationsforrestrictingaccesstoMongoDBsystems.

3.1Ensurethatrole-basedaccesscontrolisenabledandconfiguredappropriately(Scored)

Description:

Role-basedaccesscontrol(RBAC)isamethodofregulatingaccesstoresourcesbasedontherolesofindividualuserswithinanenterprise.Auserisgrantedoneormorerolesthatdeterminetheuser’saccesstodatabaseresourcesandoperations.Outsideofroleassignments,theuserhasnoaccesstothesystem.MongoDBcanuseRBACtogovernaccesstoMongoDBsystems.MongoDBdoesnotenableauthorizationbydefault.

Rationale:

Whenproperlyimplemented,RBACenablesuserstocarryoutawiderangeofauthorizedtasksbydynamicallyregulatingtheiractionsaccordingtoflexiblefunctions.Thisallowsanorganizationtocontrolemployees’accesstoalldatabasetablesthroughRBAC.

Audit:

ConnecttoMongoDBwiththeappropriateprivilegesandrunthefollowingcommand:

mongo --port 27017 -u <siteUserAdmin> -p <password> --authenticationDatabase <database name>

Identifyusers'rolesandprivileges:

> db.getUser() > db.getRole()

Verifythattheappropriateroleorroleshavebeenconfiguredforeachuser.

19|P a g e

Remediation:

1. Establish roles for MongoDB. 2. Assign the appropriate privileges to each role. 3. Assign the appropriate users to each role. 4. Remove any individual privileges assigned to users that are now addressed by the roles. 5. See the reference below for more Information.

References:

1. http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/

CISControls:

14.4–ProtectInformationwithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.

20|P a g e

3.2EnsurethatMongoDBonlylistensfornetworkconnectionsonauthorizedinterfaces(Scored)

Description:

EnsuringthatMongoDBrunsinatrustednetworkenvironmentinvolveslimitingthenetworkinterfacesonwhichMongoDBinstanceslistenforincomingconnections.AnyuntrustednetworkconnectionsshouldbedroppedbyMongoDB.

Rationale:

Thisconfigurationblocksconnectionsfromuntrustednetworks,leavingonlysystemsonauthorizedandtrustednetworksabletoattempttoconnecttotheMongoDB.Ifnotconfigured,thismayleadtounauthorizedconnectionsfromuntrustednetworkstoMongoDB.

Audit:

1. Verify that network exposure is limited, review the settings in the MongoDB configuration file:

cat /etc/mongod.conf |grep –A12 “net” | grep “bindIp"

2. Verify the relevant network settings on the Linux system itself:

iptables –L

Remediation:

ConfiguretheMongoDBconfigurationfiletolimititsexposuretoonlythenetworkinterfacesonwhichMongoDBinstancesshouldlistenforincomingconnections.

DefaultValue:

Notconfigured

21|P a g e

References:

1. http://docs.mongodb.org/manual/tutorial/configure-linux-iptables-firewall/ 2. http://docs.mongodb.org/manual/tutorial/configure-windows-netsh-firewall/

CISControls:

9.1–LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.

22|P a g e

3.3EnsurethatMongoDBisrunusinganon-privileged,dedicatedserviceaccount(Scored)

Description:

TheMongoDBserviceshouldnotberunusingaprivilegedaccountsuchas'root'becausethisunnecessarilyexposestheoperatingsystemtohighrisk.

Rationale:

Usinganon-privileged,dedicatedserviceaccountrestrictsthedatabasefromaccessingthecriticalareasoftheoperatingsystemwhicharenotrequiredbytheMongoDB.Thiswillalsomitigatethepotentialforunauthorizedaccessviaacompromised,privilegedaccountontheoperatingsystem.

