{"stig":{"title":"MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide","version":"1","release":"1"},"checks":[{"vulnId":"V-279331","ruleId":"SV-279331r1179501_rule","severity":"low","ruleTitle":"MongoDB must limit the total number of concurrent connections to the database.","description":"Database management includes the ability to control the number of users and user sessions utilizing a DBMS. Unlimited concurrent connections to the DBMS could allow a successful denial-of-service (DoS) attack by exhausting connection resources; and a system can also fail or be degraded by an overload of legitimate users. Limiting the number of concurrent sessions per user is helpful in reducing these risks.\n\nThis requirement addresses concurrent session control for the total number of sessions across all accounts.\n\n(Sessions may also be referred to as connections or logons, which for the purposes of this requirement are synonyms.)","checkContent":"Mongo can limit the total number of connections.\n\nVerify the MongoDB configuration file (default location: /etc/mongod.conf) contains the following:\n\nnet:\n maxIncomingConnections: %int% \n\nIf this parameter is not present, or the OS is not used to limit connections, this is a finding.","fixText":"MongoDB can limit the total number of connections served by the mongod process by setting the following in the MongoDB configuration file (default location: /etc/mongod.conf):\n\nnet:\n maxIncomingConnections: %int% \n\nRefer to the following documentation: \nhttps://www.mongodb.com/docs/manual/reference/configuration-options/\n\nProducts outside of MongoDB can be used to monitor database sessions and limit the maximum number of connections that can be made. \n\nAlternatively, most Unix-like operating systems, including Linux and macOS, provide ways to limit and control the usage of system resources such as threads, files, and network connections on a per-process and per-user basis. \n\nThese ulimits prevent single users from using too many system resources. \n\nThe following is the MongoDB documentation regarding these user limits: https://www.mongodb.com/docs/manual/reference/ulimit/.","ccis":["CCI-000054"]},{"vulnId":"V-279332","ruleId":"SV-279332r1179502_rule","severity":"high","ruleTitle":"MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.","description":"Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization.\n\nA comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attention are consistently and promptly addressed. \n\nExamples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in noncentralized account stores, such as multiple servers. Account management functions can also include assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example, using email or text messaging to notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephone notification to report atypical system account usage.\n\nThe DBMS must be configured to automatically use organization-level account management functions, and these functions must immediately enforce the organization's current account policy. \n\nAutomation may comprise differing technologies, which when placed together, contain an overall mechanism supporting an organization's automated account management requirements.","checkContent":"Verify that the MongoDB configuration file (default location /etc/mongod.conf) contains the following:\n\nsecurity:\n authorization: \"enabled\"\n\nIf using OIDC for human users:\n\nVerify the MongoDB configuration file (default location: /etc/mongod.conf) contains the following:\n\nsetParameter:\n authenticationMechanisms: \"MONGODB-OIDC\"\n oidcIdentityProviders: [ {\n issuer: \"\",\n audience: \"<>\",\n matchPattern: \"<>\",\n JWKSPollSecs: \"<>\"\n } ]\n\nIf this parameter is not present, this is a finding.\n\nRefer to Security OIDC/OAuth 2.0 configuration documentation for additional details: \nhttps://www.mongodb.com/docs/manual/core/oidc/security-oidc/","fixText":"Edit the MongoDB configuration file (default location /etc/mongod.conf) to include the following:\n\nsecurity:\n authorization: \"enabled\"\n\nThis will enable SCRAM-SHA-256 authentication (default).\n\nInstruction on configuring the default authentication is provided here: \nhttps://www.mongodb.com/docs/v8.0/tutorial/enable-authentication/\n\nThe high-level steps described by the above will require the following:\n\n1. Start MongoDB without access control.\n2. Connect to the instance.\n3. Create the user administrator.\n4. Restart the MongoDB instance with access control.\n5. Connect and authenticate as the user administrator.\n6. Create additional users as needed for the deployment.\n \nFor OIDC, edit the MongoDB configuration file (default location /etc/mongod.conf) to include the following:\n\nsetParameter:\n authenticationMechanisms: \"MONGODB-OIDC\"\n oidcIdentityProviders: [ {\n issuer: \"\",\n audience: \"<>\",\n matchPattern: \"<>\",\n JWKSPollSecs: \"<>\"\n } ]\n\nConfiguration information for OIDC for MongoDB can be found here: https://www.mongodb.com/docs/manual/core/oidc/workforce/configure-oidc/#std-label-configure-oidc.\n\nConfiguration information for OAuth 2.0 for MongoDB can be found here: https://www.mongodb.com/docs/manual/core/oidc/workload/configure-mongodb-workload/#std-label-configure-mongodb-workload.","ccis":["CCI-000015"]},{"vulnId":"V-279333","ruleId":"SV-279333r1179443_rule","severity":"high","ruleTitle":"MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.","description":"Authentication with a DOD-approved PKI certificate does not necessarily imply authorization to access the DBMS. To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems, including databases, must be properly configured to implement access control policies. \n\nSuccessful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. \n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. \n\nThis requirement is applicable to access control enforcement applications, a category that includes database management systems. If the DBMS does not follow applicable policy when approving access, it may be in conflict with networks or other applications in the information system. This may result in users either gaining or being denied access inappropriately and in conflict with applicable policy.","checkContent":"The MongoDB administrator must ensure that additional application access control is enforced.\n\nReview the system documentation to determine the required levels of protection for MongoDB server securables by type of login. \n\nReview the permissions actually in place on the server.\n\nRun the command to view roles and privileges in a particular :\n\nuse \ndb.getRoles(\n {\n rolesInfo: 1,\n showPrivileges: true,\n showBuiltinRoles: true\n }\n)\n\nIf the permissions do not match the documented requirements, this is a finding.","fixText":"Use the following statements to add and remove permissions on MongoDB server securables, bringing them in line with the documented requirements:\n\ncreateRole(), \nupdateRole(), \ndropRole(), \ngrantRolesToUser()\n\nMongoDB commands for role management can be found here:\nhttps://www.mongodb.com/docs/v8.0/reference/method/js-role-management/","ccis":["CCI-000213"]},{"vulnId":"V-279334","ruleId":"SV-279334r1179504_rule","severity":"medium","ruleTitle":"MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the DBMS (e.g., process, module). Certain specific application functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDOD has defined the list of events for which the DBMS will provide an audit record generation capability as the following: \n\n(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n(ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities, or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and\n\n(iii) All account creation, modification, disabling, and termination actions.\n\nOrganizations may define additional events requiring continuous or ad hoc auditing.\n\nSatisfies: SRG-APP-000080-DB-000063, SRG-APP-000089-DB-000064, SRG-APP-000090-DB-000065, SRG-APP-000091-DB-000066, SRG-APP-000091-DB-000325, SRG-APP-000092-DB-000208, SRG-APP-000095-DB-000039, SRG-APP-000096-DB-000040, SRG-APP-000097-DB-000041, SRG-APP-000098-DB-000042, SRG-APP-000099-DB-000043, SRG-APP-000100-DB-000201, SRG-APP-000101-DB-000044, SRG-APP-000381-DB-000361, SRG-APP-000492-DB-000332, SRG-APP-000492-DB-000333, SRG-APP-000494-DB-000344, SRG-APP-000494-DB-000345, SRG-APP-000495-DB-000326, SRG-APP-000495-DB-000327, SRG-APP-000495-DB-000328, SRG-APP-000495-DB-000329, SRG-APP-000496-DB-000334, SRG-APP-000496-DB-000335, SRG-APP-000498-DB-000346, SRG-APP-000498-DB-000347, SRG-APP-000499-DB-000330, SRG-APP-000499-DB-000331, SRG-APP-000501-DB-000336, SRG-APP-000501-DB-000337, SRG-APP-000502-DB-000348, SRG-APP-000502-DB-000349, SRG-APP-000503-DB-000350, SRG-APP-000503-DB-000351, SRG-APP-000504-DB-000354, SRG-APP-000504-DB-000355, SRG-APP-000505-DB-000352, SRG-APP-000506-DB-000353, SRG-APP-000507-DB-000356, SRG-APP-000507-DB-000357, SRG-APP-000508-DB-000358, SRG-APP-000745-DB-000120, SRG-APP-000795-DB-000130","checkContent":"Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named \"auditLog:\". \n \nExamples shown below:\n \nauditLog:\n destination: file\n format: BSON\n path: /auditLog.bson\n filter: '{ atype: { $in: [ \"createCollection\", \"dropCollection\" ] } }'\n \n-OR-\n\nauditLog:\n destination: syslog\n \nIf an \"auditLog:\" key is not present, this is a finding.\n \nIf the \"auditLog:\" key is present, ensure the subkey of \"destination:\" is set to either \"file\" or \"syslog\". If not, this is a finding.\n \nIf the \"auditLog:\" key is present and contains a subkey of \"filter:\", ensure the filter is valid. If the filter is invalid, this is a finding. \n \nThe site auditing policy must be reviewed to determine if the \"filter:\" being applied meets the site auditing requirements. If not, this is a finding.\n \nCheck the MongoDB configuration file (default location: /etc/mongod.conf) for the following entry:\n\nsetParameter: \n auditAuthorizationSuccess: true\n\nIf this setParameter entry does not have \"auditAuthorizationSuccess: true\", this is a finding.","fixText":"Edit the MongoDB configuration file (default location /etc/mongod.conf) and add a configured \"auditLog\" setting:\n \nauditLog:\n destination: file\n format: BSON\n path: /auditLog.bson\n \n-OR-\n\nauditLog:\n destination: syslog\n \nAdd the following entry to the MongoDB configuration file:\n \nsetParameter: \n auditAuthorizationSuccess: true\n \nRestart the MongoDB service from the OS.\n \n$ sudo systemctl restart mongod\n \nSetting of auditAuthorizationSuccess enables auditing of authorization success for the authCheck action. The parameter value must be true to audit read and write operations. However, when auditAuthorizationSuccess is false, auditing has less performance impact because the audit system only logs authorization failures.\n \nIf the \"auditLog\" setting was present and contained a \"filter:\" parameter, ensure the \"filter:\" expression does not prevent the auditing of events that should be audited. The filter can be modified accordingly to ensure it complies. Alternatively, remove the \"filter:\" parameter to enable auditing for all events.\n \nRefer to the MongoDB documentation for details of audit operations and event configuration:\n\nhttps://www.mongodb.com/docs/v8.0/core/auditing/ \n\nhttps://www.mongodb.com/docs/v8.0/tutorial/configure-audit-filters/","ccis":["CCI-000166","CCI-000169","CCI-000171","CCI-000172","CCI-001464","CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-001487","CCI-000135","CCI-003938","CCI-003821","CCI-003831"]},{"vulnId":"V-279336","ruleId":"SV-279336r1179505_rule","severity":"medium","ruleTitle":"The audit information produced by MongoDB must be protected from unauthorized access, modification, and deletion.","description":"If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which depend upon system architecture and design.\n\nSome commonly employed methods include ensuring log files enjoy the proper file system permissions using file system protections; restricting access; and backing up log data to ensure log data is retained.\n\nApplications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit data.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nDeletion of database audit data could mask the theft of, or the unauthorized modification of, sensitive data stored in the database.\n\nSatisfies: SRG-APP-000120-DB-000061, SRG-APP-000118-DB-000059, SRG-APP-000119-DB-000060","checkContent":"MongoDB must not permit access to its audit logs by unprivileged users. The official installation packages restrict which operating system users and groups may read or modify files. The audit log destination is not configured or created at installation time and must be manually done with appropriate ownership and permissions applied with the MongoDB user and MongoDB group.\n\nCheck the MongoDB configuration file (default location /etc/mongod.conf) for a key named \"auditLog:\" with \"destination\" set to \"file\". \n\nExample shown below:\n\nauditLog:\n destination: file\n format: BSON\n path: /auditLog.bson\n\nIf \"auditLog\" does not exist this is a finding.\n\nIf the auditLog.destination is \"file\" in the MongoDB configuration file (default location /etc/mongod.conf) then the following will check ownership and permissions of the MongoDB auditLog directory:\n\nVerify User ownership, Group ownership, and permissions on the \"\":\n\n$ stat \n\nIf the User owner is not \"mongod\", this is a finding.\n\nIf the Group owner is not \"mongod\", this is a finding.\n\nIf the directory is more permissive than \"600\", this is a finding.\n\nTo find the auditLog directory name, view and search for the entry in the MongoDB configuration file (default location /etc/mongod.conf) for auditLog.destination. If this parameter's value is \"file\", then use the directory portion of the auditLog.path setting as the MongoDB auditLog directory location.\n\nExample:\n\nauditLog:\n destination: file\n format: BSON\n path: /var/log/mongodb/audit/auditLog.bson\n\nGiven the example above, to find the auditLog directory ownership and permissions, run the following command:\n\n> stat /var/log/mongodb/audit\n\nThe output will look similar to the following:\n\n File: '/var/log/mongodb/audit'\n Size: 48 Blocks: 0 IO Block: 4096 directory\nDevice: 808h/2056d Inode: 245178 Links: 2\nAccess: (0600/drw-------) Uid: ( 997/ mongod) Gid: ( 996/ mongod)\nContext: unconfined_u:object_r:mongod_log_t:s0\nAccess: 2020-03-16 12:51:16.816000000 -0400\nModify: 2020-03-16 12:50:48.722000000 -0400\nChange: 2020-03-16 12:50:48.722000000 -0400\n Birth: -","fixText":"It is recommended to use the official installation packages provided by MongoDB. In the event the software was installed manually and permissions need to be restricted, consider a clean reinstallation. \n\nTo correct a finding where auditLog.destination is set to \"file\", run these commands: \n\n$ chown mongod \n$ chgrp mongod \n$ chmod 600 \n\nThe path for the MongoDB auditLog directory will vary according to local circumstances. The auditLog directory will be found in the MongoDB configuration file, whose default location is /etc/mongod.conf.\n\nTo find the auditLog directory name, view and search for the entry in the MongoDB configuration file for the auditLog.path:\n\nExample:\n\nauditLog:\n destination: file\n format: BSON\n path: /var/log/mongodb/audit/auditLog.bson\n\nGiven the example above, the \"MongoDB auditLog directory\" is \"/var/log/mongodb/audit\".","ccis":["CCI-000164","CCI-000162","CCI-000163"]},{"vulnId":"V-279337","ruleId":"SV-279337r1179178_rule","severity":"medium","ruleTitle":"MongoDB must protect its audit features from unauthorized access, modification, and removal.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nApplications providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nSatisfies: SRG-APP-000123-DB-000204, SRG-APP-000121-DB-000202, SRG-APP-000122-DB-000203","checkContent":"To ensure audit configurations are protected from unauthorized access, modification, and removal, the default installation of MongoDB restricts permission on the configuration file. \n\nVerify User ownership, Group ownership, and permissions on the :\n\nNote: Default name and location is: /etc/mongod.conf. The name and location for the MongoDB configuration file will vary according to local circumstances.