STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jul 2020:

Unused database components, DBMS software, and database objects must be removed.

DISA Rule

SV-96573r1_rule

Vulnerability Number

V-81859

Group Title

SRG-APP-000141-DB-000091

Rule Version

MD3X-00-000280

Severity

CAT II

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

On data-bearing nodes and arbiter nodes, the mongodb-enterprise-tools, mongodb-enterprise-shell and mongodb-enterprise-mongos can be removed (or not installed).

On applications servers that typically run the mongos process when connecting to a shared cluster, the only package required is the mongodb-enterprise-mongos package.

Check Contents

Review the list of components and features installed with the MongoDB database.

If unused components are installed and are not documented and authorized, this is a finding.

RPM can also be used to check to see what is installed:

yum list installed | grep mongodb

This returns MongoDB database packages that have been installed.

If any packages displayed by this command are not being used, this is a finding.

Vulnerability Number

V-81859

Documentable

False

Rule Version

MD3X-00-000280

Severity Override Guidance

Review the list of components and features installed with the MongoDB database.

If unused components are installed and are not documented and authorized, this is a finding.

RPM can also be used to check to see what is installed:

yum list installed | grep mongodb

This returns MongoDB database packages that have been installed.

If any packages displayed by this command are not being used, this is a finding.

Check Content Reference

M

Target Key

3265

Comments