CIS MongoDB Benchmark v1.0.0-CC - ITSecure · 3.3 Ensure that MongoDB is run using a...

CISMongoDBBenchmark

v1.0.0-12-30-2016

1|P a g e

ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-ShareAlike4.0InternationalPublicLicense.Thelinktothelicensetermscanbefoundathttps://creativecommons.org/licenses/by-nc-sa/4.0/legalcodeTofurtherclarifytheCreativeCommonslicenserelatedtoCISBenchmarkcontent,youareauthorizedtocopyandredistributethecontentforusebyyou,withinyourorganizationandoutsideyourorganizationfornon-commercialpurposesonly,providedthat(i)appropriatecreditisgiventoCIS,(ii)alinktothelicenseisprovided.Additionally,ifyouremix,transformorbuildupontheCISBenchmark(s),youmayonlydistributethemodifiedmaterialsiftheyaresubjecttothesamelicensetermsastheoriginalBenchmarklicenseandyourderivativewillnolongerbeaCISBenchmark.CommercialuseofCISBenchmarksissubjecttothepriorapprovaloftheCenterforInternetSecurity.

2|P a g e

TableofContents

Overview......................................................................................................................................................................4

IntendedAudience..............................................................................................................................................4

ConsensusGuidance...........................................................................................................................................4

TypographicalConventions............................................................................................................................5

ScoringInformation............................................................................................................................................5

ProfileDefinitions................................................................................................................................................6

Acknowledgements.............................................................................................................................................7

Recommendations....................................................................................................................................................8

1InstallationandPatching..............................................................................................................................8

1.1EnsuretheappropriateMongoDBsoftwareversion/patchesareinstalled(Scored)..........................................................................................................................................................8

2Authentication................................................................................................................................................10

2.1EnsurethatauthenticationisenabledforMongoDBdatabases(Scored)..............10

2.2EnsurethatMongoDBdoesnotbypassauthenticationviathelocalhostexception(Scored).......................................................................................................................................................12

2.3Ensureauthenticationisenabledintheshardedcluster(Scored)............................13

2.4Ensureanindustrystandardauthenticationmechanismisused(Scored)...........15

3AccessControl................................................................................................................................................17

3.1Ensurethatrole-basedaccesscontrolisenabledandconfiguredappropriately(Scored).......................................................................................................................................................17

3.2EnsurethatMongoDBonlylistensfornetworkconnectionsonauthorizedinterfaces(Scored).................................................................................................................................19

3.3EnsurethatMongoDBisrunusinganon-privileged,dedicatedserviceaccount(Scored).......................................................................................................................................................20

3.4EnsurethateachroleforeachMongoDBdatabaseisneededandgrantsonlythenecessaryprivileges(Scored)............................................................................................................21

3.5ReviewUser-DefinedRoles(Scored)......................................................................................23

3.6ReviewSuperuser/AdminRoles(Scored)............................................................................24

4DataEncryption.............................................................................................................................................26

4.1EnsureTLSorSSLprotectsallnetworkcommunications(Scored)..........................26

3|P a g e

4.2Ensurethedatabasefileand/orpartitionareencrypted(Scored)..................Error!Bookmarknotdefined.

4.3EnsureFederalInformationProcessingStandard(FIPS)isenabled(Scored).....28

5Auditing.............................................................................................................................................................30

5.1Ensurethatsystemactivityisaudited(Scored)................................................................30

5.2Ensurethatauditfiltersareconfiguredproperly(Scored)..........................................32

5.3Ensurethatloggingcapturesasmuchinformationaspossible(NotScored)......33

5.4Ensurethatnewentriesareappendedtotheendofthelogfile(NotScored)....34

6OperatingSystemHardening...................................................................................................................35

6.1EnsurethattheHTTPstatusinterfaceisdisabled(Scored).........................................35

6.2EnsurethatMongoDBusesanon-defaultport(Scored)...............................................36

6.3EnsurethatoperatingsystemresourcelimitsaresetforMongoDB(NotScored).........................................................................................................................................................................37

6.4Ensurethatserver-sidescriptingisdisabledifnotneeded(NotScored)..............39

