
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279332

CAT I (High)

MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

Rule ID

SV-279332r1179502_rule

STIG

MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000015

Discussion

Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization. A comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in noncentralized account stores, such as multiple servers. Account management functions can also include assignment of group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example, using email or text messaging to notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephone notification to report atypical system account usage. The DBMS must be configured to automatically use organization-level account management functions, and these functions must immediately enforce the organization's current account policy. Automation may comprise differing technologies, which when placed together, contain an overall mechanism supporting an organization's automated account management requirements.

Check Content

Verify that the MongoDB configuration file (default location /etc/mongod.conf) contains the following:

security:
  authorization: "enabled"

If using OIDC for human users:

Verify the MongoDB configuration file (default location: /etc/mongod.conf) contains the following:

setParameter:
  authenticationMechanisms: "MONGODB-OIDC"
  oidcIdentityProviders: [ {
    issuer: "<Issuer URL from IdP>",
    audience: "<>",
    matchPattern: "<>",
    JWKSPollSecs: "<>"
  } ]

If security.authorization is not set to "enabled", or if OIDC is in use and these setParameter entries are not present, this is a finding.

Refer to Security OIDC/OAuth 2.0 configuration documentation for additional details: 
https://www.mongodb.com/docs/manual/core/oidc/security-oidc/

Fix Text

Edit the MongoDB configuration file (default location /etc/mongod.conf) to include the following:

security:
  authorization: "enabled"

Enabling authorization turns on access control; password users then authenticate with the default SCRAM-SHA-256 mechanism.

Instructions for configuring the default authentication are provided here: 
https://www.mongodb.com/docs/v8.0/tutorial/enable-authentication/

The high-level steps described there are:

1. Start MongoDB without access control.
2. Connect to the instance.
3. Create the user administrator.
4. Restart the MongoDB instance with access control.
5. Connect and authenticate as the user administrator.
6. Create additional users as needed for the deployment.
 
For OIDC, edit the MongoDB configuration file (default location /etc/mongod.conf) to include the following:

setParameter:
  authenticationMechanisms: "MONGODB-OIDC"
  oidcIdentityProviders: [ {
    issuer: "<Issuer URL from IdP>",
    audience: "<>",
    matchPattern: "<>",
    JWKSPollSecs: "<>"
  } ]

Configuration information for OIDC workforce identity federation (human users) can be found here: https://www.mongodb.com/docs/manual/core/oidc/workforce/configure-oidc/#std-label-configure-oidc.

Configuration information for OAuth 2.0 workload identity federation (applications and services) can be found here: https://www.mongodb.com/docs/manual/core/oidc/workload/configure-mongodb-workload/#std-label-configure-mongodb-workload.
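The following is an added example, not part of the STIG and not MongoDB's own tooling: a mongosh script that performs the Check Content above (and validates the four OIDC provider fields the fix text lists) against what the running mongod reports through db.adminCommand({getCmdLineOpts: 1}) and getParameter, rather than against the file on disk, so an /etc/mongod.conf that was edited but never applied by a restart is caught. The evaluateStig function, the "<>" placeholder test, the sample documents and the SCRAM warning are this example's own constructions; it assumes the server reports authenticationMechanisms as an array of mechanism names and oidcIdentityProviders as an array of provider objects, and that the check's four OIDC fields are all required.

```javascript
// Added example (not from the STIG or from MongoDB): evaluate V-279332 against
// the options a running mongod reports. Under mongosh the global `db` exists
// and the live server is queried; under node the constructed samples run.

// cmdLineOpts: result of db.adminCommand({getCmdLineOpts: 1})
// params:      result of db.adminCommand({getParameter: "*"}) (or the subset used here)
// Returns {compliant, findings, warnings}; only `findings` are STIG findings.
function evaluateStig(cmdLineOpts, params) {
  const findings = [];
  const warnings = [];
  const parsed = (cmdLineOpts && cmdLineOpts.parsed) || {};
  const security = parsed.security || {};

  // Check 1: security.authorization must be exactly "enabled".
  if (security.authorization !== "enabled") {
    findings.push('security.authorization is not "enabled" (got ' + JSON.stringify(security.authorization) + ")");
  }

  // The server reports authenticationMechanisms as an array of names.
  const mechs = Array.isArray(params.authenticationMechanisms) ? params.authenticationMechanisms : [];

  // Check 2 (only when OIDC is in use): every configured identity provider must
  // carry the four fields the check lists, with real values rather than the
  // "<>" placeholders from the template.
  if (mechs.includes("MONGODB-OIDC")) {
    const providers = Array.isArray(params.oidcIdentityProviders) ? params.oidcIdentityProviders : [];
    if (providers.length === 0) {
      findings.push("MONGODB-OIDC is enabled but oidcIdentityProviders is empty or absent");
    }
    providers.forEach((p, i) => {
      const where = "oidcIdentityProviders[" + i + "]";
      if (typeof p.issuer !== "string" || !/^https:\/\//.test(p.issuer)) {
        findings.push(where + ".issuer is not an https:// issuer URL");
      }
      if (typeof p.audience !== "string" || p.audience === "" || p.audience === "<>") {
        findings.push(where + ".audience is missing or still a placeholder");
      }
      if (typeof p.matchPattern !== "string" || p.matchPattern === "<>") {
        findings.push(where + ".matchPattern is missing or still a placeholder");
      } else {
        try { new RegExp(p.matchPattern); } catch (e) { findings.push(where + ".matchPattern is not a valid regular expression"); }
      }
      if (typeof p.JWKSPollSecs !== "number" || p.JWKSPollSecs < 0) {
        findings.push(where + ".JWKSPollSecs is not a non-negative number of seconds");
      }
    });
  }

  // Not a STIG finding, but the fix text's user administrator authenticates
  // with SCRAM; authenticationMechanisms replaces the default list, so a value
  // of just "MONGODB-OIDC" locks password administrators out.
  if (mechs.length > 0 && !mechs.some((m) => m.startsWith("SCRAM-"))) {
    warnings.push("no SCRAM mechanism is enabled; the SCRAM user administrator cannot authenticate");
  }
  return { compliant: findings.length === 0, findings: findings, warnings: warnings };
}

// Constructed sample documents (not captured from a real server), shaped like
// the getCmdLineOpts and getParameter results.
const SAMPLE_SCRAM_OK = {
  cmdLineOpts: { parsed: { config: "/etc/mongod.conf", security: { authorization: "enabled" } }, ok: 1 },
  params: { authenticationMechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"], ok: 1 },
};
const SAMPLE_NO_AUTHZ = {
  cmdLineOpts: { parsed: { config: "/etc/mongod.conf", security: {} }, ok: 1 },
  params: { authenticationMechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"], ok: 1 },
};
// The STIG template pasted in without replacing its placeholders.
const SAMPLE_OIDC_TEMPLATE = {
  cmdLineOpts: { parsed: { security: { authorization: "enabled" } }, ok: 1 },
  params: {
    authenticationMechanisms: ["MONGODB-OIDC"],
    oidcIdentityProviders: [{ issuer: "<Issuer URL from IdP>", audience: "<>", matchPattern: "<>", JWKSPollSecs: "<>" }],
    ok: 1,
  },
};
// A filled-in OIDC configuration that keeps SCRAM for the local administrator.
const SAMPLE_OIDC_OK = {
  cmdLineOpts: { parsed: { security: { authorization: "enabled" } }, ok: 1 },
  params: {
    authenticationMechanisms: ["SCRAM-SHA-256", "MONGODB-OIDC"],
    oidcIdentityProviders: [{ issuer: "https://idp.example.com/oauth2/default", audience: "mongodb-prod", matchPattern: "@example\\.com$", JWKSPollSecs: 300 }],
    ok: 1,
  },
};

// Query the live server (mongosh only; needs a role allowed to run getParameter).
function runLive() {
  return evaluateStig(db.adminCommand({ getCmdLineOpts: 1 }), db.adminCommand({ getParameter: "*" }));
}

if (typeof db !== "undefined") {
  console.log(JSON.stringify(runLive(), null, 2));
} else {
  const samples = { SAMPLE_SCRAM_OK, SAMPLE_NO_AUTHZ, SAMPLE_OIDC_TEMPLATE, SAMPLE_OIDC_OK };
  for (const name of Object.keys(samples)) {
    const s = samples[name];
    console.log(name + ": " + JSON.stringify(evaluateStig(s.cmdLineOpts, s.params)));
  }
}
```

Run it as `mongosh --file check_v279332.js` against the instance, authenticated as a user with a role that permits getParameter and getCmdLineOpts, or as `node check_v279332.js` to see the constructed samples evaluated. The warning path is the caveat worth keeping in mind when applying the OIDC fix: setParameter.authenticationMechanisms replaces the server's default list, so a value of only "MONGODB-OIDC" prevents the SCRAM user administrator created in the fix steps from authenticating; list SCRAM-SHA-256 alongside MONGODB-OIDC if that account must keep working.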