STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 24 Jul 2020

If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords.

DISA Rule

SV-96581r1_rule

Vulnerability Number

V-81867

Group Title

SRG-APP-000171-DB-000074

Rule Version

MD3X-00-000330

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Do the following:
- Create local CA and signing keys.
- Generate and sign server certificates for member authentication.
- Generate and sign client certificates for client authentication.
- Start MongoDB cluster in non-auth mode.
- Set up replica set and initial users.
- Restart MongoDB replica set in X.509 mode using server certificates.

An example of x.509 authentication is shown here: https://www.mongodb.com/blog/post/secure-mongodb-with-x-509-authentication

Additionally, SSL/TLS must be enabled, as documented here: https://docs.mongodb.com/v3.4/tutorial/configure-ssl/

Check Contents

MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection.

x.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password.

If X.509 authentication is not used, a SCRAM-SHA-1 authentication protocol is also available. The SCRAM-SHA-1 protocol uses one-way, salted hash functions for passwords as documented here: https://docs.mongodb.com/v3.4/core/security-scram-sha-1/

To authenticate with a client certificate, you must first add a MongoDB user that corresponds to the client certificate. See "Add x.509 Certificate subject as a User", documented here: https://docs.mongodb.com/v3.4/tutorial/configure-x509-client-authentication/

To authenticate, use the db.auth() method in the $external database, specifying "MONGODB-X509" for the mechanism field, and the user that corresponds to the client certificate for the user field.

If the mechanism field is not set to "MONGODB-X509", this is a finding.
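As an added illustration of the fix steps and the check above (example code, not from the STIG or from MongoDB), a small audit helper written in the mongo shell's language, JavaScript: it evaluates a parsed 3.x mongod.conf and a db.auth() call against this rule. The configuration keys are the documented 3.x net.ssl.* and security.* options; the file paths, user names and certificate subject are constructed.

```javascript
// Added audit helper for MD3X-00-000330 (not STIG or MongoDB code). It models a parsed
// mongod.conf (3.x keys: net.ssl.*, security.*) and the db.auth() call the check describes,
// and returns findings in the rule's "this is a finding" sense. All paths are constructed.

// Server side: the configuration the "restart in X.509 mode" step must produce.
function checkMongodConfig(cfg) {
  const findings = [];
  const ssl = (cfg.net && cfg.net.ssl) || {};
  const sec = cfg.security || {};
  if (ssl.mode !== "requireSSL") {
    findings.push("net.ssl.mode is not requireSSL: certificates and SCRAM exchanges may cross the wire in the clear");
  }
  if (!ssl.PEMKeyFile) findings.push("net.ssl.PEMKeyFile missing: no server certificate for member authentication");
  if (!ssl.CAFile) findings.push("net.ssl.CAFile missing: client certificates cannot be validated against the local CA");
  if (sec.authorization !== "enabled") {
    findings.push("security.authorization is not enabled: non-auth mode is only for the initial setup step");
  }
  if (sec.clusterAuthMode !== "x509") findings.push("security.clusterAuthMode is not x509");
  return findings;
}

// Client side: the check content requires db.auth() on $external with mechanism MONGODB-X509.
function checkAuthCall(dbName, authDoc) {
  const findings = [];
  if (dbName !== "$external") findings.push("db.auth() must run against the $external database, not " + dbName);
  if (authDoc.mechanism !== "MONGODB-X509") {
    findings.push("mechanism is " + (authDoc.mechanism || "unset") + ", not MONGODB-X509: this is a finding");
  }
  return findings;
}

// Constructed samples: the non-auth bootstrap config vs. the hardened restart config.
const bootstrapConf = { net: { port: 27017 }, security: {} };
const hardenedConf = {
  net: { port: 27017, ssl: { mode: "requireSSL", PEMKeyFile: "/etc/mongodb/server.pem", CAFile: "/etc/mongodb/ca.pem" } },
  security: { authorization: "enabled", clusterAuthMode: "x509" },
};
// A password login on admin vs. the certificate login the rule expects (subject is constructed).
const passwordLogin = ["admin", { user: "appuser", pwd: "constructed-placeholder", mechanism: "SCRAM-SHA-1" }];
const certLogin = ["$external", { user: "CN=appclient,OU=apps,O=Example,C=US", mechanism: "MONGODB-X509" }];

if (typeof require !== "undefined" && require.main === module) {
  console.log("bootstrap config:", checkMongodConfig(bootstrapConf));
  console.log("hardened config:", checkMongodConfig(hardenedConf));
  console.log("password login:", checkAuthCall(...passwordLogin));
  console.log("certificate login:", checkAuthCall(...certLogin));
}
```

Running it against the bootstrap configuration reports every server-side key the hardened restart must add, and the password login reports both the wrong database and the wrong mechanism.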

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3265

Comments