Details

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

If MongoDB is configured to authenticate using SASL and LDAP/Active Directory modify and restart the saslauthd command line options in the system boot script and set the ‘-t’ option to the appropriate timeout in seconds.

From the Linux Command line (with root/sudo privs) run the following command to restart the saslauthd process after making the change for the ‘-t’ parameter:

systemctl restart saslauthd

If any mongos process is running (a MongoDB shared cluster) the ‘userCacheInvalidationIntervalSecs’ option to adjust the timeout in seconds can be changed from the default ’30’ seconds.

This is accomplished by modifying the mongos configuration file (default location: /etc/mongos.conf) and then restarting mongos.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MDB_Enterprise_Advanced_3-x_V1R2_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Unix.

References

• 800-53|IA-5(13)
• CAT|II
• CCI|CCI-002007
• Rule-ID|SV-96629r1_rule
• STIG-ID|MD3X-00-000710
• Vuln-ID|V-81915

Source

• Tenable.com/audits