V-252175

Discussion

Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.

Check Content

To verify that access restrictions are being enforced, create a test user and a custom role and then confirm expected operations:

Once authenticated as a DBA administrator, use db.createUser() to create an additional user. The following operation adds a user myTester to the test database who has read-only access on the test database:

 use test
 db.createUser(
   {
      user: "myTester", pwd: password,
      roles: [
         { role: "read", db: "test" }
      ]
    }
 )

Log out, then log back in as the "test" database user. Issue the following to attempt to write to the test database with a read-only privilege:

 use test
 db.testCollection.insert( { x: 1 } )

This operation will fail with a WriteResult error:

WriteCommandError({
        "ok" : 0,
        "errmsg" : "not authorized on test to execute command { insert: \"###\", ordered: \"###\", lsid: { id: \"###\" }, $db: \"###\" }",
        "code" : 13,
        "codeName" : "Unauthorized"
})

If the operation does not fail, this is a finding.