Audit:

Runthefollowingcommandtogetlistingofallmongoinstances,thePIDnumber,andthePIDowner.

ps -ef | grep -E "mongos|mongod"

Remediation:

1. Create a dedicated user for performing MongoDB database activity. 2. Set the Database data files, the keyfile, and the SSL private key files to only be readable

by the mongod/mongos user. 3. Set the log files to only be writable by the mongod/mongos user and readable only by

DefaultValue:

Notconfigured

23|P a g e

References:

1. http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/

CISControls:

5.1–MinimizeandSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.

24|P a g e

3.4EnsurethateachroleforeachMongoDBdatabaseisneededandgrantsonlythenecessaryprivileges(Scored)

Description:

Reviewingallrolesperiodicallyandeliminatingunneededrolesaswellasunneededprivilegesfromnecessaryroleshelpsminimizetheprivilegesthateachuserhas.

Rationale:

Althoughrole-basedaccesscontrol(RBAC)hasmanyadvantagesforregulatingaccesstoresources,overtimesomerolesmaynolongerbeneeded,andsomerolesmaygrantprivilegesthatarenolongerneeded.

Audit:

Performthefollowingcommandtoviewallrolesonthedatabaseonwhichthecommandruns,includingbothbuilt-inanduser-definedroles,aswellastheprivilegesgrantedbyeachrole.Ensurethatonlynecessaryrolesarelistedandonlythenecessaryprivilegesarelistedforeachrole.

db.runCommand( { rolesInfo: 1, showPrivileges: true, showBuiltinRoles: true } )

Remediation:

Torevokespecifiedprivilegesfromtheuser-definedroleonthedatabasewherethecommandisrun.TherevokePrivilegesFromRolecommandhasthefollowingsyntax:

{ revokePrivilegesFromRole: "<role>", privileges: [ { resource: { <resource> }, actions: [ “<action>", ... ] }, ... ], }

25|P a g e

References:

1. https://docs.mongodb.com/v3.2/reference/method/db.revokePrivilegesFromRole/ 2. https://docs.mongodb.com/v3.2/reference/command/revokePrivilegesFromRole/#dbcmd.r

evokePrivilegesFromRole

Notes:

YoumusthavethedropRoleactiononadatabasetodroparolefromthatdatabase.

CISControls:

26|P a g e

3.5ReviewUser-DefinedRoles(Scored)

Description:

Reviewingallrolesperiodicallyandremovingallusersfromthoseroleswhodonotneedtobelongtothemhelpsminimizetheprivilegesthateachuserhas.

Rationale:

Althoughrole-basedaccesscontrol(RBAC)hasmanyadvantagesforregulatingaccesstoresources,overtimesomeusersmaybeassignedtorolesthatarenolongernecessary,suchasauserchangingjobswithintheorganization.Userswhohaveexcessiveprivilegesposeunnecessaryrisktotheorganization.

Audit:

Checkeachroleforeachdatabaseusingoneofthefollowingcommands.

Tospecifyarolefromthecurrentdatabase,specifytherolebyitsname:

db.runCommand( { rolesInfo: "<rolename>" } )

Tospecifyarolefromanotherdatabase,specifytherolebyadocumentthatspecifiestheroleanddatabase:

db.runCommand( { rolesInfo: { role: "<rolename>", db: "<database>" } } )

Remediation:

Toremoveauserfromoneormorerolesonthecurrentdatabase,usethefollowingcommand:

use <dbName> db.revokeRolesFromUser( "<username>", [ <roles> ])

References:

1. https://docs.mongodb.com/manual/reference/method/db.revokeRolesFromUser/ 2. https://docs.mongodb.com/manual/reference/command/rolesInfo/ 3. https://docs.mongodb.com/manual/reference/privilege-actions/#authr.revokeRole

27|P a g e

Notes:

Logged-inusermusthavetherevokeRoleactiononadatabasetorevokearoleonthatdatabase.Also,roleInfoworksforbothuser-definedrolesandbuilt-inroles.

CISControls:

16.1–PerformRegularAccountReviewsReviewallsystemaccountsanddisableanyaccountthatcannotbeassociatedwithabusinessprocessandowner.