\n\nUsing the default name and location the command would be:\n\n$ stat /etc/mongod.conf\n\nIf the User owner is not \"mongod\", this is a finding.\n\nIf the Group owner is not \"mongod\", this is a finding.\n\nIf the filename is more permissive than \"600\", this is a finding.\n\nNote that the audit destination cannot be modified at runtime.","fixText":"Run these commands: \n\n\"chown mongod \" \n\"chgrp mongod \" \n\"chmod 600 \"\n\nNote: The name and location for the MongoDB configuration file will vary according to local circumstances. The default name and location is /etc/mongod.conf.\n\nUsing the default name and location the commands would be:\n\n$ chown mongod /etc/mongod.conf \n$ chgrp mongod /etc/mongod.conf \n$ chmod 600 /etc/mongod.conf","ccis":["CCI-001495","CCI-001493","CCI-001494"]},{"vulnId":"V-279338","ruleId":"SV-279338r1179445_rule","severity":"medium","ruleTitle":"MongoDB must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to MongoDB.","description":"If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.","checkContent":"Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files occurs.\n\nVerify the list of files, directories, and database application objects (procedures, functions, and triggers) being monitored is complete.\n\nThere are many possible options to monitor the database. The most common are making use of a monitoring tool or running a script periodically.\n\nIf a monitoring tool is actively being used to monitor the database and there is proof of the tool being active, this is not a finding.\n\nWhere monitoring is implemented by running a Bash shell script (either scheduled or on demand), the script should check the current SHA-256 checksum of the MongoDB files with the original SHA-256 checksum after installation and configuration.\n\nCreate and run the following shell script \"check_mongodb_256sha_hashes.sh\" from its containing Linux directory as a system administrator.\n\n$ ./check_mongodb_256sha_hashes.sh\n\nIf the output is not the following, this is a finding:\n\n\"No changes detected in the monitored files.\"\n\nThe shell script file \"check_mongodb_2456sha_hashes.sh\" is as follows:\n\n# filename: check_mongodb_256sha_hashes.sh\n#!/bin/bash\n\n# Function to compute SHA-256 hash of the specified file\nfile_hash() {\n sha256sum \"$1\" | awk '{print $1}'\n}\n\n# Function to check the list of files for any changes based on their SHA-256 hashes\ncheck_files() {\n local changed=0\n declare -A stored_hashes\n\n # Try to load last known hashes\n if [ -f file_hashes.txt ]; then\n while IFS=: read -r file hash; do\n stored_hashes[\"$file\"]=$hash\n done < file_hashes.txt\n fi\n\n # Check each file's hash against stored hashes\n for file in \"$@\"; do\n if [ -f \"$file\" ]; then\n current_hash=$(file_hash \"$file\")\n if [[ \"${stored_hashes[$file]}\" != \"$current_hash\" ]]; then\n if [[ -n \"${stored_hashes[$file]}\" ]]; then\n echo \"Change detected in $file\"\n else\n echo \"New file added or first time hashing: $file\"\n fi\n changed=1\n stored_hashes[\"$file\"]=$current_hash\n fi\n else\n echo \"Warning: $file does not exist.\"\n fi\n done\n\n # Save the updated hashes\n > file_hashes.txt\n for file in \"${!stored_hashes[@]}\"; do\n echo \"$file:${stored_hashes[$file]}\" >> file_hashes.txt\n done\n\n if [ \"$changed\" -eq 0 ]; then\n echo \"No changes detected in the monitored files.\"\n fi\n}\n\n# List of files to monitor\nfiles_to_check=(\n \"/etc/mongod.conf\"\n \"/usr/bin/mongod\"\n \"/usr/bin/mongos\"\n \"/usr/bin/mongosh\"\n \"/usr/bin/mongocryptd\"\n \"/usr/bin/mongodecrypt\"\n \"/usr/bin/mongodump\"\n \"/usr/bin/mongoexport\"\n \"/usr/bin/mongofiles\"\n \"/usr/bin/mongoimport\"\n \"/usr/bin/mongokerberos\"\n \"/usr/bin/mongoldap\"\n \"/usr/bin/mongorestore\"\n \"/usr/bin/mongostat\"\n \"/usr/bin/mongotop\"\n)\n\n# Invoke check_files function with the list of files\ncheck_files \"${files_to_check[@]}\"","fixText":"Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement. Examples of such products are Puppet, Chef, or Ansible.\n\nAlternately, users can write scripts to inspect the database software libraries, related applications, and configuration files to detect changes and to take appropriate actions or notifications if changes are detected. Use file hashes or checksums for comparisons, as file dates may be manipulated by malicious users.\n\nFor example, if the running of the monitoring shell script \"check_mongodb_256sha_hashes.sh\" shown in the \"Check\" returned the following:\n\n$ ./check_mongodb_256sha_hashes.sh\n\"Change detected in /etc/mongod.conf\"\n\nFor each file in which a change has been detected, investigate the possible causes of the change for that file.\n\nIn this case, inspect the \"/etc/mongod.conf\" file for changes in its content.","ccis":["CCI-001499"]},{"vulnId":"V-279339","ruleId":"SV-279339r1179184_rule","severity":"high","ruleTitle":"MongoDB software installation account must be restricted to authorized users.","description":"When dealing with change control issues, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system. \n\nIf the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nDBA and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a great impact on database security and operation. It is especially important to grant privileged access to only those persons who are qualified and authorized to use them.","checkContent":"To ensure log, network, security, and other audit configurations are not modifiable by unauthorized operating system users, the default installation of MongoDB restricts permission on the configuration file. \n\nVerify User ownership, Group ownership, and permissions on the \"\":\n\n(default name and location is /etc/mongod.conf)\n\nUsing the default name and location the command would be:\n\n$ stat /etc/mongod.conf\n\nIf the User owner is not \"mongod\", this is a finding.\n\nIf the Group owner is not \"mongod\", this is a finding.\n\nIf the filename is more permissive than \"600\", this is a finding.\n\nNote that the audit destination cannot be modified at runtime.","fixText":"It is recommended to use the official installation packages provided by MongoDB. In the event the software was installed manually, and permissions need to be restricted, consider a clean reinstallation. \n\nAlternatively, run the following commands to properly set permissions on the configuration file: \n\n$ chown mongod \n$ chgrp mongod \n$ chmod 600 <\n\nThe name and location for the MongoDB configuration file will vary according to local circumstances. The default name and location is /etc/mongod.conf.\n\nUsing the default name and location the commands would be:\n\n$ chown mongod /etc/mongod.conf \n$ chgrp mongod /etc/mongod.conf \n$ chmod 600 /etc/mongod.conf","ccis":["CCI-001499"]},{"vulnId":"V-279340","ruleId":"SV-279340r1179187_rule","severity":"medium","ruleTitle":"MongoDB database software, including configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.","description":"When dealing with change control issues, it should be noted that any changes to the hardware, software, and/or firmware components of the information system and/or application can potentially have significant effects on the overall security of the system.\n\nMultiple applications can provide a cumulative negative effect. A vulnerability and subsequent exploit to one application can lead to an exploit of other applications sharing the same security context. For example, an exploit to a web server process that leads to unauthorized administrative access to host system directories can most likely lead to a compromise of all applications hosted by the same system. Database software not installed using dedicated directories both threatens, and is threatened by, other hosted applications. Access controls defined for one application may by default provide access to the other application's database objects or directories. Any method that provides any level of separation of security context assists in the protection between applications.","checkContent":"By default MongoDB, runs using \"mongod\" user account (both user and group) and uses the following default directories:\n\nMongoDB created directories (default):\n\n/var/lib/mongo (the data directory)\n+-- diagnostic.data\n+-- _tmp\n+-- journal\n\n/var/log/mongodb (the mongod process log directory)\n+-- audit (the auditLog directory)\n\nStandard directories:\n\n/bin (the executable directory)\n/etc (the configuration file directory)\n\nCheck if any non-MongoDB application, non-MongoDB data, or non-MongoDB directories exists under any of the MongoDB-created directories or subdirectories.\n\nIf any non-MongoDB application, non-MongoDB data, or non-MongoDB directories exists under the MongoDB-created directories, this is a finding.","fixText":"The official installation packages from MongoDB segregate MongoDB executable software from MongoDB data directories by default.\n\nFor any non-MongoDB application found, reinstall that application to use directories that are not under the MongoDB created directories.\n\nFor any non-MongoDB application that stores data under the MongoDB-created directories, reinstall the application and configure the application to use non-MongoDB-created directories to store its data.\n\nFor any non-MongoDB data found under the MongoDB-created directories that cannot be associated with a MongoDB application, either move or delete that data from the MongoDB-created directories.","ccis":["CCI-001499"]},{"vulnId":"V-279341","ruleId":"SV-279341r1179506_rule","severity":"medium","ruleTitle":"MongoDB database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to MongoDB, etc.) must be owned by database/DBMS principals authorized for ownership.","description":"Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who uses the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.\n\nConversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed.","checkContent":"For each database in MongoDB, run the following commands:\n\nuse \ndb.getUsers()\n\nExample output: \n\n{\n _id: 'admin.user1',\n userId: UUID('b78e490a-4661-491f-8197-c3251934e785'),\n user: 'user1',\n db: 'admin',\n roles: [\n { role: 'readWrite', db: 'myDatabase' },\n { role: 'dbOwner', db: 'myDatabase' },\n { role: 'dbOwner', db: 'anotherDatabase' }\n ]\n\nHere, the user named \"user1\" in the \"admin\" database has a role of \"dbOwner\" for the database (db:) \"myDatabase\" and the database (db:) \"anotherDatabase\".\n\nFor users where the role of \"dbOwner\" is found, verify with the organization or site-specific documentation whether the user is authorized for the \"dbOwner\" role on the database resources listed.\n\nIf the user account has the role of \"dbOwner\" but is not authorized for the role for any database listed in their output, this is a finding.","fixText":"For each user identified as having a \"dbOwner\" role on a database they are not authorized for, revoke the \"dbOwner\" role from that user on that database by running the following commands:\n\nuse \ndb.revokeRolesFromUser() command\n\nhttps://www.mongodb.com/docs/v8.0/reference/command/revokeRolesFromUser/\n\nExample to revoke \"dbOwner\" role from \"user1\" on the \"anotherDatabase\" in the \"admin\" database:\n\nuse admin\ndb.revokeRolesFromUser(\n \"user1\",\n [\n { role: \"dbOwner\", db: \"anotherDatabase\" }\n ]\n)","ccis":["CCI-001499"]},{"vulnId":"V-279342","ruleId":"SV-279342r1179447_rule","severity":"medium","ruleTitle":"The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to MongoDB, etc.) must be restricted to authorized users.","description":"If MongoDB were to allow any user to make changes to database structure or logic, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nAccordingly, only qualified and authorized individuals shall be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.\n\nUnmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.","checkContent":"For each database in MongoDB, run the following command to obtain the roles:\n\nuse \ndb.getRoles(\n {\n rolesInfo: 1,\n showPrivileges:true,\n showBuiltinRoles: true\n }\n)\n\nRun the following command to the roles assigned to users:\n\nuse admin\ndb.system.users.find()\n\nAnalyze the output and if any roles or users have unauthorized access, this is a finding. This will vary on an application basis.","fixText":"Use the following commands to remove unauthorized access to a MongoDB database:\n \ndb.revokePrivilegesFromRole()\ndb.revokeRolesFromUser()\n\nMongoDB commands for role management can be found here:\n\nhttps://www.mongodb.com/docs/v8.0/reference/method/js-role-management/","ccis":["CCI-001499"]},{"vulnId":"V-279344","ruleId":"SV-279344r1179199_rule","severity":"medium","ruleTitle":"Unused database components, MongoDB software, and database objects must be removed.","description":"Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).\n\nIt is detrimental for software products to provide, or install by default, functionality exceeding requirements or mission objectives.\n\nDBMSs must adhere to the principles of least functionality by providing only essential capabilities.\n\nSatisfies: SRG-APP-000141-DB-000091, SRG-APP-000141-DB-000092","checkContent":"MongoDB operations permit arbitrary JavaScript expressions to be run directly on the server.\n\nIf the following parameter is not present or not set as show below in the MongoDB configuration file (default location: /etc/mongod.conf), this is a finding.\n\nsecurity:\n javascriptEnabled: false","fixText":"Disable the \"javascriptEnabled\" option.\n\nEdit the MongoDB configuration file (default location: /etc/mongod.conf) to include the following:\n\nsecurity:\n javascriptEnabled: false","ccis":["CCI-000381"]},{"vulnId":"V-279346","ruleId":"SV-279346r1179449_rule","severity":"medium","ruleTitle":"MongoDB must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols/services on information systems.\n\nApplications are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. \n\nTo support the requirements and principles of least functionality, the application must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.\n\nDatabase Management Systems using ports, protocols, and services deemed unsafe are open to attack through those ports, protocols, and services. This can allow unauthorized access to the database and through the database to other components of the information system.","checkContent":"Check the MongoDB configuration file (default location /etc/mongod.conf) to verify the following entry:\n\nnet:\n port: 27017\n\nIf the port listed is not authorized, this is a finding.\n\nVerify only TLS 1.2+ is being used. If the following entry is not in the configuration file, this is a finding.\n\nnet:\n tls:\n mode: requireTLS\n disabledProtocols: TLS1_0,TLS1_1\n\nVerify the binding of IP addresses does not include \"0.0.0.0\" or \":0\":\n\nnet:\n bindIp: 127.0.0.1,\n\nIf the bindIp contains \"0.0.0.0\" or \"::0\", this is a finding.","fixText":"Check the MongoDB configuration file (default location /etc/mongod.conf):\n\nEnsure the following section exists and set the port in the to an allowed port:\n\nnet:\n port: 27017\n\nEnsure that TLS 1.2+ is being used by adding the following entry into the configuration file.\n\nnet:\n tls:\n mode: requireTLS\n disabledProtocols: TLS1_0,TLS1_1\n\nEnsure the following section exists in the configuration file and that it does not contain wildcard binding (occurrences of \"0.0.0.0\" or \"::0\" or equivalents).\n\nnet:\n bindIp: 127.0.0.1,","ccis":["CCI-000382"]},{"vulnId":"V-279347","ruleId":"SV-279347r1179208_rule","severity":"medium","ruleTitle":"MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses, except the following:\n\n(i) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n(ii) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals using shared accounts, for detailed accountability of individual activity.","checkContent":"For each database in the system, run the following command:\n\n> use \n> db.getUsers()\n\nVerify each user identified is a member of an appropriate organization that can access the database.\n\nAlternatively, if LDAP/AD is being used for authentication/authorization, the mongoldap tool can be used to verify user account access.