Embed Size (px)
Citation preview
CISMongoDB3.4Benchmark
v1.0.0-06-28-2017
1|P a g e
TheCISSecurityBenchmarksdivisionprovidesconsensus-orientedinformationsecurityproducts,services,tools,metrics,suggestions,andrecommendations(the“SBProducts”)asapublicservicetoInternetusersworldwide.DownloadingorusingSBProductsinanywaysignifiesandconfirmsyouracceptanceofandyourbindingagreementtotheseCISSecurityBenchmarksTermsofUse.
CISSECURITYBENCHMARKSTERMSOFUSE
BOTHCISSECURITYBENCHMARKSDIVISIONMEMBERSANDNON-MEMBERSMAY:• Download,install,anduseeachoftheSBProductsonasinglecomputer,and/or• PrintoneormorecopiesofanySBProductthatisina.txt,.pdf,.doc,.mcw,or.rtfformat,butonlyifeachsuchcopyisprintedin
itsentiretyandiskeptintact,includingwithoutlimitationthetextoftheseCISSecurityBenchmarksTermsofUse.
UNDERTHEFOLLOWINGTERMSANDCONDITIONS:• SBProductsProvidedAsIs.CISisprovidingtheSBProducts“asis”and“asavailable”without:(1)anyrepresentations,
warranties,orcovenantsofanykindwhatsoever(includingtheabsenceofanywarrantyregarding:(a)theeffectorlackofeffectofanySBProductontheoperationorthesecurityofanynetwork,system,software,hardware,oranycomponentofanyofthem,and(b)theaccuracy,utility,reliability,timeliness,orcompletenessofanySBProduct);or(2)theresponsibilitytomakeornotifyyouofanycorrections,updates,upgrades,orfixes.
• IntellectualPropertyandRightsReserved.YouarenotacquiringanytitleorownershiprightsinortoanySBProduct,andfulltitleandallownershiprightstotheSBProductsremaintheexclusivepropertyofCIS.AllrightstotheSBProductsnotexpresslygrantedintheseTermsofUseareherebyreserved.
• Restrictions.Youacknowledgeandagreethatyoumaynot:(1)decompile,dis-assemble,alter,reverseengineer,orotherwiseattempttoderivethesourcecodeforanysoftwareSBProductthatisnotalreadyintheformofsourcecode;(2)distribute,redistribute,sell,rent,lease,sublicenseorotherwisetransferorexploitanyrightstoanySBProductinanywayorforanypurpose;(3)postanySBProductonanywebsite,bulletinboard,ftpserver,newsgroup,orothersimilarmechanismordevice;(4)removefromoraltertheseCISSecurityBenchmarksTermsofUseonanySBProduct;(5)removeoralteranyproprietarynoticesonanySBProduct;(6)useanySBProductoranycomponentofanSBProductwithanyderivativeworksbaseddirectlyonanSBProductoranycomponentofanSBProduct;(7)useanySBProductoranycomponentofanSBProductwithotherproductsorapplicationsthataredirectlyandspecificallydependentonsuchSBProductoranycomponentforanypartoftheirfunctionality;(8)representorclaimaparticularlevelofcomplianceorconsistencywithanySBProduct;or(9)facilitateorotherwiseaidotherindividualsorentitiesinviolatingtheseCISSecurityBenchmarksTermsofUse.
• YourResponsibilitytoEvaluateRisks.Youacknowledgeandagreethat:(1)nonetwork,system,device,hardware,software,orcomponentcanbemadefullysecure;(2)youhavethesoleresponsibilitytoevaluatetherisksandbenefitsoftheSBProductstoyourparticularcircumstancesandrequirements;and(3)CISisnotassuminganyoftheliabilitiesassociatedwithyouruseofanyoralloftheSBProducts.
• CISLiability.YouacknowledgeandagreethatneitherCISnoranyofitsemployees,officers,directors,agentsorotherserviceprovidershasorwillhaveanyliabilitytoyouwhatsoever(whetherbasedincontract,tort,strictliabilityorotherwise)foranydirect,indirect,incidental,consequential,orspecialdamagesthatariseoutoforareconnectedinanywaywithyouruseofanySBProduct.
• Indemnification.Youagreetoindemnify,defend,andholdCISandallofCIS'semployees,officers,directors,agentsandotherserviceprovidersharmlessfromandagainstanyliabilities,costsandexpensesincurredbyanyoftheminconnectionwithyourviolationoftheseCISSecurityBenchmarksTermsofUse.
• Jurisdiction.Youacknowledgeandagreethat:(1)theseCISSecurityBenchmarksTermsofUsewillbegovernedbyandconstruedinaccordancewiththelawsoftheStateofMaryland;(2)anyactionatlaworinequityarisingoutoforrelatingtotheseCISSecurityBenchmarksTermsofUseshallbefiledonlyinthecourtslocatedintheStateofMaryland;and(3)youherebyconsentandsubmittothepersonaljurisdictionofsuchcourtsforthepurposesoflitigatinganysuchaction.
• U.S.ExportControlandSanctionslaws.RegardingyouruseoftheSBProductswithanynon-U.S.entityorcountry,youacknowledgethatitisyourresponsibilitytounderstandandabidebyallU.S.sanctionsandexportcontrollawsassetfromtimetotimebytheU.S.BureauofIndustryandSecurity(BIS)andtheU.S.OfficeofForeignAssetsControl(OFAC).
SPECIALRULESFORCISMEMBERORGANIZATIONS:CISreservestherighttocreatespecialrulesfor:(1)CISMembers;and(2)Non-MemberorganizationsandindividualswithwhichCIShasawrittencontractualrelationship.CISherebygrantstoeachCISMemberOrganizationingoodstandingtherighttodistributetheSBProductswithinsuchMember'sownorganization,whetherbymanualorelectronicmeans.EachsuchMemberOrganizationacknowledgesandagreesthattheforegoinggrantsinthisparagrapharesubjecttothetermsofsuchMember'smembershiparrangementwithCISandmay,therefore,bemodifiedorterminatedbyCISatanytime.
