
V-279364

CAT II (Medium)

Access to database files must be limited to relevant processes and to authorized, administrative users.

Rule ID

SV-279364r1179259_rule

STIG

MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001090

Discussion

Applications, including database management systems (DBMSs), must prevent unauthorized and unintended information transfer via shared system resources. Permitting only DBMS processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor access and manipulation.

Satisfies: SRG-APP-000243-DB-000374, SRG-APP-000243-DB-000373

Check Content

By default, the MongoDB official installation packages restrict user and group ownership and read/write permissions on the underlying data files and critical configuration files from other operating system users.

In addition, process and memory isolation is used by default. System administrators should also consider whether whole-database encryption would be an effective control on a per-application basis.

Run the following commands to verify the permissions on the database files and directories:

$ stat /etc/mongod.conf

If the owner and group are not both "mongod", this is a finding.

If the file permissions are more permissive than "600", this is a finding.

$ stat /var/lib/mongo

If the owner and group are not both "mongod", this is a finding.

If the file permissions are more permissive than "755", this is a finding.

$ ls -l /var/lib/mongo

If the owner and group of any file or sub-directory are not both "mongod", this is a finding.

If the permissions of any file in the main directory (/var/lib/mongo) or in any of its sub-directories are more permissive than "600", this is a finding.

If the permissions of any sub-directory of /var/lib/mongo are more permissive than "700", this is a finding.
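
The three checks above can be scripted so that nested sub-directories and hidden files, which a plain `ls -l` does not list, are covered as well. The following is an added example, not part of the STIG text; it assumes GNU stat and find, and the function names (exceeds, check_path, audit_mongo) and the FINDING/UNREADABLE output format are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the STIG text. Assumes GNU stat and find.

# exceeds MODE MAX: true when MODE sets any permission bit outside MAX.
# Compare as a bitmask: 477 is numerically below 600, yet it still
# grants group and other access.
exceeds() {
    [ $(( 0$1 & ~0$2 & 07777 )) -ne 0 ]
}

# check_path PATH MAX USER GROUP: print one line per finding for PATH.
check_path() {
    info=$(stat -c '%a %U %G' -- "$1" 2>/dev/null) ||
        { echo "UNREADABLE $1"; return; }
    f_mode=${info%% *}; rest=${info#* }
    f_usr=${rest% *}; f_grp=${rest#* }
    [ "$f_usr" = "$3" ] && [ "$f_grp" = "$4" ] ||
        echo "FINDING owner $f_usr:$f_grp, expected $3:$4: $1"
    if exceeds "$f_mode" "$2"; then
        echo "FINDING mode $f_mode exceeds $2: $1"
    fi
}

# audit_mongo [CONF] [DATA] [USER] [GROUP]: defaults are the paths and
# account named in the check. Prints findings; returns 1 if any exist.
audit_mongo() {
    conf=${1:-/etc/mongod.conf}; data=${2:-/var/lib/mongo}
    want_u=${3:-mongod}; want_g=${4:-mongod}
    findings=$(
        check_path "$conf" 600 "$want_u" "$want_g"
        check_path "$data" 755 "$want_u" "$want_g"
        # Recurse (ls -l does not) and include dotfiles; -mindepth 1
        # skips the top directory, which has its own 755 limit.
        find "$data" -mindepth 1 \( -type f -o -type d \) |
        while IFS= read -r p; do
            if [ -d "$p" ]; then max=700; else max=600; fi
            check_path "$p" "$max" "$want_u" "$want_g"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Calling `audit_mongo` with no arguments, as a user able to read the data directory, checks the default locations; a return status of 1 means at least one line was printed.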

Fix Text

Correct the permissions on the files and/or directories that are in violation.

MongoDB configuration file (default location /etc/mongod.conf):

$ chown mongod:mongod /etc/mongod.conf
$ chmod 600 /etc/mongod.conf

MongoDB data files and directories (default location /var/lib/mongo):

$ chown -R mongod:mongod /var/lib/mongo
$ chmod 755 /var/lib/mongo

$ find /var/lib/mongo -mindepth 1 -type f -exec chmod 600 {} +
$ find /var/lib/mongo -mindepth 1 -type d -exec chmod 700 {} +