28|P a g e

3.6ReviewSuperuser/AdminRoles(Scored)

Description:

Rolesprovideseveraladvantagesthatmakeiteasiertomanageprivilegesinadatabasesystem.Securityadministratorscancontrolaccesstotheirdatabasesinawaythatmirrorsthestructureoftheirorganizations(theycancreaterolesinthedatabasethatmapdirectlytothejobfunctionsintheirorganizations).Theassignmentofprivilegesissimplified.Insteadofgrantingthesamesetofprivilegestoeachindividualuserinaparticularjobfunction,theadministratorcangrantthissetofprivilegestoarolerepresentingthatjobfunctionandthengrantthatroletoeachuserinthatjobfunction.

Rationale:

ReviewingtheSuperuser/Adminroleswithinadatabasehelpsminimizethepossibilityofprivilegedunwantedaccess.

Audit:

Superuserrolesprovidetheabilitytoassignanyuseranyprivilegeonanydatabase,whichmeansthatuserswithoneoftheserolescanassignthemselvesanyprivilegeonanydatabase:

db.runCommand( { rolesInfo: "dbOwner" } ) db.runCommand( { rolesInfo: "userAdmin" } ) db.runCommand( { rolesInfo: "userAdminAnyDatabase" } )

RootroleprovidesaccesstotheoperationsandalltheresourcesofthereadWriteAnyDatabase,dbAdminAnyDatabase,userAdminAnyDatabase,clusterAdminroles,restorecombined.

db.runCommand( { rolesInfo: "readWriteAnyDatabase" } ) db.runCommand( { rolesInfo: "dbAdminAnyDatabase" } ) db.runCommand( { rolesInfo: "userAdminAnyDatabase" } ) db.runCommand( { rolesInfo: "clusterAdmin" } )

ClusterAdministrationRolesareusedforadministeringthewholesystemratherthanjustasingledatabase.

db.runCommand( { rolesInfo: "hostManager" } )

29|P a g e

Remediation:

Toremoveauserfromoneormorerolesonthecurrentdatabase.

use <dbName> db.revokeRolesFromUser( "<username>", [ <roles> ])

References:

1. https://docs.mongodb.com/v3.0/reference/built-in-roles/#built-in-roles 2. https://docs.mongodb.com/manual/reference/method/db.revokeRolesFromUser/

CISControls:

16.1–PerformRegularAccountReviewsReviewallsystemaccountsanddisableanyaccountthatcannotbeassociatedwithabusinessprocessandowner.

30|P a g e

4DataEncryption

Thissectioncontainsrecommendationsforsecuringdataatrest(stored)anddatainmotion(transiting)forMongoDB.

4.1EnsureTLSorSSLprotectsallnetworkcommunications(Scored)

Description:

UseTLSorSSLtoprotectallincomingandoutgoingconnections.ThisshouldincludeusingTLSorSSLtoencryptcommunicationbetweenmongodandmongoscomponentsofaMongoDBclientaswellasbetweenallapplicationsandMongoDB.

MostMongoDBdistributionsincludesupportforSSLorTLS.

Rationale:

ThispreventssniffingofcleartexttrafficbetweenMongoDBcomponentsorperformingaman-in-the-middleattackforMongoDB.

Audit:

ToverifythattheserverrequiresSSLorTLSuse(net.ssl.modevaluesettorequireSSL),runoneofthefollowingcommands:

cat /etc/mongos.conf | grep –A20 ‘net’ | grep –A10 ‘ssl’ | grep ‘mode’

Remediation:

ConfigureMongoDBserverstorequiretheuseofSSLorTLStoencryptallMongoDBnetworkcommunications.