2|P a g e
TableofContentsOverview......................................................................................................................................................................4
IntendedAudience..............................................................................................................................................4
ConsensusGuidance...........................................................................................................................................4
TypographicalConventions............................................................................................................................5
ScoringInformation............................................................................................................................................5
ProfileDefinitions................................................................................................................................................6
Acknowledgements.............................................................................................................................................7
Recommendations....................................................................................................................................................8
1InstallationandPatching..............................................................................................................................8
1.1EnsuretheappropriateMongoDBsoftwareversion/patchesareinstalled(Scored)..........................................................................................................................................................8
2Authentication................................................................................................................................................10
2.1EnsurethatauthenticationisenabledforMongoDBdatabases(Scored)..............10
2.2EnsurethatMongoDBdoesnotbypassauthenticationviathelocalhostexception(Scored).......................................................................................................................................................12
2.3Ensureauthenticationisenabledintheshardedcluster(Scored)............................14
2.4Ensureanindustrystandardauthenticationmechanismisused(Scored)...........16
3AccessControl................................................................................................................................................18
3.1Ensurethatrole-basedaccesscontrolisenabledandconfiguredappropriately(Scored).......................................................................................................................................................18
3.2EnsurethatMongoDBonlylistensfornetworkconnectionsonauthorizedinterfaces(Scored).................................................................................................................................20
3.3EnsurethatMongoDBisrunusinganon-privileged,dedicatedserviceaccount(Scored).......................................................................................................................................................22
3.4EnsurethateachroleforeachMongoDBdatabaseisneededandgrantsonlythenecessaryprivileges(Scored)............................................................................................................24
3.5ReviewUser-DefinedRoles(Scored)......................................................................................26
3.6ReviewSuperuser/AdminRoles(Scored)............................................................................28
4DataEncryption.............................................................................................................................................30
4.1EnsureTLSorSSLprotectsallnetworkcommunications(Scored)..........................30
3|P a g e
4.2EnsureFederalInformationProcessingStandard(FIPS)isenabled(Scored).....32
5Auditing.............................................................................................................................................................34
5.1Ensurethatsystemactivityisaudited(Scored)................................................................34
5.2Ensurethatauditfiltersareconfiguredproperly(Scored)..........................................36
5.3Ensurethatloggingcapturesasmuchinformationaspossible(NotScored)......38
5.4Ensurethatnewentriesareappendedtotheendofthelogfile(NotScored)....40
6OperatingSystemHardening...................................................................................................................42
6.1MongodbDatabaseRunningwithLeastPrivileges(Scored).......................................42
6.2EnsurethatMongoDBusesanon-defaultport(Scored)...............................................43
6.3EnsurethatoperatingsystemresourcelimitsaresetforMongoDB(NotScored).........................................................................................................................................................................44
6.4Ensurethatserver-sidescriptingisdisabledifnotneeded(NotScored)..............46
7FilePermissions.............................................................................................................................................47
7.1Ensurethatkeyfilepermissionsaresetcorrectly(Scored).........................................47
7.2Ensurethatdatabasefilepermissionsaresetcorrectly(Scored).............................49
Appendix:SummaryTable................................................................................................................................51
Appendix:ChangeHistory.................................................................................................................................53
4|P a g e
OverviewThisdocument,CISMongoDB3.4Benchmark,providesprescriptiveguidanceforestablishingasecureconfigurationpostureforMongoDBversion3.4.ThisguidewastestedagainstMongoDB3.4runningonUbuntuLinux14.04,butappliestootherLinuxdistributionsaswell,andWindowsServer2012.Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,[email protected].
IntendedAudience
Thisdocumentisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnelwhoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateMongoDB.
ConsensusGuidance
Thisbenchmarkwascreatedusingaconsensusreviewprocesscomprisedofsubjectmatterexperts.Consensusparticipantsprovideperspectivefromadiversesetofbackgroundsincludingconsulting,softwaredevelopment,auditandcompliance,securityresearch,operations,government,andlegal.
EachCISbenchmarkundergoestwophasesofconsensusreview.Thefirstphaseoccursduringinitialbenchmarkdevelopment.Duringthisphase,subjectmatterexpertsconvenetodiscuss,create,andtestworkingdraftsofthebenchmark.Thisdiscussionoccursuntilconsensushasbeenreachedonbenchmarkrecommendations.Thesecondphasebeginsafterthebenchmarkhasbeenpublished.Duringthisphase,allfeedbackprovidedbytheInternetcommunityisreviewedbytheconsensusteamforincorporationinthebenchmark.Ifyouareinterestedinparticipatingintheconsensusprocess,pleasevisithttps://community.cisecurity.org.
5|P a g e
TypographicalConventions
Thefollowingtypographicalconventionsareusedthroughoutthisguide:
Convention Meaning
Stylized Monospace font Usedforblocksofcode,command,andscriptexamples.Textshouldbeinterpretedexactlyaspresented.
Monospacefont Usedforinlinecode,commands,orexamples.Textshouldbeinterpretedexactlyaspresented.
<italicfontinbrackets> Italictextssetinanglebracketsdenoteavariablerequiringsubstitutionforarealvalue.
Italicfont Usedtodenotethetitleofabook,article,orotherpublication.
Note Additionalinformationorcaveats
ScoringInformation
Ascoringstatusindicateswhethercompliancewiththegivenrecommendationimpactstheassessedtarget'sbenchmarkscore.Thefollowingscoringstatusesareusedinthisbenchmark:
Scored
Failuretocomplywith"Scored"recommendationswilldecreasethefinalbenchmarkscore.Compliancewith"Scored"recommendationswillincreasethefinalbenchmarkscore.
NotScored
Failuretocomplywith"NotScored"recommendationswillnotdecreasethefinalbenchmarkscore.Compliancewith"NotScored"recommendationswillnotincreasethefinalbenchmarkscore.
6|P a g e
ProfileDefinitions
ThefollowingconfigurationprofilesaredefinedbythisBenchmark:
• Level1
ItemsinthisprofileapplytoMongoDBrunningonLinuxorWindowsandintendto:
o bepracticalandprudent;o provideaclearsecuritybenefit;ando notinhibittheutilityofthetechnologybeyondacceptablemeans.
• Level2
Thisprofileextendsthe“Level1”profile.ItemsinthisprofileapplytoMongoDBrunningonLinuxorWindowsandexhibitoneormoreofthefollowingcharacteristics:
o areintendedforenvironmentsorusecaseswheresecurityisparamounto actsasdefenseindepthmeasureo maynegativelyinhibittheutilityorperformanceofthetechnology.
7|P a g e
Acknowledgements
Thisbenchmarkexemplifiesthegreatthingsacommunityofusers,vendors,andsubjectmatterexpertscanaccomplishthroughconsensuscollaboration.TheCIScommunitythankstheentireconsensusteamwithspecialrecognitiontothefollowingindividualswhocontributedgreatlytothecreationofthisguide:
AuthorVineshRedkar,SecurityConsultantContributorChrisBielinski,SpiderLabsResearch,TrustwavePhilippeLanglois,CenterforInternetSecurityPralhadChaskarEditorKarenScarfoneTimHarrisonCISSP,ICP,CenterforInternetSecurity
8|P a g e
Recommendations1InstallationandPatching
ThissectionprovidesguidanceonensuringthattheMongoDBsoftwareisuptodatetoeliminateeasilyavoidablevulnerabilities.