6.5EnsurethattheHTTPinterfaceisdisabled(NotScored)..............................................40

6.6EnsurethatJSONPaccessviaanHTTPinterfaceisdisabled(NotScored)............41

6.7EnsurethattheRESTAPIisdisabled(NotScored)..........................................................42

7FilePermissions.............................................................................................................................................43

7.1Ensurethatkeyfilepermissionsaresetcorrectly(Scored).........................................43

7.2Ensurethatdatabasefilepermissionsaresetcorrectly(Scored).............................44

Appendix:SummaryTable................................................................................................................................45

Appendix:ChangeHistory.................................................................................................................................47

4|P a g e

OverviewThisdocument,CISMongoDBBenchmark,providesprescriptiveguidanceforestablishingasecureconfigurationpostureforMongoDBversion3.0or3.2.ThisguidewastestedagainstMongoDB3.2runningonUbuntuLinux14.04,butappliestootherlinuxdistributionsaswell.Toobtainthelatestversionofthisguide,pleasevisithttp://benchmarks.cisecurity.org.Ifyouhavequestions,comments,orhaveidentifiedwaystoimprovethisguide,[email protected].

IntendedAudience

Thisdocumentisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnelwhoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateMongoDB.

ConsensusGuidance

Thisbenchmarkwascreatedusingaconsensusreviewprocesscomprisedofsubjectmatterexperts.Consensusparticipantsprovideperspectivefromadiversesetofbackgroundsincludingconsulting,softwaredevelopment,auditandcompliance,securityresearch,operations,government,andlegal.

EachCISbenchmarkundergoestwophasesofconsensusreview.Thefirstphaseoccursduringinitialbenchmarkdevelopment.Duringthisphase,subjectmatterexpertsconvenetodiscuss,create,andtestworkingdraftsofthebenchmark.Thisdiscussionoccursuntilconsensushasbeenreachedonbenchmarkrecommendations.Thesecondphasebeginsafterthebenchmarkhasbeenpublished.Duringthisphase,allfeedbackprovidedbytheInternetcommunityisreviewedbytheconsensusteamforincorporationinthebenchmark.Ifyouareinterestedinparticipatingintheconsensusprocess,pleasevisithttps://community.cisecurity.org.

5|P a g e

TypographicalConventions

Thefollowingtypographicalconventionsareusedthroughoutthisguide:

Convention Meaning

Stylized Monospace font Usedforblocksofcode,command,andscriptexamples.Textshouldbeinterpretedexactlyaspresented.

Monospacefont Usedforinlinecode,commands,orexamples.Textshouldbeinterpretedexactlyaspresented.

<italicfontinbrackets> Italictextssetinanglebracketsdenoteavariablerequiringsubstitutionforarealvalue.

Italicfont Usedtodenotethetitleofabook,article,orotherpublication.

Note Additionalinformationorcaveats

ScoringInformation

Ascoringstatusindicateswhethercompliancewiththegivenrecommendationimpactstheassessedtarget'sbenchmarkscore.Thefollowingscoringstatusesareusedinthisbenchmark:

Scored

Failuretocomplywith"Scored"recommendationswilldecreasethefinalbenchmarkscore.Compliancewith"Scored"recommendationswillincreasethefinalbenchmarkscore.

NotScored

Failuretocomplywith"NotScored"recommendationswillnotdecreasethefinalbenchmarkscore.Compliancewith"NotScored"recommendationswillnotincreasethefinalbenchmarkscore.

6|P a g e

ProfileDefinitions

ThefollowingconfigurationprofilesaredefinedbythisBenchmark:

• Level1-MongoDBonLinux

ItemsinthisprofileapplytoMongoDBrunningonLinuxandintendto:

o bepracticalandprudent;o provideaclearsecuritybenefit;ando notinhibittheutilityofthetechnologybeyondacceptablemeans.

• Level2-MongoDBonLinux

Thisprofileextendsthe"Level1-MongoDBonLinux"profile.ItemsinthisprofileapplytoMongoDBrunningonLinuxandexhibitoneormoreofthefollowingcharacteristics:

o areintendedforenvironmentsorusecaseswheresecurityisparamounto actsasdefenseindepthmeasureo maynegativelyinhibittheutilityorperformanceofthetechnology.

