CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB...
Transcript of CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB...
![Page 1: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/1.jpg)
CISMongoDB3.2Benchmark
v1.0.0-06-07-2017
![Page 2: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/2.jpg)
1|P a g e
ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-ShareAlike4.0InternationalPublicLicense.Thelinktothelicensetermscanbefoundathttps://creativecommons.org/licenses/by-nc-sa/4.0/legalcodeTofurtherclarifytheCreativeCommonslicenserelatedtoCISBenchmarkcontent,youareauthorizedtocopyandredistributethecontentforusebyyou,withinyourorganizationandoutsideyourorganizationfornon-commercialpurposesonly,providedthat(i)appropriatecreditisgiventoCIS,(ii)alinktothelicenseisprovided.Additionally,ifyouremix,transformorbuildupontheCISBenchmark(s),youmayonlydistributethemodifiedmaterialsiftheyaresubjecttothesamelicensetermsastheoriginalBenchmarklicenseandyourderivativewillnolongerbeaCISBenchmark.CommercialuseofCISBenchmarksissubjecttothepriorapprovaloftheCenterforInternetSecurity.
![Page 3: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/3.jpg)
2|P a g e
TableofContentsOverview......................................................................................................................................................................4
IntendedAudience..............................................................................................................................................4
ConsensusGuidance...........................................................................................................................................4
TypographicalConventions............................................................................................................................5
ScoringInformation............................................................................................................................................5
ProfileDefinitions................................................................................................................................................6
Acknowledgements.............................................................................................................................................7
Recommendations....................................................................................................................................................8
1InstallationandPatching..............................................................................................................................8
1.1EnsuretheappropriateMongoDBsoftwareversion/patchesareinstalled(Scored)..........................................................................................................................................................8
2Authentication................................................................................................................................................10
2.1EnsurethatauthenticationisenabledforMongoDBdatabases(Scored)..............10
2.2EnsurethatMongoDBdoesnotbypassauthenticationviathelocalhostexception(Scored).......................................................................................................................................................12
2.3Ensureauthenticationisenabledintheshardedcluster(Scored)............................14
2.4Ensureanindustrystandardauthenticationmechanismisused(Scored)...........16
3AccessControl................................................................................................................................................18
3.1Ensurethatrole-basedaccesscontrolisenabledandconfiguredappropriately(Scored).......................................................................................................................................................18
3.2EnsurethatMongoDBonlylistensfornetworkconnectionsonauthorizedinterfaces(Scored).................................................................................................................................20
3.3EnsurethatMongoDBisrunusinganon-privileged,dedicatedserviceaccount(Scored).......................................................................................................................................................22
3.4EnsurethateachroleforeachMongoDBdatabaseisneededandgrantsonlythenecessaryprivileges(Scored)............................................................................................................24
3.5ReviewUser-DefinedRoles(Scored)......................................................................................26
3.6ReviewSuperuser/AdminRoles(Scored)............................................................................28
4DataEncryption.............................................................................................................................................30
4.1EnsureTLSorSSLprotectsallnetworkcommunications(Scored)..........................30
![Page 4: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/4.jpg)
3|P a g e
4.2EnsureFederalInformationProcessingStandard(FIPS)isenabled(Scored).....32
5Auditing.............................................................................................................................................................34
5.1Ensurethatsystemactivityisaudited(Scored)................................................................34
5.2Ensurethatauditfiltersareconfiguredproperly(Scored)..........................................36
5.3Ensurethatloggingcapturesasmuchinformationaspossible(NotScored)......38
5.4Ensurethatnewentriesareappendedtotheendofthelogfile(NotScored)....40
6OperatingSystemHardening...................................................................................................................41
6.1MongodbDatabaseRunningwithLeastPrivileges(Scored).......................................41
6.2EnsurethatMongoDBusesanon-defaultport(Scored)...............................................43
6.3EnsurethatoperatingsystemresourcelimitsaresetforMongoDB(NotScored).........................................................................................................................................................................44
6.4Ensurethatserver-sidescriptingisdisabledifnotneeded(NotScored)..............46
6.5EnsureThe'test'databaseisnotinstalled(NotScored)................................................47
7FilePermissions.............................................................................................................................................48
7.1Ensurethatkeyfilepermissionsaresetcorrectly(Scored).........................................48
7.2Ensurethatdatabasefilepermissionsaresetcorrectly(Scored).............................50
Appendix:ChangeHistory.................................................................................................................................53
![Page 5: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/5.jpg)
4|P a g e
OverviewThisdocument,CISMongoDBBenchmark,providesprescriptiveguidanceforestablishingasecureconfigurationpostureforMongoDBversion3.2.ThisguidewastestedagainstMongoDB3.2runningonUbuntuLinux14.04,butappliestootherlinuxdistributionsaswell.Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,[email protected].
IntendedAudience
Thisdocumentisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnelwhoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateMongoDB.
ConsensusGuidance
This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal. Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://community.cisecurity.org.
![Page 6: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/6.jpg)
5|P a g e
TypographicalConventions
The following typographical conventions are used throughout this guide:
Convention Meaning Stylized Monospace font Used for blocks of code, command, and script examples. Text
should be interpreted exactly as presented. Monospacefont Used for inline code, commands, or examples. Text should be
interpreted exactly as presented. <italicfontinbrackets> Italic texts set in angle brackets denote a variable requiring
substitution for a real value. Italic font Used to denote the title of a book, article, or other publication. Note Additional information or caveats
ScoringInformation
A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:
Scored
Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.
NotScored
Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
![Page 7: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/7.jpg)
6|P a g e
ProfileDefinitions
The following configuration profiles are defined by this Benchmark:
• Level 1 - MongoDB on Linux
ItemsinthisprofileapplytoMongoDBrunningonLinuxandintendto:
o be practical and prudent; o provide a clear security benefit; and o not inhibit the utility of the technology beyond acceptable means.
• Level 2 - MongoDB on Linux
Thisprofileextendsthe“Level1-MongoDBonLinux”profile.ItemsinthisprofileapplytoMongoDBrunningonLinuxandexhibitoneormoreofthefollowingcharacteristics:
o are intended for environments or use cases where security is paramount o acts as defense in depth measure o may negatively inhibit the utility or performance of the technology.