1.1EnsuretheappropriateMongoDBsoftwareversion/patchesareinstalled(Scored)
ProfileApplicability:
• Level1
Description:
TheMongoDBinstallationversion,alongwiththepatchlevel,shouldbethemostrecentthatiscompatiblewiththeorganization'soperationalneeds.
Rationale:
UsingthemostrecentMongoDBsoftwareversionalongwithallapplicablepatcheshelpslimitthepossibilitiesforvulnerabilitiesinthesoftware.Theinstallationversionand/orpatchesappliedshouldbeselectedaccordingtotheneedsoftheorganization.Atminimum,thesoftwareversionshouldbesupported.
NotethatasofJune2017,onlyMongoDBversions3.0/3.2/3.4arestillsupported.
Audit:
OnUbuntu:
RunthefollowingcommandfromwithintheMongoDBshelltodetermineiftheMongoDBsoftwareversioncomplieswithyourorganization’soperationalneeds:
> db.version()
OnWindows:
NavigatetoInstallationdirectoryofMongoDBonserverandrunbelowcommand
mongod.exe --version
9|P a g e
Remediation:
UpgradetothelatestversionoftheMongoDBsoftware:
1. Backupthedataset.2. DownloadthebinariesforthelatestMongoDBrevisionfromtheMongoDB
DownloadPageandstorethebinariesinatemporarylocation.ThebinariesdownloadascompressedfilesthatextracttothedirectorystructureusedbytheMongoDBinstallation.
3. ShutdowntheMongoDBinstance.4. ReplacetheexistingMongoDBbinarieswiththedownloadedbinaries.5. RestarttheMongoDBinstance.
DefaultValue:
Patchesarenotinstalledbydefault.
References:
1. http://docs.mongodb.org/manual/tutorial/upgrade-revision/ 2. https://docs.mongodb.com/manual/release-notes/3. https://www.mongodb.com/download-center#community4. https://www.mongodb.com/support-policy
CISControls:
4–ContinuousVulnerabilityAssessmentandRemediation
10|P a g e
2Authentication
ThissectioncontainsrecommendationsforrequiringauthenticationbeforeallowingaccesstotheMongoDBdatabase.
2.1EnsurethatauthenticationisenabledforMongoDBdatabases(Scored)
ProfileApplicability:
• Level1
Description:
Thissettingensuresthatallclients,users,and/orserversarerequiredtoauthenticatepriortobeinggrantedaccesstotheMongoDBdatabase.
Rationale:
Failuretoauthenticateclients,users,and/orserverscanenableunauthorizedaccesstotheMongoDBdatabaseandcanpreventtracingactionsbacktotheirsources.
Audit:
Runthefollowingcommandtoverifywhetherauthenticationisenabled(AuthvaluesettoTrue)ontheMongoDBserver.
OnUbuntu:
cat /etc/mongod.conf | grep “Auth=”
OnWindows:
type mongod.conf | findstr “Auth=”
Remediation:
TheauthenticationmechanismshouldbeimplementedbeforeanyoneaccessestheMongoDBServer.
Toenabletheauthenticationmechanism:
• StarttheMongoDBinstancewithoutauthentication.
mongod --port 27017 --dbpath /data/db1
11|P a g e
Or
mongod.exe --port 27017 --dbpath db1
• Createthesystemuseradministrator,ensuringthatitspasswordmeetsorganizationally-definedpasswordcomplexityrequirements.
use admin db.createUser( { user: "siteUserAdmin", pwd: "password", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } )
• RestarttheMongoDBinstancewithauthenticationenabled.
mongod --auth --config /etc/mongod.conf
Or
mongod.exe --auth --config mongod.conf
DefaultValue:
Notconfigured
References:
1. https://www.mongodb.com/blog/post/improved-password-based-authentication-mongodb-30-scram-explained-part-1
2. https://www.owasp.org/index.php/Authentication_Cheat_Sheet
CISControls:
16–AccountMonitoringandControl
12|P a g e
2.2EnsurethatMongoDBdoesnotbypassauthenticationviathelocalhostexception(Scored)
ProfileApplicability:
• Level1
Description:
MongoDBshouldnotbesettobypassauthenticationviathelocalhostexception.Thelocalhostexceptionallowsyoutoenableauthorizationbeforecreatingthefirstuserinthesystem.
Note:ThisrecommendationonlyapplieswhentherearenouserscreatedintheMongoDBinstance.
Rationale:
DisablingthisexceptionwillpreventunauthorizedlocalaccesstotheMongoDBdatabase.Itwillalsoensuretraceabilityofeachdatabaseactivitytoaspecificuser.
Audit:
Toverifythelocalhostexceptionisdisabled,runthefollowingcommandtoensurethatenableLocalhostAuthBypassissettofalse:
OnUbuntu:
cat /etc/mongod.conf |grep "enableLocalhostAuthBypass"
OnWindows:
type mongod.conf | findstr "enableLocalhostAuthBypass"
Remediation:
SinceenableLocalhostAuthBypassisnotavailableusingthesetParameterdatabasecommand,usethesetParameteroptionintheconfigurationfiletosetittofalse.
setParameter: enableLocalhostAuthBypass: false
DefaultValue:
Notconfigured
13|P a g e
References:
1. http://docs.mongodb.org/manual/core/authentication/#localhost-exception
Notes:
The--setParameteroptiononthecommandlinemayalsobeusedtoconfigurethis;however,havingitintheconfigfilemayprovidegreaterconfidencethatthissettingisconfiguredcorrectlyineveryinstance.
CISControls:
16–AccountMonitoringandControl
14|P a g e
2.3Ensureauthenticationisenabledintheshardedcluster(Scored)
ProfileApplicability:
• Level1
Description:
Authenticationisenabledinashardedclusterwhenkeyfilesarecreatedandconfiguredforallcomponents.Thisensuresthateveryclientthataccessestheclustermustprovidecredentials,toincludeMongoDBinstancesthataccesseachotherwithinthecluster.
Rationale:
EnforcingakeyonashardedclusterpreventsunauthorizedaccesstotheMongoDBdatabaseandprovidestraceabilityofdatabaseactivitiestoaspecificuserorcomponent.
Audit:
Runthefollowingcommandtoverifythatthekeyfileparameterisconfigured:
OnUbuntu:
cat /etc/mongod.conf | grep “keyFile=”
OnWindows:
type mongod.conf | findstr “keyFile”
Remediation:
Toenableauthenticationintheshardedcluster,performthefollowingsteps:
• GenerateAKeyFile• Oneachcomponentinthesharedcluster,enableauthenticationbydoingoneofthe
following:o Intheconfigurationfile/etc/mongod.conf,setthekeyFileoptiontothekey
file’spathandthenstartthecomponentwiththiscommand:
keyFile = /srv/mongodb/keyfile
• Whenstartingthecomponent,set--keyFileoption,whichisanoptionforbothmongosinstancesandmongodinstances.Setthe--keyFiletothekeyfile’spath.