\n\nIf a user is found not be a member of an appropriate organization that can access the database, this is a finding.\n\nVerify the MongoDB configuration file (default location /etc/mongod.conf) contains the following:\n\nsecurity:\n authorization: \"enabled\"\n \nIf this parameter is not present, this is a finding.","fixText":"For any user that is not a member of an appropriate organization and that has access to a database in the system, run the following command:\n\n// Change to the appropriate database\n> use \n> db.dropUser(\"\", {w: \"majority\", wtimeout: 5000})\n\nThe MongoDB configuration file (default location /etc/mongod.conf) must contain the following:\n\nsecurity: \n authorization: \"enabled\"\n\nIf not, edit the MongoDB configuration file. Add the parameters and stop/start (restart) any mongod or mongos process using this MongoDB configuration file.","ccis":["CCI-000764"]},{"vulnId":"V-279349","ruleId":"SV-279349r1179508_rule","severity":"high","ruleTitle":"MongoDB must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.","description":"The DOD standard for authentication is DOD-approved PKI certificates.\n\nAuthentication based on user ID and password may be used only when it is not possible to employ a PKI certificate, and requires authorizing official (AO) approval.\n\nIn such cases, database passwords stored in clear text, using reversible encryption or using unsalted hashes, would be vulnerable to unauthorized disclosure. Database passwords must always be in the form of one-way, salted hashes when stored internally or externally to the DBMS.","checkContent":"MongoDB supports the Salted Challenge Response Authentication Mechanism (SCRAM) as the default authentication mechanism for MongoDB.\n\nRun the following script for database in the MongoDB system:\n\n/// Connect to admin database\ndb = db.getSiblingDB('admin');\n\n// Get all users without SCRAM-SHA-256\nconst allUsers = db.system.users.find().toArray();\nconst usersToUpgrade = allUsers.filter(user => \n !user.credentials || !user.credentials[\"SCRAM-SHA-256\"]\n);\n\nprint(`Found ${usersToUpgrade.length} users without SCRAM-SHA-256 authentication`);\n\nif (usersToUpgrade.length === 0) {\n print(\"All users already using SCRAM-SHA-256. No action needed.\");\n quit();\n}\n\n// Display users that need upgrading\nprint(\"\\nUsers needing upgrade to SCRAM-SHA-256:\");\nusersToUpgrade.forEach(user => {\n print(`- User: ${user.user}, Database: ${user.db}`);\n});\n\nIf any user found in a database using password authentication does not have \"Using SCRAM-SHA-256: YES\", this is a finding.","fixText":"For each user that does not have SCRAM-SHA-256, run the following command:\n\nuse admin\ndb.runCommand({'updateUser':'',pwd: passwordPrompt() , mechanisms:['SCRAM-SHA-256']})","ccis":["CCI-004062"]},{"vulnId":"V-279350","ruleId":"SV-279350r1179454_rule","severity":"high","ruleTitle":"If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords.","description":"The DOD standard for authentication is DOD-approved PKI certificates.\n\nAuthentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate, and requires authorizing official (AO) approval.\n\nIn such cases, passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission.\n\nDBMS passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.\n\nSatisfies: SRG-APP-000172-DB-000075, SRG-APP-000175-DB-000067","checkContent":"In the MongoDB database configuration file (default location /etc/mongod.conf), verify the following parameters in the \"net.tls\" (network TLS) section of the file:\n\nnet:\n tls:\n mode: requireTLS\n certificateKeyFile: /etc/ssl/server.pem\n CAFile: /etc/ssl/ca.crt\n allowInvalidCertificates: false\n allowConnectionsWithoutCertificates: false\n\nIf the \"net.tls\" parameter is not present, this is a finding.\n\nIf the \"net.tls.certificateKeyFile\" parameter is not present, this is a finding.\n\nIf the \"net.tls.CAFile\" parameter is not present, this is a finding.\n\nIf the \"net.tls.allowInvalidCertificates\" parameter is found and set to \"true\", this is a finding.\n\nIf the \"net.tls.allowConnectionsWithoutCertificates\" parameter is found and set to \"true\", this is a finding.","fixText":"In the MongoDB database configuration file (default location /etc/mongod.conf), ensure the following parameters are present in the \"net.tls\" (network TLS) section of the file and are configured correctly for the site and server:\n\nnet:\n tls:\n mode: requireTLS\n certificateKeyFile: /etc/ssl/server.pem\n CAFile: /etc/ssl/ca.crt\n allowInvalidCertificates: false\n allowConnectionsWithoutCertificates: false\n\nRestart the MongoDB service from the OS.\n\n$ sudo systemctl restart mongod\n\nMore information for configuring TLS/SSL for MongoDB can be found here:\nhttps://www.mongodb.com/docs/manual/tutorial/configure-ssl/","ccis":["CCI-000197","CCI-000185"]},{"vulnId":"V-279351","ruleId":"SV-279351r1179509_rule","severity":"high","ruleTitle":"MongoDB must enforce authorized access to all PKI private keys stored/used by the DBMS.","description":"The DOD standard for authentication is DOD-approved PKI certificates. PKI certificate-based authentication is performed by requiring the certificate holder to cryptographically prove possession of the corresponding private key.\n\nIf the private key is stolen, an attacker can use the private key(s) to impersonate the certificate holder. In cases where the DBMS-stored private keys are used to authenticate the DBMS to the system's clients, loss of the corresponding private keys would allow an attacker to successfully perform undetected man in the middle attacks against the DBMS system and its clients.\n\nBoth the holder of a digital certificate and the issuing authority must take careful measures to protect the corresponding private key. Private keys should always be generated and protected in FIPS 140-2 or 140-3 validated cryptographic modules.\n\nAll access to the private key(s) of the DBMS must be restricted to authorized and authenticated users. If unauthorized users have access to one or more of the DBMS's private keys, an attacker could gain access to the key(s) and use them to impersonate the database on the network or otherwise perform unauthorized actions.","checkContent":"In the MongoDB database configuration file (default location /etc/mongod.conf), review the following parameters:\n\nnet:\n tls:\n mode: requireTLS\n certificateKeyFile: /etc/ssl/mongodb.pem\n CAFile: /etc/ssl/mongodbca.pem\n\nVerify ownership, group ownership, and permissions for the MongoDB config file (default /etc/mongod.conf), the certificateKeyFile (default /etc/ssl/mongodb.pem), and the CAFile (default /etc/ssl/mongodbca.pem).\n\nFor each file, run following command and review its output:\n\nls -al \n\nExample output:\n-rw------- 1 mongod mongod 566 Apr 26 20:20 \n\nIf the user owner is not \"mongod\", this is a finding.\n\nIf the group owner is not \"mongod\", this is a finding.\n\nIf the file is more permissive than \"600\", this is a finding.","fixText":"Run these commands:\n\nchown mongod:mongodb /etc/ssl/mongodb.pem\nchmod 600 /etc/ssl/mongodb.pem\nchown mongod:mongod /etc/ssl/mongodbca.pem\nchmod 600 /etc/ssl/mongodbca.pem","ccis":["CCI-000186"]},{"vulnId":"V-279352","ruleId":"SV-279352r1179459_rule","severity":"medium","ruleTitle":"MongoDB must map the PKI-authenticated identity to an associated user account.","description":"The DOD standard for authentication is DOD-approved PKI certificates. Once a PKI certificate has been validated, it must be mapped to a DBMS user account for the authenticated identity to be meaningful to the DBMS and useful for authorization decisions.","checkContent":"Note: This is not applicable if using LDAP for authentication.\n\nEach unique x.509 client certificate corresponds to a single MongoDB user; meaning a single client certificate cannot authenticate more than one MongoDB user.\n\nLog in to MongoDB and run the following command:\n\n> db.runCommand( {connectionStatus: 1} );\n\nExample output:\n\n> db.runCommand({connectionStatus:1}).authInfo\n{\n \"authenticatedUsers\" : [\n {\n \"user\" : \"CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry\",\n \"db\" : \"mydb1\"\n }\n ],\n \"authenticatedUserRoles\" : [\n {\n \"role\" : \"dbOwner\",\n \"db\" : \"mydb1\"\n }\n ]\n}\n\nIf the authenticated MongoDB user displayed does not have a user value equal to the x.509 certificate subject name, this is a finding.","fixText":"Add x.509 certificate subject as an authorized user.\n\nTo authenticate with a client certificate, first add the value of the subject from the client certificate as a MongoDB user.\n\nEach unique x.509 client certificate corresponds to a single MongoDB user; meaning a single client certificate cannot authenticate more than one MongoDB user.\n\nNote: The RDNs in the subject string must be compatible with the RFC2253 standard.\n\nRetrieve the RFC2253 formatted subject from the client certificate with the following command:\n\n$ openssl x509 -in -inform PEM -subject -nameopt RFC2253\n\nThe command returns the subject string as well as certificate:\n\nsubject= CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry\n-----BEGIN CERTIFICATE-----\n# ...\n-----END CERTIFICATE-----\n\nAdd the RFC2253 compliant value of the subject as a user. Omit spaces as needed.\n\nFor example, in the mongo shell, to add the user with both the \"readWrite\" role in the test database and the \"userAdminAnyDatabase\" role, which is defined only in the admin database:\n\n> db.getSiblingDB(\"$external\").runCommand(\n {\n createUser: \"CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry\",\n roles: [\n { role: 'readWrite', db: 'test' },\n { role: 'userAdminAnyDatabase', db: 'admin' }\n ],\n writeConcern: { w: \"majority\" , wtimeout: 5000 }\n }\n)\n\nIn the above example, to add the user with the \"readWrite\" role in the test database, the role specification document specified \"test\" in the \"db\" field.\n\nTo add \"userAdminAnyDatabase\" role for the user, the above example specified \"admin\" in the \"db\" field.\n\nNote: Some roles are defined only in the admin database, including clusterAdmin, readAnyDatabase, readWriteAnyDatabase, dbAdminAnyDatabase, and userAdminAnyDatabase. \n\nTo add a user with these roles, specify \"admin\" in the \"db\" field. Refer to Manage Users and Roles for details on adding a user with roles.\n\nTo remove a user that is not authorized, run the following command:\n\n> use $external\n> db.dropUser(\"\")","ccis":["CCI-000187"]},{"vulnId":"V-279353","ruleId":"SV-279353r1179226_rule","severity":"high","ruleTitle":"MongoDB must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.","description":"The DOD standard for authentication is DOD-approved PKI certificates.\n\nNormally, with PKI authentication, the interaction with the user for authentication will be handled by a software component separate from the DBMS, such as ActivIdentity ActivClient. However, in cases where the DBMS controls the interaction, this requirement applies.\n\nTo prevent the compromise of authentication information such as passwords and PINs during the authentication process, the feedback from the system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism. \n\nObfuscation of user-provided authentication secrets when typed into the system is a method used in addressing this risk. \n\nDisplaying asterisks when a user types in a password or a smart card PIN is an example of obscuring feedback of authentication secrets.\n\nThis calls for review of applications, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.\n\nSatisfies: SRG-APP-000178-DB-000083, SRG-APP-000514-DB-000381, SRG-APP-000514-DB-000382, SRG-APP-000514-DB-000383","checkContent":"Restrict the environment to tools which meet this requirement.\n\nFor the MongoDB command-line tools mongo shell \"mongosh\", \"mongodump\", \"mongorestore\", \"mongoimport\", \"mongoexport\", which cannot be configured not to obfuscate a plain-text password, and any other essential tool with the same limitation, verify the system documentation explains the need for the tool, who uses it, any relevant mitigations and that authorizing official (AO) approval has been obtained.\n\nIf it is not documented, this is a finding. \n\nRequest evidence that all users of these MongoDB command-line tools are trained in the use of the \"-p\" or \"--password\" option plain-text password option and how to keep the password protected from unauthorized viewing/capture and that they adhere to this practice.\n\nIf evidence of training does not exist, this is a finding.","fixText":"For the mongo shell \"mongosh\", \"mongodump\", \"mongorestore\", \"mongoimport\", \"mongoexport\", which can accept a plain-text password, and any other essential tool with the same limitation:\n\n- Document the need for it, who uses it, and any relevant mitigations, and obtain AO approval.\n\n- Train all users of the tool in the nature of using the plain-text password option and in how to keep the password protected from unauthorized viewing/capture and document they have been trained.\n\nTo view the acceptable command line flags, execute the commands with --help for the various parameters that can be used.\n\nFor example:\nmongosh --help\n\nExample output:\nmongosh\n Authentication Options:\n\n -u, --username [arg] Username for authentication\n -p, --password [arg] Password for authentication","ccis":["CCI-000206","CCI-002450"]},{"vulnId":"V-279354","ruleId":"SV-279354r1179510_rule","severity":"high","ruleTitle":"MongoDB must use NIST FIPS 140-2/140-3 validated cryptographic modules for cryptographic operations.","description":"Use of weak or not validated cryptographic algorithms undermines the purposes of using encryption and digital signatures to protect data. Weak algorithms can be easily broken and not validated cryptographic modules may not implement algorithms correctly. Unapproved cryptographic modules or algorithms should not be relied on for authentication, confidentiality, or integrity. Weak cryptography could allow an attacker to gain access to and modify data stored in the database as well as the administration settings of the DBMS.\n\nApplications (including DBMSs) using cryptography are required to use approved NIST FIPS 140-2/140-3 validated cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. \n\nNSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules.\n\nThe standard for validating cryptographic modules will transition to the NIST FIPS 140-3 publication.\n\nFIPS 140-2 modules can remain active for up to five years after validation or until September 21, 2026, when the FIPS 140-2 validations will be moved to the historical list. Even on the historical list, CMVP supports the purchase and use of these modules for existing systems. While federal agencies decide when they move to FIPS 140-3 only modules, purchasers are reminded that for several years there may be a limited selection of FIPS 140-3 modules from which to choose. CMVP recommends purchasers consider all modules that appear on the Validated Modules Search Page:\nhttps://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules\n\nMore information on the FIPS 140-3 transition can be found here: \nhttps://csrc.nist.gov/Projects/fips-140-3-transition-effort/","checkContent":"Verify that FIPSMode: true is configured in the mongod.conf file (default location /etc/mongod.conf) as shown below:\n\nnet:\n tls:\n FIPSMode: true\n\nIf net.tls.FIPSMode is not present or not configured as shown above in the MongoDB configuration file, this is a finding.\n\nAlternatively, run the following command from the MongoDB shell:\n\n> db.getSiblingDB(\"admin\").runCommand({getCmdLineOpts: 1}).parsed.net.tls.FIPSMode\n\nIf the server is running with FIPS mode, this command will return \"true\". Any other output or no output is a finding.\n\nVerify FIPS has been enabled at the OS level. Refer to the OS-specific documentation on how to verify.","fixText":"Enable FIPS mode for MongoDB Enterprise.\n\nEdit the MongoDB database configuration file (default location /etc/mongod.conf) to contain the following parameter setting:\n\nnet:\n tls:\n FIPSMode: true\n\nRestart the MongoDB service from the OS.