![Page 8: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/8.jpg)
7|P a g e
Acknowledgements
Thisbenchmarkexemplifiesthegreatthingsacommunityofusers,vendors,andsubjectmatterexpertscanaccomplishthroughconsensuscollaboration.TheCIScommunitythankstheentireconsensusteamwithspecialrecognitiontothefollowingindividualswhocontributedgreatlytothecreationofthisguide: Author Vinesh Redkar Security Consultant Contributor Chris Bielinski Philippe Langlois, Center for Internet Security Pralhad Chaskar Editor Karen Scarfone Tim Harrison CISSP, ICP, Center for Internet Security
![Page 9: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/9.jpg)
8|P a g e
Recommendations1InstallationandPatching
ThissectionprovidesguidanceonensuringthattheMongoDBsoftwareisuptodatetoeliminateeasilyavoidablevulnerabilities.
1.1EnsuretheappropriateMongoDBsoftwareversion/patchesareinstalled(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
TheMongoDBinstallationversion,alongwiththepatchlevel,shouldbethemostrecentthatiscompatiblewiththeorganization'soperationalneeds.
Rationale:
UsingthemostrecentMongoDBsoftwareversionalongwithallapplicablepatcheshelpslimitthepossibilitiesforvulnerabilitiesinthesoftware.Theinstallationversionand/orpatchesappliedshouldbeselectedaccordingtotheneedsoftheorganization.Atminimum,thesoftwareversionshouldbesupported.
Note:AsofOctober2016,onlyMongoDBversions3.0and3.2arestillsupported.
![Page 10: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/10.jpg)
9|P a g e
Audit:
RunthefollowingcommandfromwithintheMongoDBshelltodetermineiftheMongoDBsoftwareversioncomplieswithyourorganization’soperationalneeds:
> db.version()
Remediation:
UpgradetothelatestversionoftheMongoDBsoftware:
1. Backup the data set. 2. Download the binaries for the latest MongoDB revision from the MongoDB Download
Page and store the binaries in a temporary location. The binaries download as compressed files that extract to the directory structure used by the MongoDB installation.
3. Shutdown the MongoDB instance. 4. Replace the existing MongoDB binaries with the downloaded binaries. 5. Restart the MongoDB instance.
DefaultValue:
Patchesarenotinstalledbydefault.
References:
1. http://docs.mongodb.org/manual/tutorial/upgrade-revision/ 2. https://docs.mongodb.com/manual/release-notes/ 3. https://www.mongodb.com/download-center#community 4. https://www.mongodb.com/support-policy
CISControls:
4–ContinuousVulnerabilityAssessmentandRemediation
![Page 11: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/11.jpg)
10|P a g e
2Authentication
ThissectioncontainsrecommendationsforrequiringauthenticationbeforeallowingaccesstotheMongoDBdatabase.
2.1EnsurethatauthenticationisenabledforMongoDBdatabases(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
Thissettingensuresthatallclients,users,and/orserversarerequiredtoauthenticatepriortobeinggrantedaccesstotheMongoDBdatabase.
Rationale:
Failuretoauthenticateclients,users,and/orserverscanenableunauthorizedaccesstotheMongoDBdatabaseandcanpreventtracingactionsbacktotheirsources.
Audit:
Runthefollowingcommandtoverifywhetherauthenticationisenabled(AuthvaluesettoTrue)ontheMongoDBserver.
cat /etc/mongod.conf | grep “Auth=”
![Page 12: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/12.jpg)
11|P a g e
Remediation:
TheauthenticationmechanismshouldbeimplementedbeforeanyoneaccessestheMongoDBServer.
Toenabletheauthenticationmechanism:
• Start the MongoDB instance without authentication.
mongod --port 27017 --dbpath /data/db1]
• Create the system user administrator, ensuring that its password meets organizationally-defined password complexity requirements.
use admin db.createUser( { user: "siteUserAdmin", pwd: "password", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } )
• Restart the MongoDB instance with authentication enabled.
mongod --auth --config /etc/mongod.conf
DefaultValue:
Notconfigured
References:
1. https://www.mongodb.com/blog/post/improved-password-based-authentication-mongodb-30-scram-explained-part-1
2. https://www.owasp.org/index.php/Authentication_Cheat_Sheet
CISControls:
16–AccountMonitoringandControl
![Page 13: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/13.jpg)
12|P a g e
2.2EnsurethatMongoDBdoesnotbypassauthenticationviathelocalhostexception(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
MongoDBshouldnotbesettobypassauthenticationviathelocalhostexception.Thelocalhostexceptionallowsyoutoenableauthorizationbeforecreatingthefirstuserinthesystem.
Note:ThisrecommendationonlyapplieswhentherearenouserscreatedintheMongoDBinstance.
Rationale:
DisablingthisexceptionwillpreventunauthorizedlocalaccesstotheMongoDBdatabase.Itwillalsoensuretraceabilityofeachdatabaseactivitytoaspecificuser.
Audit:
Toverifythelocalhostexceptionisdisabled,runthefollowingcommandtoensurethatenableLocalhostAuthBypassissetto0(false):
cat /etc/mongod.conf |grep "enableLocalhostAuthBypass"
Remediation:
SinceenableLocalhostAuthBypassisnotavailableusingthesetParameterdatabasecommand,usethesetParameteroptionintheconfigurationfiletosetittofalse.
setParameter: enableLocalhostAuthBypass: false
DefaultValue:
Notconfigured
References:
1. http://docs.mongodb.org/manual/core/authentication/#localhost-exception
![Page 14: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/14.jpg)
13|P a g e
Notes:
The--setParameteroptiononthecommandlinemayalsobeusedtoconfigurethis;however,havingitintheconfigfilemayprovidegreaterconfidencethatthissettingisconfiguredcorrectlyineveryinstance.
CISControls:
16–AccountMonitoringandControl
![Page 15: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/15.jpg)
14|P a g e
2.3Ensureauthenticationisenabledintheshardedcluster(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
Authenticationisenabledinashardedclusterwhenkeyfilesarecreatedandconfiguredforallcomponents.Thisensuresthateveryclientthataccessestheclustermustprovidecredentials,toincludeMongoDBinstancesthataccesseachotherwithinthecluster.