DefaultValue:
Notconfigured
15|P a g e
References:
1. http://docs.mongodb.org/v2.2/administration/sharded-clusters/
CISControls:
16–AccountMonitoringandControl
16|P a g e
2.4Ensureanindustrystandardauthenticationmechanismisused(Scored)
ProfileApplicability:
• Level2
Description:
UsingoneormoreindustrystandardauthenticationmechanismshelpsorganizationsenforcetheiraccountandpasswordpoliciesfortheirMongoDBusers.
Rationale:
Withoutanindustrystandardauthenticationmechanisminplace,accountandpasswordmanagementismoretedious,andauthenticationmaynotalignwiththeorganization'spolicies.
Audit:
ToverifytheauthenticationmechanisminuseforMongoDB,runthefollowingcommands:
OnUbuntu:
cat /etc/mongod.conf | grep “clusterAuthMode:” cat /etc/mongod.conf | grep “mode:” cat /etc/mongod.conf | grep “authorization:" cat /etc/mongod.conf | grep “authenticationMechanisms:”
OnWindows:
type mongod.conf | findstr “clusterAuthMode:” type mongod.conf | findstr “mode:” type mongod.conf | findstr “authorization:" type mongod.conf | findstr “authenticationMechanisms:”
17|P a g e
Remediation:
Inordertoimplementanindustrystandardauthenticationmechanism,usethecorrespondingsamplefromthelistbelowasamodelforspecifyingtheauthenticationmechanismsintheMongoDBconfigurationfile.
x.509CertificatesforClientAuthentication:
security: clusterAuthMode: x509 net: ssl: mode: requireSSL PEMKeyFile: <path to TLS/SSL certificate and key PEM file> CAFile: <path to root CA PEM file>
SeethereferencesectionforalinktoadetailedprocedureforgeneratingthePEMKeyFileandCAFile.
MongoDBwithKerberosAuthenticationonLinux:
security: authorization: enabled setParameter: authenticationMechanisms: GSSAPI storage: dbPath: /opt/mongodb/data
SeethereferencesectionforalinktoadetailedprocedureforestablishingtheKerberosserviceprincipalandkeytabfile.
References:
1. https://docs.mongodb.com/v3.2/tutorial/configure-x509-client-authentication/2. https://docs.mongodb.com/v3.2/tutorial/control-access-to-mongodb-with-kerberos-
authentication/3. https://docs.mongodb.com/v3.2/core/kerberos/#kerberos-service-principal4. https://docs.mongodb.com/v3.2/core/kerberos/#keytab-files
Notes:
ConfiguringtheX.509certificateanddeployingKerberosisbeyondthescopeofthedocument.
CISControls:
16–AccountMonitoringandControl
18|P a g e
3AccessControl
ThissectioncontainsrecommendationsforrestrictingaccesstoMongoDBsystems.
3.1Ensurethatrole-basedaccesscontrolisenabledandconfiguredappropriately(Scored)
ProfileApplicability:
• Level1
Description:
Role-basedaccesscontrol(RBAC)isamethodofregulatingaccesstoresourcesbasedontherolesofindividualuserswithinanenterprise.Auserisgrantedoneormorerolesthatdeterminetheuser’saccesstodatabaseresourcesandoperations.Outsideofroleassignments,theuserhasnoaccesstothesystem.MongoDBcanuseRBACtogovernaccesstoMongoDBsystems.MongoDBdoesnotenableauthorizationbydefault.
Rationale:
Whenproperlyimplemented,RBACenablesuserstocarryoutawiderangeofauthorizedtasksbydynamicallyregulatingtheiractionsaccordingtoflexiblefunctions.Thisallowsanorganizationtocontrolemployees’accesstoalldatabasetablesthroughRBAC.
Audit:
ConnecttoMongoDBwiththeappropriateprivilegesandrunthefollowingcommand:
mongo --port 27017 -u <siteUserAdmin> -p <password> --authenticationDatabase <database name>
Identifyusers'rolesandprivileges:
> db.getUser() > db.getRole()
Verifythattheappropriateroleorroleshavebeenconfiguredforeachuser.
19|P a g e
Remediation:
1. EstablishrolesforMongoDB.2. Assigntheappropriateprivilegestoeachrole.3. Assigntheappropriateuserstoeachrole.4. Removeanyindividualprivilegesassignedtousersthatarenowaddressedbythe
roles.5. SeethereferencebelowformoreInformation.
References:
1. http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/
CISControls:
14.4–ProtectInformationwithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
20|P a g e
3.2EnsurethatMongoDBonlylistensfornetworkconnectionsonauthorizedinterfaces(Scored)
ProfileApplicability:
• Level1
Description:
EnsuringthatMongoDBrunsinatrustednetworkenvironmentinvolveslimitingthenetworkinterfacesonwhichMongoDBinstanceslistenforincomingconnections.AnyuntrustednetworkconnectionsshouldbedroppedbyMongoDB.
Rationale:
Thisconfigurationblocksconnectionsfromuntrustednetworks,leavingonlysystemsonauthorizedandtrustednetworksabletoattempttoconnecttotheMongoDB.Ifnotconfigured,thismayleadtounauthorizedconnectionsfromuntrustednetworkstoMongoDB.
Audit:
OnUbuntu:
1. Verifythatnetworkexposureislimited,reviewthesettingsintheMongoDBconfigurationfile:
cat /etc/mongod.conf |grep –A12 “net” | grep “bindIp"
2. VerifytherelevantnetworksettingsontheLinuxsystemitself:
iptables –L
OnWindows:
type mongod.conf | findstr “bindIp"
Remediation:
ConfiguretheMongoDBconfigurationfiletolimititsexposuretoonlythenetworkinterfacesonwhichMongoDBinstancesshouldlistenforincomingconnections.
DefaultValue:
Notconfigured
21|P a g e
References:
1. http://docs.mongodb.org/manual/tutorial/configure-linux-iptables-firewall/2. http://docs.mongodb.org/manual/tutorial/configure-windows-netsh-firewall/
CISControls:
9.1–LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
22|P a g e
3.3EnsurethatMongoDBisrunusinganon-privileged,dedicatedserviceaccount(Scored)
ProfileApplicability:
• Level1
Description:
TheMongoDBserviceshouldnotberunusingaprivilegedaccountsuchas'root'becausethisunnecessarilyexposestheoperatingsystemtohighrisk.
Rationale:
Usinganon-privileged,dedicatedserviceaccountrestrictsthedatabasefromaccessingthecriticalareasoftheoperatingsystemwhicharenotrequiredbytheMongoDB.Thiswillalsomitigatethepotentialforunauthorizedaccessviaacompromised,privilegedaccountontheoperatingsystem.
