Details
MongoDB should not be set to bypass authentication via the localhost exception. The localhost exception lets a client connected over the localhost interface create the first user after access control has been enabled but before any user exists.
Note: This recommendation only applies when there are no users created in the MongoDB instance.
Rationale:
Disabling this exception will prevent unauthorized local access to the MongoDB database. It will also ensure traceability of each database activity to a specific user.
Solution
Since enableLocalhostAuthBypass cannot be changed at runtime with the setParameter database command, set it to false with the setParameter option in the configuration file (the key must be indented under setParameter):
setParameter:
  enableLocalhostAuthBypass: false
Default Value:
Not configured
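The following audit script is an added example and is not part of the benchmark text or of MongoDB itself. It reads a mongod configuration file (YAML) with a small stdlib-only parser, extracts setParameter.enableLocalhostAuthBypass, and reports the control as failed both when the parameter is set to true and when it is absent, because "Not configured" leaves the localhost exception enabled. The sample configurations embedded below are constructed for illustration; the path in the usage call is a placeholder.

```python
"""Audit a mongod configuration file for the localhost-exception control.

Stdlib only: the parser understands the two ways the setting is normally
written, a block mapping under `setParameter:` and an inline flow mapping
`setParameter: {enableLocalhostAuthBypass: false}`.
"""
import re
import sys
from typing import Optional, Tuple

PARAM = "enableLocalhostAuthBypass"


def _strip_comment(line: str) -> str:
    """Remove a YAML comment (a '#' at line start or after whitespace)."""
    return re.sub(r"(^|\s)#.*$", "", line).rstrip()


def config_value(yaml_text: str) -> Optional[str]:
    """Return the raw value of setParameter.enableLocalhostAuthBypass, or None if unset."""
    in_block = False
    for raw in yaml_text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:
            # A new top-level key ends any setParameter block we were reading.
            in_block = False
            m = re.match(r"^setParameter\s*:\s*(.*)$", stripped)
            if not m:
                continue
            rest = m.group(1)
            flow = re.match(r"^\{(.*)\}$", rest)
            if flow:
                for item in flow.group(1).split(","):
                    key, _, value = item.partition(":")
                    if key.strip() == PARAM:
                        return value.strip()
                return None
            in_block = True
            continue
        if in_block:
            key, _, value = stripped.partition(":")
            if key.strip() == PARAM:
                return value.strip()
    return None


def evaluate(yaml_text: str) -> Tuple[bool, str]:
    """Return (compliant, reason) for the localhost-exception control."""
    value = config_value(yaml_text)
    if value is None:
        # Not configured: mongod's default for this parameter is true.
        return False, f"{PARAM} is not configured; the localhost exception stays enabled"
    if value.lower() == "false":
        return True, f"{PARAM} is set to false"
    return False, f"{PARAM} is set to {value!r}; expected false"


# Constructed sample configurations (not from any real deployment).
COMPLIANT = """\
security:
  authorization: enabled
setParameter:
  enableLocalhostAuthBypass: false  # disable the localhost exception
"""

NONCOMPLIANT = """\
security:
  authorization: enabled
setParameter:
  enableLocalhostAuthBypass: true
"""

ABSENT = """\
security:
  authorization: enabled
net:
  bindIp: 127.0.0.1
"""

FLOW_MAPPING = "setParameter: {enableLocalhostAuthBypass: false, ttlMonitorEnabled: true}\n"


if __name__ == "__main__":
    # Usage: python audit_localhost_bypass.py /path/to/mongod.conf  (placeholder path)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else COMPLIANT
    ok, reason = evaluate(text)
    print(("PASS" if ok else "FAIL") + ": " + reason)
```

Run it against the real configuration file and, since the control only matters while no users exist, pair it with a check that the first administrative user has been created (for example via the rolesInfo or usersInfo commands in a mongo shell session).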
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.