Rationale:
EnforcingakeyonashardedclusterpreventsunauthorizedaccesstotheMongoDBdatabaseandprovidestraceabilityofdatabaseactivitiestoaspecificuserorcomponent.
Audit:
Runthefollowingcommandtoverifythatthekeyfileparameterisconfigured:
cat /etc/mongod.conf | grep “keyFile=”
Remediation:
Toenableauthenticationintheshardedcluster,performthefollowingsteps:
• Generate a key file. • On each component in the shared cluster, enable authentication by doing one of the
following: o In the configuration file /etc/mongod.conf, set the keyFile option to the key
file’s path and then start the component with this command:
keyFile = /srv/mongodb/keyfile
• When starting the component, set --keyFile option, which is an option for both mongos instances and mongod instances. Set the --keyFile to the key file’s path.
![Page 16: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/16.jpg)
15|P a g e
DefaultValue:
Notconfigured
References:
1. http://docs.mongodb.org/v2.2/administration/sharded-clusters/
CISControls:
16–AccountMonitoringandControl
![Page 17: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/17.jpg)
16|P a g e
2.4Ensureanindustrystandardauthenticationmechanismisused(Scored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
UsingoneormoreindustrystandardauthenticationmechanismshelpsorganizationsenforcetheiraccountandpasswordpoliciesfortheirMongoDBusers.
Rationale:
Withoutanindustrystandardauthenticationmechanisminplace,accountandpasswordmanagementismoretedious,andauthenticationmaynotalignwiththeorganization'spolicies.
Audit:
ToverifytheauthenticationmechanisminuseforMongoDB,runthefollowingcommands:
cat /etc/mongod.conf | grep “clusterAuthMode:” cat /etc/mongod.conf | grep “mode:” cat /etc/mongod.conf | grep “authorization:" cat /etc/mongod.conf | grep “authenticationMechanisms:”
Remediation:
Inordertoimplementanindustrystandardauthenticationmechanism,usethecorrespondingsamplefromthelistbelowasamodelforspecifyingtheauthenticationmechanismsintheMongoDBconfigurationfile.
x.509CertificatesforClientAuthentication:
security: clusterAuthMode: x509 net: ssl: mode: requireSSL PEMKeyFile: <path to TLS/SSL certificate and key PEM file> CAFile: <path to root CA PEM file>
SeethereferencesectionforalinktoadetailedprocedureforgeneratingthePEMKeyFileandCAFile.
![Page 18: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/18.jpg)
17|P a g e
MongoDBwithKerberosAuthenticationonLinux:
security: authorization: enabled setParameter: authenticationMechanisms: GSSAPI storage: dbPath: /opt/mongodb/data
SeethereferencesectionforalinktoadetailedprocedureforestablishingtheKerberosserviceprincipalandkeytabfile.
References:
1. https://docs.mongodb.com/v3.2/tutorial/configure-x509-client-authentication/ 2. https://docs.mongodb.com/v3.2/tutorial/control-access-to-mongodb-with-kerberos-
authentication/ 3. https://docs.mongodb.com/v3.2/core/kerberos/#kerberos-service-principal 4. https://docs.mongodb.com/v3.2/core/kerberos/#keytab-files
Notes:
ConfiguringtheX.509certificateanddeployingKerberosisbeyondthescopeofthedocument.
CISControls:
16–AccountMonitoringandControl
![Page 19: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/19.jpg)
18|P a g e
3AccessControl
ThissectioncontainsrecommendationsforrestrictingaccesstoMongoDBsystems.
3.1Ensurethatrole-basedaccesscontrolisenabledandconfiguredappropriately(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
Role-basedaccesscontrol(RBAC)isamethodofregulatingaccesstoresourcesbasedontherolesofindividualuserswithinanenterprise.Auserisgrantedoneormorerolesthatdeterminetheuser’saccesstodatabaseresourcesandoperations.Outsideofroleassignments,theuserhasnoaccesstothesystem.MongoDBcanuseRBACtogovernaccesstoMongoDBsystems.MongoDBdoesnotenableauthorizationbydefault.
Rationale:
Whenproperlyimplemented,RBACenablesuserstocarryoutawiderangeofauthorizedtasksbydynamicallyregulatingtheiractionsaccordingtoflexiblefunctions.Thisallowsanorganizationtocontrolemployees’accesstoalldatabasetablesthroughRBAC.
Audit:
ConnecttoMongoDBwiththeappropriateprivilegesandrunthefollowingcommand:
mongo --port 27017 -u <siteUserAdmin> -p <password> --authenticationDatabase <database name>
Identifyusers'rolesandprivileges:
> db.getUser() > db.getRole()
Verifythattheappropriateroleorroleshavebeenconfiguredforeachuser.
![Page 20: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/20.jpg)
19|P a g e
Remediation:
1. Establish roles for MongoDB. 2. Assign the appropriate privileges to each role. 3. Assign the appropriate users to each role. 4. Remove any individual privileges assigned to users that are now addressed by the roles. 5. See the reference below for more Information.
References:
1. http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/
CISControls:
14.4–ProtectInformationwithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
![Page 21: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/21.jpg)
20|P a g e
3.2EnsurethatMongoDBonlylistensfornetworkconnectionsonauthorizedinterfaces(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
EnsuringthatMongoDBrunsinatrustednetworkenvironmentinvolveslimitingthenetworkinterfacesonwhichMongoDBinstanceslistenforincomingconnections.AnyuntrustednetworkconnectionsshouldbedroppedbyMongoDB.
Rationale:
Thisconfigurationblocksconnectionsfromuntrustednetworks,leavingonlysystemsonauthorizedandtrustednetworksabletoattempttoconnecttotheMongoDB.Ifnotconfigured,thismayleadtounauthorizedconnectionsfromuntrustednetworkstoMongoDB.