Audit:
Runthefollowingcommandtogetlistingofallmongoinstances,thePIDnumber,andthePIDowner.
ps -ef | grep -E "mongos|mongod"
Remediation:
1. CreateadedicateduserforperformingMongoDBdatabaseactivity.2. SettheDatabasedatafiles,thekeyfile,andtheSSLprivatekeyfilestoonlybe
readablebythemongod/mongosuser.3. Setthelogfilestoonlybewritablebythemongod/mongosuserandreadableonly
byroot.
23|P a g e
DefaultValue:
Notconfigured
References:
1. http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/
CISControls:
5.1–MinimizeandSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.
24|P a g e
3.4EnsurethateachroleforeachMongoDBdatabaseisneededandgrantsonlythenecessaryprivileges(Scored)
ProfileApplicability:
• Level2
Description:
Reviewingallrolesperiodicallyandeliminatingunneededrolesaswellasunneededprivilegesfromnecessaryroleshelpsminimizetheprivilegesthateachuserhas.
Rationale:
Althoughrole-basedaccesscontrol(RBAC)hasmanyadvantagesforregulatingaccesstoresources,overtimesomerolesmaynolongerbeneeded,andsomerolesmaygrantprivilegesthatarenolongerneeded.
Audit:
Performthefollowingcommandtoviewallrolesonthedatabaseonwhichthecommandruns,includingbothbuilt-inanduser-definedroles,aswellastheprivilegesgrantedbyeachrole.Ensurethatonlynecessaryrolesarelistedandonlythenecessaryprivilegesarelistedforeachrole.
db.runCommand( { rolesInfo: 1, showPrivileges: true, showBuiltinRoles: true } )
Remediation:
Torevokespecifiedprivilegesfromtheuser-definedroleonthedatabasewherethecommandisrun.TherevokePrivilegesFromRolecommandhasthefollowingsyntax:
{ revokePrivilegesFromRole: "<role>", privileges: [ { resource: { <resource> }, actions: [ "<action>", ... ]}, ... ], }
25|P a g e
References:
1. https://docs.mongodb.com/v3.2/reference/method/db.revokePrivilegesFromRole/2. https://docs.mongodb.com/v3.2/reference/command/revokePrivilegesFromRole/#dbcmd.r
evokePrivilegesFromRole
Notes:
YoumusthavethedropRoleactiononadatabasetodroparolefromthatdatabase.
CISControls:
14.4–ProtectInformationwithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
26|P a g e
3.5ReviewUser-DefinedRoles(Scored)
ProfileApplicability:
• Level2
Description:
Reviewingallrolesperiodicallyandremovingallusersfromthoseroleswhodonotneedtobelongtothemhelpsminimizetheprivilegesthateachuserhas.
Rationale:
Althoughrole-basedaccesscontrol(RBAC)hasmanyadvantagesforregulatingaccesstoresources,overtimesomeusersmaybeassignedtorolesthatarenolongernecessary,suchasauserchangingjobswithintheorganization.Userswhohaveexcessiveprivilegesposeunnecessaryrisktotheorganization.
Audit:
Checkeachroleforeachdatabaseusingoneofthefollowingcommands.
Tospecifyarolefromthecurrentdatabase,specifytherolebyitsname:
db.runCommand( { rolesInfo: "<rolename>" } )
Tospecifyarolefromanotherdatabase,specifytherolebyadocumentthatspecifiestheroleanddatabase:
db.runCommand( { rolesInfo: { role: "<rolename>", db: "<database>" } } )
Remediation:
Toremoveauserfromoneormorerolesonthecurrentdatabase,usethefollowingcommand:
use <dbName> db.revokeRolesFromUser( "<username>", [ <roles> ])
27|P a g e
References:
1. https://docs.mongodb.com/manual/reference/method/db.revokeRolesFromUser/2. https://docs.mongodb.com/manual/reference/command/rolesInfo/3. https://docs.mongodb.com/manual/reference/privilege-actions/#authr.revokeRole
Notes:
Logged-inusermusthavetherevokeRoleactiononadatabasetorevokearoleonthatdatabase.Also,roleInfoworksforbothuser-definedrolesandbuilt-inroles.
CISControls:
16.1–PerformRegularAccountReviewsReviewallsystemaccountsanddisableanyaccountthatcannotbeassociatedwithabusinessprocessandowner.
28|P a g e
3.6ReviewSuperuser/AdminRoles(Scored)
ProfileApplicability:
• Level2
Description:
Rolesprovideseveraladvantagesthatmakeiteasiertomanageprivilegesinadatabasesystem.Securityadministratorscancontrolaccesstotheirdatabasesinawaythatmirrorsthestructureoftheirorganizations(theycancreaterolesinthedatabasethatmapdirectlytothejobfunctionsintheirorganizations).Theassignmentofprivilegesissimplified.Insteadofgrantingthesamesetofprivilegestoeachindividualuserinaparticularjobfunction,theadministratorcangrantthissetofprivilegestoarolerepresentingthatjobfunctionandthengrantthatroletoeachuserinthatjobfunction.
Rationale:
ReviewingtheSuperuser/Adminroleswithinadatabasehelpsminimizethepossibilityofprivilegedunwantedaccess.
Audit:
Superuserrolesprovidetheabilitytoassignanyuseranyprivilegeonanydatabase,whichmeansthatuserswithoneoftheserolescanassignthemselvesanyprivilegeonanydatabase:
db.runCommand( { rolesInfo: "dbOwner" } ) db.runCommand( { rolesInfo: "userAdmin" } ) db.runCommand( { rolesInfo: "userAdminAnyDatabase" } )
RootroleprovidesaccesstotheoperationsandalltheresourcesofthereadWriteAnyDatabase,dbAdminAnyDatabase,userAdminAnyDatabase,clusterAdminroles,restorecombined.
db.runCommand( { rolesInfo: "readWriteAnyDatabase" } ) db.runCommand( { rolesInfo: "dbAdminAnyDatabase" } ) db.runCommand( { rolesInfo: "userAdminAnyDatabase" } ) db.runCommand( { rolesInfo: "clusterAdmin" } )
ClusterAdministrationRolesareusedforadministeringthewholesystemratherthanjustasingledatabase.
db.runCommand( { rolesInfo: "hostManager" } )
29|P a g e
Remediation:
Toremoveauserfromoneormorerolesonthecurrentdatabase.
use <dbName> db.revokeRolesFromUser( "<username>", [ <roles> ])
References:
1. https://docs.mongodb.com/v3.0/reference/built-in-roles/#built-in-roles2. https://docs.mongodb.com/manual/reference/method/db.revokeRolesFromUser/
CISControls:
5.1–MinimizeandSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.
16.1–PerformRegularAccountReviewsReviewallsystemaccountsanddisableanyaccountthatcannotbeassociatedwithabusinessprocessandowner.