7|P a g e

Acknowledgements

Thisbenchmarkexemplifiesthegreatthingsacommunityofusers,vendors,andsubjectmatterexpertscanaccomplishthroughconsensuscollaboration.TheCIScommunitythankstheentireconsensusteamwithspecialrecognitiontothefollowingindividualswhocontributedgreatlytothecreationofthisguide:

AuthorVineshRedkarSecurityConsultantEditorTimHarrisonCISSP,ICPPralhadChaskarKarenScarfoneChrisBielinski

8|P a g e

Recommendations1InstallationandPatching

ThissectionprovidesguidanceonensuringthattheMongoDBsoftwareisuptodatetoeliminateeasilyavoidablevulnerabilities.

1.1EnsuretheappropriateMongoDBsoftwareversion/patchesareinstalled(Scored)

ProfileApplicability:

•Level1-MongoDBonLinux

Description:

TheMongoDBinstallationversion,alongwiththepatchlevel,shouldbethemostrecentthatiscompatiblewiththeorganization'soperationalneeds.

Rationale:

UsingthemostrecentMongoDBsoftwareversionalongwithallapplicablepatcheshelpslimitthepossibilitiesforvulnerabilitiesinthesoftware.Theinstallationversionand/orpatchesappliedshouldbeselectedaccordingtotheneedsoftheorganization.Atminimum,thesoftwareversionshouldbesupported.

NotethatasofOctober2016,onlyMongoDBversions3.0and3.2arestillsupported.

Audit:

RunthefollowingcommandfromwithintheMongoDBshelltodetermineiftheMongoDBsoftwareversioncomplieswithyourorganization’soperationalneeds:

> db.version()

9|P a g e

Remediation:

UpgradetothelatestversionoftheMongoDBsoftware:

1. Backupthedataset.2. DownloadthebinariesforthelatestMongoDBrevisionfromtheMongoDB

DownloadPageandstorethebinariesinatemporarylocation.ThebinariesdownloadascompressedfilesthatextracttothedirectorystructureusedbytheMongoDBinstallation.

3. ShutdowntheMongoDBinstance.4. ReplacetheexistingMongoDBbinarieswiththedownloadedbinaries.5. RestarttheMongoDBinstance.

DefaultValue:

Patchesarenotinstalledbydefault.

References:

1. http://docs.mongodb.org/manual/tutorial/upgrade-revision/2. https://docs.mongodb.com/manual/release-notes/3. https://www.mongodb.com/download-center#community4. https://www.mongodb.com/support-policy

10|P a g e

2Authentication

ThissectioncontainsrecommendationsforrequiringauthenticationbeforeallowingaccesstotheMongoDBdatabase.

2.1EnsurethatauthenticationisenabledforMongoDBdatabases(Scored)



Description:

Thissettingensuresthatallclients,users,and/orserversarerequiredtoauthenticatepriortobeinggrantedaccesstotheMongoDBdatabase.

Rationale:

Failuretoauthenticateclients,users,and/orserverscanenableunauthorizedaccesstotheMongoDBdatabaseandcanpreventtracingactionsbacktotheirsources.

Audit:

Runthefollowingcommandtoverifywhetherauthenticationisenabled(AuthvaluesettoTrue)ontheMongoDBserver.

cat /etc/mongod.conf | grep “Auth=”

11|P a g e

Remediation:

TheauthenticationmechanismshouldbeimplementedbeforeanyoneaccessestheMongoDBServer.