Audit:
1. Verify that network exposure is limited, review the settings in the MongoDB configuration file:
cat /etc/mongod.conf |grep –A12 “net” | grep “bindIp"
2. Verify the relevant network settings on the Linux system itself:
iptables –L
Remediation:
ConfiguretheMongoDBconfigurationfiletolimititsexposuretoonlythenetworkinterfacesonwhichMongoDBinstancesshouldlistenforincomingconnections.
DefaultValue:
Notconfigured
![Page 22: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/22.jpg)
21|P a g e
References:
1. http://docs.mongodb.org/manual/tutorial/configure-linux-iptables-firewall/ 2. http://docs.mongodb.org/manual/tutorial/configure-windows-netsh-firewall/
CISControls:
9.1–LimitOpenPorts,Protocols,andServicesEnsurethatonlyports,protocols,andserviceswithvalidatedbusinessneedsarerunningoneachsystem.
![Page 23: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/23.jpg)
22|P a g e
3.3EnsurethatMongoDBisrunusinganon-privileged,dedicatedserviceaccount(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
TheMongoDBserviceshouldnotberunusingaprivilegedaccountsuchas'root'becausethisunnecessarilyexposestheoperatingsystemtohighrisk.
Rationale:
Usinganon-privileged,dedicatedserviceaccountrestrictsthedatabasefromaccessingthecriticalareasoftheoperatingsystemwhicharenotrequiredbytheMongoDB.Thiswillalsomitigatethepotentialforunauthorizedaccessviaacompromised,privilegedaccountontheoperatingsystem.
Audit:
Runthefollowingcommandtogetlistingofallmongoinstances,thePIDnumber,andthePIDowner.
ps -ef | grep -E "mongos|mongod"
Remediation:
1. Create a dedicated user for performing MongoDB database activity. 2. Set the Database data files, the keyfile, and the SSL private key files to only be readable
by the mongod/mongos user. 3. Set the log files to only be writable by the mongod/mongos user and readable only by
root.
DefaultValue:
Notconfigured
![Page 24: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/24.jpg)
23|P a g e
References:
1. http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/
CISControls:
5.1–MinimizeandSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.
![Page 25: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/25.jpg)
24|P a g e
3.4EnsurethateachroleforeachMongoDBdatabaseisneededandgrantsonlythenecessaryprivileges(Scored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
Reviewingallrolesperiodicallyandeliminatingunneededrolesaswellasunneededprivilegesfromnecessaryroleshelpsminimizetheprivilegesthateachuserhas.
Rationale:
Althoughrole-basedaccesscontrol(RBAC)hasmanyadvantagesforregulatingaccesstoresources,overtimesomerolesmaynolongerbeneeded,andsomerolesmaygrantprivilegesthatarenolongerneeded.
Audit:
Performthefollowingcommandtoviewallrolesonthedatabaseonwhichthecommandruns,includingbothbuilt-inanduser-definedroles,aswellastheprivilegesgrantedbyeachrole.Ensurethatonlynecessaryrolesarelistedandonlythenecessaryprivilegesarelistedforeachrole.
db.runCommand( { rolesInfo: 1, showPrivileges: true, showBuiltinRoles: true } )
Remediation:
Torevokespecifiedprivilegesfromtheuser-definedroleonthedatabasewherethecommandisrun.TherevokePrivilegesFromRolecommandhasthefollowingsyntax:
{ revokePrivilegesFromRole: "<role>", privileges: [ { resource: { <resource> }, actions: [ “<action>", ... ] }, ... ], }
![Page 26: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/26.jpg)
25|P a g e
References:
1. https://docs.mongodb.com/v3.2/reference/method/db.revokePrivilegesFromRole/ 2. https://docs.mongodb.com/v3.2/reference/command/revokePrivilegesFromRole/#dbcmd.r
evokePrivilegesFromRole
Notes:
YoumusthavethedropRoleactiononadatabasetodroparolefromthatdatabase.
CISControls:
14.4–ProtectInformationwithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
![Page 27: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/27.jpg)
26|P a g e
3.5ReviewUser-DefinedRoles(Scored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
Reviewingallrolesperiodicallyandremovingallusersfromthoseroleswhodonotneedtobelongtothemhelpsminimizetheprivilegesthateachuserhas.
Rationale:
Althoughrole-basedaccesscontrol(RBAC)hasmanyadvantagesforregulatingaccesstoresources,overtimesomeusersmaybeassignedtorolesthatarenolongernecessary,suchasauserchangingjobswithintheorganization.Userswhohaveexcessiveprivilegesposeunnecessaryrisktotheorganization.
Audit:
Checkeachroleforeachdatabaseusingoneofthefollowingcommands.
Tospecifyarolefromthecurrentdatabase,specifytherolebyitsname:
db.runCommand( { rolesInfo: "<rolename>" } )
Tospecifyarolefromanotherdatabase,specifytherolebyadocumentthatspecifiestheroleanddatabase:
db.runCommand( { rolesInfo: { role: "<rolename>", db: "<database>" } } )
Remediation:
Toremoveauserfromoneormorerolesonthecurrentdatabase,usethefollowingcommand:
use <dbName> db.revokeRolesFromUser( "<username>", [ <roles> ])
References:
1. https://docs.mongodb.com/manual/reference/method/db.revokeRolesFromUser/ 2. https://docs.mongodb.com/manual/reference/command/rolesInfo/ 3. https://docs.mongodb.com/manual/reference/privilege-actions/#authr.revokeRole
![Page 28: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/28.jpg)
27|P a g e
Notes:
Logged-inusermusthavetherevokeRoleactiononadatabasetorevokearoleonthatdatabase.Also,roleInfoworksforbothuser-definedrolesandbuilt-inroles.
CISControls:
16.1–PerformRegularAccountReviewsReviewallsystemaccountsanddisableanyaccountthatcannotbeassociatedwithabusinessprocessandowner.