\n\n$ sudo systemctl restart mongod\n\nFor the operating system finding, refer to the appropriate operating system documentation for the procedure to install, configure, and test FIPS mode.","ccis":["CCI-000803"]},{"vulnId":"V-279355","ruleId":"SV-279355r1179463_rule","severity":"medium","ruleTitle":"MongoDB must separate user functionality (including user interface services) from database management functionality.","description":"Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. \n\nThe separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods, as appropriate. \n\nAn example of this type of separation is observed in web administrative interfaces that use separate authentication methods for users of any other information system resources. \n\nThis may include isolating the administrative interface on a different domain and with additional access controls.\n\nIf administrative functionality or information regarding DBMS management is presented on an interface available for users, information on DBMS settings may be inadvertently made available to the user.\n\nSatisfies: SRG-APP-000180-DB-000115\n\nSatisfies: SRG-APP-000211-DB-000122, SRG-APP-000180-DB-000115","checkContent":"MongoDB grants access to data and commands through role-based authorization and provides built-in roles that provide the different levels of access commonly needed in a database system. User-defined roles can also be created.\n\nCheck a user's role to verify correct privileges for the function.\n\nPrerequisite: To view a user's roles, users must have the \"viewUser\" privilege.\n\nConnect to MongoDB.\n\nFor each database in the system, identify the user's roles for the database:\n\nuse \ndb.getUser(\"[username]\")\n\nThe server will return a document with the user's roles.\n\nView a role's privileges.\n\nPrerequisite: To view a user's roles, users must have the \"viewUser\" privilege. \n\nFor each database, identify the privileges granted by a role:\n\nuse \ndb.getRole( \"read\", { showPrivileges: true } )\n\nThe server will return a document with the \"privileges\" and \"inheritedPrivileges\" arrays. The \"privileges returned\" document lists the privileges directly specified by the role and excludes those privileges inherited from other roles. The \"inheritedPrivileges\" returned document lists all privileges granted by this role, both directly specified and inherited. If the role does not inherit from other roles, the two fields are the same.\n\nIf a user has a role with inappropriate privileges, this is a finding.","fixText":"Administrators using MongoDB should document the appropriate privileges for various roles appropriate to the application.\n\nPrerequisite: To view a user's roles, users must have the \"viewUser\" privilege.\n\nConnect to MongoDB.\n\nFor each database, identify the user's roles for the database. \n\nuse \ndb.getUser(\"[username]\")\n\nThe server will return a document with the user's roles.\n\nTo revoke a user's role from a database, use the db.revokeRolesFromUser() method.\n\nTo grant a role to a user, use the db.grantRolesToUser() method.","ccis":["CCI-001082","CCI-000804"]},{"vulnId":"V-279358","ruleId":"SV-279358r1179465_rule","severity":"medium","ruleTitle":"MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.","description":"One class of man-in-the-middle or session hijacking attack involves the adversary guessing at valid session identifiers based on patterns in identifiers already known.\n\nThe preferred technique for thwarting guesses at Session IDs is the generation of unique session identifiers using a FIPS 140-2/140-3-approved random number generator.\n\nHowever, it is recognized that available DBMS products do not all implement the preferred technique yet may have other protections against session hijacking. Therefore, other techniques are acceptable, provided they are demonstrated to be effective.","checkContent":"Check the MongoDB configuration file (default location /etc/mongod.conf).\n\nThe following option must be present ( \"net.tls.mode\") and set to \"requireTLS\":\n\nnet:\n tls:\n mode: requireTLS\n\nIf this is not found in the MongoDB configuration file, this is a finding.","fixText":"Edit the MongoDB configuration file to ensure the \"net.tls.mode\" option is included and set to the value \"requireTLS\" as shown below:\n\nnet:\n tls:\n mode: requireTLS\n\nRestart the MongoDB service from the OS.\n\n$ sudo systemctl restart mongod\n\nFurther documentation is available at:\nhttps://www.mongodb.com/docs/v8.0/tutorial/configure-ssl/","ccis":["CCI-001188"]},{"vulnId":"V-279361","ruleId":"SV-279361r1179250_rule","severity":"high","ruleTitle":"MongoDB must protect the confidentiality and integrity of all information at rest.","description":"This control is intended to address the confidentiality and integrity of information at rest in nonmobile devices and covers user information and system information. Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive, tape drive) within an organizational information system. Applications and application users generate information throughout the course of their application use. \n\nUser data generated, as well as application-specific configuration data, needs to be protected. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate. \n\nIf the confidentiality and integrity of application data is not protected, the data will be open to compromise and unauthorized modification.","checkContent":"To provide integrity and confidentiality for data at rest, MongoDB must be configured to use the Encrypted Storage Engine.\n\nRun the following command to verify whether or not the Encrypted Storage Engine is enabled:\n\n> db.serverStatus().encryptionAtRest.encryptionEnabled\n\nAny output other than \"true\" is a finding.\n\nValidate whether the Encrypted Storage Engine is running with an AEAD block cipher, which provides integrity, by running the following command:\n\n> db.serverStatus().encryptionAtRest.encryptionCipherMode\n\nAny response other than \"AES256-GCM\" is a finding.\n\nValidate the system is configured to use KMIP to obtain a master encryption key, rather than storing the master key on the local filesystem.\n\nRun: \n\n> db.serverStatus().encryptionAtRest.encryptionKeyId\n\nIf the response is \"local\" or no response, this is a finding.","fixText":"Enable the Encrypted Storage Engine with KMIP as the key storage mechanism and AES256-GCM as the encryption mode.\n\nConsult MongoDB documentation for encryption setup instruction here:\nhttps://www.mongodb.com/docs/v8.0/tutorial/configure-encryption/","ccis":["CCI-001199"]},{"vulnId":"V-279363","ruleId":"SV-279363r1179256_rule","severity":"medium","ruleTitle":"Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.","description":"Applications, including database management systems (DBMSs), must prevent unauthorized and unintended information transfer via shared system resources. \n\nData used for the development and testing of applications often involves copying data from production. It is important that specific procedures exist for this process, to include the conditions under which such transfer may take place, where the copies may reside, and the rules for ensuring sensitive data are not exposed.\n\nCopies of sensitive data must not be misplaced or left in a temporary location without the proper controls.","checkContent":"Review the procedures for the refreshing of development/test data from production.\n\nReview any scripts or code that exists for the movement of production data to development/test systems, or to any other location or for any other purpose.\n\nVerify that copies of production data are not left in unprotected locations. \n\nIf the code that exists for data movement does not comply with the organization-defined data transfer policy and/or fails to remove any copies of production data from unprotected locations, this is a finding.","fixText":"Modify any code used for moving data from production to development/test systems to comply with the organization-defined data transfer policy, and to ensure copies of production data are not left in unsecured locations.","ccis":["CCI-001090"]},{"vulnId":"V-279364","ruleId":"SV-279364r1179259_rule","severity":"medium","ruleTitle":"Access to database files must be limited to relevant processes and to authorized, administrative users.","description":"Applications, including database management systems (DBMSs), must prevent unauthorized and unintended information transfer via shared system resources. Permitting only DBMS processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor access and manipulation.\n\nSatisfies: SRG-APP-000243-DB-000374, SRG-APP-000243-DB-000373","checkContent":"By default, the MongoDB official installation packages restrict user and group ownership and read/write permissions on the underlying data files and critical configuration files from other operating system users.\n\nIn addition, process and memory isolation is used by default. System administrators should also consider if whole database encryption would be an effective control on an application basis.\n\nRun the following commands to verify proper permissions for the following database files or directories:\n\n$ stat /etc/mongod.conf\n\nIf the owner and group are not both \"mongod\", this is a finding.\n\nIf the file permissions are more permissive than \"600\", this is a finding.\n\n$ stat /var/lib/mongo\n\nIf the owner and group are not both \"mongod\", this is a finding.\n\nIf the file permissions are more permissive than \"755\", this is a finding.\n\n$ ls -l /var/lib/mongo\n\nIf the owner and group of any file or sub-directory is not \"mongod\", this is a finding.\n\nIf the permission of any file in the main directory (/var/lib/mongo) or sub-directory of (/var/lib/mongo) is more permissive than \"600\", this is a finding.\n\nIf the permission of any sub-directory of (/var/lib/mongo) is more permissive than \"700\", this is a finding.","fixText":"Correct the permission to the files and/or directories that are in violation.\n\nMongoDB Configuration file (default location /etc/mongod.conf): \n\n$ chown mongod:mongod /etc/mongod.conf\n$ chmod 600 /etc/mongod.conf\n\nMongoDB datafiles and directories (default location /var/lib/mongo): \n\n$ chown -R mongod:mongod /var/lib/mongo\n$ chmod 755 /var/lib/mongo\n\n$ find /var/lib/mongo/* -type f | xargs chmod 600\n$ find /var/lib/mongo/* -type d | xargs chmod 700","ccis":["CCI-001090"]},{"vulnId":"V-279365","ruleId":"SV-279365r1179467_rule","severity":"medium","ruleTitle":"MongoDB must check the validity of all data inputs except those specifically identified by the organization.","description":"Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.\n\nWith respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.\n\nEven when no such hijacking takes place, invalid input that gets recorded in the database, whether accidental or malicious, reduces the reliability and usability of the system. Available protections include data types, referential constraints, uniqueness constraints, range checking, and application-specific logic. Application-specific logic can be implemented within the database in stored procedures and triggers, where appropriate.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.","checkContent":"As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus, traditional SQL injection attacks are not a problem. However, MongoDB operations permit arbitrary JavaScript expressions to be run directly on the server. \n\nTo check, run the following command from the MongoDB shell: \n\n> db.col.find({ $where: \"return true;\"} ) \n\nIf the response does not return an error, this is a finding.\n\nIf javascript has been correctly disabled, the correct error would indicate that the javascript global engine has been disabled. For example:\n\nMongoServerError: no globalScriptEngine in $where parsing}","fixText":"Disable the javascriptEnabled option in the MongoDB configuration file (default location /etc/mongod.conf) to include the following:\n\nsecurity:\n javascriptEnabled: false\n\nIf document validation is needed, it must be configured according to the documentation page at: \nhttps://www.mongodb.com/docs/v8.0/core/schema-validation/","ccis":["CCI-001310"]},{"vulnId":"V-279366","ruleId":"SV-279366r1179512_rule","severity":"medium","ruleTitle":"MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it.","description":"With respect to database management systems, one class of threat is known as SQL Injection, or more generally, code injection. It takes advantage of the dynamic execution capabilities of various programming languages, including dialects of SQL. In such cases, the attacker deduces the manner in which SQL statements are being processed, either from inside knowledge or by observing system behavior in response to invalid inputs. When the attacker identifies scenarios where SQL queries are being assembled by application code, which may be within the database or separate from it, and executed dynamically, the attacker is then able to craft input strings that subvert the intent of the query. Potentially, the attacker can gain unauthorized access to data, including security settings, and severely corrupt or destroy the database.\n\nThe principal protection against code injection is not to use dynamic execution except where it provides necessary functionality that cannot be used otherwise. Use strongly typed data items rather than general-purpose strings as input parameters to task-specific, pre-compiled stored procedures and functions (and triggers).\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.\n\nSatisfies: SRG-APP-000251-DB-000391, SRG-APP-000251-DB-000392","checkContent":"MongoDB operations permit arbitrary JavaScript expressions to be run directly on the server.\n\nIf the following parameter is not present or not set as show below in the MongoDB configuration file (default location /etc/mongod.conf), this is a finding. \n\nsecurity:\n javascriptEnabled: false","fixText":"Disable the \"javascriptEnabled\" option.\n\nEdit the MongoDB configuration file (default location /etc/mongod.conf) to include the following:\n\nsecurity:\n javascriptEnabled: false","ccis":["CCI-001310"]},{"vulnId":"V-279367","ruleId":"SV-279367r1179513_rule","severity":"medium","ruleTitle":"MongoDB must provide nonprivileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.","description":"Any database management systems (DBMSs) or associated application providing too much information in error messages on the screen or printout risks compromising the data and security of the system. The structure and content of error messages need to be carefully considered by the organization and development team.\n\nDatabases can inadvertently provide a wealth of information to an attacker through improperly handled error messages. In addition to sensitive business or personal information, database errors can provide host names, IP addresses, user names, and other system information not required for troubleshooting but very useful to someone targeting the system.\n\nCarefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, Social Security numbers, and credit card numbers.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.","checkContent":"Check custom application code to verify error messages do not contain information beyond what is needed for troubleshooting the issue.\n\nIf custom application error messages contain PII data, sensitive business data, or information useful for identifying the host system or database structure, this is a finding.\n\nFor example, when attempting to log in using the MongoDB shell with incorrect client credentials, the user will receive a generic error message that the authentication failed regardless of whether the user exists.\n\nIf a user is attempting to perform an operation using the MongoDB shell for which they do not have privileges, MongoDB will return a generic error message that the operation is not authorized.\n\nTo prevent too much information being displayed in the MongoDB logfiles, run the following command:\n\n> db.getSiblingDB(\"admin\").runCommand({getCmdLineOpts: 1}).parsed.security.redactClientLogData\n\nIf the command does not return true, this is a finding.","fixText":"Configure custom application code so as not to divulge sensitive information or information useful for system identification in custom application error messages.