CIS MongoDB Benchmark
v1.0.0 - 12-30-2016

1 | Page
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License. The link to the license terms can be found at https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode

To further clarify the Creative Commons license related to CIS Benchmark content, you are authorized to copy and redistribute the content for use by you, within your organization and outside your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified materials if they are subject to the same license terms as the original Benchmark license and your derivative will no longer be a CIS Benchmark. Commercial use of CIS Benchmarks is subject to the prior approval of the Center for Internet Security.
Table of Contents

Overview ........ 4
Intended Audience ........ 4
Consensus Guidance ........ 4
Typographical Conventions ........ 5
Scoring Information ........ 5
Profile Definitions ........ 6
Acknowledgements ........ 7
Recommendations ........ 8
1 Installation and Patching ........ 8
1.1 Ensure the appropriate MongoDB software version/patches are installed (Scored) ........ 8
2 Authentication ........ 10
2.1 Ensure that authentication is enabled for MongoDB databases (Scored) ........ 10
2.2 Ensure that MongoDB does not bypass authentication via the localhost exception (Scored) ........ 12
2.3 Ensure authentication is enabled in the sharded cluster (Scored) ........ 13
2.4 Ensure an industry standard authentication mechanism is used (Scored) ........ 15
3 Access Control ........ 17
3.1 Ensure that role-based access control is enabled and configured appropriately (Scored) ........ 17
3.2 Ensure that MongoDB only listens for network connections on authorized interfaces (Scored) ........ 19
3.3 Ensure that MongoDB is run using a non-privileged, dedicated service account (Scored) ........ 20
3.4 Ensure that each role for each MongoDB database is needed and grants only the necessary privileges (Scored) ........ 21
3.5 Review User-Defined Roles (Scored) ........ 23
3.6 Review Superuser/Admin Roles (Scored) ........ 24
4 Data Encryption ........ 26
4.1 Ensure TLS or SSL protects all network communications (Scored) ........ 26
4.2 Ensure the database file and/or partition are encrypted (Scored)
4.3 Ensure Federal Information Processing Standard (FIPS) is enabled (Scored) ........ 28
5 Auditing ........ 30
5.1 Ensure that system activity is audited (Scored) ........ 30
5.2 Ensure that audit filters are configured properly (Scored) ........ 32
5.3 Ensure that logging captures as much information as possible (Not Scored) ........ 33
5.4 Ensure that new entries are appended to the end of the log file (Not Scored) ........ 34
6 Operating System Hardening ........ 35
6.1 Ensure that the HTTP status interface is disabled (Scored) ........ 35
6.2 Ensure that MongoDB uses a non-default port (Scored) ........ 36
6.3 Ensure that operating system resource limits are set for MongoDB (Not Scored) ........ 37
6.4 Ensure that server-side scripting is disabled if not needed (Not Scored) ........ 39
6.5 Ensure that the HTTP interface is disabled (Not Scored) ........ 40
6.6 Ensure that JSONP access via an HTTP interface is disabled (Not Scored) ........ 41
6.7 Ensure that the REST API is disabled (Not Scored) ........ 42
7 File Permissions ........ 43
7.1 Ensure that key file permissions are set correctly (Scored) ........ 43
7.2 Ensure that database file permissions are set correctly (Scored) ........ 44
Appendix: Summary Table ........ 45
Appendix: Change History ........ 47
Overview

This document, CIS MongoDB Benchmark, provides prescriptive guidance for establishing a secure configuration posture for MongoDB version 3.0 or 3.2. This guide was tested against MongoDB 3.2 running on Ubuntu Linux 14.04, but applies to other Linux distributions as well. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at [email protected].

Intended Audience

This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate MongoDB.

Consensus Guidance

This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.

Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://community.cisecurity.org.
Typographical Conventions

The following typographical conventions are used throughout this guide:

Convention: Meaning
Stylized Monospace font: Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font: Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets>: Italic texts set in angle brackets denote a variable requiring substitution for a real value.
Italic font: Used to denote the title of a book, article, or other publication.
Note: Additional information or caveats

Scoring Information

A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:

Scored

Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.

Not Scored

Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
Profile Definitions

The following configuration profiles are defined by this Benchmark:

• Level 1 - MongoDB on Linux

Items in this profile apply to MongoDB running on Linux and intend to:

o be practical and prudent;
o provide a clear security benefit; and
o not inhibit the utility of the technology beyond acceptable means.

• Level 2 - MongoDB on Linux

This profile extends the "Level 1 - MongoDB on Linux" profile. Items in this profile apply to MongoDB running on Linux and exhibit one or more of the following characteristics:

o are intended for environments or use cases where security is paramount
o act as a defense in depth measure
o may negatively inhibit the utility or performance of the technology.
Acknowledgements

This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:

Author
Vinesh Redkar, Security Consultant

Editor
Tim Harrison CISSP, ICP
Pralhad Chaskar
Karen Scarfone
Chris Bielinski
Recommendations

1 Installation and Patching

This section provides guidance on ensuring that the MongoDB software is up to date to eliminate easily avoidable vulnerabilities.

1.1 Ensure the appropriate MongoDB software version/patches are installed (Scored)

Profile Applicability:

• Level 1 - MongoDB on Linux

Description:

The MongoDB installation version, along with the patch level, should be the most recent that is compatible with the organization's operational needs.

Rationale:

Using the most recent MongoDB software version along with all applicable patches helps limit the possibilities for vulnerabilities in the software. The installation version and/or patches applied should be selected according to the needs of the organization. At minimum, the software version should be supported.

Note that as of October 2016, only MongoDB versions 3.0 and 3.2 are still supported.

Audit:

Run the following command from within the MongoDB shell to determine if the MongoDB software version complies with your organization's operational needs:

> db.version()
Remediation:

Upgrade to the latest version of the MongoDB software:

1. Back up the data set.
2. Download the binaries for the latest MongoDB revision from the MongoDB Download Page and store the binaries in a temporary location. The binaries download as compressed files that extract to the directory structure used by the MongoDB installation.
3. Shut down the MongoDB instance.
4. Replace the existing MongoDB binaries with the downloaded binaries.
5. Restart the MongoDB instance.

Default Value:

Patches are not installed by default.

References:

1. http://docs.mongodb.org/manual/tutorial/upgrade-revision/
2. https://docs.mongodb.com/manual/release-notes/
3. https://www.mongodb.com/download-center#community
4. https://www.mongodb.com/support-policy
2 Authentication

This section contains recommendations for requiring authentication before allowing access to the MongoDB database.

2.1 Ensure that authentication is enabled for MongoDB databases (Scored)

Profile Applicability:

• Level 1 - MongoDB on Linux

Description:

This setting ensures that all clients, users, and/or servers are required to authenticate prior to being granted access to the MongoDB database.

Rationale:

Failure to authenticate clients, users, and/or servers can enable unauthorized access to the MongoDB database and can prevent tracing actions back to their sources.

Audit:

Run the following command to verify whether authentication is enabled (Auth value set to True) on the MongoDB server.

cat /etc/mongod.conf | grep "Auth="
Remediation:

The authentication mechanism should be implemented before anyone accesses the MongoDB Server.

To enable the authentication mechanism:

• Start the MongoDB instance without authentication.

mongod --port 27017 --dbpath /data/db1

• Create the system user administrator, ensuring that its password meets organizationally-defined password complexity requirements.

use admin
db.createUser(
  {
    user: "siteUserAdmin",
    pwd: "password",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

• Restart the MongoDB instance with authentication enabled.

mongod --auth --config /etc/mongod.conf

Default Value:

Not configured

References:

1. https://www.mongodb.com/blog/post/improved-password-based-authentication-mongodb-30-scram-explained-part-1
2. https://www.owasp.org/index.php/Authentication_Cheat_Sheet
2.2 Ensure that MongoDB does not bypass authentication via the localhost exception (Scored)

Profile Applicability:

• Level 1 - MongoDB on Linux

Description:

MongoDB should not be set to bypass authentication via the localhost exception. The localhost exception allows you to enable authorization before creating the first user in the system.

Note: This recommendation only applies when there are no users created in the MongoDB instance.

Rationale:

Disabling this exception will prevent unauthorized local access to the MongoDB database. It will also ensure traceability of each database activity to a specific user.

Audit:

To verify the localhost exception is disabled, run the following command to ensure that enableLocalhostAuthBypass is set to 0 (false):

cat /etc/mongod.conf | grep "enableLocalhostAuthBypass"

Remediation:

Since enableLocalhostAuthBypass is not available using the setParameter database command, use the setParameter option in the configuration file to set it to false.

setParameter:
  enableLocalhostAuthBypass: false

Default Value:

Not configured

References:

1. http://docs.mongodb.org/manual/core/authentication/#localhost-exception
2.3 Ensure authentication is enabled in the sharded cluster (Scored)

Profile Applicability:

• Level 1 - MongoDB on Linux

Description:

Authentication is enabled in a sharded cluster when key files are created and configured for all components. This ensures that every client that accesses the cluster must provide credentials, to include MongoDB instances that access each other within the cluster.

Rationale:

Enforcing a key on a sharded cluster prevents unauthorized access to the MongoDB database and provides traceability of database activities to a specific user or component.

Audit:

Run the following command to verify that the key file parameter is configured:

cat /etc/mongod.conf | grep "keyFile="

Remediation:

To enable authentication in the sharded cluster, perform the following steps:

• Generate a key file.

http://docs.mongodb.org/v2.4/tutorial/generate-key-file/#generate-key-file

• On each component in the sharded cluster, enable authentication by doing one of the following:

o In the configuration file /etc/mongod.conf, set the keyFile option to the key file's path and then start the component with this setting:

keyFile = /srv/mongodb/keyfile

o When starting the component, set the --keyFile option, which is an option for both mongos instances and mongod instances. Set --keyFile to the key file's path.
Default Value:

Not configured

References:

1. http://docs.mongodb.org/v2.2/administration/sharded-clusters/
2.4 Ensure an industry standard authentication mechanism is used (Scored)

Profile Applicability:

• Level 2 - MongoDB on Linux

Description:

Using one or more industry standard authentication mechanisms helps organizations enforce their account and password policies for their MongoDB users.

Rationale:

Without an industry standard authentication mechanism in place, account and password management is more tedious, and authentication may not align with the organization's policies.

Audit:

To verify the authentication mechanism in use for MongoDB, run the following commands:

cat /etc/mongod.conf | grep "clusterAuthMode:"
cat /etc/mongod.conf | grep "mode:"
cat /etc/mongod.conf | grep "authorization:"
cat /etc/mongod.conf | grep "authenticationMechanisms:"

Remediation:

In order to implement an industry standard authentication mechanism, use the corresponding sample from the list below as a model for specifying the authentication mechanisms in the MongoDB configuration file.

x.509 Certificates for Client Authentication:

security:
  clusterAuthMode: x509
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: <path to TLS/SSL certificate and key PEM file>
    CAFile: <path to root CA PEM file>

See the reference section for a link to a detailed procedure for generating the PEMKeyFile and CAFile.

MongoDB with Kerberos Authentication on Linux:
security:
  authorization: enabled
setParameter:
  authenticationMechanisms: GSSAPI
storage:
  dbPath: /opt/mongodb/data

See the reference section for a link to a detailed procedure for establishing the Kerberos service principal and keytab file.

References:

1. https://docs.mongodb.com/v3.2/tutorial/configure-x509-client-authentication/
2. https://docs.mongodb.com/v3.2/tutorial/control-access-to-mongodb-with-kerberos-authentication/
3. https://docs.mongodb.com/v3.2/core/kerberos/#kerberos-service-principal
4. https://docs.mongodb.com/v3.2/core/kerberos/#keytab-files
3 Access Control

This section contains recommendations for restricting access to MongoDB systems.

3.1 Ensure that role-based access control is enabled and configured appropriately (Scored)

Profile Applicability:

• Level 1 - MongoDB on Linux

Description:

Role-based access control (RBAC) is a method of regulating access to resources based on the roles of individual users within an enterprise. A user is granted one or more roles that determine the user's access to database resources and operations. Outside of role assignments, the user has no access to the system. MongoDB can use RBAC to govern access to MongoDB systems. MongoDB does not enable authorization by default.

Rationale:

When properly implemented, RBAC enables users to carry out a wide range of authorized tasks by dynamically regulating their actions according to flexible functions. This allows an organization to control employees' access to all database tables through RBAC.

Audit:

Connect to MongoDB with the appropriate privileges and run the following command:

mongo --port 27017 -u <siteUserAdmin> -p <password> --authenticationDatabase <database name>

Identify users' roles and privileges (both shell methods require the name of the user or role as an argument):

> db.getUser("<username>")
> db.getRole("<rolename>", { showPrivileges: true })

Verify that the appropriate role or roles have been configured for each user.
Remediation:

1. Establish roles for MongoDB.
2. Assign the appropriate privileges to each role.
3. Assign the appropriate users to each role.
4. Remove any individual privileges assigned to users that are now addressed by the roles.
5. See the reference below for more information.

References:

1. http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/
3.2 Ensure that MongoDB only listens for network connections on authorized interfaces (Scored)

Profile Applicability:

• Level 1 - MongoDB on Linux

Description:

Ensuring that MongoDB runs in a trusted network environment involves limiting the network interfaces on which MongoDB instances listen for incoming connections. Any untrusted network connections should be dropped by MongoDB.

Rationale:

This configuration blocks connections from untrusted networks, leaving only systems on authorized and trusted networks able to attempt to connect to the MongoDB. If not configured, this may lead to unauthorized connections from untrusted networks to MongoDB.

Audit:

1. Verify that network exposure is limited; review the settings in the MongoDB configuration file:

cat /etc/mongod.conf | grep -A12 "net" | grep "bindIp"

2. Verify the relevant network settings on the Linux system itself:

iptables -L

Remediation:

Configure the MongoDB configuration file to limit its exposure to only the network interfaces on which MongoDB instances should listen for incoming connections.

Default Value:

Not configured

References:

1. http://docs.mongodb.org/manual/tutorial/configure-linux-iptables-firewall/
2. http://docs.mongodb.org/manual/tutorial/configure-windows-netsh-firewall/
3.3 Ensure that MongoDB is run using a non-privileged, dedicated service account (Scored)

Profile Applicability:

• Level 1 - MongoDB on Linux

Description:

The MongoDB service should not be run using a privileged account such as 'root' because this unnecessarily exposes the operating system to high risk.

Rationale:

Using a non-privileged, dedicated service account restricts the database from accessing the critical areas of the operating system which are not required by the MongoDB. This will also mitigate the potential for unauthorized access via a compromised, privileged account on the operating system.

Audit:

Run the following command to get a listing of all mongo instances, the PID number, and the PID owner.

ps -ef | grep -E "mongos|mongod"

Remediation:

1. Create a dedicated user for performing MongoDB database activity.
2. Set the database data files, the key file, and the SSL private key files to only be readable by the mongod/mongos user.
3. Set the log files to only be writable by the mongod/mongos user and readable only by root.

Default Value:

Not configured

References:

1. http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/
3.4 Ensure that each role for each MongoDB database is needed and grants only the necessary privileges (Scored)

Profile Applicability:

• Level 2 - MongoDB on Linux

Description:

Reviewing all roles periodically and eliminating unneeded roles as well as unneeded privileges from necessary roles helps minimize the privileges that each user has.

Rationale:

Although role-based access control (RBAC) has many advantages for regulating access to resources, over time some roles may no longer be needed, and some roles may grant privileges that are no longer needed.

Audit:

Perform the following command to view all roles on the database on which the command runs, including both built-in and user-defined roles, as well as the privileges granted by each role. Ensure that only necessary roles are listed and only the necessary privileges are listed for each role.

db.runCommand( { rolesInfo: 1, showPrivileges: true, showBuiltinRoles: true } )

Remediation:

To revoke specified privileges from a user-defined role on the database where the command is run, use the revokePrivilegesFromRole command, which has the following syntax:

{
  revokePrivilegesFromRole: "<role>",
  privileges: [
    { resource: { <resource> }, actions: [ "<action>", ... ] },
    ...
  ]
}
References:

1. https://docs.mongodb.com/v3.2/reference/method/db.revokePrivilegesFromRole/
2. https://docs.mongodb.com/v3.2/reference/command/revokePrivilegesFromRole/#dbcmd.revokePrivilegesFromRole
3.5 Review User-Defined Roles (Scored)

Profile Applicability:

• Level 2 - MongoDB on Linux

Description:

Reviewing all roles periodically and removing all users from those roles who do not need to belong to them helps minimize the privileges that each user has.

Rationale:

Although role-based access control (RBAC) has many advantages for regulating access to resources, over time some users may be assigned to roles that are no longer necessary, such as a user changing jobs within the organization. Users who have excessive privileges pose unnecessary risk to the organization.

Audit:

Check each role for each database using one of the following commands.

To specify a role from the current database, specify the role by its name:

db.runCommand( { rolesInfo: "<rolename>" } )

To specify a role from another database, specify the role by a document that specifies the role and database:

db.runCommand( { rolesInfo: { role: "<rolename>", db: "<database>" } } )

Remediation:

To remove a user from one or more roles on the current database, use the following command:

use <dbName>
db.revokeRolesFromUser( "<username>", [ <roles> ] )

References:

1. https://docs.mongodb.com/manual/reference/method/db.revokeRolesFromUser/
2. https://docs.mongodb.com/manual/reference/command/rolesInfo/
3. https://docs.mongodb.com/manual/reference/privilege-actions/#authr.revokeRole
3.6 Review Superuser/Admin Roles (Scored)

Profile Applicability:

• Level 2 - MongoDB on Linux

Description:

Roles provide several advantages that make it easier to manage privileges in a database system. Security administrators can control access to their databases in a way that mirrors the structure of their organizations (they can create roles in the database that map directly to the job functions in their organizations). The assignment of privileges is simplified. Instead of granting the same set of privileges to each individual user in a particular job function, the administrator can grant this set of privileges to a role representing that job function and then grant that role to each user in that job function.

Rationale:

Reviewing the Superuser/Admin roles within a database helps minimize the possibility of privileged unwanted access.

Audit:

Superuser roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:

db.runCommand( { rolesInfo: "dbOwner" } )
db.runCommand( { rolesInfo: "userAdmin" } )
db.runCommand( { rolesInfo: "userAdminAnyDatabase" } )

The root role provides access to the operations and all the resources of the readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, clusterAdmin, and restore roles combined.

db.runCommand( { rolesInfo: "readWriteAnyDatabase" } )
db.runCommand( { rolesInfo: "dbAdminAnyDatabase" } )
db.runCommand( { rolesInfo: "userAdminAnyDatabase" } )
db.runCommand( { rolesInfo: "clusterAdmin" } )

Cluster administration roles are used for administering the whole system rather than just a single database.

db.runCommand( { rolesInfo: "hostManager" } )
Remediation:

To remove a user from one or more roles on the current database, use the following command:

use <dbName>
db.revokeRolesFromUser( "<username>", [ <roles> ] )

References:

1. https://docs.mongodb.com/v3.0/reference/built-in-roles/#built-in-roles
2. https://docs.mongodb.com/manual/reference/method/db.revokeRolesFromUser/
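The following helper, added here as an example and not taken from the benchmark or from MongoDB, automates the review that sections 3.4 to 3.6 describe: it takes the user documents that db.getUsers() (the usersInfo command) returns, flags grants of the superuser, cluster-administration and any-database roles listed above, and renders the db.revokeRolesFromUser remediation from section 3.6. The user list is a constructed sample.

```python
"""Flag MongoDB users holding superuser or cluster-wide roles (sections 3.4 to 3.6).

Added example, not part of the CIS benchmark.  Input is the list of user
documents that db.getUsers() returns, so it runs offline on a constructed sample.
"""

# Roles that section 3.6 lists as superuser: a holder can grant any user any
# privilege on any database when the role is scoped to the admin database.
SUPERUSER_ROLES = {"root", "userAdminAnyDatabase", "userAdmin", "dbOwner"}
# Roles that administer the whole deployment rather than one database.
CLUSTER_ROLES = {"clusterAdmin", "clusterManager", "clusterMonitor", "hostManager"}
# Roles that reach every database's data or schema.
ANY_DATABASE_ROLES = {"readWriteAnyDatabase", "dbAdminAnyDatabase"}


def classify_role(grant):
    """Return a finding label for one {role, db} grant, or None if it is routine."""
    name, db = grant["role"], grant["db"]
    if name in SUPERUSER_ROLES:
        # userAdmin and dbOwner only escalate inside their own database unless
        # that database is admin, where they are as powerful as root.
        if name in ("userAdmin", "dbOwner") and db != "admin":
            return "db-level admin"
        return "superuser"
    if name in CLUSTER_ROLES:
        return "cluster admin"
    if name in ANY_DATABASE_ROLES:
        return "any-database"
    return None


def review_users(users):
    """Map "user@db" to the list of (role, db, label) grants that need review."""
    findings = {}
    for user in users:
        hits = []
        for grant in user.get("roles", []):
            label = classify_role(grant)
            if label is not None:
                hits.append((grant["role"], grant["db"], label))
        if hits:
            findings["%s@%s" % (user["user"], user["db"])] = hits
    return findings


def revoke_command(user, user_db, hits):
    """Render the section 3.6 remediation (run against the user's own database)."""
    roles = ", ".join('{ role: "%s", db: "%s" }' % (r, d) for r, d, _ in hits)
    return 'use %s\ndb.revokeRolesFromUser("%s", [ %s ])' % (user_db, user, roles)


# Constructed sample in the shape of db.getUsers() output (not real accounts).
SAMPLE_USERS = [
    {"user": "siteUserAdmin", "db": "admin",
     "roles": [{"role": "userAdminAnyDatabase", "db": "admin"}]},
    {"user": "appuser", "db": "orders",
     "roles": [{"role": "readWrite", "db": "orders"}]},
    {"user": "ops", "db": "admin",
     "roles": [{"role": "root", "db": "admin"},
               {"role": "read", "db": "reporting"}]},
    {"user": "reportowner", "db": "reporting",
     "roles": [{"role": "dbOwner", "db": "reporting"}]},
]

if __name__ == "__main__":
    for key, hits in sorted(review_users(SAMPLE_USERS).items()):
        user, _, user_db = key.partition("@")
        for role, db, label in hits:
            print("%-22s %-22s on %-10s %s" % (key, role, db, label))
        print(revoke_command(user, user_db, hits))
```

Whether a flagged grant is actually unneeded is still a judgement call for the reviewer; the script only narrows the list to the roles the benchmark says to look at.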
4 Data Encryption

This section contains recommendations for securing data at rest (stored) and data in motion (transiting) for MongoDB.

4.1 Ensure TLS or SSL protects all network communications (Scored)

Profile Applicability:

• Level 1 - MongoDB on Linux

Description:

Use TLS or SSL to protect all incoming and outgoing connections. This should include using TLS or SSL to encrypt communication between mongod and mongos components of a MongoDB cluster as well as between all applications and MongoDB.

Most MongoDB distributions include support for SSL or TLS.

Rationale:

This prevents sniffing of cleartext traffic between MongoDB components or a man-in-the-middle attack against MongoDB.

Audit:

To verify that the server requires SSL or TLS use (net.ssl.mode value set to requireSSL), run one of the following commands:

mongos --config /etc/mongos.conf

or

cat /etc/mongos.conf | grep -A20 'net' | grep -A10 'ssl' | grep 'mode'

Remediation:

Configure MongoDB servers to require the use of SSL or TLS to encrypt all MongoDB network communications.
Default Value:

Not configured

References:

1. http://docs.mongodb.org/manual/tutorial/configure-ssl/
4.2 Ensure Federal Information Processing Standard (FIPS) is enabled (Scored)

Profile Applicability:

• Level 1 - MongoDB on Linux

Description:

The Federal Information Processing Standard (FIPS) is a computer security standard used to certify software modules and libraries that encrypt and decrypt data securely. You can configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL.

Rationale:

FIPS is an industry standard that dictates how data should be encrypted at rest and during transmission.

Audit:

To verify that the server uses FIPS mode (net.ssl.FIPSMode value set to true), run the following commands:

mongos --config /etc/mongos.conf

net:
  ssl:
    FIPSMode: true

or

To verify FIPS mode is running, check the server log file for a message that FIPS is active:

FIPS 140-2 mode activated
Remediation:

Before configuring FIPS mode, ensure that your certificate is FIPS compliant. Then run the mongod or mongos instance in FIPS mode.

To configure your mongod or mongos instance to use FIPS mode, shut down the instance and update the configuration file with the following setting:

net:
  ssl:
    FIPSMode: true

Start the mongod or mongos instance with the configuration file.

mongod --config /etc/mongod.conf

Default Value:

Not configured

References:

1. https://docs.mongodb.com/v3.2/tutorial/configure-fips/
5 Auditing

This section contains recommendations related to configuring audit logging in MongoDB.

5.1 Ensure that system activity is audited (Scored)

Profile Applicability:

• Level 1 - MongoDB on Linux

Description:

Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (e.g. user operations, connection events) on a MongoDB instance. These audit records permit forensic analysis and allow administrators to verify proper controls.

Rationale:

System level logs can be handy while troubleshooting an operational problem or handling a security incident.

Audit:

To verify that system activity is being audited for MongoDB, run the following command to confirm the auditLog.destination value is set correctly:

cat /etc/mongod.conf | grep -A4 "auditLog" | grep "destination"
Remediation:

Set the value of auditLog.destination to the appropriate value from the following options:

syslog: To enable auditing and print audit events to syslog

mongod --dbpath data/db --auditDestination syslog

console: To enable auditing and print audit events to standard output (i.e., stdout)

mongod --dbpath data/db --auditDestination console

JSON file: To enable auditing and print audit events to a file in JSON format. Printing audit events to a file in JSON format degrades server performance more than printing to a file in BSON format.

mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json

BSON file: To enable auditing and print audit events to a file in BSON binary format

mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson

Default Value:

Not configured

References:

1. http://docs.mongodb.org/manual/tutorial/configure-auditing/
5.2 Ensure that audit filters are configured properly (Scored)

Profile Applicability:

• Level 1 - MongoDB on Linux

Description:

MongoDB Enterprise supports auditing of various operations. When enabled, the audit facility, by default, records all auditable operations as detailed in Audit Event Actions, Details, and Results. To specify which events to record, the audit feature includes the --auditFilter option. This check is only for Enterprise editions.

Rationale:

All operations carried out on the database are logged. This helps in backtracking and tracing any incident that occurs.

Audit:

To verify that audit filters are configured on MongoDB as per the organization's requirements, run the following command:

cat /etc/mongod.conf | grep -A10 "auditLog" | grep "filter"

Remediation:

Set the audit filters based on the organization's requirements.

Default Value:

Not configured

References:

1. https://docs.mongodb.com/manual/reference/audit-message/
2. https://docs.mongodb.com/manual/tutorial/configure-audit-filters/
5.3 Ensure that logging captures as much information as possible (Not Scored)

Profile Applicability:

• Level 2 - MongoDB on Linux

Description:

The systemLog.quiet option stops logging of information such as:

• connection events
• authentication events
• replication sync activities
• evidence of some potentially impactful commands being run (e.g. drop, dropIndexes, validate)

This information should be logged whenever possible. This check is only for Enterprise editions.

Rationale:

The use of systemLog.quiet makes troubleshooting problems and investigating possible security incidents much more difficult.

Audit:

To verify that the systemLog.quiet option is disabled (value of false), run the following command:

cat /etc/mongod.conf | grep "systemLog.quiet"

Remediation:

Set systemLog.quiet to false in the /etc/mongod.conf file to disable it.

References:

1. https://docs.mongodb.com/manual/reference/configuration-options/#systemLog.quiet
5.4 Ensure that new entries are appended to the end of the log file (Not Scored)

Profile Applicability:

• Level 2 - MongoDB on Linux

Description:

By default, new log entries will overwrite old entries after a restart of the mongod or mongos service. Enabling the systemLog.logAppend setting causes new entries to be appended to the end of the log file rather than overwriting the existing content of the log when the mongos or mongod instance restarts.

Rationale:

Allowing old entries to be overwritten by new entries instead of appending new entries to the end of the log may destroy old log data that is needed for a variety of purposes.

Audit:

To verify that new log entries will be appended to the end of the log file after a restart (systemLog.logAppend value set to true), run the following command:

cat /etc/mongod.conf | grep "systemLog.logAppend"

Remediation:

Set systemLog.logAppend to true in the /etc/mongod.conf file.

References:

1. https://docs.mongodb.com/manual/reference/configuration-options/#systemLog.logAppend
6 Operating System Hardening
This section contains recommendations related to hardening the operating system running below MongoDB.
6.1 Ensure that the HTTP status interface is disabled (Scored)
Profile Applicability:
• Level 1 - MongoDB on Linux
Description:
MongoDB can expose an HTTP interface on port 28017 (the service port plus 1000) that serves a "home" status page. This page reveals information about the database's statistics and connected clients.
Please note that this function has been deprecated since version 3.2 and was removed in version 3.6.
Rationale:
An attacker could access the status page to learn more about the MongoDB server (version, host names, connected clients, command counters) and use that to determine how to compromise it.
Audit:
To verify that the HTTP status interface is disabled, check that nohttpinterface is set to true in an ini-style configuration file, or that net.http.enabled is false or absent in a YAML one:
grep -i "nohttpinterface" /etc/mongod.conf
nohttpinterface = true
grep -A10 "^net" /etc/mongod.conf | grep -A5 "http" | grep "enabled"
Then confirm at runtime that nothing listens on the status port:
ss -ltn | grep ":28017"
Remediation:
Disable the HTTP status interface by setting nohttpinterface = true (ini format) or net.http.enabled: false (YAML format) in the /etc/mongod.conf file and restarting the service.
Default Value:
Disabled since MongoDB 2.6 (the interface was enabled by default in earlier releases)
References:
1. https://docs.mongodb.com/ecosystem/tools/http-interfaces/#http-status-interface
6.2 Ensure that MongoDB uses a non-default port (Scored)
Profile Applicability:
• Level 1 - MongoDB on Linux
Description:
Changing the port used by MongoDB makes it harder for attackers to find the database and target it.
Rationale:
Standard ports are used in automated attacks and by attackers to verify which applications are running on a server.
Audit:
To verify the port number used by MongoDB, execute the following command and ensure that the port number is not 27017 (if no port is configured, mongod listens on 27017):
grep -A10 "^net" /etc/mongod.conf | grep "port"
Confirm the port actually in use, including any --port passed on the command line:
ss -ltnp | grep mongod
Remediation:
Change the port for the MongoDB server (net.port in /etc/mongod.conf) to a number other than 27017, restart the service, and update the connection strings of clients and of the other replica set or shard members.
Impact:
Attackers frequently scan IP addresses for commonly used ports, so a non-default port reduces exposure to opportunistic scanning. This is obscurity only: a full port scan still finds the service, so beyond avoiding casual detection there is no added safety, and it does not replace authentication, binding to authorized interfaces (3.2), and host firewall rules.
References:
1. https://docs.mongodb.com/manual/reference/default-mongodb-port/
6.3 Ensure that operating system resource limits are set for MongoDB (Not Scored)
Profile Applicability:
• Level 2 - MongoDB on Linux
Description:
Operating systems provide ways to limit and control the usage of system resources such as threads, files, and network connections on a per-process and per-user basis.
Rationale:
These ulimits prevent a single user from consuming too many system resources. For mongod the danger runs the other way as well: a limit that is too low (the common 1024 open-file default, for example) makes the server fail under load, because every client connection and every data file holds a descriptor.
Audit:
To verify the resource limits set for MongoDB, run the following commands.
Find the process ID of mongod:
pgrep -x mongod
View the limits associated with that process (the Soft Limit column is the effective one):
cat /proc/$(pgrep -x mongod)/limits
Remediation:
Every deployment may have unique requirements and settings. Recommended thresholds and settings are particularly important for MongoDB deployments:
• -f (file size): unlimited
• -t (cpu time): unlimited
• -v (virtual memory): unlimited [1]
• -n (open files): 64000
• -m (memory size): unlimited [1] [2]
• -u (processes/threads): 64000
On hosts that start mongod through systemd, values in /etc/security/limits.conf do not apply to the service; set LimitNOFILE=64000 and LimitNPROC=64000 in the mongod unit instead (for example with systemctl edit mongod).
Restart the mongod and mongos instances after changing the ulimit settings to ensure that the changes take effect.
Default Value:
Not configured
References:
1. https://docs.mongodb.com/manual/reference/ulimit/#recommended-ulimit-settings
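Reading /proc/<pid>/limits by eye is error-prone (two columns, mixed units, and "unlimited" as a value), so the following shell script is an added example of turning the thresholds above into a check. It is not part of the CIS benchmark or of MongoDB's own tooling. The two limits files it reads are constructed samples in the format of /proc/<pid>/limits; on a live host call check_mongod_limits with the real path, as shown in the comment. The mapping from ulimit flags to /proc rows (file size, cpu time, address space, open files, resident set, processes) is the standard Linux one.

```sh
#!/bin/sh
# Added example (not from the CIS benchmark): compare a mongod process's soft
# limits, as listed in /proc/<pid>/limits, with the recommended thresholds.
# On a live host: check_mongod_limits "/proc/$(pgrep -x mongod)/limits"
# The two limits files created below are constructed samples.

# Print the soft limit of one row, e.g. soft_limit FILE "Max open files".
soft_limit() {
  awk -v name="$2" 'index($0, name) == 1 {
      split(substr($0, length(name) + 1), f, " ")   # f[1]=soft f[2]=hard f[3]=units
      print f[1]; exit }' "$1"
}

# Return 0 when ACTUAL satisfies WANTED (a minimum, or the word "unlimited").
meets() {              # meets ACTUAL WANTED
  [ "$1" = unlimited ] && return 0
  [ "$2" = unlimited ] && return 1
  [ "$1" -ge "$2" ]
}

# Print one verdict per recommended limit; return 1 if any is missing or too low.
# ulimit flag -> /proc row: -f file size, -t cpu time, -v address space,
# -n open files, -m resident set, -u processes.
check_mongod_limits() {   # check_mongod_limits LIMITS_FILE
  fails=0
  for spec in "Max file size:unlimited" "Max cpu time:unlimited" \
              "Max address space:unlimited" "Max open files:64000" \
              "Max resident set:unlimited" "Max processes:64000"; do
    name=${spec%:*}; want=${spec#*:}
    actual=$(soft_limit "$1" "$name")
    if [ -z "$actual" ]; then
      printf 'WARN %-18s not present\n' "$name"; fails=$((fails+1))
    elif meets "$actual" "$want"; then
      printf 'PASS %-18s soft=%s\n' "$name" "$actual"
    else
      printf 'FAIL %-18s soft=%s (want %s)\n' "$name" "$actual" "$want"; fails=$((fails+1))
    fi
  done
  [ "$fails" -eq 0 ]
}

DEFAULT_LIMITS=$(mktemp) TUNED_LIMITS=$(mktemp)
trap 'rm -f "$DEFAULT_LIMITS" "$TUNED_LIMITS"' EXIT
# Constructed: the limits a stock Linux login shell typically hands a manually started mongod.
cat >"$DEFAULT_LIMITS" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        0                    unlimited            bytes
Max resident set          unlimited            unlimited            bytes
Max processes             4096                 4096                 processes
Max open files            1024                 4096                 files
Max locked memory         65536                65536                bytes
Max address space         unlimited            unlimited            bytes
EOF
# Constructed: the same process after LimitNOFILE=64000 / LimitNPROC=64000 in its systemd unit.
sed -e 's/^Max processes .*/Max processes             64000                64000                processes/' \
    -e 's/^Max open files .*/Max open files            64000                64000                files/' \
    "$DEFAULT_LIMITS" >"$TUNED_LIMITS"

echo "== default limits =="; check_mongod_limits "$DEFAULT_LIMITS" || echo "raise the FAIL limits above"
echo "== tuned limits ==";   check_mongod_limits "$TUNED_LIMITS"
```

The check reads the soft limit on purpose: that is the value the process is actually bound by, and a generous hard limit with a low soft limit (the 1024/4096 pair in the sample) is the usual way a correctly edited limits.conf still fails to protect a service started by an init system.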
6.4 Ensure that server-side scripting is disabled if not needed (Not Scored)
Profile Applicability:
• Level 2 - MongoDB on Linux
Description:
MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, group, and $where. If you do not use these operations, server-side scripting should be disabled.
Rationale:
If server-side scripting is not needed but left enabled, it introduces unnecessary risk: an application that builds a $where clause or a mapReduce function from user-supplied strings hands an attacker JavaScript execution in the server's embedded interpreter. Disabling scripting removes that surface, and an application that still depends on it fails visibly rather than silently.
Audit:
If server-side scripting is not required, verify that it is disabled (security.javascriptEnabled value of false, or --noscripting in the startup arguments) using the following commands:
grep -A10 "^security" /etc/mongod.conf | grep "javascriptEnabled"
ps -o args= -C mongod | grep -- "--noscripting"
Remediation:
If server-side scripting is not required, disable it by setting security.javascriptEnabled: false in /etc/mongod.conf or by using the --noscripting option on the command line, then restart the service.
Default Value:
Enabled
6.5 Ensure that the HTTP interface is disabled (Not Scored)
Profile Applicability:
• Level 2 - MongoDB on Linux
Description:
The net.http.enabled parameter is used to enable or disable the HTTP interface (it is the YAML counterpart of the nohttpinterface setting in 6.1).
Please note that this function has been deprecated since version 3.2 and was removed in version 3.6.
Rationale:
Additional network interfaces expose the system to a greater extent. Running unnecessary services may allow an attacker to penetrate the system via an unknown vulnerability.
Audit:
Verify the HTTP interface is disabled (parameter value set to false, or absent) by running the following command:
grep -A12 "^net" /etc/mongod.conf | grep -A10 "http" | grep "enabled"
Note that grep -A reads a fixed window of lines: a large net block can push the http sub-block out of range, and a key of the same name from a neighbouring block can fall inside the window, so read the surrounding lines if the output is ambiguous.
Remediation:
Set the parameter value to false to disable the HTTP interface and restart the service.
Default Value:
false
References:
1. https://docs.mongodb.com/manual/core/security-mongodb-configuration/#http-status-interface
6.6 Ensure that JSONP access via an HTTP interface is disabled (Not Scored)
Profile Applicability:
• Level 2 - MongoDB on Linux
Description:
The net.http.JSONPEnabled parameter is used to enable or disable JSONP access via an HTTP interface. Enabling this parameter also enables the HTTP interface, even if net.http.enabled is set to false.
Please note that this function has been deprecated since version 3.2 and was removed in version 3.6.
Rationale:
Additional network interfaces expose the system to a greater extent. Running unnecessary services may allow an attacker to penetrate the system via an unknown vulnerability. JSONP in particular lets a script on any web page a user visits read the responses, so it turns the interface into a cross-origin data leak.
Audit:
Verify that JSONP access is disabled (parameter value set to false, or absent) by running the following command:
grep -A12 "^net" /etc/mongod.conf | grep -A10 "http" | grep "JSONPEnabled"
Remediation:
Set the parameter value to false to disable JSONP access and restart the service.
Default Value:
false
References:
1. https://docs.mongodb.com/manual/reference/configuration-options/#net.http.JSONPEnabled
6.7 Ensure that the REST API is disabled (Not Scored)
Profile Applicability:
• Level 2 - MongoDB on Linux
Description:
The net.http.RESTInterfaceEnabled parameter is used to enable or disable the REST API. Enabling this parameter also enables the HTTP interface, even if net.http.enabled is set to false.
Please note that this function has been deprecated since version 3.2 and was removed in version 3.6.
Rationale:
Additional interfaces expose the system to a greater extent. Running unnecessary services may allow an attacker to penetrate the system via an unknown vulnerability. The REST API exposes collection contents over plain HTTP, so leaving it on extends the database's attack surface from the driver protocol to any HTTP client.
Audit:
Verify the REST API is disabled (parameter value set to false, or absent) by running the following command:
grep -A12 "^net" /etc/mongod.conf | grep -A10 "http" | grep "RESTInterfaceEnabled"
Remediation:
Set the parameter value to false to disable the REST API and restart the service.
Default Value:
false
References:
1. https://docs.mongodb.com/manual/reference/configuration-options/#net.http.RESTInterfaceEnabled
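The audit commands in 5.2 to 5.4, 6.1, 6.2 and 6.4 to 6.7 all pipe mongod.conf through grep, which only works when the dotted option names appear literally in the file. A YAML-format configuration nests them (net: / http: / enabled:), and a grep -A window can pick up a key from a neighbouring block or miss one that sits further down. The following shell script is an added example, not part of the CIS benchmark or of MongoDB's tooling: it resolves dotted keys by indentation and evaluates those configuration checks in one pass over the file. The two sample configurations are constructed. The parser assumes the YAML layout mongod 2.6 and later uses (one key per line, nesting by indentation) and does not handle YAML lists or multi-line values; command-line overrides such as --port or --noscripting are not seen by it and must still be checked in the process arguments.

```sh
#!/bin/sh
# Added example (not from the CIS benchmark): evaluate the mongod.conf checks of
# sections 5 and 6 by resolving dotted keys in a YAML-format configuration file.

# Print the value of a dotted key such as net.http.enabled; print nothing if absent.
# Nesting is tracked by indentation; lists and multi-line values are not supported.
mongo_conf_get() {   # mongo_conf_get CONF_FILE DOTTED_KEY
  awk -v key="$2" -v sq="'" -v dq='"' '
    BEGIN { n = split(key, want, ".") }
    /^[ \t]*(#|$)/ { next }                              # skip comments and blank lines
    {
      match($0, /^[ \t]*/); ind = RLENGTH                # indentation = nesting depth
      line = $0; sub(/^[ \t]*/, "", line)
      k = line; sub(/:.*$/, "", k)                       # key: text before the first colon
      v = line; sub(/^[^:]*:[ \t]*/, "", v)              # value: whatever follows it
      sub(/[ \t]+#.*$/, "", v); sub(/[ \t]+$/, "", v)    # drop trailing comment/whitespace
      c = substr(v, 1, 1)
      if ((c == sq || c == dq) && length(v) > 1) v = substr(v, 2, length(v) - 2)
      while (depth > 0 && ind <= indent[depth]) depth--  # leave scopes at same/lower indent
      depth++; indent[depth] = ind; path[depth] = k
      if (depth == n) {
        ok = 1
        for (i = 1; i <= n; i++) if (path[i] != want[i]) ok = 0
        if (ok) { print v; exit }
      }
    }' "$1"
}

# One check: the effective value (file value, else DEFAULT) must equal EXPECTED.
check_key() {        # check_key CONF_FILE KEY EXPECTED DEFAULT
  actual=$(mongo_conf_get "$1" "$2")
  [ -n "$actual" ] || actual=$4
  if [ "$actual" = "$3" ]; then
    printf 'PASS %-31s = %s\n' "$2" "$actual"
  else
    printf 'FAIL %-31s = %s (want %s)\n' "$2" "$actual" "$3"; return 1
  fi
}

# Run the configuration checks of 5.2-5.4 and 6.1-6.7; return 1 if any fails.
run_checks() {       # run_checks CONF_FILE
  c=$1; fails=0
  check_key "$c" systemLog.quiet               false false || fails=$((fails+1))  # 5.3
  check_key "$c" systemLog.logAppend           true  false || fails=$((fails+1))  # 5.4
  check_key "$c" net.http.enabled              false false || fails=$((fails+1))  # 6.1/6.5
  check_key "$c" net.http.JSONPEnabled         false false || fails=$((fails+1))  # 6.6
  check_key "$c" net.http.RESTInterfaceEnabled false false || fails=$((fails+1))  # 6.7
  check_key "$c" security.javascriptEnabled    false true  || fails=$((fails+1))  # 6.4 (if scripting unused)
  port=$(mongo_conf_get "$c" net.port); [ -n "$port" ] || port=27017
  if [ "$port" = 27017 ]; then echo "FAIL net.port is the default 27017"; fails=$((fails+1))
  else echo "PASS net.port = $port"; fi                                           # 6.2
  filter=$(mongo_conf_get "$c" auditLog.filter)
  if [ -n "$filter" ]; then echo "PASS auditLog.filter = $filter"
  else echo "FAIL auditLog.filter not set (Enterprise auditing, 5.2)"; fails=$((fails+1)); fi
  [ "$fails" -eq 0 ]
}

# Constructed sample configurations (not real deployments).
HARDENED=$(mktemp) WEAK=$(mktemp)
trap 'rm -f "$HARDENED" "$WEAK"' EXIT
cat >"$HARDENED" <<'EOF'
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true
  quiet: false
net:
  port: 27117        # non-default port
  bindIp: 127.0.0.1
  http:
    enabled: false
    JSONPEnabled: false
    RESTInterfaceEnabled: false
security:
  authorization: enabled
  javascriptEnabled: false
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json
  filter: '{ atype: { $in: [ "authenticate", "createUser", "dropUser", "dropDatabase" ] } }'
EOF
cat >"$WEAK" <<'EOF'
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
net:
  port: 27017
  http:
    enabled: true
    RESTInterfaceEnabled: true
EOF

echo "== hardened sample =="; run_checks "$HARDENED"
echo "== weak sample ==";     run_checks "$WEAK" || echo "weak sample does not comply"
```

Each check carries the option's default so that an absent key is judged by what mongod will actually do: an absent systemLog.quiet passes (default false), while an absent systemLog.logAppend or security.javascriptEnabled fails, which a bare grep for the key name cannot distinguish.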
7 File Permissions
This section provides recommendations for setting permissions for the key file and the database files.
7.1 Ensure that key file permissions are set correctly (Scored)
Profile Applicability:
• Level 1 - MongoDB on Linux
Description:
The key file holds the shared secret used for internal authentication between the members of a replica set or sharded cluster. Implementing proper file permissions on the key file will prevent unauthorized access to it.
Rationale:
Whoever can read the key file can authenticate to the cluster as a member, which carries full privileges, and so bypass the user-level access controls of the MongoDB database. Protecting the key file therefore strengthens authentication in the cluster and prevents unauthorized access to the data.
Audit:
To find the MongoDB key file and verify its permissions, run the following commands (the path is given by security.keyFile in a YAML configuration or keyFile= in an ini-style one):
grep -i "keyFile" /etc/mongod.conf
ls -l /keyfile
Substitute the path found by the first command. The file should be owned by the mongodb service account with mode 600 or 400; mongod refuses to start with a key file that has group or world permissions.
Remediation:
Set the key file ownership to the mongodb user and remove group and other permissions by executing these commands:
sudo chown mongodb:mongodb /keyfile
sudo chmod 600 /keyfile
Default Value:
Not configured
References:
1. https://docs.mongodb.com/v3.0/tutorial/enable-internal-authentication/
7.2 Ensure that database file permissions are set correctly (Scored)
Profile Applicability:
• Level 1 - MongoDB on Linux
Description:
MongoDB database files (the contents of the storage.dbPath directory) need to be protected using file permissions.
Rationale:
This will restrict unauthorized local users from reading the data files directly, which would bypass MongoDB's authentication and role-based access control entirely, and from tampering with them.
Audit:
To verify that the permissions for the MongoDB database files are configured securely, run the following commands.
Find out the database location using the following command (storage.dbPath in a YAML configuration, dbpath in an ini-style one):
grep -i "dbpath" /etc/mongod.conf
Use the database location as part of the following commands to view and verify the permissions set for the data directory and the files within it:
ls -ld /var/lib/mongodb
ls -l /var/lib/mongodb
The directory and every file in it should be owned by the mongodb service account with no group or other permissions.
Remediation:
Set ownership of the data directory to the mongodb user and remove group and other permissions using the following commands:
sudo chown -R mongodb:mongodb /var/lib/mongodb
sudo chmod 700 /var/lib/mongodb
sudo chmod -R go-rwx /var/lib/mongodb
A directory needs its owner's execute (search) bit: a mode of 660 on the data directory would stop mongod itself from opening its files, so the ceiling for the directory is 700 and for the files within it 600.
Default Value:
Not configured
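The audit steps of 7.1 and 7.2 grep the paths out of mongod.conf and leave the permission check itself to reading ls output. The following shell script is an added example, not part of the CIS benchmark, of doing that check mechanically: it compares owner, group and mode against a ceiling, so a mode that grants anything beyond the ceiling fails while a stricter one (400 for a key file) passes, and it applies the 700 ceiling to directories and 600 to files. It assumes GNU stat (Linux) and works with numeric ids; on a real host pass the key file and dbPath from /etc/mongod.conf together with $(id -u mongodb) and $(id -g mongodb). The paths it checks here are constructed temporary files owned by the current user.

```sh
#!/bin/sh
# Added example (not from the CIS benchmark): check owner, group and mode of the
# key file (7.1) and the dbPath directory and its contents (7.2).
# Assumes GNU stat. Real usage:
#   audit_mongo_files /keyfile /var/lib/mongodb "$(id -u mongodb)" "$(id -g mongodb)"

# Return 0 when PATH is owned by UID:GID and its mode sets no bit outside MAXMODE.
# Returns 1 on a violation and 2 if the path does not exist.
check_perm() {         # check_perm PATH UID GID MAXMODE(octal, e.g. 600)
  path=$1 want_uid=$2 want_gid=$3 max_mode=$4
  info=$(stat -c '%u %g %a' "$path" 2>/dev/null) || { echo "MISSING $path"; return 2; }
  uid=${info%% *}; rest=${info#* }; gid=${rest%% *}; mode=${rest#* }
  extra=$(( 0$mode & ~0$max_mode & 07777 ))   # permission bits set that MAXMODE does not allow
  if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
    echo "FAIL $path owned by $uid:$gid (want $want_uid:$want_gid)"; return 1
  elif [ "$extra" -ne 0 ]; then
    echo "FAIL $path mode $mode grants more than $max_mode"; return 1
  fi
  echo "PASS $path $uid:$gid $mode"
}

# 7.1: the key file may carry owner bits only (mongod refuses a key file with
# group or world permissions). 7.2: the data directory needs its owner's
# execute (search) bit, so its ceiling is 700, not 660; files inside get 600
# and sub-directories (journal, diagnostic.data) 700. Returns 1 on any failure.
audit_mongo_files() {  # audit_mongo_files KEYFILE DBPATH UID GID
  fails=0
  check_perm "$1" "$3" "$4" 600 || fails=$((fails+1))
  check_perm "$2" "$3" "$4" 700 || fails=$((fails+1))
  for f in "$2"/*; do
    [ -e "$f" ] || continue
    if [ -d "$f" ]; then ceiling=700; else ceiling=600; fi
    check_perm "$f" "$3" "$4" "$ceiling" || fails=$((fails+1))
  done
  [ "$fails" -eq 0 ]
}

# Constructed stand-ins for the key file and data directory, owned by the current user.
ME=$(id -u) MYGROUP=$(id -g)
KEYFILE=$(mktemp) DBPATH=$(mktemp -d)
trap 'rm -rf "$KEYFILE" "$DBPATH"' EXIT
touch "$DBPATH/WiredTiger.wt"; mkdir "$DBPATH/journal"

echo "== before remediation (permissive modes) =="
chmod 644 "$KEYFILE"; chmod 755 "$DBPATH"; chmod 644 "$DBPATH/WiredTiger.wt"; chmod 755 "$DBPATH/journal"
audit_mongo_files "$KEYFILE" "$DBPATH" "$ME" "$MYGROUP" || echo "fix the FAIL lines above"

echo "== after remediation (7.1 and 7.2 commands) =="
chmod 600 "$KEYFILE"; chmod 700 "$DBPATH"; chmod -R go-rwx "$DBPATH"
audit_mongo_files "$KEYFILE" "$DBPATH" "$ME" "$MYGROUP"
```

The ceiling comparison is a bitmask rather than a string match so that a key file at 400, or a data directory at 500 on a read-only replica, is accepted while 640, 660 or 755 are reported, which is the distinction an auditor actually needs.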
Appendix: Summary Table

No.  Control                                                                                        Set Correctly
                                                                                                    Yes   No
1    Installation and Patching
1.1  Ensure the appropriate MongoDB software version/patches are installed (Scored)                 o     o
2    Authentication
2.1  Ensure that authentication is enabled for MongoDB databases (Scored)                           o     o
2.2  Ensure that MongoDB does not bypass authentication via the localhost exception (Scored)        o     o
2.3  Ensure authentication is enabled in the sharded cluster (Scored)                               o     o
2.4  Ensure an industry standard authentication mechanism is used (Scored)                          o     o
3    Access Control
3.1  Ensure that role-based access control is enabled and configured appropriately (Scored)         o     o
3.2  Ensure that MongoDB only listens for network connections on authorized interfaces (Scored)     o     o
3.3  Ensure that MongoDB is run using a non-privileged, dedicated service account (Scored)          o     o
3.4  Ensure that each role for each MongoDB database is needed and grants only the necessary
     privileges (Scored)                                                                            o     o
3.5  Review User-Defined Roles (Scored)                                                             o     o
3.6  Review Superuser/Admin Roles (Scored)                                                          o     o
4    Data Encryption
4.1  Ensure TLS or SSL protects all network communications (Scored)                                o     o
4.2  Ensure the database file and/or partition are encrypted (Scored)                              o     o
4.3  Ensure Federal Information Processing Standard (FIPS) is enabled (Scored)                      o     o
5    Auditing
5.1  Ensure that system activity is audited (Scored)                                                o     o
5.2  Ensure that audit filters are configured properly (Scored)                                     o     o
5.3  Ensure that logging captures as much information as possible (Not Scored)                      o     o
5.4  Ensure that new entries are appended to the end of the log file (Not Scored)                   o     o
6    Operating System Hardening
6.1  Ensure that the HTTP status interface is disabled (Scored)                                     o     o
6.2  Ensure that MongoDB uses a non-default port (Scored)                                           o     o
6.3  Ensure that operating system resource limits are set for MongoDB (Not Scored)                  o     o
6.4  Ensure that server-side scripting is disabled if not needed (Not Scored)                       o     o
6.5  Ensure that the HTTP interface is disabled (Not Scored)                                        o     o
6.6  Ensure that JSONP access via an HTTP interface is disabled (Not Scored)                        o     o
6.7  Ensure that the REST API is disabled (Not Scored)                                              o     o
7    File Permissions
7.1  Ensure that key file permissions are set correctly (Scored)                                    o     o
7.2  Ensure that database file permissions are set correctly (Scored)                               o     o
Appendix: Change History

Date         Version   Changes for this version
12-30-2016   1.0.0     Initial Release