V-265942

Discussion

Failure to provide logical access restrictions associated with changes to configuration may have significant effects on the overall security of the system. When dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals should be allowed to obtain access to system components for the purposes of initiating changes, including upgrades and modifications.

Check Content

To verify that authentication and Role-Based Access Controls (RBAC) is configured correctly and restrictions are being enforced, create a test user and a custom role, and then confirm expected operations:

Once authenticated as a DBA administrator, use db.createUser() to create an additional user.

The following operation adds a user "myTester" to the test database who has read-only access on the test database:

> use test
> db.createUser(
   {
      user: "myTester", pwd: <password>,
      roles: [
         { role: "read", db: "test" }
      ]
    }
 )

Log out and then back in as the "test" database user. Issue the following to attempt to write to the test database with a read-only privilege:

> use test
> db.testCollection.insertOne( { x: 1 } )

This operation will fail with an error similar to the following:

"MongoServerError":"not authorized on test to execute command"{
   "insert":"testCollection",
   "documents":[
      {
         "x":1,
         "_id":"ObjectId(""6500b96d1114d3a3ba7dda39"")"
      }
   ],
   "ordered":true,
   "lsid":{
      "id":"UUID(""6cb3b9af-1ddc-446c-b0e0-bc9bf22807fa"")"
   },
   "$db":"test"
}

If the operation does not fail, this is a finding.