\n\nTo configure MongoDB to redact client information from its log file, edit the MongoDB configuration file (default location /etc/mongod.conf). \n\nAdd the following option to the security section:\n\nsecurity:\n redactClientLogData: true \n\nRestart the MongoDB server from the operating system:\n\n$ sudo systemctl restart mongod","ccis":["CCI-001312"]},{"vulnId":"V-279368","ruleId":"SV-279368r1179271_rule","severity":"medium","ruleTitle":"MongoDB must reveal detailed error messages only to the information system security officer (ISSO), information system security manager (ISSM), system administrator (SA) and database administrator (DBA).","description":"If the database management system (DBMS) provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. \n\nSome default DBMS error messages can contain information that could aid an attacker in, among other things, identifying the database type, host address, or state of the database. Custom errors may contain sensitive customer information. \n\nIt is important that detailed error messages be visible only to those who are authorized to view them; that general users receive only generalized acknowledgment that errors have occurred; and that these generalized messages appear only when relevant to the user's task. For example, a message along the lines of, \"An error has occurred. Unable to save your changes. If this problem persists, please contact your help desk\" would be relevant. A message such as \"Warning: your transaction generated a large number of page splits\" would likely not be relevant. \n\nAdministrative users authorized to review detailed error messages typically are the ISSO, ISSM, SA, and DBA. Other individuals or roles may be specified according to organization-specific needs, with appropriate approval.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the DBA is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.","checkContent":"A mongod or mongos running with \"security.redactClientLogData:true\" redacts any message accompanying a given log event before logging.\n\nThis prevents the mongod or mongos from writing potentially sensitive data stored on the database to the diagnostic log. Metadata such as error or operation codes, line numbers, and source file names are still visible in the logs. \n\nTo prevent too much information being displayed in the MongoDB logfiles, run the following command:\n> db.getSiblingDB(\"admin\").runCommand({getCmdLineOpts: 1}).parsed.security.redactClientLogData\n\nIf the command does not return true, this is a finding.\n\nThe MongoDB command \"getLog\" will return data from the log file, which requires the \"getLog\" action type on the cluster resource.\n\nEnsure that application users are not authorized to execute this command.\n\nTo validate this run the following command on the name of the application user to view actions its permitted to perform on the cluster resource:\n\n> db.runCommand({usersInfo: \"\", showPrivileges: 1}).users[0].inheritedPrivileges.filter(privilege => privilege.resource.cluster)\n\nIf \"getLog\" appears in the list of actions, this is a finding.","fixText":"Edit the MongoDB configuration file (default location /etc/mongod.conf) and add the following parameter \"redactClientLogData\" in the security section of that file. Example:\n\nsecurity:\n redactClientLogData: true\n\nRestart the MongoDB service from the OS.\n\n$ sudo systemctl restart mongod\n\nIdentify and remove all unnecessary roles and privileges from application users.","ccis":["CCI-001314"]},{"vulnId":"V-279371","ruleId":"SV-279371r1179515_rule","severity":"medium","ruleTitle":"MongoDB must associate organization-defined types of security labels having organization-defined security label values with information in storage.","description":"Without the association of security labels to information, there is no basis for the database management systems (DBMS) to make security-related access-control decisions.\n\nSecurity labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. \n\nThese labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. \n\nOne example includes marking data as classified or CUI. These security labels may be assigned manually or during data processing, but, either way, it is imperative these assignments are maintained while the data is in storage. If the security labels are lost when the data is stored, there is the risk of a data compromise.\n\nThe mechanism used to support security labeling may be a feature of the DBMS product, a third-party product, or custom application code.\n\nSatisfies: SRG-APP-000311-DB-000308, SRG-APP-000313-DB-000309, SRG-APP-000314-DB-000310","checkContent":"If security labeling is not required, this is not a finding.\n\nIf security labeling is required then there must be organizational or site-specific documentation on what the security labeling policy is and guidance on how and where to apply it.\n\nReview the organizational or site-specific security labeling documentation to understand how documents in specific MongoDB collection(s) must be marked. This marking process should be applied as data is entered into the database.\n\nUpon review of the security labeling documents, the following checks will be required.\n\n1. Check if the role \"SLTagViewer\" exists. If this role does not exist, this is a finding.\n\nNote: The role name \"SLTagViewer\" is a user-defined (custom) role and is organizational or site-specific. The role name of \"SLTagViewer\" is used here as an example.\n\nRun the following commands:\n\n> use admin\n> db.getRole( \"SLTagViewer\", { showPrivileges: true } )\n\nIf the result returned is \"null\", this is a finding.\n \n2. Check that data is appropriately marked in the specific MongoDB collection(s) that require security labeling. This check will be specific to the security labeling policy and guidance.\n\nLog in to MongoDB with a user that has a Security Label Tag Viewer role (\"SLTagViewer\", a role that has been created, which has access to read/view database/collections that require security labels). Review the data in the MongoDB collections requiring security labels to ensure the data is appropriately marked according to the security labeling documentation. For example, if documents in a MongoDB collection need to be marked as \"TS\", \"S\", \"C\", or \"U\" (or combination of) at the root level of the document and at each field level of the document, then the security labeling policy and guidance would indicate a document might look like the following and this would not be a finding (\"sl\" is the security label):\n\n{\n \"_id\": 1,\n \"sl\": [[\"TS\"], [\"S\"]],\n \"field1\" : { \"sl\" : [ [\"S\"] ], \"data\" : \"field1 value\" },\n \"field2\" : { \"sl\" : [ [\"TS\"] ], \"data\" : \"field2 value\" },\n \"field3\" : { \"sl\" : [ [\"S\"] ], \"data\" : \"field3 value\" }\n}\n\nThe following document would be a finding because at the field level, field2 is missing its security label of \"sl\":\n\n{\n \"_id\": 1,\n \"sl\": [[\"TS\"], [\"S\"]],\n \"field1\" : { \"sl\" : [ [\"S\"] ], \"data\" : \"field1 value\" },\n \"field2\" : { \"data\" : \"field2 value\" },\n \"field3\" : { \"sl\" : [ [\"S\"] ], \"data\" : \"field3 value\" }\n}\n\n3. Check that queries against the data in those collections use an appropriately constructed MongoDB $redact operation as part of the query pipeline to verify only the data appropriate for the query (that meets the security label requirements) is returned.\n\nVerify any query that targets the databases/collections that have security labeling have the appropriate MongoDB $redact operation applied; this is done through trusted middleware. This trusted middleware configuration is purpose-built (custom) code and integrations and is organizational or site-specific. Information on the basics of this can be found here:\nhttps://www.mongodb.com/docs/v8.0/reference/operator/aggregation/redact/ \n\nAny queries that target a MongoDB database/collection that has security labels, and that pass through the trusted middleware and do not have an appropriately constructed $redact operator that is part of the query aggregation pipeline, is a finding.\n\nThe following is an example of the $redact operator for the example document:\n\n> db.security_collection.aggregate(\n[{ \n $redact:\n { $cond: [{ $anyElementTrue:\n { $map: { input: \"$sl\",\n as: \"setNeeded\",\n in: { $setIsSubset: \n [\"$$setNeeded\", [\"S\"]] }\n }\n }\n },\n \"$$DESCEND\", \"$$PRUNE\"]\n }\n}\n]\n)","fixText":"To implement security labeling, ensure the following:\n\n1. Organizational or site-specific documentation and guidance is available or developed.\n\n2. Ensure security labels are applied to MongoDB collection(s) requiring them in accordance with the organization or site-specific documentation.\n\n3. Create a Security Label Tag Viewer role (\"SLTagViewer\") with \"find\" privileges on the specific database and collection that requires security labeling.\n\nIn the example below, there are three databases and collections in those databases where security labels are required:\n\n> use admin\n> db.createRole(\n {\n role: \"SLTagViewer\",\n privileges: [\n { resource: { db: \"db1\", collection: \"coll1\" }, actions: [ \"find\" ] },\n { resource: { db: \"db1\", collection: \"coll2\" }, actions: [ \"find\" ] },\n { resource: { db: \"db1\", collection: \"coll3\" }, actions: [ \"find\" ] },\n { resource: { db: \"db2\", collection: \"coll1\" }, actions: [ \"find\" ] },\n { resource: { db: \"db2\", collection: \"coll5\" }, actions: [ \"find\" ] },\n { resource: { db: \"db2\", collection: \"coll9\" }, actions: [ \"find\" ] },\n { resource: { db: \"db3\", collection: \"coll81\" }, actions: [ \"find\" ] }\n ],\n roles: [ ]\n },\n { w: \"majority\" , wtimeout: 5000 }\n) \n\n4. Ensure any query that targets the databases/collections that have security labeling have the appropriate MongoDB $redact operation applied.\n\nThe $redact operator is applied through trusted middleware. This trusted middleware configuration is purpose-built (custom) code and integrations and is organizational or site specific. Information on the basics of how this is constructed can be found here: \nhttps://www.mongodb.com/docs/v8.0/reference/operator/aggregation/redact/","ccis":["CCI-002262","CCI-002263","CCI-002264"]},{"vulnId":"V-279372","ruleId":"SV-279372r1179475_rule","severity":"medium","ruleTitle":"MongoDB must enforce Discretionary Access Control (DAC) policies, as defined by the data owner, over defined subjects and objects.","description":"DAC is based on the idea that individual users are \"owners\" of objects and therefore, have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled table permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. \n\nA subject that is constrained in its operation by Mandatory Access Control (MAC) policies is still able to operate under the less rigorous constraints of this requirement. Thus, while MAC imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. \n\nThe policy is bound by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of DAC.","checkContent":"Review the MongoDB configuration file (default location /etc/mongod.conf).\n\nIf the file does not contain the following entry, this is a finding:\n\nsecurity:\n authorization: enabled","fixText":"Enable authentication for MongoDB by following the instructions here: \nhttps://www.mongodb.com/docs/v8.0/tutorial/enable-authentication/\n\nCreate an administrative user in MongoDB:\n\nuse admin\ndb.createUser(\n {\n user: < username >,\n pwd: < passwordPrompt() >, // or cleartext password\n roles: [\n { role: \"userAdminAnyDatabase\", db: \"admin\" },\n { role: \"readWriteAnyDatabase\", db: \"admin\" }\n ]\n }\n)\n\nEnable authorization by adding the following entry to the MongoDB configuration file:\n\nsecurity:\n authorization: enabled\n\nRestart the MongoDB service from the OS.\n\n$ sudo systemctl restart mongod\n\nThe \"UserAdmin\" user created above can use the \"createUser\" and \"createRole\" MongoDB commands to add the required users and roles per organizational or site-specific documentation.\n\nhttps://www.mongodb.com/docs/v8.0/reference/command/createUser/\n\nhttps://www.mongodb.com/docs/v8.0/reference/command/createRole/","ccis":["CCI-002165"]},{"vulnId":"V-279373","ruleId":"SV-279373r1179516_rule","severity":"medium","ruleTitle":"MongoDB must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.","description":"Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. \n\nSystem documentation should include a definition of the functionality considered privileged.\n\nDepending on circumstances, privileged functions can include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.\n\nA privileged function in the database management systems (DBMS)/database context is any operation that modifies the structure of the database, its built-in logic, or its security settings. This would include all Data Definition Language (DDL) statements and all security-related statements. In an SQL environment, it encompasses, but is not necessarily limited to: \n\nCREATE\nALTER\nDROP\nGRANT\nREVOKE\nDENY\n\nThere may also be Data Manipulation Language (DML) statements that, subject to context, should be regarded as privileged. Possible examples include:\n\nTRUNCATE TABLE;\nDELETE, or\nDELETE affecting more than n rows, for some n, or\nDELETE without a WHERE clause;\n\nUPDATE or\nUPDATE affecting more than n rows, for some n, or\nUPDATE without a WHERE clause;\n\nany SELECT, INSERT, UPDATE, or DELETE to an application-defined security table executed by other than a security principal.\n\nDepending on the capabilities of the DBMS and the design of the database and associated applications, the prevention of unauthorized use of privileged functions may be achieved by means of DBMS security features, database triggers, other mechanisms, or a combination of these.","checkContent":"A organizational or site-specific document should exist and be reviewed to determine what built-in MongoDB roles and associated privileges may be considered authorized and what users are administrative users.\n\nFor each database, run the following commands in MongoDB as an administrative user to determine what users and roles they are assigned:\n\n> use \n> db.getUsers()\n\nFor any nonadministrative user in a database, check if any roles are not compliant with the site-specific documentation for users.\n\nIf any nonadministrative user in a database has a noncompliant role, this is a finding.","fixText":"Ensure users are assigned only to authorized roles.\n\nTo revoke a role from a user in a database, run the following commands: \n\n> use \n> db.revokeRolesFromUser( \"\", [ ], { } )\n\nReference:\nhttps://www.mongodb.com/docs/v8.0/reference/method/db.revokeRolesFromUser/","ccis":["CCI-002235"]},{"vulnId":"V-279375","ruleId":"SV-279375r1179292_rule","severity":"medium","ruleTitle":"MongoDB must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.","description":"To ensure sufficient storage capacity for the audit logs, the DBMS must be able to allocate audit record storage capacity. Although another requirement (SRG-APP-000515-DB-000318) mandates that audit data be off-loaded to a centralized log management system, it remains necessary to provide space on the database server to serve as a buffer against outages and capacity limits of the off-loading mechanism.\n\nThe task of allocating audit record storage capacity is usually performed during initial installation of the DBMS and is closely associated with the DBA and system administrator roles. The DBA or system administrator will usually coordinate the allocation of physical drive space with the application owner/installer and the application will prompt the installer to provide the capacity information, the physical location of the disk, or both.\n\nIn determining the capacity requirements, consider such factors as: total number of users; expected number of concurrent users during busy periods; number and type of events being monitored; types and amounts of data being captured; the frequency/speed with which audit records are off-loaded to the central log management system; and any limitations that exist on the DBMS's ability to reuse the space formerly occupied by off-loaded records.","checkContent":"Investigate whether there have been any incidents where the DBMS ran out of audit log space since the last time the space was allocated or other corrective measures were taken.