Rule ID
SV-252177r961521_rule
Version
V1R4
CCIs
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
If MongoDB is configured to authenticate using SASL and LDAP check the saslauthd command line options in the system boot script that starts saslauthd (the location will be dependent on the specific Linux operating system and boot script layout and naming conventions). If the "-t" option is not set for the "saslauthd" process in the system boot script, this is a finding.
With MongoDB configured using SASL LDAP authentication and on certain Linux distributions, saslauthd starts with the caching of authentication credentials enabled. Until restarted or until the cache expires, saslauthd will not contact the LDAP server to re-authenticate users in its authentication cache. This allows saslauthd to successfully authenticate users in its cache, even in the LDAP server is down or if the cached users' credentials are revoked. To set the expiration time (in seconds) for the authentication cache, see the -t option of saslauthd (https://www.systutorials.com/docs/linux/man/8-saslauthd/).