![Page 29: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/29.jpg)
28|P a g e
3.6ReviewSuperuser/AdminRoles(Scored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
Rolesprovideseveraladvantagesthatmakeiteasiertomanageprivilegesinadatabasesystem.Securityadministratorscancontrolaccesstotheirdatabasesinawaythatmirrorsthestructureoftheirorganizations(theycancreaterolesinthedatabasethatmapdirectlytothejobfunctionsintheirorganizations).Theassignmentofprivilegesissimplified.Insteadofgrantingthesamesetofprivilegestoeachindividualuserinaparticularjobfunction,theadministratorcangrantthissetofprivilegestoarolerepresentingthatjobfunctionandthengrantthatroletoeachuserinthatjobfunction.
Rationale:
ReviewingtheSuperuser/Adminroleswithinadatabasehelpsminimizethepossibilityofprivilegedunwantedaccess.
Audit:
Superuserrolesprovidetheabilitytoassignanyuseranyprivilegeonanydatabase,whichmeansthatuserswithoneoftheserolescanassignthemselvesanyprivilegeonanydatabase:
db.runCommand( { rolesInfo: "dbOwner" } ) db.runCommand( { rolesInfo: "userAdmin" } ) db.runCommand( { rolesInfo: "userAdminAnyDatabase" } )
RootroleprovidesaccesstotheoperationsandalltheresourcesofthereadWriteAnyDatabase,dbAdminAnyDatabase,userAdminAnyDatabase,clusterAdminroles,restorecombined.
db.runCommand( { rolesInfo: "readWriteAnyDatabase" } ) db.runCommand( { rolesInfo: "dbAdminAnyDatabase" } ) db.runCommand( { rolesInfo: "userAdminAnyDatabase" } ) db.runCommand( { rolesInfo: "clusterAdmin" } )
ClusterAdministrationRolesareusedforadministeringthewholesystemratherthanjustasingledatabase.
db.runCommand( { rolesInfo: "hostManager" } )
![Page 30: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/30.jpg)
29|P a g e
Remediation:
Toremoveauserfromoneormorerolesonthecurrentdatabase.
use <dbName> db.revokeRolesFromUser( "<username>", [ <roles> ])
References:
1. https://docs.mongodb.com/v3.0/reference/built-in-roles/#built-in-roles 2. https://docs.mongodb.com/manual/reference/method/db.revokeRolesFromUser/
CISControls:
5.1–MinimizeandSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.
16.1–PerformRegularAccountReviewsReviewallsystemaccountsanddisableanyaccountthatcannotbeassociatedwithabusinessprocessandowner.
![Page 31: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/31.jpg)
30|P a g e
4DataEncryption
Thissectioncontainsrecommendationsforsecuringdataatrest(stored)anddatainmotion(transiting)forMongoDB.
4.1EnsureTLSorSSLprotectsallnetworkcommunications(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
UseTLSorSSLtoprotectallincomingandoutgoingconnections.ThisshouldincludeusingTLSorSSLtoencryptcommunicationbetweenmongodandmongoscomponentsofaMongoDBclientaswellasbetweenallapplicationsandMongoDB.
MostMongoDBdistributionsincludesupportforSSLorTLS.
Rationale:
ThispreventssniffingofcleartexttrafficbetweenMongoDBcomponentsorperformingaman-in-the-middleattackforMongoDB.
Audit:
ToverifythattheserverrequiresSSLorTLSuse(net.ssl.modevaluesettorequireSSL),runoneofthefollowingcommands:
cat /etc/mongos.conf | grep –A20 ‘net’ | grep –A10 ‘ssl’ | grep ‘mode’
Remediation:
ConfigureMongoDBserverstorequiretheuseofSSLorTLStoencryptallMongoDBnetworkcommunications.
ToimplementSSLorTLStoencryptallMongoDBnetworkcommunication,performthefollowingsteps:
![Page 32: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/32.jpg)
31|P a g e
Formongod(“PrimarydaemonprocessfortheMongoDBsystem”)
Intheconfigurationfile/etc/mongod.conf,setthePEMKeyFileoptiontothecertificatefile’spathandthenstartthecomponentwiththiscommand:
ssl: mode: requireSSL PEMKeyFile: /etc/ssl/mongodb.pem CAFile: /etc/ssl/ca.pem
Andrestartmonogdbinstancewithmongod --config /etc/mongod.conf
Or
mongod --sslMode requireSSL --sslPEMKeyFile /etc/ssl/mongodb.pem --sslCAFile /etc/ssl/ca.pem
DefaultValue:
Notconfigured
References:
1. http://docs.mongodb.org/manual/tutorial/configure-ssl/
Notes:
Value Description
disabled TheserverdoesnotuseTLS/SSL.
allowSSL ConnectionsbetweenserversdonotuseTLS/SSL.Forincomingconnections,theserveracceptsbothTLS/SSLandnon-TLS/non-SSL.
preferSSL ConnectionsbetweenserversuseTLS/SSL.Forincomingconnections,theserveracceptsbothTLS/SSLandnon-TLS/non-SSL.
requireSSL TheserverusesandacceptsonlyTLS/SSLencryptedconnections.
CISControls:
14.2–EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
![Page 33: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/33.jpg)
32|P a g e
4.2EnsureFederalInformationProcessingStandard(FIPS)isenabled(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
TheFederalInformationProcessingStandard(FIPS)isacomputersecuritystandardusedtocertifysoftwaremodulesandlibrariesthatencryptanddecryptdatasecurely.YoucanconfigureMongoDBtorunwithaFIPS140-2certifiedlibraryforOpenSSL.
Rationale:
FIPSisindustrystandardthatdictateshowdatashouldbeencryptedinrestandduringtransmission.
Audit:
ToverifythattheserverusesFIPSMode(net.ssl.FIPSModevaluesettotrue),runfollowingcommands:
mongos --config /etc/mongos.conf
net: ssl: FIPSMode: true
or
ToverifyFIPSmodeisrunning,checktheserverlogfileforamessagethatFIPSisactive:
FIPS 140-2 mode activated
![Page 34: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/34.jpg)
33|P a g e
Remediation:
ConfiguringFIPSmode,ensurethatyourcertificateisFIPScompliant.RunmongodormongosinstanceinFIPSmode.