Toenabletheauthenticationmechanism:

• StarttheMongoDBinstancewithoutauthentication.

mongod --port 27017 --dbpath /data/db1

• Createthesystemuseradministrator,ensuringthatitspasswordmeetsorganizationally-definedpasswordcomplexityrequirements.

use admin db.createUser( { user: "siteUserAdmin", pwd: "password", roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] } )

• RestarttheMongoDBinstancewithauthenticationenabled.

mongod --auth --config /etc/mongod.conf

DefaultValue:

Notconfigured

References:

1. https://www.mongodb.com/blog/post/improved-password-based-authentication-mongodb-30-scram-explained-part-1

2. https://www.owasp.org/index.php/Authentication_Cheat_Sheet

12|P a g e

2.2EnsurethatMongoDBdoesnotbypassauthenticationviathelocalhostexception(Scored)



Description:

MongoDBshouldnotbesettobypassauthenticationviathelocalhostexception.Thelocalhostexceptionallowsyoutoenableauthorizationbeforecreatingthefirstuserinthesystem.

Note:ThisrecommendationonlyapplieswhentherearenouserscreatedintheMongoDBinstance.

Rationale:

DisablingthisexceptionwillpreventunauthorizedlocalaccesstotheMongoDBdatabase.Itwillalsoensuretraceabilityofeachdatabaseactivitytoaspecificuser.

Audit:

Toverifythelocalhostexceptionisdisabled,runthefollowingcommandtoensurethatenableLocalhostAuthBypassissetto0(false):

cat /etc/mongod.conf |grep “enableLocalhostAuthBypass”

Remediation:

SinceenableLocalhostAuthBypassisnotavailableusingthesetParameterdatabasecommand,usethesetParameteroptionintheconfigurationfiletosetittofalse.

setParameter: enableLocalhostAuthBypass: false

DefaultValue:

Notconfigured

References:

1. http://docs.mongodb.org/manual/core/authentication/#localhost-exception

13|P a g e

2.3Ensureauthenticationisenabledintheshardedcluster(Scored)



Description:

Authenticationisenabledinashardedclusterwhenkeyfilesarecreatedandconfiguredforallcomponents.Thisensuresthateveryclientthataccessestheclustermustprovidecredentials,toincludeMongoDBinstancesthataccesseachotherwithinthecluster.

Rationale:

EnforcingakeyonashardedclusterpreventsunauthorizedaccesstotheMongoDBdatabaseandprovidestraceabilityofdatabaseactivitiestoaspecificuserorcomponent.

Audit:

Runthefollowingcommandtoverifythatthekeyfileparameterisconfigured:

cat /etc/mongod.conf | grep “keyFile=”

Remediation:

Toenableauthenticationintheshardedcluster,performthefollowingsteps:

• Generateakeyfile.

http://docs.mongodb.org/v2.4/tutorial/generate-key-file/#generate-key-file

• Oneachcomponentinthesharedcluster,enableauthenticationbydoingoneofthefollowing:

o Intheconfigurationfile/etc/mongod.conf,setthekeyFileoptiontothekeyfile’spathandthenstartthecomponentwiththiscommand:

keyFile = /srv/mongodb/keyfile

• Whenstartingthecomponent,set--keyFileoption,whichisanoptionforbothmongosinstancesandmongodinstances.Setthe--keyFiletothekeyfile’spath.

14|P a g e

DefaultValue:

Notconfigured

References:

1. http://docs.mongodb.org/v2.2/administration/sharded-clusters/

15|P a g e

2.4Ensureanindustrystandardauthenticationmechanismisused(Scored)



Description:

UsingoneormoreindustrystandardauthenticationmechanismshelpsorganizationsenforcetheiraccountandpasswordpoliciesfortheirMongoDBusers.

Rationale:

Withoutanindustrystandardauthenticationmechanisminplace,accountandpasswordmanagementismoretedious,andauthenticationmaynotalignwiththeorganization'spolicies.

Audit:

ToverifytheauthenticationmechanisminuseforMongoDB,runthefollowingcommands:

cat /etc/mongod.conf | grep “clusterAuthMode:” cat /etc/mongod.conf | grep “mode:” cat /etc/mongod.conf | grep “authorization:" cat /etc/mongod.conf | grep “authenticationMechanisms:”

Remediation:

Inordertoimplementanindustrystandardauthenticationmechanism,usethecorrespondingsamplefromthelistbelowasamodelforspecifyingtheauthenticationmechanismsintheMongoDBconfigurationfile.

x.509CertificatesforClientAuthentication:

security: clusterAuthMode: x509 net: ssl: mode: requireSSL PEMKeyFile: <path to TLS/SSL certificate and key PEM file> CAFile: <path to root CA PEM file>

SeethereferencesectionforalinktoadetailedprocedureforgeneratingthePEMKeyFileandCAFile.