30|P a g e
4DataEncryption
Thissectioncontainsrecommendationsforsecuringdataatrest(stored)anddatainmotion(transiting)forMongoDB.
4.1EnsureTLSorSSLprotectsallnetworkcommunications(Scored)
ProfileApplicability:
• Level1
Description:
UseTLSorSSLtoprotectallincomingandoutgoingconnections.ThisshouldincludeusingTLSorSSLtoencryptcommunicationbetweenmongodandmongoscomponentsofaMongoDBclientaswellasbetweenallapplicationsandMongoDB.
MostMongoDBdistributionsincludesupportforSSLorTLS.
Rationale:
ThispreventssniffingofcleartexttrafficbetweenMongoDBcomponentsorperformingaman-in-the-middleattackforMongoDB.
Audit:
ToverifythattheserverrequiresSSLorTLSuse(net.ssl.modevaluesettorequireSSL),runoneofthefollowingcommands:
OnUbuntu:
cat /etc/mongos.conf | grep –A20 ‘net’ | grep –A10 ‘ssl’ | grep ‘mode’
OnWindows:
type mongos.conf | findstr –A20 ‘net’ | findstr –A10 ‘ssl’ | findstr ‘mode’
Remediation:
ConfigureMongoDBserverstorequiretheuseofSSLorTLStoencryptallMongoDBnetworkcommunications.
ToimplementSSLorTLStoencryptallMongoDBnetworkcommunication,performthefollowingsteps:
Formongod(“PrimarydaemonprocessfortheMongoDBsystem”)
31|P a g e
Intheconfigurationfile/etc/mongod.conf,setthePEMKeyFileoptiontothecertificatefile’spathandthenstartthecomponentwiththiscommand:
ssl: mode: requireSSL PEMKeyFile: /etc/ssl/mongodb.pem CAFile: /etc/ssl/ca.pem
Andrestartmonogdbinstancewith
mongod --config /etc/mongod.conf
Or
mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca.pem
DefaultValue:
Notconfigured
References:
1. http://docs.mongodb.org/manual/tutorial/configure-ssl/
Notes:
Value Description
disabled TheserverdoesnotuseTLS/SSL.
allowSSL ConnectionsbetweenserversdonotuseTLS/SSL.Forincomingconnections,theserveracceptsbothTLS/SSLandnon-TLS/non-SSL.
preferSSL ConnectionsbetweenserversuseTLS/SSL.Forincomingconnections,theserveracceptsbothTLS/SSLandnon-TLS/non-SSL.
requireSSL TheserverusesandacceptsonlyTLS/SSLencryptedconnections.
CISControls:
14.2–EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
32|P a g e
4.2EnsureFederalInformationProcessingStandard(FIPS)isenabled(Scored)
ProfileApplicability:
• Level1
Description:
TheFederalInformationProcessingStandard(FIPS)isacomputersecuritystandardusedtocertifysoftwaremodulesandlibrariesthatencryptanddecryptdatasecurely.YoucanconfigureMongoDBtorunwithaFIPS140-2certifiedlibraryforOpenSSL.
Rationale:
FIPSisindustrystandardthatdictateshowdatashouldbeencryptedinrestandduringtransmission.
Audit:
OnUbuntu:
ToverifythattheserverusesFIPSMode(net.ssl.FIPSModevaluesettotrue),runfollowingcommands:
mongos --config /etc/mongos.conf net: ssl: FIPSMode: true
or
ToverifyFIPSmodeisrunning,checktheserverlogfileforamessagethatFIPSisactive:
FIPS 140-2 mode activated
OnWindows:
CheckFIPSModeistrue
type mongod.conf | findstr “FIPSMode"
33|P a g e
Remediation:
ConfiguringFIPSmode,ensurethatyourcertificateisFIPScompliant.RunmongodormongosinstanceinFIPSmode.
Makechangestoconfigurationfile,toconfigureyourmongodormongosinstancetouseFIPSmode,shutdowntheinstanceandupdatetheconfigurationfilewiththefollowingsetting:
net: ssl: FIPSMode: true
Startmongodormongosinstancewithaconfigurationfile.
mongod --config /etc/mongod.conf
DefaultValue:
Notconfigured
References:
1. https://docs.mongodb.com/v3.2/tutorial/configure-fips/
CISControls:
14.2–EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
14.5–EncryptatRestSensitiveInformationSensitiveinformationstoredonsystemsshallbeencryptedatrestandrequireasecondaryauthenticationmechanism,notintegratedintotheoperatingsystem,inordertoaccesstheinformation.
34|P a g e
5Auditing
ThissectioncontainsrecommendationsrelatedtoconfiguringauditlogginginMongoDB.
5.1Ensurethatsystemactivityisaudited(Scored)
ProfileApplicability:
• Level1
Description:
Trackaccessandchangestodatabaseconfigurationsanddata.MongoDBEnterpriseincludesasystemauditingfacilitythatcanrecordsystemevents(e.g.useroperations,connectionevents)onaMongoDBinstance.Theseauditrecordspermitforensicanalysisandallowadministratorstoverifypropercontrols.
Rationale:
Systemlevellogscanbehandywhiletroubleshootinganoperationalproblemorhandlingasecurityincident.
Audit:
ToverifythatsystemactivityisbeingauditedforMongoDB,runthefollowingcommandtoconfirmtheauditLog.destinationvalueissetcorrectly:
OnUbuntu:
cat /etc/mongod.conf |grep –A4 "auditLog" | grep "destination"
OnWindows:
type mongod.conf | findstr –A4 "auditLog" | findstr "destination"
Remediation:
SetthevalueofauditLog.destinationtotheappropriatevaluefromthefollowingoptions:
syslog
Toenableauditingandprintauditeventstosyslog
mongod --dbpath data/db --auditDestination syslog
console
35|P a g e
Toenableauditingandprintauditeventstostandardoutput(i.e.,stdout)
mongod --dbpath data/db --auditDestination console
JsonFile
ToenableauditingandprintauditeventstoafileinJSONformat.PrintingauditeventstofileinJSONformatdegradesserverperformancemorethanprintingtoafileinBSONformat.
mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json
BsonFile
ToenableauditingandprintauditeventstoafileinBSONbinaryformat
mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson
DefaultValue:
Notconfigured
References:
1. http://docs.mongodb.org/manual/tutorial/configure-auditing/
CISControls:
6.2–EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
36|P a g e
5.2Ensurethatauditfiltersareconfiguredproperly(Scored)
ProfileApplicability:
• Level1
Description:
MongoDBEnterprisesupportsauditingofvariousoperations.Whenenabled,theauditfacility,bydefault,recordsallauditableoperationsasdetailedinAuditEventActions,Details,andResults.Tospecifywhicheventstorecord,theauditfeatureincludesthe--auditFilteroption.ThischeckisonlyforEnterpriseeditions.