Makechangestoconfigurationfile,toconfigureyourmongodormongosinstancetouseFIPSmode,shutdowntheinstanceandupdatetheconfigurationfilewiththefollowingsetting:
net: ssl: FIPSMode: true
Startmongodormongosinstancewithaconfigurationfile.
mongod --config /etc/mongod.conf
DefaultValue:
Notconfigured
References:
1. https://docs.mongodb.com/v3.2/tutorial/configure-fips/
CISControls:
14.2–EncryptAllSensitiveInformationOverLess-trustedNetworksAllcommunicationofsensitiveinformationoverless-trustednetworksshouldbeencrypted.Wheneverinformationflowsoveranetworkwithalowertrustlevel,theinformationshouldbeencrypted.
14.5–EncryptatRestSensitiveInformationSensitiveinformationstoredonsystemsshallbeencryptedatrestandrequireasecondaryauthenticationmechanism,notintegratedintotheoperatingsystem,inordertoaccesstheinformation.
![Page 35: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/35.jpg)
34|P a g e
5Auditing
ThissectioncontainsrecommendationsrelatedtoconfiguringauditlogginginMongoDB.
5.1Ensurethatsystemactivityisaudited(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
Trackaccessandchangestodatabaseconfigurationsanddata.MongoDBEnterpriseincludesasystemauditingfacilitythatcanrecordsystemevents(e.g.useroperations,connectionevents)onaMongoDBinstance.Theseauditrecordspermitforensicanalysisandallowadministratorstoverifypropercontrols.
Rationale:
Systemlevellogscanbehandywhiletroubleshootinganoperationalproblemorhandlingasecurityincident.
Audit:
ToverifythatsystemactivityisbeingauditedforMongoDB,runthefollowingcommandtoconfirmtheauditLog.destinationvalueissetcorrectly:
cat /etc/mongod.conf |grep –A4 "auditLog" | grep "destination"
Remediation:
SetthevalueofauditLog.destinationtotheappropriatevaluefromthefollowingoptions:
syslog
Toenableauditingandprintauditeventstosyslog
mongod --dbpath data/db --auditDestination syslog
console
Toenableauditingandprintauditeventstostandardoutput(i.e.,stdout)
mongod --dbpath data/db --auditDestination console
![Page 36: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/36.jpg)
35|P a g e
JsonFile
ToenableauditingandprintauditeventstoafileinJSONformat.PrintingauditeventstofileinJSONformatdegradesserverperformancemorethanprintingtoafileinBSONformat.
mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json
BsonFile
ToenableauditingandprintauditeventstoafileinBSONbinaryformat
mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson
DefaultValue:
Notconfigured
References:
1. http://docs.mongodb.org/manual/tutorial/configure-auditing/
CISControls:
6.2–EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
![Page 37: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/37.jpg)
36|P a g e
5.2Ensurethatauditfiltersareconfiguredproperly(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
MongoDBEnterprisesupportsauditingofvariousoperations.Whenenabled,theauditfacility,bydefault,recordsallauditableoperationsasdetailedinAuditEventActions,Details,andResults.Tospecifywhicheventstorecord,theauditfeatureincludesthe--auditFilteroption.ThischeckisonlyforEnterpriseeditions.
Rationale:
Alloperationscarriedoutonthedatabasearelogged.Thishelpsinbacktrackingandtracinganyincidentthatoccurs.
Audit:
ToverifythatauditfiltersareconfiguredonMongoDBaspertheorganization’srequirements,runthefollowingcommand:
cat /etc/mongod.conf |grep –A10 "auditLog" | grep "filter"
Remediation:
Settheauditfiltersbasedontheorganization’srequirements.
DefaultValue:
Notconfigured
References:
1. https://docs.mongodb.com/manual/reference/audit-message/ 2. https://docs.mongodb.com/manual/tutorial/configure-audit-filters/
![Page 38: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/38.jpg)
37|P a g e
CISControls:
6.2–EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
![Page 39: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/39.jpg)
38|P a g e
5.3Ensurethatloggingcapturesasmuchinformationaspossible(NotScored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
TheSystemLog.quietoptionstopsloggingofinformationsuchas:
• connection events • authentication events • replication sync activities • evidence of some potentially impactful commands being run (eg: drop, dropIndexes,
validate)
Thisinformationshouldbeloggedwheneverpossible.ThischeckisonlyforEnterpriseeditions.
Rationale:
TheuseofSystemLog.quietmakestroubleshootingproblemsandinvestigatingpossiblesecurityincidentsmuchmoredifficult.
Audit:
ToverifythattheSystemLog.quietoptionisdisabled(valueofFalse),runthefollowingcommand:
cat /etc/mongod.conf |grep "SystemLog.quiet"
Remediation:
SetSystemLog.quiettoFalseinthe/etc/mongod.conffiletodisableit.
References:
1. https://docs.mongodb.com/manual/reference/configuration-options/#systemLog.quiet
![Page 40: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/40.jpg)
39|P a g e
CISControls:
6.2–EnsureAuditLogSettingsSupportAppropriateLogEntryFormattingValidateauditlogsettingsforeachhardwaredeviceandthesoftwareinstalledonit,ensuringthatlogsincludeadate,timestamp,sourceaddresses,destinationaddresses,andvariousotherusefulelementsofeachpacketand/ortransaction.SystemsshouldrecordlogsinastandardizedformatsuchassyslogentriesorthoseoutlinedbytheCommonEventExpressioninitiative.Ifsystemscannotgeneratelogsinastandardizedformat,lognormalizationtoolscanbedeployedtoconvertlogsintosuchaformat.
![Page 41: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/41.jpg)
40|P a g e
5.4Ensurethatnewentriesareappendedtotheendofthelogfile(NotScored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
Bydefault,newlogentrieswilloverwriteoldentriesafterarestartofthemongodorMongolsservice.EnablingthesystemLog.logAppendsettingcausesnewentriestobeappendedtotheendofthelogfileratherthanoverwritingtheexistingcontentofthelogwhenthemongosormongodinstancerestarts.
Rationale:
Allowingoldentriestobeoverwrittenbynewentriesinsteadofappendingnewentriestotheendofthelogmaydestroyoldlogdatathatisneededforavarietyofpurposes.