\n\nIf there have been, this is a finding.","fixText":"To specify auditLog, or a centralized system log (which is recommended), configure these in the mongod.conf configuration file:\n\nauditLog:\n destination: syslog\n\nAllocate sufficient space to the storage volume hosting the file identified in the MongoDB configuration \"auditLog.path\" to support audit file peak demand.","ccis":["CCI-001849"]},{"vulnId":"V-279376","ruleId":"SV-279376r1179479_rule","severity":"medium","ruleTitle":"MongoDB must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity.","description":"Organizations are required to use a central log management system, so, under normal conditions, the audit space allocated to the database management system (DBMS) on its own server will not be an issue. However, space will still be required on the DBMS server for audit records in transit, and, under abnormal conditions, this could fill up. Since a requirement exists to halt processing upon audit failure, a service outage would result.\n\nIf support personnel are not notified immediately upon storage volume utilization reaching 75 percent, they are unable to plan for storage capacity expansion. \n\nThe appropriate support staff include, at a minimum, the information system security officer (ISSO) and the database administrator (DBA)/system administrator (SA).","checkContent":"Verify auditing is enabled in the mongodb configuration file (default location /etc/mongod.conf) and view the \"auditlog.path\" to identify the storage volume.\n\nVerify OS or other organization approved third-party monitoring software is installed.\n\nVerify the required alert in the monitoring software is set to send when storage volume holding the auditLog file utilization reaches 75 percent.\n\nIf appropriate support staff are not notified immediately upon storage volume utilization reaching 75 percent, this is a finding.","fixText":"View the mongodb configuration file (default location /etc/mongod.conf) and view the \"auditlog.path\" to identify the storage volume.\n\nInstall OS or other organization-approved third-party monitoring software.\n\nConfigure the required alert in the monitoring software to send an alert when storage volume holding the auditLog file utilization reaches 75 percent.","ccis":["CCI-001855"]},{"vulnId":"V-279380","ruleId":"SV-279380r1179481_rule","severity":"medium","ruleTitle":"MongoDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.","description":"Allowing regular users to install software without explicit privileges creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user.\n\nDatabase management system (DBMS) functionality and the nature and requirements of databases will vary, so while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages, such as from an approved software repository. The requirements for production servers will be more restrictive than those used for development and research.\n\nMongoDB must enforce software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization.\n\nIn the case of a DBMS, this requirement covers stored procedures, functions, triggers, views, etc.","checkContent":"If MongoDB supports only software development, experimentation and/or developer-level testing (that is, excluding production systems, integration testing, stress testing, and user acceptance testing), this is not a finding.\n\nMongoDB can control nonadministrative users' ability to create, alter, or replace logic modules by defining specific roles and permissions. While MongoDB does not directly support stored procedures, functions, triggers, and views in the way relational databases do, similar functionalities can be implemented using various features. \n\nAn organizational or site-specific document should exist and be reviewed to determine what built-in MongoDB roles and associated privileges may be considered authorized and what users are administrative users.\n\nFor each database, run the following commands in MongoDB as an administrative user to determine what users and roles they are assigned:\n\n> use \n> db.getUsers()\n\nFor any nonadministrative user in a database, check if any roles are not compliant with the site-specific documentation for users. If any user in any database is found to have a role that is not allowed, this is a finding.\n\nMongoDB allows users to store JavaScript functions on the server. Javascript should be disabled for all users.\n\nReview the Mongodb configuration file (default location /etc/mongod.conf) and ensure the following is set to disable JavaScript:\n\nsecurity:\n javascriptEnabled: false\n\nIf this is not set in the MongoDB configuration file, this is a finding.","fixText":"Revoke unapproved roles from nonadministrative users as per the site-specific document by executing db.revokeRolesFromUser for each user and database:\n\n> use \n> db.revokeRolesFromUser( \"\", [ ], { } )\n\nReference:\nhttps://www.mongodb.com/docs/v8.0/reference/method/db.revokeRolesFromUser/\n\nEdit the MongoDB configuration file (default location: /etc/mongod.conf) to include the following:\n\nsecurity:\n javascriptEnabled: false","ccis":["CCI-003980"]},{"vulnId":"V-279381","ruleId":"SV-279381r1179310_rule","severity":"medium","ruleTitle":"MongoDB must enforce access restrictions associated with changes to the configuration of MongoDB or database(s).","description":"Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system.\n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system.\n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.","checkContent":"To verify that authentication and role-based access controls (RBAC) are configured correctly and restrictions are being enforced, create a test user and a custom role, and then confirm expected operations:\n\nOnce authenticated as a database administrator, use db.createUser() to create an additional user.\n\nThe following operation adds a user \"myTester\" to the test database who has read-only access on the test database:\n\n> use test\n> db.createUser(\n {\n user: \"myTester\", pwd: < password > ,\n roles: [\n { role: \"read\", db: \"test\" }\n ]\n }\n )\n\nLog out and then back in as the \"test\" database user. Issue the following to attempt to write to the test database with a read-only privilege:\n\n> use test\n> db.testCollection.insertOne( { x: 1 } )\n\nThis operation will fail with an error similar to the following:\n\n\"MongoServerError\":\"not authorized on test to execute command\"{\n \"insert\":\"testCollection\",\n \"documents\":[\n {\n \"x\":1,\n \"_id\":\"ObjectId(\"6500b96d1114d3a3ba7dda39\")\"\n }\n ],\n \"ordered\":true,\n \"lsid\":{\n \"id\":\"UUID(\"6cb3b9af-1ddc-446c-b0e0-bc9bf22807fa\")\"\n },\n \"$db\":\"test\"\n}\n\nIf the operation does not fail, this is a finding.","fixText":"Locate a machine that can access the MongoDB Security Checklist here: https://www.mongodb.com/docs/v8.0/administration/security-checklist/\n\nReview the MongoDB Security Checklist.\n\nFollow the procedures to enable MongoDB access control here: https://www.mongodb.com/docs/v8.0/tutorial/enable-authentication/#enable-access-control","ccis":["CCI-001813"]},{"vulnId":"V-279382","ruleId":"SV-279382r1179313_rule","severity":"medium","ruleTitle":"MongoDB must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.","description":"Use of nonsecure network functions, ports, protocols, and services exposes the system to avoidable threats.","checkContent":"Review the network functions, ports, protocols, and services supported by the database management system (DBMS).\n\nIf any protocol is prohibited by the PPSM guidance and is enabled, this is a finding.","fixText":"Disable each prohibited network function, port, protocol, or service prohibited by the PPSM guidance.\n\nMore information for MongoDB port management can be found at the following link:\nhttps://www.mongodb.com/docs/manual/reference/default-mongodb-port/","ccis":["CCI-001762"]},{"vulnId":"V-279383","ruleId":"SV-279383r1179483_rule","severity":"medium","ruleTitle":"MongoDB must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.","description":"The DOD standard for authentication of an interactive user is the presentation of a common access card (CAC) or other physical token bearing a valid, current, DOD-issued Public Key Infrastructure (PKI) certificate, coupled with a Personal Identification Number (PIN) to be entered by the user at the beginning of each session and whenever reauthentication is required.\n\nWithout reauthentication, users may access resources or perform tasks for which they do not have authorization. \n\nWhen applications provide the capability to change security roles or escalate the functional capability of the application, it is critical the user reauthenticate.\n\nIn addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances:\n\n(i) When authenticators change; \n(ii) When roles change; \n(iii) When security categories of information systems change; \n(iv) When the execution of privileged functions occurs; \n(v) After a fixed period of time; or\n(vi) Periodically.\n\nWithin the DOD, the minimum circumstances requiring reauthentication are privilege escalation and role changes.","checkContent":"In MongoDB, a user can reauthenticate by explicitly logging out and then logging back in with the db.logout() and db.auth() commands, respectively. \n\nThe steps to accomplish this would typically depend on the environment and interface, for example, shell, driver, or MongoDB Atlas.\n\nLog out of the current session using the db.logout() command.\n\nRun the following command from the database the user has authenticated from (example below uses \"test\" as the authentication database):\n\n> use test\n> db.logout()\n\nExample output:\n\n{ ok: 1 }\n\nIf the above output is not displayed upon logout, this is a finding.\n\nLog back in, using the db.auth() command:\n\n> use test\n> db.auth({\n user: '',\n pwd: ''\n})\n\nExample output:\n\n { ok: 1 }\n\nIf the above output is not displayed upon login, this is a finding.","fixText":"Enable authentication for MongoDB by following the instructions here: https://www.mongodb.com/docs/v8.0/tutorial/enable-authentication/\n\nCreate an administrative user in MongoDB:\n\n> use admin\n> db.createUser(\n {\n user: \"UserAdmin\",\n pwd: passwordPrompt(), // or cleartext password\n roles: [\n { role: \"userAdminAnyDatabase\", db: \"admin\" },\n { role: \"readWriteAnyDatabase\", db: \"admin\" }\n ]\n }\n)\n\nEnable authorization by adding the following entry to the MongoDB configuration file:\n\nsecurity:\n authorization: enabled\n\nRestart the MongoDB service from the OS.\n\n$ sudo systemctl restart mongod\n\nThe \"UserAdmin\" user created above can use the \"createUser\" and \"createRole\" MongoDB commands to add the required users and roles per organizational or site-specific documentation.\n\nMore information can be found here:\n\nhttps://www.mongodb.com/docs/v8.0/reference/command/createUser/\n\nhttps://www.mongodb.com/docs/v8.0/reference/command/createRole/","ccis":["CCI-002038"]},{"vulnId":"V-279385","ruleId":"SV-279385r1179518_rule","severity":"high","ruleTitle":"MongoDB must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements.","description":"Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nIt is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards.\n\nNSA-approved cryptography for classified networks is hardware based. This requirement addresses the compatibility of a database management system (DBMS) with the encryption devices.","checkContent":"If MongoDB is deployed in an unclassified environment, this is not a finding.\n\nRun the following command as an administrative user:\n\n> db.getSiblingDB(\"admin\").runCommand({getCmdLineOpts: 1}).parsed.net.tls.FIPSMode\n\nIf the output is not \"true\", this is a finding.","fixText":"Enable FIPS mode for MongoDB Enterprise.\n\nEdit the MongoDB database configuration file (default location /etc/mongod.conf) to contain the following parameter setting:\n\nnet:\n tls:\n FIPSMode: true\n\nStop/start (restart) the mongod or mongos instance using this configuration and run the following command to verify the output is \"true\":\n\n> db.getSiblingDB(\"admin\").runCommand({getCmdLineOpts: 1}).parsed.net.tls.FIPSMode\n\nThe output of this command must be \"true\".\n\nAlternatively, run the following command to search the mongod logfile for \"FIPS mode 140-2 activated\":\n\n$ grep \"FIPS 140-2 mode activated\" /var/log/mongodb/mongod.log\n\nThere should be a line similar to what is shown below:\n\n{\"t\":{\"$date\":\"2025-02-26T15:21:09.174+00:00\"},\"s\":\"I\", \"c\":\"NETWORK\", \"id\":23172, \"ctx\":\"main\",\"msg\":\"FIPS 140-2 mode activated\"}","ccis":["CCI-002450"]},{"vulnId":"V-279386","ruleId":"SV-279386r1192925_rule","severity":"medium","ruleTitle":"MongoDB must only accept end entity certificates issued by DOD PKI or DOD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.","description":"Only DOD-approved external PKIs have been evaluated to ensure they have security controls and identity vetting procedures in place, which are sufficient for DOD systems to rely on the identity asserted in the certificate. PKIs lacking sufficient security controls and identity vetting procedures risk being compromised and issuing certificates that enable adversaries to impersonate legitimate users. \n\nThe authoritative list of DOD-approved PKIs is published at https://www.cyber.mil/pki-pke. \n\nThis requirement focuses on communications protection for the database management system (DBMS) session rather than for the network packet.","checkContent":"To run MongoDB in TLS mode, obtain a valid certificate singed by a single CA.\n\nBefore starting the MongoDB database in TLS mode, verify the certificate used is issued by a valid DOD CA (openssl x509 -in -text | grep -i \"issuer\").\n\nThe certificates (pem files) used by MongoDB will be in the MongoDB configuration file net.tls section as shown below (default location /etc/mongod.conf).\n\nEach of these must be inspected, when present, to make sure they comply with a DOD Issuer for the certificate.\n\nnet:\n tls:\n CAFile: \n certificateKeyFile: \n clusterFile: \n clusterCAFile: \n CRLFile: \n\nWhen using MongoDB's native encryption at rest, the following must also be inspected in the security.kmip section of the MongoDB configuration file:\n\nsecurity:\n kmip:\n clientCertificateFile: \n serverCAFile: \n\nnet.tls.CAFile\nThe .pem file that contains the root certificate chain from the CA. Specify the file name of the .pem file using relative or absolute paths.\n\nnet.tls.certificateKeyFile\nThe .pem file that contains both the TLS certificate and key.\n\nnet.tls.clusterFile\nThe .pem file that contains the x.509 certificate-key file for membership authentication for the cluster or replica set.\n\nIf there is any issuer present in the certificates being used that is not a DOD approved certificate authority, this is a finding.\n\nnet.tls.clusterCAFile\nThe .pem file that contains the root certificate chain from the CA used to validate the certificate presented by a client establishing a connection. Specify the file name of the .pem file using relative or absolute paths. net.tls.clusterCAFile requires that net.tls.CAFile is set.\n\nnet.tls.CRLFile\nThe .pem file that contains the Certificate Revocation List. Specify the file name of the .pem file using relative or absolute paths.\n\nsecurity.kmip.clientCertificateFile\nPath to the .pem file used to authenticate MongoDB to the KMIP server. The specified .pem file must contain both the TLS/SSL certificate and key.\n\nsecurity.kmip.serverCAFile\nPath to CA File. Used for validating secure client connection to KMIP server.","fixText":"Remove any certificate referenced that was not issued by an approved DOD certificate authority. \n\nContact the organization's certificate issuer and request a new certificate that is issued by a valid DOD certificate authorities.","ccis":["CCI-002470"]},{"vulnId":"V-279387","ruleId":"SV-279387r1179328_rule","severity":"high","ruleTitle":"MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.","description":"Database management system (DBMSs) handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to the DBMS or implemented via additional software or operating system/file system settings, as appropriate to the situation.