Rationale:
Alloperationscarriedoutonthedatabasearelogged.Thishelpsinbacktrackingandtracinganyincidentthatoccurs.
Audit:
ToverifythatauditfiltersareconfiguredonMongoDBaspertheorganization’srequirements,runthefollowingcommand:
OnUbuntu:
cat /etc/mongod.conf |grep –A10 "auditLog" | grep "filter"
OnWindows:
type mongod.conf | findstr –A10 "auditLog" | findstr "filter"
Remediation:
Settheauditfiltersbasedontheorganization’srequirements.
DefaultValue:
Notconfigured
37|P a g e
References:
1. https://docs.mongodb.com/manual/reference/audit-message/2. https://docs.mongodb.com/manual/tutorial/configure-audit-filters/
CISControls:
6.2– EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
38|P a g e
5.3Ensurethatloggingcapturesasmuchinformationaspossible(NotScored)
ProfileApplicability:
• Level2
Description:
TheSystemLog.quietoptionstopsloggingofinformationsuchas:
• connectionevents• authenticationevents• replicationsyncactivities• evidenceofsomepotentiallyimpactfulcommandsbeingrun(eg:drop,dropIndexes,
validate)
Thisinformationshouldbeloggedwheneverpossible.ThischeckisonlyforEnterpriseeditions.
Rationale:
TheuseofSystemLog.quietmakestroubleshootingproblemsandinvestigatingpossiblesecurityincidentsmuchmoredifficult.
Audit:
ToverifythattheSystemLog.quietoptionisdisabled(valueoffalse),runthefollowingcommand:
OnUbuntu:
cat /etc/mongod.conf |grep "SystemLog.quiet"
OnWindows:
type mongod.conf | findstr "SystemLog.quiet"
Remediation:
SetSystemLog.quiettofalseinthe/etc/mongod.conffiletodisableit.
39|P a g e
References:
1. https://docs.mongodb.com/manual/reference/configuration-options/#systemLog.quiet
CISControls:
6.2–EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
40|P a g e
5.4Ensurethatnewentriesareappendedtotheendofthelogfile(NotScored)
ProfileApplicability:
• Level2
Description:
Bydefault,newlogentrieswilloverwriteoldentriesafterarestartofthemongodorMongolsservice.EnablingthesystemLog.logAppendsettingcausesnewentriestobeappendedtotheendofthelogfileratherthanoverwritingtheexistingcontentofthelogwhenthemongosormongodinstancerestarts.
Rationale:
Allowingoldentriestobeoverwrittenbynewentriesinsteadofappendingnewentriestotheendofthelogmaydestroyoldlogdatathatisneededforavarietyofpurposes.
Audit:
Toverifythatnewlogentrieswillbeappendedtotheendofthelogfileafterarestart(systemLog.logAppendvaluesettotrue),runthefollowingcommand:
OnUbuntu:
cat /etc/mongod.conf | grep "systemLog.logAppend"
OnWindows:
type mongod.conf | findstr "systemLog.logAppend"
Remediation:
Set systemLog.logAppendtotrueinthe/etc/mongod.conffile.
41|P a g e
References:
1. https://docs.mongodb.com/manual/reference/configuration-options/#systemLog.logAppend
CISControls:
6.3–EnsureAuditLoggingSystemsAreNotSubjecttoLoss(i.e.rotation/archive)Ensurethatallsystemsthatstorelogshaveadequatestoragespaceforthelogsgeneratedonaregularbasis,sothatlogfileswillnotfillupbetweenlogrotationintervals.Thelogsmustbearchivedanddigitallysignedonaperiodicbasis.
42|P a g e
6OperatingSystemHardening
ThissectioncontainsrecommendationsrelatedtohardeningtheoperatingsystemrunningbelowMongoDB.
6.1MongodbDatabaseRunningwithLeastPrivileges(Scored)
ProfileApplicability:
• Level1
Description:
Thissettingensuresthatmonogdservicerunasleastprivilegeuser.
Rationale:
Anyonewhohasbeenavictimofviruses,worms,andothermalicioussoftware(malware)willappreciatethesecurityprincipleof“leastprivilege.”Ifallprocessesranwiththesmallestsetofprivilegesneededtoperformtheuser'stasks,itwouldbemoredifficultformaliciousandannoyingsoftwaretoinfectamachineandpropagatetoothermachines.
Audit:
ConnectMongoDBService
mongod --port 27017 --dbpath /data/db1
Itwillhighlightiftheserviceisrunningasrootprivilegeornot.
Remediation:
CreateauserwhichisonlyusedforrunningMongodbanddirectlyrelatedprocesses.Thisusermustnothaveadministrativerightstothesystem.Stepstocreateuser
useradd -m -d /home/mongodb -s /bin/bash -g mongodb -u 1234 mongodb
Andthensetownershiptomongodbuseronly
sudo chown -R mongodb:mongodb /data/db
CISControls:
5.1–MinimizeandSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.
43|P a g e
6.2EnsurethatMongoDBusesanon-defaultport(Scored)
ProfileApplicability:
• Level1
Description:
ChangingtheportusedbyMongoDBmakesitharderforattackerstofindthedatabaseandtargetit.
Rationale:
Standardportsareusedinautomatedattacksandbyattackerstoverifywhichapplicationsarerunningonaserver.
Audit:
ToverifytheportnumberusedbyMongoDB,executethefollowingcommandandensurethattheportnumberisnot27017:
OnUbuntu:
cat /etc/mongod.conf |grep “port”
OnWindows:
type mongod.conf | findstr “port”
Remediation:
ChangetheportforMongoDBservertoanumberotherthan27017.
Impact:
HackersfrequentlyscanIPaddressesforcommonlyusedports,soit'snotuncommontouseadifferentportto"flyundertheradar".Thisisjusttoavoiddetection,otherthanthatthereisnoaddedsafetybyusingadifferentport.
References:
1. https://docs.mongodb.com/manual/reference/default-mongodb-port/
CISControls:
9–LimitationandControlofNetworkPorts,Protocols,andServices
44|P a g e
6.3EnsurethatoperatingsystemresourcelimitsaresetforMongoDB(NotScored)
ProfileApplicability:
• Level2
Description:
Operatingsystemsprovidewaystolimitandcontroltheusageofsystemresourcessuchasthreads,files,andnetworkconnectionsonaper-processandper-userbasis
Rationale:
Theseulimitspreventasingleuserfromconsumingtoomanysystemresources.
Audit:
ToverifytheresourcelimitssetforMongoDB,runthefollowingcommands.