ToimplementSSLorTLStoencryptallMongoDBnetworkcommunication,performthefollowingsteps:

31|P a g e

Formongod(“PrimarydaemonprocessfortheMongoDBsystem”)

Intheconfigurationfile/etc/mongod.conf,setthePEMKeyFileoptiontothecertificatefile’spathandthenstartthecomponentwiththiscommand:

ssl: mode: requireSSL PEMKeyFile: /etc/ssl/mongodb.pem CAFile: /etc/ssl/ca.pem

Andrestartmonogdbinstancewithmongod --config /etc/mongod.conf

mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca.pem

DefaultValue:

Notconfigured

References:

1. http://docs.mongodb.org/manual/tutorial/configure-ssl/

Notes:

Value Description

disabled TheserverdoesnotuseTLS/SSL.

allowSSL ConnectionsbetweenserversdonotuseTLS/SSL.Forincomingconnections,theserveracceptsbothTLS/SSLandnon-TLS/non-SSL.

preferSSL ConnectionsbetweenserversuseTLS/SSL.Forincomingconnections,theserveracceptsbothTLS/SSLandnon-TLS/non-SSL.

requireSSL TheserverusesandacceptsonlyTLS/SSLencryptedconnections.

CISControls:

14.2–EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

32|P a g e

4.2EnsureFederalInformationProcessingStandard(FIPS)isenabled(Scored)

Description:

TheFederalInformationProcessingStandard(FIPS)isacomputersecuritystandardusedtocertifysoftwaremodulesandlibrariesthatencryptanddecryptdatasecurely.YoucanconfigureMongoDBtorunwithaFIPS140-2certifiedlibraryforOpenSSL.

Rationale:

FIPSisindustrystandardthatdictateshowdatashouldbeencryptedinrestandduringtransmission.

Audit:

ToverifythattheserverusesFIPSMode(net.ssl.FIPSModevaluesettotrue),runfollowingcommands:

mongos --config /etc/mongos.conf

net: ssl: FIPSMode: true

ToverifyFIPSmodeisrunning,checktheserverlogfileforamessagethatFIPSisactive:

FIPS 140-2 mode activated

33|P a g e

Remediation:

ConfiguringFIPSmode,ensurethatyourcertificateisFIPScompliant.RunmongodormongosinstanceinFIPSmode.

Makechangestoconfigurationfile,toconfigureyourmongodormongosinstancetouseFIPSmode,shutdowntheinstanceandupdatetheconfigurationfilewiththefollowingsetting:

net: ssl: FIPSMode: true

Startmongodormongosinstancewithaconfigurationfile.

mongod --config /etc/mongod.conf

DefaultValue:

Notconfigured

References:

1. https://docs.mongodb.com/v3.2/tutorial/configure-fips/

CISControls:

14.2–EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.

14.5–EncryptatRestSensitiveInformationSensitiveinformationstoredonsystemsshallbeencryptedatrestandrequireasecondaryauthenticationmechanism,notintegratedintotheoperatingsystem,inordertoaccesstheinformation.

34|P a g e

5Auditing

ThissectioncontainsrecommendationsrelatedtoconfiguringauditlogginginMongoDB.

5.1Ensurethatsystemactivityisaudited(Scored)

Description:

Trackaccessandchangestodatabaseconfigurationsanddata.MongoDBEnterpriseincludesasystemauditingfacilitythatcanrecordsystemevents(e.g.useroperations,connectionevents)onaMongoDBinstance.Theseauditrecordspermitforensicanalysisandallowadministratorstoverifypropercontrols.

Rationale:

Systemlevellogscanbehandywhiletroubleshootinganoperationalproblemorhandlingasecurityincident.

Audit:

ToverifythatsystemactivityisbeingauditedforMongoDB,runthefollowingcommandtoconfirmtheauditLog.destinationvalueissetcorrectly:

cat /etc/mongod.conf |grep –A4 "auditLog" | grep "destination"

Remediation:

SetthevalueofauditLog.destinationtotheappropriatevaluefromthefollowingoptions:

syslog

Toenableauditingandprintauditeventstosyslog

mongod --dbpath data/db --auditDestination syslog

console

Toenableauditingandprintauditeventstostandardoutput(i.e.,stdout)

mongod --dbpath data/db --auditDestination console

35|P a g e

JsonFile

ToenableauditingandprintauditeventstoafileinJSONformat.PrintingauditeventstofileinJSONformatdegradesserverperformancemorethanprintingtoafileinBSONformat.

mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json

BsonFile

ToenableauditingandprintauditeventstoafileinBSONbinaryformat

mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson

DefaultValue:

Notconfigured

References:

1. http://docs.mongodb.org/manual/tutorial/configure-auditing/

CISControls:

6.2–EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.

