Ensure that authentication is enabled for MongoDB databases

Details

This setting ensures that all clients, users, and/or servers are required to authenticate prior to being granted access to the MongoDB database.

Rationale:

Failure to authenticate clients, users, and/or servers can enable unauthorized access to the MongoDB database and can prevent tracing actions back to their sources.

Solution

The authentication mechanism should be implemented before anyone accesses the MongoDB Server.

To enable the authentication mechanism:

Start the MongoDB instance without authentication.

mongod --port 27017 --dbpath /data/db1

Or

mongod.exe --port 27017 --dbpath db1

Create the system user administrator, ensuring that its password meets organizationally-defined password complexity requirements.

use admin

db.createUser({user: "siteUserAdmin", pwd: "admin", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]})

Restart the MongoDB instance with authentication enabled.

mongod --auth --config /etc/mongod.conf

Or

mongod.exe --auth --config mongod.conf
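The restart step above only enforces authentication if either the --auth flag is on the command line or the config file sets security.authorization to enabled. The audit helper below is an added example, not part of the CIS benchmark: it checks a mongod.conf (YAML layout, as MongoDB 3.x uses) for that key and checks a captured mongod command line for --auth, using two constructed sample configs written to a temp directory.

```shell
#!/bin/sh
# Added audit helper (not from the CIS benchmark): report whether a mongod.conf
# enforces authentication. Assumes the YAML config layout, i.e. a top-level
# "security:" block containing an indented "authorization:" key.

mongodb_auth_enabled() {
    # $1 = path to mongod.conf; prints "enabled" or "disabled", returns 0 or 1
    conf="$1"
    state=$(awk '
        /^[[:space:]]*#/ { next }                    # skip comment lines
        /^security:/     { in_sec = 1; next }        # enter the security block
        /^[^[:space:]]/  { in_sec = 0 }              # any other top-level key ends it
        in_sec && $1 == "authorization:" { gsub(/"/, "", $2); print $2; exit }
    ' "$conf")
    case "$state" in
        enabled) echo enabled;  return 0 ;;
        *)       echo disabled; return 1 ;;
    esac
}

mongod_cmdline_has_auth() {
    # $1 = a mongod command line, e.g. from: ps -o args= -C mongod
    case " $1 " in *" --auth "*) return 0 ;; *) return 1 ;; esac
}

write_sample_configs() {
    # Constructed sample configs (not real deployments): one missing the
    # security block entirely, one with authorization enabled.
    dir=$(mktemp -d)
    cat > "$dir/weak.conf" <<'EOF'
storage:
  dbPath: /data/db1
net:
  port: 27017
EOF
    cat > "$dir/hardened.conf" <<'EOF'
storage:
  dbPath: /data/db1
net:
  port: 27017
security:
  authorization: "enabled"
EOF
    echo "$dir"
}

SAMPLES=$(write_sample_configs)
for name in weak hardened; do
    printf '%-15s %s\n' "$name.conf:" "$(mongodb_auth_enabled "$SAMPLES/$name.conf")"
done
mongod_cmdline_has_auth "mongod --auth --config /etc/mongod.conf" && echo "cmdline: --auth present"
```

A config file that passes this check is still overridden by whatever the running process was actually started with, so check both the file and the live command line.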

Default Value:

Not configured

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Unix.

Updated on July 16, 2022