Rule ID
SV-265945r1028621_rule
Version
V1R1
CCIs
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The application must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. It is the responsibility of the data owner to assess the cryptography requirements in light of applicable federal laws, Executive Orders, directives, policies, regulations, and standards. NSA-approved cryptography for classified networks is hardware based. This requirement addresses the compatibility of a DBMS with the encryption devices.
If MongoDB is deployed in an unclassified environment, this is not a finding.
Run the following command as an administrative user:
> db.getSiblingDB("admin").runCommand({getCmdLineOpts: 1}).parsed.net.tls.FIPSMode
If the output is not "true", this is a finding.Enable FIPS mode for MongoDB Enterprise.
Edit the MongoDB database configuration file (default location: /etc/mongod.conf) to contain the following parameter setting:
net:
tls:
FIPSMode: true
Stop/start (restart) the mongod or mongos instance using this configuration and run the following command to verify the output is "true":
> db.getSiblingDB("admin").runCommand({getCmdLineOpts: 1}).parsed.net.tls.FIPSMode
The output of this command must be "true".
Alternatively, run the following command to search the mongod logfile for "FIPS mode 140-2 activated":
$ grep "FIPS 140-2 mode activated" /var/log/mongodb/mongod.log
There should be a line similar to what is shown below:
{"t":{"$date":"2024-05-21T19:17:49.262+00:00"},"s":"I", "c":"NETWORK", "id":23172, "ctx":"main","msg":"FIPS 140-2 mode activated"}