36|P a g e

5.2Ensurethatauditfiltersareconfiguredproperly(Scored)

Description:

MongoDBEnterprisesupportsauditingofvariousoperations.Whenenabled,theauditfacility,bydefault,recordsallauditableoperationsasdetailedinAuditEventActions,Details,andResults.Tospecifywhicheventstorecord,theauditfeatureincludesthe--auditFilteroption.ThischeckisonlyforEnterpriseeditions.

Rationale:

Alloperationscarriedoutonthedatabasearelogged.Thishelpsinbacktrackingandtracinganyincidentthatoccurs.

Audit:

ToverifythatauditfiltersareconfiguredonMongoDBaspertheorganization’srequirements,runthefollowingcommand:

cat /etc/mongod.conf |grep –A10 "auditLog" | grep "filter"

Remediation:

Settheauditfiltersbasedontheorganization’srequirements.

DefaultValue:

Notconfigured

References:

1. https://docs.mongodb.com/manual/reference/audit-message/ 2. https://docs.mongodb.com/manual/tutorial/configure-audit-filters/

37|P a g e

CISControls:

38|P a g e

5.3Ensurethatloggingcapturesasmuchinformationaspossible(NotScored)

Description:

TheSystemLog.quietoptionstopsloggingofinformationsuchas:

• connection events • authentication events • replication sync activities • evidence of some potentially impactful commands being run (eg: drop, dropIndexes,

validate)

Thisinformationshouldbeloggedwheneverpossible.ThischeckisonlyforEnterpriseeditions.

Rationale:

TheuseofSystemLog.quietmakestroubleshootingproblemsandinvestigatingpossiblesecurityincidentsmuchmoredifficult.

Audit:

ToverifythattheSystemLog.quietoptionisdisabled(valueofFalse),runthefollowingcommand:

cat /etc/mongod.conf |grep "SystemLog.quiet"

Remediation:

SetSystemLog.quiettoFalseinthe/etc/mongod.conffiletodisableit.

References:

1. https://docs.mongodb.com/manual/reference/configuration-options/#systemLog.quiet

39|P a g e

CISControls:

40|P a g e

5.4Ensurethatnewentriesareappendedtotheendofthelogfile(NotScored)

Description:

Bydefault,newlogentrieswilloverwriteoldentriesafterarestartofthemongodorMongolsservice.EnablingthesystemLog.logAppendsettingcausesnewentriestobeappendedtotheendofthelogfileratherthanoverwritingtheexistingcontentofthelogwhenthemongosormongodinstancerestarts.

Rationale:

Allowingoldentriestobeoverwrittenbynewentriesinsteadofappendingnewentriestotheendofthelogmaydestroyoldlogdatathatisneededforavarietyofpurposes.

Audit:

Toverifythatnewlogentrieswillbeappendedtotheendofthelogfileafterarestart(systemLog.logAppendvaluesettotrue),runthefollowingcommand:

cat /etc/mongod.conf |grep "systemLog.logAppend"

Remediation:

Set systemLog.logAppendtotrueinthe/etc/mongod.conffile.

References:

1. https://docs.mongodb.com/manual/reference/configuration-options/#systemLog.logAppend

CISControls:

6.3–EnsureAuditLoggingSystemsAreNotSubjecttoLoss(i.e.rotation/archive)Ensurethatallsystemsthatstorelogshaveadequatestoragespaceforthelogsgeneratedonaregularbasis,sothatlogfileswillnotfillupbetweenlogrotationintervals.Thelogsmustbearchivedanddigitallysignedonaperiodicbasis.