Audit:
Toverifythatnewlogentrieswillbeappendedtotheendofthelogfileafterarestart(systemLog.logAppendvaluesettotrue),runthefollowingcommand:
cat /etc/mongod.conf |grep "systemLog.logAppend"
Remediation:
Set systemLog.logAppendtotrueinthe/etc/mongod.conffile.
References:
1. https://docs.mongodb.com/manual/reference/configuration-options/#systemLog.logAppend
CISControls:
6.3–EnsureAuditLoggingSystemsAreNotSubjecttoLoss(i.e.rotation/archive)Ensurethatallsystemsthatstorelogshaveadequatestoragespaceforthelogsgeneratedonaregularbasis,sothatlogfileswillnotfillupbetweenlogrotationintervals.Thelogsmustbearchivedanddigitallysignedonaperiodicbasis.
![Page 42: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/42.jpg)
41|P a g e
6OperatingSystemHardening
ThissectioncontainsrecommendationsrelatedtohardeningtheoperatingsystemrunningbelowMongoDB.
6.1MongodbDatabaseRunningwithLeastPrivileges(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
Thissettingensuresthatmonogdservicerunasleastprivilegeuser.
Rationale:
Anyonewhohasbeenavictimofviruses,worms,andothermalicioussoftware(malware)willappreciatethesecurityprincipleof“leastprivilege.”Ifallprocessesranwiththesmallestsetofprivilegesneededtoperformtheuser'stasks,itwouldbemoredifficultformaliciousandannoyingsoftwaretoinfectamachineandpropagatetoothermachines.
Audit:
ConnectMongoDBService
mongod --port 27017 --dbpath /data/db1
Itwillhighlightiftheserviceisrunningasrootprivilegeornot.
Remediation:
CreateauserwhichisonlyusedforrunningMongodbanddirectlyrelatedprocesses.Thisusermustnothaveadministrativerightstothesystem.
Stepstocreateuser
useradd -m -d /home/mongodb -s /bin/bash -g mongodb -u 1234 mongodb
Andthensetownershiptomongodbuseronly
sudo chown -R mongodb:mongodb /data/db
![Page 43: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/43.jpg)
42|P a g e
CISControls:
5.1–MinimizeandSparinglyUseAdministrativePrivilegesMinimizeadministrativeprivilegesandonlyuseadministrativeaccountswhentheyarerequired.Implementfocusedauditingontheuseofadministrativeprivilegedfunctionsandmonitorforanomalousbehavior.
![Page 44: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/44.jpg)
43|P a g e
6.2EnsurethatMongoDBusesanon-defaultport(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
ChangingtheportusedbyMongoDBmakesitharderforattackerstofindthedatabaseandtargetit.
Rationale:
Standardportsareusedinautomatedattacksandbyattackerstoverifywhichapplicationsarerunningonaserver.
Audit:
ToverifytheportnumberusedbyMongoDB,executethefollowingcommandandensurethattheportnumberisnot27017:
cat /etc/mongod.conf |grep “port”
Remediation:
ChangetheportforMongoDBservertoanumberotherthan27017.
Impact:
HackersfrequentlyscanIPaddressesforcommonlyusedports,soit'snotuncommontouseadifferentportto"flyundertheradar".Thisisjusttoavoiddetection,otherthanthatthereisnoaddedsafetybyusingadifferentport.
References:
1. https://docs.mongodb.com/manual/reference/default-mongodb-port/
CISControls:
9 – LimitationandControlofNetworkPorts,Protocols,andServices
![Page 45: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/45.jpg)
44|P a g e
6.3EnsurethatoperatingsystemresourcelimitsaresetforMongoDB(NotScored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
Operatingsystemsprovidewaystolimitandcontroltheusageofsystemresourcessuchasthreads,files,andnetworkconnectionsonaper-processandper-userbasis
Rationale:
Theseulimitspreventasingleuserfromconsumingtoomanysystemresources.
Audit:
ToverifytheresourcelimitssetforMongoDB,runthefollowingcommands.
ExtracttheprocessIDforMongoDB:
ps -ef|grep mongod
Viewthelimitsassociatedwiththatprocessnumber:
cat /proc/1322/limits
Remediation:
Everydeploymentmayhaveuniquerequirementsandsettings.RecommendedthresholdsandsettingsareparticularlyimportantforMongoDBdeployments:
• f (file size): unlimited • t (cpu time): unlimited • v (virtual memory): unlimited [1] • n (open files): 64000 • m (memory size): unlimited [1] [2] • u (processes/threads): 64000
Restartthemongodandmongosinstancesafterchangingtheulimitsettingstoensurethatthechangestakeeffect.
![Page 46: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/46.jpg)
45|P a g e
DefaultValue:
Notconfigured
References:
1. https://docs.mongodb.com/manual/reference/ulimit/#recommended-ulimit-settings
![Page 47: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/47.jpg)
46|P a g e
6.4Ensurethatserver-sidescriptingisdisabledifnotneeded(NotScored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
MongoDBsupportstheexecutionofJavaScriptcodeforcertainserver-sideoperations:mapReduce,group,and$where.Ifyoudonotusetheseoperations,server-sidescriptingshouldbedisabled.
Rationale:
Ifserver-sidescriptingisnotneededandisnotdisabled,thisintroducesunnecessaryriskthatanattackermaytakeadvantageofinsecurecoding.
Audit:
Ifserver-sidescriptingisnotrequired,verifythatitisdisabled(javascriptEnabledvalueoffalse)usingthefollowingcommand:
cat /etc/mongod.conf |grep –A10 "security" | grep "javascriptEnabled"
Remediation:
Ifserver-sidescriptingisnotrequired,disableitbyusingthe--noscriptingoptiononthecommandline.
DefaultValue:
Enabled
CISControls:
18.9–SanitizeDeployedSoftwareofDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.
![Page 48: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/48.jpg)
47|P a g e
6.5EnsureThe'test'databaseisnotinstalled(NotScored)
ProfileApplicability:
• Level2-MongoDBonLinux
Description:
ThedefaultMongoDBinstallationcomeswithanunuseddatabasecalled'test'.Itisrecommendedthatthetestdatabasebedropped.
