STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 24 Jul 2020

MongoDB must use NIST FIPS 140-2-validated cryptographic modules for cryptographic operations.

DISA Rule

SV-96589r1_rule

Vulnerability Number

V-81875

Group Title

SRG-APP-000179-DB-000114

Rule Version

MD3X-00-000380

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Enable FIPS 140-2 mode for MongoDB Enterprise.

Edit the MongoDB database configuration file (default location: /etc/mongod.conf) to contain the following parameter setting:

net:
  ssl:
    FIPSMode: true

Stop/start (restart) the mongod or mongos instance using this configuration.

For the operating system finding, please refer to the appropriate operating system documentation for the procedure to install, configure, and test FIPS mode.

Check Contents

If MongoDB is deployed in a classified environment:

In the MongoDB database configuration file (default location: /etc/mongod.conf), search for and review the following parameters:

net:
  ssl:
    FIPSMode: true

If this parameter is not present in the configuration file, this is a finding.

If "FIPSMode" is set to "false", this is a finding.

Check the server log file for a message that FIPS is active:
Search the log for the following text: "FIPS 140-2 mode activated".

If this text is not found, this is a finding.

Verify that FIPS has been enabled at the operating system. The following will return "1" if FIPS is enabled:
cat /proc/sys/crypto/fips_enabled

If the above command does not return "1", this is a finding.
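The three checks above as one script, added here as an example (it is not part of the STIG or of MongoDB). Each check takes a file path so it can be pointed at the real /etc/mongod.conf, mongod log and /proc/sys/crypto/fips_enabled, or at the constructed samples at the bottom; the config parser assumes a space-indented block-YAML mongod.conf, not the inline {net: {ssl: ...}} form.

```shell
#!/bin/sh
# Added example, not part of the STIG or of MongoDB: the three
# MD3X-00-000380 checks as functions that take file paths, so they can be
# run against the real files or against constructed samples.

# Check 1: net.ssl.FIPSMode is literally "true" in the YAML config.
# Assumes space-indented block YAML (not the inline {net: {ssl: ...}} form).
conf_fips_enabled() {
    value=$(awk '
        /^[ \t]*#/ { next }                       # comment line
        /^[ \t]*$/ { next }                       # blank line
        {
            line = $0; sub(/^[ ]*/, "", line)
            ind = length($0) - length(line)       # indentation depth
            $0 = line                             # re-split the fields
            if (in_net && ind <= net_ind) in_net = 0   # left the net: block
            if (in_ssl && ind <= ssl_ind) in_ssl = 0   # left the ssl: block
            if (!in_net && $1 == "net:") { in_net = 1; net_ind = ind; next }
            if (in_net && !in_ssl && $1 == "ssl:") { in_ssl = 1; ssl_ind = ind; next }
            if (in_net && in_ssl && $1 == "FIPSMode:") { print $2; exit }
        }' "$1")
    [ "$value" = "true" ]
}

# Check 2: the server log records that FIPS mode was actually activated.
log_fips_active() { grep -q 'FIPS 140-2 mode activated' "$1"; }

# Check 3: the kernel crypto subsystem reports FIPS mode (file reads "1").
os_fips_enabled() { [ "$(cat "$1" 2>/dev/null)" = "1" ]; }

# Runs all three checks, prints each finding, returns the number of findings.
audit_fips() {
    findings=0
    conf_fips_enabled "$1" || { echo "FINDING: net.ssl.FIPSMode is not true in $1"; findings=$((findings + 1)); }
    log_fips_active "$2"   || { echo "FINDING: no 'FIPS 140-2 mode activated' in $2"; findings=$((findings + 1)); }
    os_fips_enabled "$3"   || { echo "FINDING: $3 does not read 1"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample inputs (not real system files) standing in for
# /etc/mongod.conf, the mongod log and /proc/sys/crypto/fips_enabled.
tmp=$(mktemp -d)
printf 'net:\n  port: 27017\n  ssl:\n    mode: requireSSL\n    FIPSMode: true\nsecurity:\n  authorization: enabled\n' > "$tmp/good.conf"
printf 'net:\n  ssl:\n    mode: requireSSL\n    FIPSMode: false\n' > "$tmp/bad.conf"
printf '2020-07-24T00:00:00.000+0000 I CONTROL  [initandlisten] FIPS 140-2 mode activated\n' > "$tmp/good.log"
printf '2020-07-24T00:00:00.000+0000 I CONTROL  [initandlisten] MongoDB starting\n' > "$tmp/bad.log"
printf '1\n' > "$tmp/fips_on"; printf '0\n' > "$tmp/fips_off"
audit_fips "$tmp/good.conf" "$tmp/good.log" "$tmp/fips_on" && echo "compliant: no findings"
```

The exit status of audit_fips is the number of findings (0 to 3), so it can be used directly from a scheduled compliance job.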

Documentable

False

Check Content Reference

M

Target Key

3265

Comments