SV-96623r1_rule
V-81909
SRG-APP-000378-DB-000365
MD3X-00-000650
CAT II
10
Revoke, from each affected user, any role that grants unnecessary privileges to privileged functionality, using db.revokeRolesFromUser().
Revoke any unnecessary privileges from the roles themselves, using db.revokePrivilegesFromRole(). Built-in roles cannot be modified; where a built-in role is the source of the excess privilege, replace it rather than editing it.
Create, as needed, new role(s) carrying only the required privileges with db.createRole(), and grant them in place of the over-privileged roles with db.grantRolesToUser().
If MongoDB supports only software development, experimentation, and/or developer-level testing (that is, excluding production systems, integration testing, stress testing, and user acceptance testing), this is not a finding.
Review the MongoDB role and user configuration to determine whether non-administrative users can create, alter, or replace stored functions or views.
The following MongoDB shell command lists the roles defined on the current database together with their privileges, including built-in roles; run it against each database, since user-defined roles are scoped to the database they were created in, and use db.getUsers() to see which users hold which roles:
db.getRoles( { rolesInfo: 1, showPrivileges:true, showBuiltinRoles: true })
If any non-administrative user or role holds privileges that allow creating, altering, or replacing views or stored functions (for example createCollection or collMod on a database, or insert/update/remove on its system.js collection), and these permissions are not documented and approved, this is a finding.
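As an added example that is not part of this STIG or of MongoDB's own tooling, the following script walks the documents returned by the db.getRoles() call above, flags every non-administrative role whose own or inherited privileges allow creating, altering, or replacing views or stored functions, and builds the db.revokePrivilegesFromRole() and db.createRole() inputs the fix steps call for. It runs unchanged under Node.js (dry run over a constructed sample) or under mongosh (against the live role list). The mapping of privilege actions to that capability (createCollection/collMod/dropCollection for views; insert/update/remove on system.js for stored functions), the list of roles treated as administrative, and the sample role documents are assumptions made for this example, not taken from the STIG.

```javascript
// Added example (not STIG or MongoDB code). Audit db.getRoles() output for roles that can
// create/alter/replace views or stored functions, then plan the revokes that remediate them.

// Assumption: views are created, altered and replaced through the createCollection, collMod
// and dropCollection actions; stored functions are documents in <db>.system.js, so
// insert/update/remove on that collection (or on anyResource) is what lets a user define them.
const VIEW_ACTIONS = new Set(['createCollection', 'collMod', 'dropCollection', 'anyAction']);
const FUNCTION_ACTIONS = new Set(['insert', 'update', 'remove', 'anyAction']);
const FUNCTION_COLLECTION = 'system.js';

// Assumption: roles the reviewer accepts as administrative for this check.
const ADMIN_ROLES = new Set(['root', '__system', 'dbOwner', 'dbAdmin', 'dbAdminAnyDatabase',
  'userAdmin', 'userAdminAnyDatabase']);

// Returns the actions of one privilege that grant view or function control, tagged by kind.
function privilegeConcerns(priv) {
  const res = priv.resource || {};
  const actions = priv.actions || [];
  const any = res.anyResource === true;
  const concerns = [];
  // A resource with a `db` key names a database or collection; `{cluster: true}` never does.
  if (any || 'db' in res) {
    for (const a of actions) if (VIEW_ACTIONS.has(a)) concerns.push(`view:${a}`);
  }
  // `{db: 'x', collection: ''}` excludes system.* collections, so only an explicit system.js
  // resource (or anyResource) reaches stored functions.
  if (any || res.collection === FUNCTION_COLLECTION) {
    for (const a of actions) if (FUNCTION_ACTIONS.has(a)) concerns.push(`function:${a}`);
  }
  return concerns;
}

// One finding per role (own plus inherited privileges), skipping admin roles and roles
// documented as approved under their "db.role" name.
function auditRoles(roles, approved = new Set()) {
  const findings = [];
  for (const r of roles) {
    const name = `${r.db}.${r.role}`;
    if (ADMIN_ROLES.has(r.role) || approved.has(name)) continue;
    const privs = [...(r.privileges || []), ...(r.inheritedPrivileges || [])];
    const concerns = new Set(privs.flatMap(privilegeConcerns));
    if (concerns.size) findings.push({ role: name, builtin: !!r.isBuiltin, concerns: [...concerns].sort() });
  }
  return findings;
}

// For a user-defined role: the argument for db.revokePrivilegesFromRole() (only the offending
// actions on each resource) and the trimmed definition a replacement role would be created with.
function buildRemediation(roleDoc) {
  const revoke = [], keep = [];
  for (const p of roleDoc.privileges || []) {
    const flagged = new Set(privilegeConcerns(p).map(c => c.split(':')[1]));
    const bad = p.actions.filter(a => flagged.has(a));
    const good = p.actions.filter(a => !flagged.has(a));
    if (bad.length) revoke.push({ resource: p.resource, actions: bad });
    if (good.length) keep.push({ resource: p.resource, actions: good });
  }
  return { revoke, replacementRole: { createRole: roleDoc.role, privileges: keep, roles: roleDoc.roles || [] } };
}

// Constructed sample in the shape db.getRoles() returns (not from a real deployment).
const sampleRoles = [
  { role: 'reportViewer', db: 'sales', isBuiltin: false, roles: [],
    privileges: [{ resource: { db: 'sales', collection: '' }, actions: ['find'] }], inheritedPrivileges: [] },
  { role: 'reportBuilder', db: 'sales', isBuiltin: false, roles: [{ role: 'read', db: 'sales' }],
    privileges: [
      { resource: { db: 'sales', collection: '' }, actions: ['find', 'createCollection', 'collMod'] },
      { resource: { db: 'sales', collection: 'system.js' }, actions: ['find', 'insert', 'update', 'remove'] }],
    inheritedPrivileges: [{ resource: { db: 'sales', collection: '' }, actions: ['find'] }] },
  { role: 'dbAdmin', db: 'admin', isBuiltin: true, roles: [],
    privileges: [{ resource: { db: '', collection: '' }, actions: ['collMod', 'createCollection'] }], inheritedPrivileges: [] },
];

const inMongosh = typeof db !== 'undefined';
const roles = inMongosh ? db.getRoles({ rolesInfo: 1, showPrivileges: true, showBuiltinRoles: true }) : sampleRoles;
const findings = auditRoles(roles);
const APPLY = false; // set to true in mongosh to execute the revokes instead of only printing them
for (const f of findings) {
  console.log(`finding: ${f.role}${f.builtin ? ' (built-in)' : ''} -> ${f.concerns.join(', ')}`);
  if (f.builtin) continue; // built-in roles cannot be altered; review who holds them via db.getUsers()
  const doc = roles.find(r => `${r.db}.${r.role}` === f.role);
  const plan = buildRemediation(doc);
  console.log(`  revoke: ${JSON.stringify(plan.revoke)}`);
  console.log(`  replacement role: ${JSON.stringify(plan.replacementRole)}`);
  if (inMongosh && APPLY) db.getSiblingDB(doc.db).revokePrivilegesFromRole(doc.role, plan.revoke);
}
```

Run it with node for the dry run, or with mongosh --file against each database to audit the live roles; pass the documented exceptions as the approved set so only undocumented grants surface as findings.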
V-81909
False
MD3X-00-000650
M
3265