ExtracttheprocessIDforMongoDB:
ps -ef|grep mongod
Viewthelimitsassociatedwiththatprocessnumber:
cat /proc/1322/limits
Remediation:
Everydeploymentmayhaveuniquerequirementsandsettings.RecommendedthresholdsandsettingsareparticularlyimportantforMongoDBdeployments:
• f(filesize):unlimited• t(cputime):unlimited• v(virtualmemory):unlimited[1]• n(openfiles):64000• m(memorysize):unlimited[1][2]• u(processes/threads):64000
Restartthemongodandmongosinstancesafterchangingtheulimitsettingstoensurethatthechangestakeeffect.
45|P a g e
DefaultValue:
Notconfigured
References:
1. https://docs.mongodb.com/manual/reference/ulimit/#recommended-ulimit-settings
46|P a g e
6.4Ensurethatserver-sidescriptingisdisabledifnotneeded(NotScored)
ProfileApplicability:
• Level2
Description:
MongoDBsupportstheexecutionofJavaScriptcodeforcertainserver-sideoperations:mapReduce,group,and$where.Ifyoudonotusetheseoperations,server-sidescriptingshouldbedisabled.
Rationale:
Ifserver-sidescriptingisnotneededandisnotdisabled,thisintroducesunnecessaryriskthatanattackermaytakeadvantageofinsecurecoding.
Audit:
Ifserver-sidescriptingisnotrequired,verifythatitisdisabled(javascriptEnabledvalueoffalse)usingthefollowingcommand:
OnUbuntu:
cat /etc/mongod.conf | grep –A10 "security" | grep "javascriptEnabled"
OnWindows:
type mongod.conf | findstr –A10 "security" | findstr "javascriptEnabled"
Remediation:
Ifserver-sidescriptingisnotrequired,disableitbyusingthe--noscriptingoptiononthecommandline.
DefaultValue:
Enabled
CISControls:
18.9–SanitizeDeployedSoftwareofDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.
47|P a g e
7FilePermissions
Thissectionprovidesrecommendationsforsettingpermissionsforthekeyfileandthedatabasefile.
7.1Ensurethatkeyfilepermissionsaresetcorrectly(Scored)
ProfileApplicability:
• Level1
Description:
Thekeyfileisusedforauthenticationintheshardedcluster.Implementingproperfilepermissionsonthekeyfilewillpreventunauthorizedaccesstoit.
Rationale:
ProtectingthekeyfilestrengthensauthenticationintheshardedclusterandpreventsunauthorizedaccesstotheMongoDBdatabase.
Audit:
ToverifythepermissionsfortheMongoDBkeyfile,runthefollowingcommand:
cat /etc/mongod.conf | grep “keyFile:”
OnWindows:
type mongod.conf | findstr “keyFile:”
Remediation:
SetthekeyFileownershiptomongodbuserandremoveotherpermissionsbyexecutingthesecommands:
chmod 600 /keyfile sudo chown mongodb:mongodb /keyfile
48|P a g e
DefaultValue:
Notconfigured
References:
1. https://docs.mongodb.com/v3.0/tutorial/enable-internal-authentication/
CISControls:
16.14–Encrypt/HashAllAuthenticationFilesandMonitorTheirAccessVerifythatallauthenticationfilesareencryptedorhashedandthatthesefilescannotbeaccessedwithoutrootoradministratorprivileges.Auditallaccesstopasswordfilesinthesystem.
49|P a g e
7.2Ensurethatdatabasefilepermissionsaresetcorrectly(Scored)
ProfileApplicability:
• Level1
Description:
MongoDBdatabasefilesneedtobeprotectedusingfilepermissions.
Rationale:
Thiswillrestrictunauthorizedusersfromaccessingthedatabase.
Audit:
ToverifythatthepermissionsfortheMongoDBdatabasefileareconfiguredsecurely,runthefollowingcommands.
Findoutthedatabaselocationusingthefollowingcommand:
OnUbuntu:
cat /etc/mongod.conf |grep "dbpath"
OnWindows:
type mongod.conf | findstr "dbpath"
Usethedatabaselocationaspartofthefollowingcommandtoviewandverifythepermissionssetforthedatabasefile:
ls –l /var/lib/mongodb
Remediation:
Setownershipofthedatabasefiletomongodbuserandremoveotherpermissionsusingthefollowingcommands:
chmod 660 /var/lib/mongodb sudo chown mongodb:mongodb /var/lib/mongodb
50|P a g e
DefaultValue:
Notconfigured
CISControls:
14.4–ProtectInformationwithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
51|P a g e
Appendix:SummaryTableControl Set
CorrectlyYes No
1 InstallationandPatching1.1 EnsuretheappropriateMongoDBsoftwareversion/patches
areinstalled(Scored) o o
2 Authentication2.1 EnsurethatauthenticationisenabledforMongoDBdatabases
(Scored) o o
2.2 EnsurethatMongoDBdoesnotbypassauthenticationviathelocalhostexception(Scored) o o
2.3 Ensureauthenticationisenabledintheshardedcluster(Scored) o o
2.4 Ensureanindustrystandardauthenticationmechanismisused(Scored) o o
3 AccessControl3.1 Ensurethatrole-basedaccesscontrolisenabledand
configuredappropriately(Scored) o o
3.2 EnsurethatMongoDBonlylistensfornetworkconnectionsonauthorizedinterfaces(Scored) o o
3.3 EnsurethatMongoDBisrunusinganon-privileged,dedicatedserviceaccount(Scored) o o
3.4 EnsurethateachroleforeachMongoDBdatabaseisneededandgrantsonlythenecessaryprivileges(Scored) o o
3.5 ReviewUser-DefinedRoles(Scored) o o3.6 ReviewSuperuser/AdminRoles(Scored) o o4 DataEncryption4.1 EnsureTLSorSSLprotectsallnetworkcommunications
(Scored) o o
4.2 EnsureFederalInformationProcessingStandard(FIPS)isenabled(Scored) o o
5 Auditing5.1 Ensurethatsystemactivityisaudited(Scored) o o5.2 Ensurethatauditfiltersareconfiguredproperly(Scored) o o5.3 Ensurethatloggingcapturesasmuchinformationaspossible
(NotScored) o o
5.4 Ensurethatnewentriesareappendedtotheendofthelogfile(NotScored) o o
6 OperatingSystemHardening6.1 MongodbDatabaseRunningwithLeastPrivileges(Scored) o o
52|P a g e
6.2 EnsurethatMongoDBusesanon-defaultport(Scored) o o6.3 Ensurethatoperatingsystemresourcelimitsaresetfor
MongoDB(NotScored) o o
6.4 Ensurethatserver-sidescriptingisdisabledifnotneeded(NotScored) o o
7 FilePermissions7.1 Ensurethatkeyfilepermissionsaresetcorrectly(Scored) o o7.2 Ensurethatdatabasefilepermissionsaresetcorrectly
(Scored) o o
53|P a g e
Appendix:ChangeHistoryDate Version Changesforthisversion
06-29-2017 1.0.0 InitialRelease
