STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 24 Jul 2020

MongoDB must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).

DISA Rule

SV-96591r1_rule

Vulnerability Number

V-81877

Group Title

SRG-APP-000180-DB-000115

Rule Version

MD3X-00-000390

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Prereq: To view a user's roles, you must have the "viewUser" privilege.

Connect to MongoDB.

For each database, identify the user's roles for the database.

use <database>
db.getUser("[username]")

The server will return a document with the user's roles.

To revoke a user's role from a database, use the db.revokeRolesFromUser() method.

To grant a role to a user, use the db.grantRolesToUser() method.

Check Contents

MongoDB grants access to data and commands through role-based authorization and provides built-in roles that provide the different levels of access commonly needed in a database system. You can additionally create user-defined roles.

Check a user's role to ensure correct privileges for the function:

Prereq: To view a user's roles, you must have the "viewUser" privilege.

Connect to MongoDB.

For each database in the system, identify the user's roles for the database:

use <database>
db.getUser("[username]")

The server will return a document with the user's roles.

View a role's privileges:

Prereq: To view a user's roles, you must have the "viewUser" privilege.

For each database, identify the privileges granted by a role:

use <database>
db.getRole( "read", { showPrivileges: true } )

The server will return a document with the "privileges" and "inheritedPrivileges" arrays. The "privileges" array lists the privileges directly specified by the role and excludes those privileges inherited from other roles. The "inheritedPrivileges" array lists all privileges granted by this role, both directly specified and inherited. If the role does not inherit from other roles, the two fields are the same.

If a user has a role with inappropriate privileges, this is a finding.
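The check above leaves "inappropriate privileges" to the reviewer's judgement, and the Fix Recommendation names the revoke/grant methods without showing how a finding maps to a call. The following added example (not part of the STIG text or of MongoDB's own tooling) audits documents of the shape that db.getUser() and db.getRole(name, { showPrivileges: true }) return against an allow-list of actions for the user's function, and builds the db.revokeRolesFromUser() call that would remediate each finding. It runs under Node.js on constructed sample documents (the user "reportUser", the database "sales", the custom role "salesMaint" and the allow-list are all assumptions); in a live mongo shell you would pass it the real output of the two commands instead. It reads "inheritedPrivileges" rather than "privileges" so that an action reaching the user only through role inheritance is still caught.

```javascript
'use strict';

// Constructed sample: what db.getUser("reportUser") might return on the "sales" db.
const SAMPLE_USER = {
  _id: 'sales.reportUser',
  user: 'reportUser',
  db: 'sales',
  roles: [
    { role: 'read', db: 'sales' },
    { role: 'salesMaint', db: 'sales' },
  ],
};

// Constructed sample: what db.getRole(name, { showPrivileges: true }) might return
// for each role the user holds, keyed by "<db>.<role>". "privileges" holds the direct
// grants; "inheritedPrivileges" holds direct plus inherited grants.
const READ_PRIVS = [
  { resource: { db: 'sales', collection: '' }, actions: ['find', 'listCollections', 'listIndexes'] },
];
const MAINT_PRIVS = [
  { resource: { db: 'sales', collection: 'orders' }, actions: ['update', 'remove', 'dropCollection'] },
];
const SAMPLE_ROLES = {
  'sales.read': {
    role: 'read', db: 'sales', isBuiltin: true, roles: [], inheritedRoles: [],
    privileges: READ_PRIVS,
    inheritedPrivileges: READ_PRIVS,
  },
  'sales.salesMaint': {
    role: 'salesMaint', db: 'sales', isBuiltin: false,
    roles: [{ role: 'read', db: 'sales' }],
    inheritedRoles: [{ role: 'read', db: 'sales' }],
    privileges: MAINT_PRIVS,
    inheritedPrivileges: MAINT_PRIVS.concat(READ_PRIVS),
  },
};

// Assumed policy for a read-only reporting function (not from the STIG): the only
// actions this user's job needs.
const REPORTING_ALLOWED = new Set(['find', 'listCollections', 'listIndexes']);

// Returns one finding per (role, resource, action) that falls outside the allow-list.
function auditUser(userDoc, roleDocs, allowedActions) {
  const findings = [];
  for (const ref of userDoc.roles) {
    const roleDoc = roleDocs[`${ref.db}.${ref.role}`];
    if (!roleDoc) {
      // A role the user holds but whose document we could not fetch is itself a finding:
      // its privileges are unknown and cannot be judged appropriate.
      findings.push({ role: ref.role, db: ref.db, reason: 'role document not found' });
      continue;
    }
    for (const priv of roleDoc.inheritedPrivileges) {
      for (const action of priv.actions) {
        if (!allowedActions.has(action)) {
          findings.push({ role: ref.role, db: ref.db, resource: priv.resource, action });
        }
      }
    }
  }
  return findings;
}

// Builds the mongo shell call from the Fix Recommendation that removes each offending
// role from the user, one call per distinct role.
function remediationCommands(userDoc, findings) {
  const roles = new Map();
  for (const f of findings) roles.set(`${f.db}.${f.role}`, { role: f.role, db: f.db });
  return [...roles.values()].map(
    (r) => `db.revokeRolesFromUser(${JSON.stringify(userDoc.user)}, [${JSON.stringify(r)}])`,
  );
}

function demo() {
  const findings = auditUser(SAMPLE_USER, SAMPLE_ROLES, REPORTING_ALLOWED);
  for (const f of findings) console.log('FINDING', JSON.stringify(f));
  for (const cmd of remediationCommands(SAMPLE_USER, findings)) console.log('FIX    ', cmd);
}

demo();
```

On the sample data the built-in "read" role passes, while "salesMaint" produces three findings (update, remove and dropCollection on sales.orders) and a single db.revokeRolesFromUser("reportUser", ...) call to run on the "sales" database. Replacing the allow-list with one derived from the user's documented function turns the manual check into a repeatable test.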

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3265

Comments