STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 24 Jul 2020

MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB.

DISA Rule

SV-96585r2_rule

Vulnerability Number

V-81871

Group Title

SRG-APP-000176-DB-000068

Rule Version

MD3X-00-000360

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Run these commands (substituting the PEMKeyFile and CAFile paths from mongod.conf if they differ from the defaults shown):
chown mongod:mongod /etc/ssl/mongodb.pem
chmod 600 /etc/ssl/mongodb.pem
chown mongod:mongod /etc/ssl/mongodbca.pem
chmod 600 /etc/ssl/mongodbca.pem

Check Contents

In the MongoDB database configuration file (default location: /etc/mongod.conf), review the following parameters:

net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodbca.pem

Verify ownership, group ownership, and permissions on the file given for PEMKeyFile (default 'mongodb.pem').

Run the following command against that file and review its output:
ls -al /etc/ssl/mongodb.pem

typical output (size and timestamp will differ):
-rw------- 1 mongod mongod 566 Apr 26 20:20 /etc/ssl/mongodb.pem

If the user owner is not "mongod", this is a finding.

If the group owner is not "mongod", this is a finding.

If the file is more permissive than "600", this is a finding.

Verify ownership, group ownership, and permissions on the file given for CAFile (default 'mongodbca.pem') in the same way, e.g.:
ls -al /etc/ssl/mongodbca.pem

If the user owner is not "mongod", this is a finding.

If the group owner is not "mongod", this is a finding.

If the file is more permissive than "600", this is a finding.
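The check above is manual (ls -al on each file). As an added example, not part of the STIG text or of MongoDB, the script below automates it: it pulls the PEMKeyFile and CAFile paths out of mongod.conf, then reports a finding for each file whose owner or group is not mongod or whose mode has any group/other bits set. It tests the permission bits rather than the literal string "600", so a file at 400 passes (it is not more permissive than 600) while 640 or 660 fails. Assumptions: GNU coreutils (stat -c); the config path and the mongod:mongod owner are the STIG defaults and every function accepts overrides; the audit_mongod_tls, check_key_perms and extract_conf_path names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the STIG text or of MongoDB: audit the TLS key
# material named in mongod.conf against the ownership and mode rules above.
# Assumes GNU coreutils (stat -c). Config path and owner default to the STIG
# values (/etc/mongod.conf, mongod:mongod); every function takes overrides.

# Print the value of a scalar YAML key (e.g. PEMKeyFile) from the config file.
# Takes the first match, drops trailing whitespace and surrounding quotes.
extract_conf_path() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*$//' | tr -d '\042\047'   # \042 = "  \047 = '
}

# Check one file: owner and group must match, and no group/other permission
# bits may be set (mode no more permissive than 600).
# Returns 0 when compliant, 1 on a finding, 2 if the file cannot be stat'ed.
check_key_perms() {
    file=$1; want_user=${2:-mongod}; want_group=${3:-mongod}
    perms=$(stat -c '%U %G %a' "$file" 2>/dev/null) || {
        echo "FINDING: $file: cannot stat (missing or unreadable)"; return 2; }
    set -- $perms            # split "owner group mode" into $1 $2 $3
    user=$1; group=$2; mode=$3
    rc=0
    if [ "$user" != "$want_user" ]; then
        echo "FINDING: $file: owner is $user, expected $want_user"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FINDING: $file: group is $group, expected $want_group"; rc=1
    fi
    # Leading 0 makes the shell read the mode as octal; 0077 masks group/other.
    if [ $(( 0$mode & 0077 )) -ne 0 ]; then
        echo "FINDING: $file: mode $mode is more permissive than 600"; rc=1
    fi
    if [ $rc -eq 0 ]; then
        echo "OK: $file ($user:$group $mode)"
    fi
    return $rc
}

# Read both paths from the config and check each file.
# Usage: audit_mongod_tls [config] [expected_user] [expected_group]
audit_mongod_tls() {
    conf=${1:-/etc/mongod.conf}
    key=$(extract_conf_path "$conf" PEMKeyFile)
    ca=$(extract_conf_path "$conf" CAFile)
    if [ -z "$key" ]; then echo "FINDING: no PEMKeyFile in $conf"; return 1; fi
    if [ -z "$ca" ];  then echo "FINDING: no CAFile in $conf";     return 1; fi
    status=0
    check_key_perms "$key" "${2:-mongod}" "${3:-mongod}" || status=1
    check_key_perms "$ca"  "${2:-mongod}" "${3:-mongod}" || status=1
    return $status
}

# Run directly ("sh mongod_tls_audit.sh /etc/mongod.conf") to audit a host;
# with no argument only the functions are defined, so the file can be sourced.
if [ $# -gt 0 ]; then
    audit_mongod_tls "$1"
fi
```

A non-zero exit means at least one finding was printed; the FINDING lines name the file and the attribute that failed, which maps directly onto the "this is a finding" clauses of the check. Run it as root (or as a user able to read /etc/mongod.conf and stat the key files) so that a permission error is not mistaken for a missing file.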

Documentable

False

Check Content Reference

M

Target Key

3265

Comments