MongoDBwithKerberosAuthenticationonLinux:

16|P a g e

security: authorization: enabled setParameter: authenticationMechanisms: GSSAPI storage: dbPath: /opt/mongodb/data

SeethereferencesectionforalinktoadetailedprocedureforestablishingtheKerberosserviceprincipalandkeytabfile.

References:

1. https://docs.mongodb.com/v3.2/tutorial/configure-x509-client-authentication/2. https://docs.mongodb.com/v3.2/tutorial/control-access-to-mongodb-with-

kerberos-authentication/3. https://docs.mongodb.com/v3.2/core/kerberos/#kerberos-service-principal4. https://docs.mongodb.com/v3.2/core/kerberos/#keytab-files

17|P a g e

3AccessControl

ThissectioncontainsrecommendationsforrestrictingaccesstoMongoDBsystems.

3.1Ensurethatrole-basedaccesscontrolisenabledandconfiguredappropriately(Scored)



Description:

Role-basedaccesscontrol(RBAC)isamethodofregulatingaccesstoresourcesbasedontherolesofindividualuserswithinanenterprise.Auserisgrantedoneormorerolesthatdeterminetheuser’saccesstodatabaseresourcesandoperations.Outsideofroleassignments,theuserhasnoaccesstothesystem.MongoDBcanuseRBACtogovernaccesstoMongoDBsystems.MongoDBdoesnotenableauthorizationbydefault.

Rationale:

Whenproperlyimplemented,RBACenablesuserstocarryoutawiderangeofauthorizedtasksbydynamicallyregulatingtheiractionsaccordingtoflexiblefunctions.Thisallowsanorganizationtocontrolemployees’accesstoalldatabasetablesthroughRBAC.

Audit:

ConnecttoMongoDBwiththeappropriateprivilegesandrunthefollowingcommand:

mongo --port 27017 -u <siteUserAdmin> -p <password> --authenticationDatabase <database name>

Identifyusers'rolesandprivileges:

> db.getUser() > db.getRole()

Verifythattheappropriateroleorroleshavebeenconfiguredforeachuser.

18|P a g e

Remediation:

1. EstablishrolesforMongoDB.2. Assigntheappropriateprivilegestoeachrole.3. Assigntheappropriateuserstoeachrole.4. Removeanyindividualprivilegesassignedtousersthatarenowaddressedbythe

roles.5. SeethereferencebelowformoreInformation.

References:

1. http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/

19|P a g e

3.2EnsurethatMongoDBonlylistensfornetworkconnectionsonauthorizedinterfaces(Scored)



Description:

EnsuringthatMongoDBrunsinatrustednetworkenvironmentinvolveslimitingthenetworkinterfacesonwhichMongoDBinstanceslistenforincomingconnections.AnyuntrustednetworkconnectionsshouldbedroppedbyMongoDB.

Rationale:

Thisconfigurationblocksconnectionsfromuntrustednetworks,leavingonlysystemsonauthorizedandtrustednetworksabletoattempttoconnecttotheMongoDB.Ifnotconfigured,thismayleadtounauthorizedconnectionsfromuntrustednetworkstoMongoDB.

Audit:

1. Verifythatnetworkexposureislimited,reviewthesettingsintheMongoDBconfigurationfile:cat /etc/mongod.conf |grep –A12 “net” | grep “bindIp“

2. VerifytherelevantnetworksettingsontheLinuxsystemitself:iptables –L

Remediation:

ConfiguretheMongoDBconfigurationfiletolimititsexposuretoonlythenetworkinterfacesonwhichMongoDBinstancesshouldlistenforincomingconnections.