41|P a g e

6OperatingSystemHardening

ThissectioncontainsrecommendationsrelatedtohardeningtheoperatingsystemrunningbelowMongoDB.

6.1MongodbDatabaseRunningwithLeastPrivileges(Scored)

Description:

Thissettingensuresthatmonogdservicerunasleastprivilegeuser.

Rationale:

Anyonewhohasbeenavictimofviruses,worms,andothermalicioussoftware(malware)willappreciatethesecurityprincipleof“leastprivilege.”Ifallprocessesranwiththesmallestsetofprivilegesneededtoperformtheuser'stasks,itwouldbemoredifficultformaliciousandannoyingsoftwaretoinfectamachineandpropagatetoothermachines.

Audit:

ConnectMongoDBService

mongod --port 27017 --dbpath /data/db1

Itwillhighlightiftheserviceisrunningasrootprivilegeornot.

Remediation:

CreateauserwhichisonlyusedforrunningMongodbanddirectlyrelatedprocesses.Thisusermustnothaveadministrativerightstothesystem.

Stepstocreateuser

useradd -m -d /home/mongodb -s /bin/bash -g mongodb -u 1234 mongodb

Andthensetownershiptomongodbuseronly

sudo chown -R mongodb:mongodb /data/db

42|P a g e

CISControls:

43|P a g e

6.2EnsurethatMongoDBusesanon-defaultport(Scored)

Description:

ChangingtheportusedbyMongoDBmakesitharderforattackerstofindthedatabaseandtargetit.

Rationale:

Standardportsareusedinautomatedattacksandbyattackerstoverifywhichapplicationsarerunningonaserver.

Audit:

ToverifytheportnumberusedbyMongoDB,executethefollowingcommandandensurethattheportnumberisnot27017:

cat /etc/mongod.conf |grep “port”

Remediation:

ChangetheportforMongoDBservertoanumberotherthan27017.

Impact:

HackersfrequentlyscanIPaddressesforcommonlyusedports,soit'snotuncommontouseadifferentportto"flyundertheradar".Thisisjusttoavoiddetection,otherthanthatthereisnoaddedsafetybyusingadifferentport.

References:

1. https://docs.mongodb.com/manual/reference/default-mongodb-port/

CISControls:

9 – LimitationandControlofNetworkPorts,Protocols,andServices

44|P a g e

6.3EnsurethatoperatingsystemresourcelimitsaresetforMongoDB(NotScored)

Description:

Operatingsystemsprovidewaystolimitandcontroltheusageofsystemresourcessuchasthreads,files,andnetworkconnectionsonaper-processandper-userbasis

Rationale:

Theseulimitspreventasingleuserfromconsumingtoomanysystemresources.

Audit:

ToverifytheresourcelimitssetforMongoDB,runthefollowingcommands.

ExtracttheprocessIDforMongoDB:

ps -ef|grep mongod

Viewthelimitsassociatedwiththatprocessnumber:

cat /proc/1322/limits

Remediation:

Everydeploymentmayhaveuniquerequirementsandsettings.RecommendedthresholdsandsettingsareparticularlyimportantforMongoDBdeployments:

• f (file size): unlimited • t (cpu time): unlimited • v (virtual memory): unlimited [1] • n (open files): 64000 • m (memory size): unlimited [1] [2] • u (processes/threads): 64000

Restartthemongodandmongosinstancesafterchangingtheulimitsettingstoensurethatthechangestakeeffect.

45|P a g e

DefaultValue:

Notconfigured

References:

1. https://docs.mongodb.com/manual/reference/ulimit/#recommended-ulimit-settings

46|P a g e

6.4Ensurethatserver-sidescriptingisdisabledifnotneeded(NotScored)

Description:

MongoDBsupportstheexecutionofJavaScriptcodeforcertainserver-sideoperations:mapReduce,group,and$where.Ifyoudonotusetheseoperations,server-sidescriptingshouldbedisabled.