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). \n\nThe decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides.\n\nSatisfies: SRG-APP-000428-DB-000386, SRG-APP-000429-DB-000387","checkContent":"Review the documentation or specification for the organization-defined information. \n\nIf any data is PII, classified, or per the organization must be encrypted at rest, verify the method of encryption is documented.\n\nIf no documented mechanism is being used to encrypt data-at-rest such as hardware encryption, volume encryption, filesystem encryption or the use of third-party products to enable encryption at rest, this is a finding.\n\nIf the documented method to encrypt MongoDB data-at-rest is the native MongoDB encryption-at-rest, verify the MongoDB configuration file (default location /etc/mongod.conf) contains the following options:\n\nsecurity:\n kmip:\n keyIdentifier: \n rotateMasterKey: \n serverName: \n port: \n clientCertificateFile: \n clientCertificatePassword: \n clientCertificateSelector: \n serverCAFile: \n connectRetries: \n connectTimeoutMS: \n activateKeys: \n keyStatePollingSeconds: \n\nIf these above options are not configured in the MongoDB security.kmip section in the MongoDB configuration file, this is a finding.","fixText":"Configure encryption-at-rest through hardware encryption, volume encryption, filesystem encryption, or third-party products if not using MongoDBs native encryption-at-rest.\n\nWhen using MongoDBs native encryption-at-rest, configure MongoDB to use the Encrypted Storage Engine and a KMIP appliance as documented here:\n\nhttps://www.mongodb.com/docs/v8.0/core/security-encryption-at-rest/\n\nhttps://www.mongodb.com/docs/v8.0/tutorial/configure-encryption/","ccis":["CCI-002475","CCI-002476"]},{"vulnId":"V-279389","ruleId":"SV-279389r1179334_rule","severity":"medium","ruleTitle":"MongoDB must maintain the confidentiality and integrity of information during preparation for transmission.","description":"Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, including, for example, during aggregation, at protocol transformation points, and during packing/unpacking. These unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.\n\nUse of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. \n\nWhen transmitting data, the DBMS, associated applications, and infrastructure must leverage transmission protection mechanisms.\n\nSatisfies: SRG-APP-000441-DB-000378, SRG-APP-000442-DB-000379","checkContent":"If the data owner does not have a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process, this is not a finding. \n\nIf such a requirement is present, inspect the MongoDB configuration file (default location: /etc/mongod.conf) for the following entries:\n\nnet:\n tls:\n mode: requireTLS\n certificateKeyFile: \n CAFile: \n allowInvalidCertificates: false\n allowConnectionsWithoutCertificates: false\n FIPSMode: true\n\nIf net.tls.mode is not set to \"requireTLS\", this is a finding.","fixText":"Stop the MongoDB instance if it is running. \n\nObtain a certificate from a valid DOD certificate authority to be used for encrypted data transmission. \n\nModify the MongoDB configuration file to include the following TLS configuration options:\n\nnet:\n tls:\n mode: requireTLS\n certificateKeyFile: \n CAFile: \n allowInvalidCertificates: false\n allowConnectionsWithoutCertificates: false\n FIPSMode: true\n\nSet \"net.tls.mode\" to the \"requireTLS\".\n is the fullpathnames to the certificates used for the option.\n\nStart/stop (restart) all mongod or mongos instances using the MongoDB configuration file (default location: /etc/mongod.conf).","ccis":["CCI-002420","CCI-002422"]},{"vulnId":"V-279390","ruleId":"SV-279390r1179486_rule","severity":"medium","ruleTitle":"When invalid inputs are received, MongoDB must behave in a predictable and documented manner that reflects organizational and system objectives.","description":"A common vulnerability is unplanned behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state.\n\nThe behavior will be derived from the organizational and system requirements and includes, but is not limited to, notification of the appropriate personnel, creating an audit record, and rejecting invalid input.\n\nThis calls for inspection of application source code, which will require collaboration with the application developers. It is recognized that in many cases, the database administrator (DBA) is organizationally separate from the application developers, and may have limited, if any, access to source code. Nevertheless, protections of this type are so important to the secure operation of databases that they must not be ignored. At a minimum, the DBA must attempt to obtain assurances from the development organization that this issue has been addressed, and must document what has been discovered.","checkContent":"When an application requires specific fields to be validated at the collection level, MongoDB's schema validation ensures that there are no unintended schema changes or improper data types for those fields.\n\nRefer to the application's guidelines and documentation. If there is no requirement for collection-level schema validation for specific fields, this is not a finding.\n\nIf the application's guidelines and documentation require collection-level schema validation for a specific collection on specific fields, follow these steps:\n\n1. As a user with the \"dbAdminAnyDatabase\" role, run the following commands for each database that contains collections used by the application:\n\n use \n db.getCollectionInfos()\n\nThis returns an array of documents containing information about all collections within \"\".\n\n2. For each specific collection (identified by the \"name:\" field in the output) used by the application that requires a schema validation, check the \"options\" sub-document for that collection.\n\n3. If the \"options\" sub-document for that specific collection does not contain a \"validator\" sub-document, this is a finding.\n\nBelow is an example output of a collection named \"testCollectionWithValidator\" (indicated by \"name\" field) with a \"validator\" in the \"options\" sub-document:\n[\n {\n name: 'testCollectionWithValidator',\n type: 'collection',\n options: {\n validator: {\n '$jsonSchema': {\n bsonType: 'object',\n required: [ 'username', 'password' ],\n properties: {\n username: {\n bsonType: 'string',\n minLength: 3,\n description: 'must be a string and is required with a minimum length of 3 characters'\n },\n password: {\n bsonType: 'string',\n minLength: 8,\n description: 'must be a string and is required with a minimum length of 8 characters'\n }\n }\n }\n },\n validationLevel: 'strict',\n validationAction: 'error'\n },\n info: {\n readOnly: false,\n uuid: UUID('cf0629c2-7355-4bf8-a44b-54b9f31e4845')\n },\n idIndex: { v: 2, key: { _id: 1 }, name: '_id_' }\n }\n]\n\nIf the \"options\" sub-document contains a \"validator\", verify it against the application guidelines and documentation. Verify the validator checks for the presence of all fields specified in the application guidelines and documentation needing a collection level validation and confirm that the correct data types and/or ranges are being validated. \n\nIf any fields specified in the application guidelines or documentation are missing from the validator, or if present and the fields do not have the correct data types and/or ranges, this is a finding.","fixText":"Document validation can be added at the time of creation of a new collection. \n\nAlso, existing collections can be modified with document validation rules. \n\nUse the \"validator\" option to create or update a collection with the desired validation rules. \n\nRefer to Schema Validation documentation for details:\nhttps://www.mongodb.com/docs/v8.0/core/schema-validation/","ccis":["CCI-002754"]},{"vulnId":"V-279391","ruleId":"SV-279391r1179488_rule","severity":"medium","ruleTitle":"When updates are applied to MongoDB software, any software components that have been replaced or made unnecessary must be removed.","description":"Previous versions of database management system (DBMS) components that are not removed from the information system after updates have been installed may be exploited by adversaries. \n\nSome DBMS installation tools may remove older versions of software automatically from the information system. In other cases, manual review and removal will be required. In planning installations and upgrades, organizations must include steps (automated, manual, or both) to identify and remove the outdated modules.\n\nA transition period may be necessary when both the old and the new software are required.","checkContent":"Run the following command and observe the output. This command will determine if MongoDB has been installed with a package manager (RedHat) and display what version is currently installed:\n\n> rpm -q mongodb-enterprise-server.x86_64\nmongodb-enterprise-server-8.0.8-1.el9.x86_64\n\nThe output of the command above indicates that MongoDB Enterprise Server has been installed with a package manager. \n\nIn the preceding output is an example showing that MongoDB Enterprise Server Version 8.0.8 is installed. The specific version will be dependent on the actual version installed. Upgrading MongoDB with the same package manager used for installation will overwrite or remove files as part of the upgrade process.\n\nIf MongoDB was installed with a Package Manager (YUM/RPM for RedHat) then this is not a finding.\n\nRun the following command and observe the output:\n\n> rpm -q mongodb-enterprise-server.x86_64\npackage mongodb-enterprise-server.x86_64 is not installed\n\nThe output of the command above indicates that MongoDB has not been installed via a package manager or may not have been installed at all.\n\nIf MongoDB has not been installed with a Package Manger (YUM/RPM for RedHat), this is a finding.","fixText":"It is recommended to use the official installation packages provided by MongoDB. In the event the software was installed manually and permissions need to be restricted, consider a clean reinstallation. \n\nReview this organizational or site-specific document to determine how and where MongoDB is to be installed on the system. Using this documentation, verify that MongoDB has been installed on the system prior to upgrading.\n\nTo verify the version of MongoDB Enterprise Server, run the following command in the directory where the MongoDB executable binary has been placed according to the organizational or site-specific documentation.\n\n> cd \n> ./mongod --version\n\nThe output will show the version and architecture of the MongoDB Server binary similar to the following:\n\ndb version v8.0.8\nBuild Info: {\n \"version\": \"8.0.8\",\n \"gitVersion\": \"7f52660c14217ed2c8d3240f823a2291a4fe6abd\",\n \"openSSLVersion\": \"OpenSSL 3.2.2 4 Jun 2024\",\n \"modules\": [\n \"enterprise\"\n ],\n \"allocator\": \"tcmalloc-google\",\n \"environment\": {\n \"distmod\": \"rhel93\",\n \"distarch\": \"x86_64\",\n \"target_arch\": \"x86_64\"\n }\n}\n\nVerify the version desired (what the upgraded version should be) matches what is shown in the output.\n\nIf the version is not what is expected, then remove the mongod binary from the system to prevent it from being used and consult the organizational or site-specific documents for further guidance.\n\nRun the following commands as an operating system administrator to remove the MongoDB Enterprise Server binary from the system:\n\n> cd \n> rm ./mongod","ccis":["CCI-002617"]},{"vulnId":"V-279392","ruleId":"SV-279392r1179521_rule","severity":"medium","ruleTitle":"Security-relevant software updates to MongoDB must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","description":"Security flaws with software applications, including database management systems, are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously. \n\nOrganization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). \n\nThis requirement will apply to software patch management solutions used to install patches across the enclave and to applications that are not part of that patch management solution. For example, many browsers provide the capability to install their own patch software. Patch criticality, as well as system criticality, will vary; therefore, the tactical situations regarding the patch management process will also vary. This means the time period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant software updates within an identified time period from the availability of the update. The specific time period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","checkContent":"Review the organizational or site-specific software update policy and verify MongoDB has been updated consistent with the time frame specified by that policy.\n\nThe current patch release versions of MongoDB 8.0.x can be found here: https://www.mongodb.com/docs/manual/release-notes/8.0/.\n\nThis link will show the patch release versions with the date of release for all of MongoDB 8.0.x. \n\nIf MongoDB has not been updated to the necessary major and minor release in accordance with the policy, this is a finding.","fixText":"Institute and adhere to the policies and procedures to ensure MongoDB is updated to remain consistent with the organizational or site-specific software update policy and time frame.\n\nUpdate MongoDB to the necessary major and minor release in accordance with the organizational or site-specific policy.","ccis":["CCI-002605"]},{"vulnId":"V-279393","ruleId":"SV-279393r1179522_rule","severity":"high","ruleTitle":"MongoDB must be a version supported by the vendor.","description":"Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities.\n\nSystems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation.\n\nWhen maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.","checkContent":"Review the current version of MongoDB running on the system.\n\nRun the following command from the OS command line and review the \"db version\" listed in the output:\n\n$ mongod --version | grep \"db version\"\n\nCompare the version from the output to the supported version matrix here:\n\nhttps://www.mongodb.com/support-policy/lifecycles\n\nIf the version output in the above command has reached its \"End of Life Date\" shown in the matrix, this is a finding.","fixText":"Ensure a license agreement is still in effect and, if so, upgrade to a supported version of MongoDB.\n\nEach major release of MongoDB has upgrade instructions. Follow the upgrade path/procedures for the version and configuration (standalone, replica set, sharded) of MongoDB accordingly.