DefaultValue:

Notconfigured

References:

1. http://docs.mongodb.org/manual/tutorial/configure-linux-iptables-firewall/2. http://docs.mongodb.org/manual/tutorial/configure-windows-netsh-firewall/

20|P a g e

3.3EnsurethatMongoDBisrunusinganon-privileged,dedicatedserviceaccount(Scored)



Description:

TheMongoDBserviceshouldnotberunusingaprivilegedaccountsuchas'root'becausethisunnecessarilyexposestheoperatingsystemtohighrisk.

Rationale:

Usinganon-privileged,dedicatedserviceaccountrestrictsthedatabasefromaccessingthecriticalareasoftheoperatingsystemwhicharenotrequiredbytheMongoDB.Thiswillalsomitigatethepotentialforunauthorizedaccessviaacompromised,privilegedaccountontheoperatingsystem.

Audit:

Runthefollowingcommandtogetlistingofallmongoinstances,thePIDnumber,andthePIDowner.

ps -ef | grep -E "mongos|mongod"

Remediation:

1. CreateadedicateduserforperformingMongoDBdatabaseactivity.2. SettheDatabasedatafiles,thekeyfile,andtheSSLprivatekeyfilestoonlybe

readablebythemongod/mongosuser.3. Setthelogfilestoonlybewritablebythemongod/mongosuserandreadableonly

byroot.

DefaultValue:

Notconfigured

References:

1. http://docs.mongodb.org/manual/tutorial/manage-users-and-roles/

21|P a g e

3.4EnsurethateachroleforeachMongoDBdatabaseisneededandgrantsonlythenecessaryprivileges(Scored)



Description:

Reviewingallrolesperiodicallyandeliminatingunneededrolesaswellasunneededprivilegesfromnecessaryroleshelpsminimizetheprivilegesthateachuserhas.

Rationale:

Althoughrole-basedaccesscontrol(RBAC)hasmanyadvantagesforregulatingaccesstoresources,overtimesomerolesmaynolongerbeneeded,andsomerolesmaygrantprivilegesthatarenolongerneeded.

Audit:

Performthefollowingcommandtoviewallrolesonthedatabaseonwhichthecommandruns,includingbothbuilt-inanduser-definedroles,aswellastheprivilegesgrantedbyeachrole.Ensurethatonlynecessaryrolesarelistedandonlythenecessaryprivilegesarelistedforeachrole.

db.runCommand( { rolesInfo: 1, showPrivileges: true showBuiltinRoles: true } )

Remediation:

Torevokespecifiedprivilegesfromtheuser-definedroleonthedatabasewherethecommandisrun.TherevokePrivilegesFromRolecommandhasthefollowingsyntax:

{ revokePrivilegesFromRole: "<role>", privileges: [ { resource: { <resource> }, actions: [ "<action>", ... ] }, ... ], }

22|P a g e

References:

1. https://docs.mongodb.com/v3.2/reference/method/db.revokePrivilegesFromRole/

2. https://docs.mongodb.com/v3.2/reference/command/revokePrivilegesFromRole/#dbcmd.revokePrivilegesFromRole

23|P a g e

3.5ReviewUser-DefinedRoles(Scored)



Description:

Reviewingallrolesperiodicallyandremovingallusersfromthoseroleswhodonotneedtobelongtothemhelpsminimizetheprivilegesthateachuserhas.

Rationale:

Althoughrole-basedaccesscontrol(RBAC)hasmanyadvantagesforregulatingaccesstoresources,overtimesomeusersmaybeassignedtorolesthatarenolongernecessary,suchasauserchangingjobswithintheorganization.Userswhohaveexcessiveprivilegesposeunnecessaryrisktotheorganization.

Audit:

Checkeachroleforeachdatabaseusingoneofthefollowingcommands.