Rationale:

Ifserver-sidescriptingisnotneededandisnotdisabled,thisintroducesunnecessaryriskthatanattackermaytakeadvantageofinsecurecoding.

Audit:

Ifserver-sidescriptingisnotrequired,verifythatitisdisabled(javascriptEnabledvalueoffalse)usingthefollowingcommand:

cat /etc/mongod.conf |grep –A10 "security" | grep "javascriptEnabled"

Remediation:

Ifserver-sidescriptingisnotrequired,disableitbyusingthe--noscriptingoptiononthecommandline.

DefaultValue:

Enabled

CISControls:

18.9–SanitizeDeployedSoftwareofDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

47|P a g e

6.5EnsureThe'test'databaseisnotinstalled(NotScored)

Description:

ThedefaultMongoDBinstallationcomeswithanunuseddatabasecalled'test'.Itisrecommendedthatthetestdatabasebedropped.

Rationale:

Thetestdatabasecanbeaccessedbyallusersandcanbeusedtoconsumesystemresources.DroppingthetestdatabasewillreducetheattacksurfaceoftheMongoDBserver.

Audit:

Executethefollowingquerytodetermineifthetestdatabaseispresent:

show dbs

Remediation:

Executethefollowingcommandmongoshelltodropthetestdatabase:

use test

db.dropDatabase()

CISControls:

18.9–SanitizeDeployedSoftwareofDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.

48|P a g e

7FilePermissions

Thissectionprovidesrecommendationsforsettingpermissionsforthekeyfileandthedatabasefile.

7.1Ensurethatkeyfilepermissionsaresetcorrectly(Scored)

Description:

Thekeyfileisusedforauthenticationintheshardedcluster.Implementingproperfilepermissionsonthekeyfilewillpreventunauthorizedaccesstoit.

Rationale:

ProtectingthekeyfilestrengthensauthenticationintheshardedclusterandpreventsunauthorizedaccesstotheMongoDBdatabase.

Audit:

ToverifythepermissionsfortheMongoDBkeyfile,runthefollowingcommand:

cat /etc/mongod.conf | grep “keyFile=”

Remediation:

SetthekeyFileownershiptomongodbuserandremoveotherpermissionsbyexecutingthesecommands:

chmod 600 /keyfile sudo chown mongodb:mongodb /keyfile

49|P a g e

DefaultValue:

Notconfigured

References:

1. https://docs.mongodb.com/v3.0/tutorial/enable-internal-authentication/

CISControls:

16.14–Encrypt/HashAllAuthenticationFilesandMonitorTheirAccessVerifythatallauthenticationfilesareencryptedorhashedandthatthesefilescannotbeaccessedwithoutrootoradministratorprivileges.Auditallaccesstopasswordfilesinthesystem.

50|P a g e

7.2Ensurethatdatabasefilepermissionsaresetcorrectly(Scored)

Description:

MongoDBdatabasefilesneedtobeprotectedusingfilepermissions.

Rationale:

Thiswillrestrictunauthorizedusersfromaccessingthedatabase.

Audit:

ToverifythatthepermissionsfortheMongoDBdatabasefileareconfiguredsecurely,runthefollowingcommands.

Findoutthedatabaselocationusingthefollowingcommand:

cat /etc/mongod.conf |grep "dbpath"

Usethedatabaselocationaspartofthefollowingcommandtoviewandverifythepermissionssetforthedatabasefile:

ls –l /var/lib/mongodb

Remediation:

Setownershipofthedatabasefiletomongodbuserandremoveotherpermissionsusingthefollowingcommands:

chmod 600 /var/lib/mongodb sudo chown mongodb:mongodb /var/lib/mongodb

DefaultValue:

Notconfigured

CISControls:

51|P a g e

Appendix:SummaryTableControl Set

Correctly Yes No

1 Installation and Patching 1.1 Ensure the appropriate MongoDB software version/patches are

installed (Scored) o o

2 Authentication 2.1 Ensure that authentication is enabled for MongoDB databases

(Scored) o o

2.2 Ensure that MongoDB does not bypass authentication via the localhost exception (Scored) o o

2.3 Ensure authentication is enabled in the sharded cluster (Scored) o o 2.4 Ensure an industry standard authentication mechanism is used

(Scored) o o

3 Access Control 3.1 Ensure that role-based access control is enabled and configured

appropriately (Scored) o o

3.2 Ensure that MongoDB only listens for network connections on authorized interfaces (Scored) o o

3.3 Ensure that MongoDB is run using a non-privileged, dedicated service account (Scored) o o

3.4 Ensure that each role for each MongoDB database is needed and grants only the necessary privileges (Scored) o o

3.5 Review User-Defined Roles (Scored) o o 3.6 Review Superuser/Admin Roles (Scored) o o 4 Data Encryption 4.1 Ensure TLS or SSL protects all network communications

(Scored) o o

4.2 Ensure Federal Information Processing Standard (FIPS) is enabled (Scored) o o

5 Auditing 5.1 Ensure that system activity is audited (Scored) o o 5.2 Ensure that audit filters are configured properly (Scored) o o 5.3 Ensure that logging captures as much information as possible

(Not Scored) o o

5.4 Ensure that new entries are appended to the end of the log file (Not Scored) o o

6 Operating System Hardening 6.1 Mongodb Database Running with Least Privileges (Scored) o o 6.2 Ensure that MongoDB uses a non-default port (Scored) o o

52|P a g e

6.3 Ensure that operating system resource limits are set for MongoDB (Not Scored) o o

6.4 Ensure that server-side scripting is disabled if not needed (Not Scored) o o

6.5 Ensure The 'test' database is not installed (Not Scored) o o 7 File Permissions 7.1 Ensure that key file permissions are set correctly (Scored) o o 7.2 Ensure that database file permissions are set correctly (Scored) o o

53|P a g e

Appendix:ChangeHistoryDate Version Changes for this version 06-06-2017 1.0.0 Initial Release

CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB...

Documents

CIS Cisco Firewall Benchmark

CIS Cisco Firewall Benchmark v2.2.0

MongoDB/Cassandra - csuohio.educis.csuohio.edu/~sschung/cis612/Lecture_Notes_MongoDB_Cassandr… · MongoDB/Cassandra SUNNIE CHUNG CIS 612. MongoDB ... MongoDB’shigh availability

Comparing Couchbase Server 3.0.2 with MongoDB 3.0: Benchmark

CIS Solaris 10 Benchmark v5.0.0

CIS Oracle 11g Benchmark v1.1.0

CIS Checkpoint Benchmark v1.0

CIS Configuration Assessment Tool CIS-CAT · CIS Slackware Linux 10.2 Benchmark v1.1.0 CIS SUSE Linux Enterprise Server 9 Benchmark v1.0.0 ... NOTE: Those benchmarks denoted with

CIS Microsoft Office 2007 Benchmark v1.0.0

CIS Cisco Firewall Benchmark v2.0

CIS Cisco IOS Branch Benchmark v1.0.0

CIS Oracle Benchmark v2.01

CIS Apache Benchmark v2.1

Plugin-CIS Apache Tomcat Benchmark v1.0.0

CIS Cisco IOS Benchmark v3.0.1

CIS MongoDB Benchmark v1.0.0-CC...4 | Page Overview This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture for MongoDB

CIS Microsoft Windows Server 2003 Benchmark v3.1.0 - … · CIS Microsoft Windows Server 2003 Benchmark v3.1.0 - 12-03-2013

CIS Juniper JunOS Benchmark v1.0.1

CIS Solaris 11 Benchmark v1.0.0

CIS Win2003 DC Benchmark v2.0