Details
Using one or more industry standard authentication mechanisms helps organizations enforce their account and password policies for their MongoDB users.
Rationale
Without an industry standard authentication mechanism in place, account and password management is more tedious, and authentication may not align with the organization’s policies.
Solution
In order to implement an industry standard authentication mechanism, use the corresponding sample from the list below as a model for specifying the authentication mechanisms in the MongoDB configuration file.
x.509 Certificates for Client Authentication:

security:
  clusterAuthMode: x509
net:
  ssl:
    mode: requireSSL
    PEMKeyFile:
    CAFile:

See the reference section for a link to a detailed procedure for generating the PEMKeyFile and CAFile.

MongoDB with Kerberos Authentication on Linux:

security:
  authorization: enabled
setParameter:
  authenticationMechanisms: GSSAPI
storage:
  dbPath: /opt/mongodb/data

See the reference section for a link to a detailed procedure for establishing the Kerberos service principal and keytab file. The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.

Supportive Information
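An added audit script, not part of this benchmark or of MongoDB, that parses the mapping-only subset of mongod.conf YAML used by the two samples above and reports whether x.509 or Kerberos (GSSAPI) authentication is configured as the samples require. The embedded sample, its dbPath and the extra MONGODB-X509 check are assumptions that go slightly beyond the text.

```python
# Added example: audits the subset of mongod.conf YAML used by the samples
# above (indentation-nested "key: value" mappings, no lists). Paths are constructed.
def parse_simple_yaml(text):
    stack = [(-1, {})]                                # (indent, mapping) per level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:                 # a dedent closes nested levels
            stack.pop()
        if value.strip():
            stack[-1][1][key] = value.strip()
        else:                                         # bare "key:" opens a nested mapping
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
    return stack[0][1]

def get(cfg, dotted, default=None):                   # "net.ssl.mode" -> value or default
    for part in dotted.split("."):
        if not isinstance(cfg, dict) or part not in cfg:
            return default
        cfg = cfg[part]
    return cfg

def audit_auth(text):
    """Return findings; an empty list means x.509 or Kerberos auth is configured."""
    cfg = parse_simple_yaml(text)
    raw_mechs = str(get(cfg, "setParameter.authenticationMechanisms", "") or "")
    mechs = [m.strip() for m in raw_mechs.split(",")]
    x509 = get(cfg, "security.clusterAuthMode") == "x509" or "MONGODB-X509" in mechs
    findings = []
    if x509 and get(cfg, "net.ssl.mode") != "requireSSL":
        findings.append("x509 configured but net.ssl.mode is not requireSSL")
    for key in (("net.ssl.PEMKeyFile", "net.ssl.CAFile") if x509 else ()):
        if not get(cfg, key):                         # absent, or "PEMKeyFile:" with no value
            findings.append(f"{key} is missing or empty")
    if "GSSAPI" in mechs and get(cfg, "security.authorization") != "enabled":
        findings.append("GSSAPI listed but security.authorization is not enabled")
    if not (x509 or "GSSAPI" in mechs):
        findings.append("no industry standard authentication mechanism configured")
    return findings

KERBEROS_SAMPLE = """security:
  authorization: enabled
setParameter:
  authenticationMechanisms: GSSAPI
storage:
  dbPath: /opt/mongodb/data   # constructed input matching the Kerberos sample
"""
```

Run `audit_auth(open("/etc/mongod.conf").read())` against a real configuration; any returned string is a deviation from the samples above.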
References
Source