STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Jul 2020

MongoDB must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.

DISA Rule

SV-96613r1_rule

Vulnerability Number

V-81899

Group Title

SRG-APP-000328-DB-000301

Rule Version

MD3X-00-000570

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Revoke any roles with unnecessary privileges to privileged functionality by executing the revoke command as documented here:
https://docs.mongodb.com/v3.4/reference/method/db.revokeRolesFromUser/

Revoke any unnecessary privileges from any roles by executing the revoke command as documented here:
https://docs.mongodb.com/v3.4/reference/method/db.revokePrivilegesFromRole/

If a new role with associated privileges needs to be created, follow the documentation here:
https://docs.mongodb.com/v3.4/reference/command/createRole/

Check Contents

Review the system documentation to obtain the definition of the database/DBMS functionality considered privileged in the context of the system in question.

If any functionality considered privileged has access privileges granted to non-privileged users, this is a finding.
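One way to script the check and the role-revocation fix above, as an added example that is not part of the STIG or of MongoDB's documentation. It assumes role and user documents shaped like the output of `db.getRoles({showPrivileges: true})` and `db.getUsers()`; the privileged-action list, the approved-user list, and all sample names are constructed for illustration.

```javascript
// Constructed inputs. In a real review the privileged actions and approved
// users come from the system documentation; the role and user documents have
// the shape of db.getRoles({showPrivileges: true}) and db.getUsers() output.
const PRIVILEGED_ACTIONS = new Set(["createUser", "grantRole", "dropDatabase"]);
const APPROVED_USERS = new Set(["admin.dbaAlice"]); // "<authDb>.<user>"

const sampleRoles = [
  { role: "appReadWrite", db: "sales", inheritedPrivileges: [
    { resource: { db: "sales", collection: "" }, actions: ["find", "insert", "update"] }] },
  { role: "appMaintenance", db: "sales", inheritedPrivileges: [
    { resource: { db: "sales", collection: "" }, actions: ["find", "dropDatabase"] }] },
];
const sampleUsers = [
  { user: "dbaAlice", db: "admin", roles: [{ role: "appMaintenance", db: "sales" }] },
  { user: "svcOrders", db: "sales", roles: [{ role: "appReadWrite", db: "sales" }] },
  { user: "analystBob", db: "sales", roles: [
    { role: "appReadWrite", db: "sales" }, { role: "appMaintenance", db: "sales" }] },
  { user: "tempEve", db: "sales", roles: [{ role: "legacyOps", db: "sales" }] },
];

// Returns one finding per (non-approved user, role) pair where the role carries
// a privileged action. A role with no definition available is reported as
// unresolved instead of being treated as harmless.
function auditPrivilegedGrants(users, roles, privilegedActions, approvedUsers) {
  const roleIndex = new Map(roles.map((r) => [`${r.db}.${r.role}`, r]));
  const findings = [];
  for (const u of users) {
    if (approvedUsers.has(`${u.db}.${u.user}`)) continue;
    for (const ref of u.roles) {
      const def = roleIndex.get(`${ref.db}.${ref.role}`);
      const actions = def
        ? [...new Set(def.inheritedPrivileges.flatMap((p) => p.actions))]
            .filter((a) => privilegedActions.has(a)).sort()
        : [];
      if (def && actions.length === 0) continue;
      findings.push({ user: u.user, userDb: u.db, role: ref.role, roleDb: ref.db,
        actions, unresolved: !def });
    }
  }
  return findings;
}

// Builds the mongo shell statement that removes the offending role from the user.
function revokeStatement(f) {
  return `db.getSiblingDB(${JSON.stringify(f.userDb)}).revokeRolesFromUser(` +
    `${JSON.stringify(f.user)}, [{ role: ${JSON.stringify(f.role)}, db: ${JSON.stringify(f.roleDb)} }])`;
}

const findings = auditPrivilegedGrants(sampleUsers, sampleRoles, PRIVILEGED_ACTIONS, APPROVED_USERS);
for (const f of findings) console.log(f.unresolved ? "REVIEW: role definition missing" : revokeStatement(f), f);
```

Using `inheritedPrivileges` instead of `privileges` means actions a role picks up from other roles are counted as well.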

Documentable

False

Severity Override Guidance

Review the system documentation to obtain the definition of the database/DBMS functionality considered privileged in the context of the system in question.

If any functionality considered privileged has access privileges granted to non-privileged users, this is a finding.

Check Content Reference

M

Target Key

3265
