V-252142

Discussion

The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse. Satisfies: SRG-APP-000243-DB-000373, SRG-APP-000243-DB-000374

Check Content

By default, the MongoDB official installation packages restrict user and group ownership and read/write permissions on the underlying data files and critical configuration files from other operating system users. 

In addition, process and memory isolation is used by default. System administrators should also consider if whole database encryption would be an effective control on an application basis.

Run the following commands to verify proper permissions for the following database files or directories:

stat /etc/mongod.conf

If the owner and group are not both mongod, this is a finding.

If the file permissions are more permissive than 600, this is a finding.

stat  /var/lib/mongo

If the owner and group are not both mongod, this is a finding.

If the file permissions are more permissive than 755, this is a finding.

ls -l /var/lib/mongo

If the owner and group of  any file or sub-directory is not mongod, this is a finding.

If the permission of any file in the main directory (/var/lib/mongo) or sub-directory of (/var/lib/mongo) is more permissive than 600, this is a finding.

If the permission of any sub-directory of (/var/lib/mongo) is more permissive than 700, this is a finding.