Rationale:
Thetestdatabasecanbeaccessedbyallusersandcanbeusedtoconsumesystemresources.DroppingthetestdatabasewillreducetheattacksurfaceoftheMongoDBserver.
Audit:
Executethefollowingquerytodetermineifthetestdatabaseispresent:
show dbs
Remediation:
Executethefollowingcommandmongoshelltodropthetestdatabase:
use test
db.dropDatabase()
CISControls:
18.9–SanitizeDeployedSoftwareofDevelopmentArtifactsForin-housedevelopedapplications,ensurethatdevelopmentartifacts(sampledataandscripts;unusedlibraries,components,debugcode;ortools)arenotincludedinthedeployedsoftware,oraccessibleintheproductionenvironment.
![Page 49: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/49.jpg)
48|P a g e
7FilePermissions
Thissectionprovidesrecommendationsforsettingpermissionsforthekeyfileandthedatabasefile.
7.1Ensurethatkeyfilepermissionsaresetcorrectly(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
Thekeyfileisusedforauthenticationintheshardedcluster.Implementingproperfilepermissionsonthekeyfilewillpreventunauthorizedaccesstoit.
Rationale:
ProtectingthekeyfilestrengthensauthenticationintheshardedclusterandpreventsunauthorizedaccesstotheMongoDBdatabase.
Audit:
ToverifythepermissionsfortheMongoDBkeyfile,runthefollowingcommand:
cat /etc/mongod.conf | grep “keyFile=”
Remediation:
SetthekeyFileownershiptomongodbuserandremoveotherpermissionsbyexecutingthesecommands:
chmod 600 /keyfile sudo chown mongodb:mongodb /keyfile
![Page 50: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/50.jpg)
49|P a g e
DefaultValue:
Notconfigured
References:
1. https://docs.mongodb.com/v3.0/tutorial/enable-internal-authentication/
CISControls:
16.14–Encrypt/HashAllAuthenticationFilesandMonitorTheirAccessVerifythatallauthenticationfilesareencryptedorhashedandthatthesefilescannotbeaccessedwithoutrootoradministratorprivileges.Auditallaccesstopasswordfilesinthesystem.
![Page 51: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/51.jpg)
50|P a g e
7.2Ensurethatdatabasefilepermissionsaresetcorrectly(Scored)
ProfileApplicability:
• Level1-MongoDBonLinux
Description:
MongoDBdatabasefilesneedtobeprotectedusingfilepermissions.
Rationale:
Thiswillrestrictunauthorizedusersfromaccessingthedatabase.
Audit:
ToverifythatthepermissionsfortheMongoDBdatabasefileareconfiguredsecurely,runthefollowingcommands.
Findoutthedatabaselocationusingthefollowingcommand:
cat /etc/mongod.conf |grep "dbpath"
Usethedatabaselocationaspartofthefollowingcommandtoviewandverifythepermissionssetforthedatabasefile:
ls –l /var/lib/mongodb
Remediation:
Setownershipofthedatabasefiletomongodbuserandremoveotherpermissionsusingthefollowingcommands:
chmod 600 /var/lib/mongodb sudo chown mongodb:mongodb /var/lib/mongodb
DefaultValue:
Notconfigured
CISControls:
14.4–ProtectInformationwithAccessControlListsAllinformationstoredonsystemsshallbeprotectedwithfilesystem,networkshare,claims,application,ordatabasespecificaccesscontrollists.Thesecontrolswillenforcetheprinciplethatonlyauthorizedindividualsshouldhaveaccesstotheinformationbasedontheirneedtoaccesstheinformationasapartoftheirresponsibilities.
![Page 52: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/52.jpg)
51|P a g e
Appendix:SummaryTableControl Set
Correctly Yes No
1 Installation and Patching 1.1 Ensure the appropriate MongoDB software version/patches are
installed (Scored) o o
2 Authentication 2.1 Ensure that authentication is enabled for MongoDB databases
(Scored) o o
2.2 Ensure that MongoDB does not bypass authentication via the localhost exception (Scored) o o
2.3 Ensure authentication is enabled in the sharded cluster (Scored) o o 2.4 Ensure an industry standard authentication mechanism is used
(Scored) o o
3 Access Control 3.1 Ensure that role-based access control is enabled and configured
appropriately (Scored) o o
3.2 Ensure that MongoDB only listens for network connections on authorized interfaces (Scored) o o
3.3 Ensure that MongoDB is run using a non-privileged, dedicated service account (Scored) o o
3.4 Ensure that each role for each MongoDB database is needed and grants only the necessary privileges (Scored) o o
3.5 Review User-Defined Roles (Scored) o o 3.6 Review Superuser/Admin Roles (Scored) o o 4 Data Encryption 4.1 Ensure TLS or SSL protects all network communications
(Scored) o o
4.2 Ensure Federal Information Processing Standard (FIPS) is enabled (Scored) o o
5 Auditing 5.1 Ensure that system activity is audited (Scored) o o 5.2 Ensure that audit filters are configured properly (Scored) o o 5.3 Ensure that logging captures as much information as possible
(Not Scored) o o
5.4 Ensure that new entries are appended to the end of the log file (Not Scored) o o
6 Operating System Hardening 6.1 Mongodb Database Running with Least Privileges (Scored) o o 6.2 Ensure that MongoDB uses a non-default port (Scored) o o
![Page 53: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/53.jpg)
52|P a g e
6.3 Ensure that operating system resource limits are set for MongoDB (Not Scored) o o
6.4 Ensure that server-side scripting is disabled if not needed (Not Scored) o o
6.5 Ensure The 'test' database is not installed (Not Scored) o o 7 File Permissions 7.1 Ensure that key file permissions are set correctly (Scored) o o 7.2 Ensure that database file permissions are set correctly (Scored) o o
![Page 54: CIS MongoDB 3.2 Benchmark v1.0.0-CC - ITSecure · 2017-10-30 · This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture](https://reader033.fdocuments.net/reader033/viewer/2022061516/5ee1613fad6a402d666c4869/html5/thumbnails/54.jpg)
53|P a g e
Appendix:ChangeHistoryDate Version Changes for this version 06-06-2017 1.0.0 Initial Release