\n\nIf the license agreement with MongoDB has lapsed, contact MongoDB to license the use of a supported version.","ccis":["CCI-003376"]},{"vulnId":"V-279394","ruleId":"SV-279394r1179490_rule","severity":"medium","ruleTitle":"MongoDB must off-load audit data to a separate log management facility; this shall be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity. \n\nThe Database management system (DBMS) may write audit records to database tables, to files in the file system, to other kinds of local repository, or directly to a centralized log management system. Whatever the method used, it must be compatible with off-loading the records to the centralized system.","checkContent":"MongoDB relies on the underlying operating system to allocate storage capacity for audit logs and as such, does not enforce arbitrary file size limits on audit logs. \n\nSystem administrators should confirm that the recommended centralized system logging has been enabled (e.g., syslog on Linux systems) in the /etc/mongod.conf configuration file. \n\nFor example, on a Linux-based system using syslog, which is mirrored to an off-server centralized location, confirm that the MongoDB configuration file (default location: /etc/mongod.conf) contains a properly configured auditLog such as follows:\n\nauditLog:\n destination: syslog\n\nIf the auditLog entry is missing, or the destination does not reflect the intended application location, this is a finding. \n\nInvestigate whether there have been any incidents where MongoDB ran out of audit log space since the last time the space was allocated or other corrective measures were taken.","fixText":"To specify auditLog, or a centralized system log (recommended), configure these in the mongod.conf configuration file:\n\nauditLog:\n destination: syslog\n\nRefer to documentation for additional configuration: \nhttps://www.mongodb.com/docs/v8.0/core/auditing/\n\nWhen deploying a Log Forwarding Tool, use a monitor for the audit log file and push records to a centralized log management system (e.g., Elasticsearch, Splunk, or a custom solution). \n\nAllocate sufficient space to the storage volume hosting the file identified in the MongoDB configuration \"auditLog.path\" to support audit file peak demand.","ccis":["CCI-001851"]},{"vulnId":"V-279395","ruleId":"SV-279395r1179492_rule","severity":"medium","ruleTitle":"MongoDB must be configured in accordance with the security configuration settings based on DOD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.","description":"Configuring MongoDB to implement organizationwide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements. \n\nIn addition to this SRG, sources of guidance on security and information assurance exist. These include NSA configuration guides, CTOs, DTMs, and IAVMs. The database management system (DBMS) must be configured in compliance with guidance from all such relevant sources.","checkContent":"Review the MongoDB documentation and configuration to determine if the DBMS is configured in accordance with DOD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.\n\nIf MongoDB is not configured in accordance with security configuration settings, this is a finding.","fixText":"Configure the DBMS in accordance with DOD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.\n\nIt is recommended that MongoDB Enterprise be installed and upgraded though the use of a package manager (YUM/RPM RedHat) where it meets the organizational or site-specific policy. \n\nReference:\nhttps://www.mongodb.com/docs/v8.0/tutorial/install-mongodb-enterprise-on-red-hat/","ccis":["CCI-000366"]},{"vulnId":"V-279398","ruleId":"SV-279398r1179494_rule","severity":"medium","ruleTitle":"MongoDB must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate recognized and approved by the organization.","description":"Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication.","checkContent":"1. Identify that the MongoDB repository is installed and enabled by running the following command: \n\n$ yum repolist enabled | grep \"mongodb-enterprise-8.0\".\n \n2. Review the contents of the repository file (/etc/yum.repos.d/mongodb-enterprise-8.0.repo) and compare them to the standard configuration below:\n\n[mongodb-enterprise-8.0]\nname=MongoDB Enterprise Repository\nbaseurl=https://repo.mongodb.com/yum/redhat/9/mongodb-enterprise/8.0/$basearch/\ngpgcheck=1\nenabled=1\ngpgkey=https://pgp.mongodb.com/server-8.0.asc\n\n3. Examine the installed MongoDB components and their versions by running the following command: \n\n$ yum list installed mongodb-*\n \n4. The output will resemble the following, but with potentially different versions:\n\nInstalled Packages\n\nmongodb-database-tools.x86_64 100.12.2-1 @mongodb-enterprise-8.0\nmongodb-enterprise.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0\nmongodb-enterprise-cryptd.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0\nmongodb-enterprise-database.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0\nmongodb-enterprise-database-tools-extra.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0\nmongodb-enterprise-mongos.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0\nmongodb-enterprise-server.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0\nmongodb-enterprise-tools.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0\nmongodb-mongosh.x86_64 2.5.6-1.el8 @mongodb-enterprise-8.0\n\n5. Check for available updates for the installed MongoDB components by running the following command: \n$ sudo yum check-update --repo mongodb-enterprise-8.0\n\nThe output will list any components that need to be updated. \n\nIf the MongoDB repository is not enabled, its contents do not match the standard configuration, or if any components are not installed or are not the most current version available, this is a finding.","fixText":"Ensure the MongoDB repository is configured according to the official documentation.\n\nInstall any missing or outdated components by running the command: \n\n$ sudo yum update --repo mongodb-enterprise-8.0\n\nRestart the MongoDB service: \n\n$ sudo systemctl restart mongod\n\nThe YUM method is the preferred method because it provides automatic dependency management, built-in rollback support, and simplified security updates. These features reduce the risk of misconfiguration and ensure a more stable and secure environment that is easier to maintain and keep compliant.\n\nFor additional details, refer to the MongoDB documentation: \nhttps://www.mongodb.com/docs/v8.0/tutorial/install-mongodb-enterprise-on-red-hat/","ccis":["CCI-003992"]},{"vulnId":"V-279399","ruleId":"SV-279399r1179524_rule","severity":"medium","ruleTitle":"MongoDB must require users to be individually authenticated before granting access to the shared accounts or resources.","description":"Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators.","checkContent":"Check the MongoDB configuration file (default location /etc/mongod.conf) for a section named \"security\". \n \nIf this section does not contain the subkey of \"authorization\" with a value of \"enabled\" as shown below, this is a finding.\n\nsecurity:\n authorization: enabled","fixText":"Enable authorization for MongoDB Enterprise.\n\nRead the directions in the MongoDB documentation here: \nhttps://www.mongodb.com/docs/v8.0/tutorial/configure-scram-client-authentication/\n\nCreate the user administrator.\n\nEdit the MongoDB database configuration file (default location /etc/mongod.conf) to contain the following setting in the security section:\n\nsecurity:\n authorization: enabled\n\nStop/start (restart) the mongod or mongos instance using this configuration.\n\nLog on to MongoDB as an authorized user created by the user administrator and run the following command to verify the output is \"true\":\n\ndb.getSiblingDB(\"admin\").runCommand({getCmdLineOpts: 1}).parsed.security.authorization\n\nThe output of this command must be \"true\".","ccis":["CCI-004045"]},{"vulnId":"V-279409","ruleId":"SV-279409r1179526_rule","severity":"medium","ruleTitle":"MongoDB must, for public key-based authentication, implement a local cache of revocation data to support path discovery and validation.","description":"Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network.","checkContent":"Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named \"setParameter\". \n\nExamples shown below:\n \nsetParameter:\n ocspEnabled: true\n\nIf this key \"setParameter\" and the subkey \"ocspEnabled: true\" are not found, this is a finding.","fixText":"Edit the MongoDB configuration file (default location /etc/mongod.conf) and add \"setParameter\" and its subkey \"ocspEnabled\" as shown below. \n\nsetParameter:\n ocspEnabled: true\n\nRefer to: https://www.mongodb.com/docs/v8.0/core/security-transport-encryption/#ocsp--online-certificate-status-protocol-","ccis":["CCI-004068"]},{"vulnId":"V-279411","ruleId":"SV-279411r1179400_rule","severity":"medium","ruleTitle":"MongoDB must include only approved trust anchors in trust stores or certificate stores managed by the organization.","description":"Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.","checkContent":"Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named \"net.tls.CAFile\". \n\nExample shown below:\n \nnet:\n tls:\n mode: requireTLS\n certificateKeyFile: /etc/ssl/mongodb.pem\n CAFile: /etc/ssl/caToValidateClientCertificates.pem\n ocsp:\n enabled: true\n responderURL: \n\nIf this key is not found, this is a finding.","fixText":"Edit the MongoDB configuration file (default location /etc/mongod.conf) and add a key named \"net.tls.CAFile\" to configure the certificate trust. \n\nExample shown below:\n \nnet:\n tls:\n mode: requireTLS\n certificateKeyFile: /etc/ssl/mongodb.pem\n CAFile: /etc/ssl/caToValidateClientCertificates.pem\n ocsp:\n enabled: true\n responderURL: ","ccis":["CCI-004909"]},{"vulnId":"V-279412","ruleId":"SV-279412r1179403_rule","severity":"medium","ruleTitle":"MongoDB must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.","description":"A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.","checkContent":"Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named \"net.tls.CAFile\". \n\nExample shown below:\n \nnet:\n tls:\n mode: requireTLS\n certificateKeyFile: /etc/ssl/mongodb.pem\n CAFile: /etc/ssl/caToValidateClientCertificates.pem\n ocsp:\n enabled: true\n responderURL: \n\nRun the following command on the file indicated by this key:\n\nstat /etc/ssl/caToValidateClientCertificates.pem\n\nIf the output does not show file permissions of \"-rw-------\", this is a finding.","fixText":"Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named \"net.tls.CAFile\". \n\nExample shown below:\n \nnet:\n tls:\n mode: requireTLS\n certificateKeyFile: /etc/ssl/mongodb.pem\n CAFile: /etc/ssl/caToValidateClientCertificates.pem\n ocsp:\n enabled: true\n responderURL: \n\nRun the following commands on the file indicated by this key:\n\nchmod 600 /etc/ssl/caToValidateClientCertificates.pem","ccis":["CCI-004910"]},{"vulnId":"V-281700","ruleId":"SV-281700r1179499_rule","severity":"low","ruleTitle":"MongoDB must terminate a user session after organization-defined conditions or trigger events requiring session disconnect via a scheduled script.","description":"This addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. \n\nSession termination ends all processes associated with a user's logical session except those batch processes/jobs that are specifically created by the user (i.e., session owner) to continue after the session is terminated. \n\nConditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.\n\nThis capability is typically reserved for specific cases where the system owner, data owner, or organization requires additional assurance.","checkContent":"Review system documentation to obtain the organization's definition of circumstances requiring automatic session termination. \n\nIf the documentation explicitly states that such termination is not required or is prohibited, this is not a finding. \n\nEnsure a script is in place and scheduled that does the following (see fix content for example commands):\n1. Lists all user sessions. \n2. From the output, determines which user-initiated database sessions must be terminated. \n3. Terminates the identified sessions by user. \n\nIf a script does not exist or is not scheduled to run at least daily, this is a finding.","fixText":"Determine the situations when a user-initiated database session must be terminated.\n\nNote: The user running the commands shown below must have privileges with listSessions, killAnySession and impersonate action on the cluster.\n\nIn the MongoDB shell, as an authenticated user, run the following command to list all user sessions:\n\n> use config\n> db.system.sessions.aggregate( [ { $listSessions: { allUsers: true } }\n\nReference: https://docs.mongodb.com/v8.0/reference/operator/aggregation/listSessions/\n\nExample output:\n\n{ \"_id\" : { \"id\" : UUID(\"b3b50641-54c6-4d6d-a96e-a2239fadce3c\"), \"uid\" : BinData(0,\"Y5mrDaxi8gv8RmdTsQ+1j7fmkr7JUsabhNmXAheU0fg=\") }, \"lastUse\" : ISODate(\"2021-09-23T23:34:43.951Z\"), \"user\" : { \"name\" : \"jsmith@admin\" } }\n\nFrom the output, identify the names of users whose sessions should be terminated. Using the user for each session to be terminated, run the following command (still in MongoDB shell):\n\n> db.runCommand( { killAllSessionsByPattern: [ { users: [ { user: , db: }, ... ] }] } )\n\nExample to terminate user \"jsmith@admin\" sessions from example output:\n\n> db.runCommand( { killAllSessionsByPattern: [ { users: [ { user: \"jsmith\", db: \"admin\" } ] }]} )\n\nTo terminate all user sessions running on the database, run the following command (still in MongoDB shell):\n\n> db.runCommand( { killAllSessionsByPattern: [ ] } )\n\nReference: https://docs.mongodb.com/v8.0/reference/command/killAllSessionsByPattern/","ccis":["CCI-002361"]},{"vulnId":"V-282943","ruleId":"SV-282943r1179530_rule","severity":"medium","ruleTitle":"MongoDB must be configured to restrict the use of administrator access to authorized IP addresses.","description":"MongoDB will use Authentication Restrictions to enforce network-based separation of admin users from application users on the same port. \n\nWith Authentication Restrictions, the database can be configured to specify a list of IP addresses and CIDR ranges from which a user is allowed to connect to the server or from which the server can accept users. \n\nAuthentication Restrictions addresses the following: \n- Network-based Separation: Admin users are restricted to connecting only from designated admin networks/IPs, while application users are restricted to the application subnet. \n- Unauthorized Access Mitigation: Even if credentials are compromised, connections are blocked from unauthorized networks at the authentication level, leaving no chance for bypass.","checkContent":"To verify administrative access is logically separated and restricted to authorized management networks:\n\n1. Review the organization-defined administrative roles. These administrative roles include, but are not limited to: root, clusterAdmin, dbAdminAnyDatabase, userAdminAnyDatabase, dbAdmin, userAdmin, and dbOwner.\n\n2. Review all users within the admin database to identify those assigned any of the administrative roles defined above. \n\n3. For each identified administrative user, check for the presence of the authenticationRestrictions field. Verify that a clientSource is defined to restrict access to authorized management networks. \n\nExample script:\n\n// Define admin roles\nconst adminRoles = new Set([\"root\", \"clusterAdmin\", \"dbAdminAnyDatabase\", \"userAdminAnyDatabase\", \"dbAdmin\", \"userAdmin\", \"dbOwner\", \"\"]);\n\n// Check all users under 'admin' and filter for admin roles\nconst admins = db.getSiblingDB(\"admin\").system.users.find().toArray()\n .filter(u => u.roles.some(r => adminRoles.has(r.role)))\n .map(u => {\n const restr = u.authenticationRestrictions || [];\n const clientIPs = restr.flatMap(r => r.clientSource || []);\n const serverIPs = restr.flatMap(r => r.serverAddress || []);\n\n return {\n \"User\": u.user,\n \"DB\": u.db,\n \"Admin Roles\": u.roles.filter(r => adminRoles.has(r.role)).map(r => r.role).join(\", \"),\n \"Client IPs\": clientIPs.length ? clientIPs.join(\", \") : \"ANY (Unrestricted)\",\n \"Server Address\": serverIPs.length ? serverIPs.join(\", \") : \"ANY (Unrestricted)\"\n };\n });\n\nconsole.table(admins);\n\nIf an administrative user does not have an authenticationRestrictions field defined, or if the clientSource is not restricted to a valid, organization-defined management network, this is a finding. \n\nIf the local policy requires interface-specific isolation and the Server Address is not defined or is not restricted to the server's management interface IP, this is a finding.\n\nIn the absence of approved documentation, assume localhost (127.0.0.1) is the only approved address.\n\nExample output: (note that user0 is compliant while user1 is not) \n\n(index) User DB Admin Roles Client IPs Server Address\n0 'user0' 'admin' 'root' '127.0.0.1' '127.0.0.1'\n1 'user1' 'admin' 'root' 'ANY (Unrestricted)' 'ANY (Unrestricted)'","fixText":"For all administrative users that do not have network restrictions configured, use the following command:\n \nuse admin\ndb.updateUser( \"\", { authenticationRestrictions: [ { clientSource: [ \"\", serverAddress: [\"\"] } ] })\n\nRun the following command to set to local host:\n\nuse admin\ndb.updateUser(\"\", { authenticationRestrictions: [ { clientSource: [\"127.0.0.1\"], serverAddress: [\"127.0.0.1\"] } ] })\n\nMore information can be found here: \nhttps://www.mongodb.com/docs/manual/reference/command/createUser/#authentication-restrictions","ccis":["CCI-000382"]}]}