STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279412

CAT II (Medium)

MongoDB must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.

Rule ID

SV-279412r1179403_rule

STIG

MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-004910

Discussion

A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.

Check Content

Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named "net.tls.CAFile". 

Example shown below:
net:
   tls:
      mode: requireTLS
      certificateKeyFile: /etc/ssl/mongodb.pem
      CAFile: /etc/ssl/caToValidateClientCertificates.pem
      ocsp:
        enabled: true
        responderURL: <your organization's OCSP responder URL>

Run the following command on the file indicated by this key:

stat /etc/ssl/caToValidateClientCertificates.pem

If the output does not show file permissions of "-rw-------", this is a finding.
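As an added check script (it is not part of the STIG text and not MongoDB's own tooling), the following Python resolves net.tls.CAFile from a mongod.conf and applies the "-rw-------" test above to the file it names. SAMPLE_CONF and the throwaway file created by demo() are constructed for illustration; the key resolver only handles the plain nested-mapping layout shown in the STIG example, not full YAML.

```python
import os
import stat
import tempfile

# Constructed mongod.conf fragment mirroring the STIG example (not a real host).
SAMPLE_CONF = """net:
   tls:
      certificateKeyFile: /etc/ssl/mongodb.pem
      CAFile: /etc/ssl/caToValidateClientCertificates.pem
      ocsp:
        enabled: true
"""

def find_key_path(conf_text, dotted):
    """Resolve a dotted key such as 'net.tls.CAFile' in a plain
    indentation-based YAML mapping; return the value or None."""
    stack = []  # (indent, key) pairs for the current nesting
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # pop sibling/deeper keys
            stack.pop()
        stack.append((indent, key))
        if ".".join(k for _, k in stack) == dotted:
            return value.strip() or None
    return None

def audit_cafile(conf_text):
    """Finding unless net.tls.CAFile names a regular file with mode 0600."""
    ca_path = find_key_path(conf_text, "net.tls.CAFile")
    if ca_path is None:
        return {"finding": True, "reason": "net.tls.CAFile not set"}
    st = os.stat(ca_path)
    mode = stat.S_IMODE(st.st_mode)
    ok = stat.S_ISREG(st.st_mode) and mode == 0o600  # "-rw-------"
    return {"finding": not ok, "path": ca_path, "mode": oct(mode)}

def demo(mode):
    """Constructed scenario: a throwaway CA file with `mode`, conf pointed at it."""
    fd, ca_path = tempfile.mkstemp(suffix=".pem")
    os.close(fd)
    try:
        os.chmod(ca_path, mode)
        return audit_cafile(SAMPLE_CONF.replace("/etc/ssl/caToValidateClientCertificates.pem", ca_path))
    finally:
        os.unlink(ca_path)
```

Running audit_cafile() against the real /etc/mongod.conf contents reports the same finding the manual stat check would.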

Fix Text

Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named "net.tls.CAFile". 

Example shown below:
net:
   tls:
      mode: requireTLS
      certificateKeyFile: /etc/ssl/mongodb.pem
      CAFile: /etc/ssl/caToValidateClientCertificates.pem
      ocsp:
        enabled: true
        responderURL: <your organization's OCSP responder URL>

Run the following command on the file indicated by this key:

chmod 600 /etc/ssl/caToValidateClientCertificates.pem