Tospecifyarolefromthecurrentdatabase,specifytherolebyitsname:

db.runCommand( { rolesInfo: "<rolename>" } )

Tospecifyarolefromanotherdatabase,specifytherolebyadocumentthatspecifiestheroleanddatabase:

db.runCommand( { rolesInfo: { role: "<rolename>", db: "<database>" } } )

Remediation:

Toremoveauserfromoneormorerolesonthecurrentdatabase,usethefollowingcommand:

use <dbName> db.revokeRolesFromUser( "<username>", [ <roles> ])

References:

1. https://docs.mongodb.com/manual/reference/method/db.revokeRolesFromUser/2. https://docs.mongodb.com/manual/reference/command/rolesInfo/3. https://docs.mongodb.com/manual/reference/privilege-

actions/#authr.revokeRole

24|P a g e

3.6ReviewSuperuser/AdminRoles(Scored)



Description:

Rolesprovideseveraladvantagesthatmakeiteasiertomanageprivilegesinadatabasesystem.Securityadministratorscancontrolaccesstotheirdatabasesinawaythatmirrorsthestructureoftheirorganizations(theycancreaterolesinthedatabasethatmapdirectlytothejobfunctionsintheirorganizations).Theassignmentofprivilegesissimplified.Insteadofgrantingthesamesetofprivilegestoeachindividualuserinaparticularjobfunction,theadministratorcangrantthissetofprivilegestoarolerepresentingthatjobfunctionandthengrantthatroletoeachuserinthatjobfunction.

Rationale:

ReviewingtheSuperuser/Adminroleswithinadatabasehelpsminimizethepossibilityofprivilegedunwantedaccess.

Audit:

Superuserrolesprovidetheabilitytoassignanyuseranyprivilegeonanydatabase,whichmeansthatuserswithoneoftheserolescanassignthemselvesanyprivilegeonanydatabase:

db.runCommand( { rolesInfo: "dbOwner" } ) db.runCommand( { rolesInfo: "userAdmin" } ) db.runCommand( { rolesInfo: "userAdminAnyDatabase" } )

RootroleprovidesaccesstotheoperationsandalltheresourcesofthereadWriteAnyDatabase,dbAdminAnyDatabase,userAdminAnyDatabase,clusterAdminroles,restorecombined.

db.runCommand( { rolesInfo: "readWriteAnyDatabase" } ) db.runCommand( { rolesInfo: "dbAdminAnyDatabase" } ) db.runCommand( { rolesInfo: "userAdminAnyDatabase" } ) db.runCommand( { rolesInfo: "clusterAdmin" } )

ClusterAdministrationRolesareusedforadministeringthewholesystemratherthanjustasingledatabase.

db.runCommand( { rolesInfo: "hostManager" } )

25|P a g e

Remediation:

Toremoveauserfromoneormorerolesonthecurrentdatabase.

use <dbName> db.revokeRolesFromUser( "<username>", [ <roles> ])

References:

1. https://docs.mongodb.com/v3.0/reference/built-in-roles/#built-in-roles2. https://docs.mongodb.com/manual/reference/method/db.revokeRolesFromUser/

26|P a g e

4DataEncryption

Thissectioncontainsrecommendationsforsecuringdataatrest(stored)anddatainmotion(transiting)forMongoDB.

4.1EnsureTLSorSSLprotectsallnetworkcommunications(Scored)



Description:

UseTLSorSSLtoprotectallincomingandoutgoingconnections.ThisshouldincludeusingTLSorSSLtoencryptcommunicationbetweenmongodandmongoscomponentsofaMongoDBclientaswellasbetweenallapplicationsandMongoDB.

MostMongoDBdistributionsincludesupportforSSLorTLS.

Rationale:

ThispreventssniffingofcleartexttrafficbetweenMongoDBcomponentsorperformingaman-in-the-middleattackforMongoDB.

Audit:

ToverifythattheserverrequiresSSLorTLSuse(net.ssl.modevaluesettorequireSSL),runoneofthefollowingcommands:

mongos --config /etc/mongos.conf

or

cat /etc/mongos.conf | grep –A20 ‘net’ | grep –A10 ‘ssl’ | grep ‘mode’

Remediation:

ConfigureMongoDBserverstorequiretheuseofSSLorTLStoencryptallMongoDBnetworkcommunications.

27|P a g e

DefaultValue:

Notconfigured

References:

1. http://docs.mongodb.org/manual/tutorial/configure-ssl/

28|P a g e

4.2EnsureFederalInformationProcessingStandard(FIPS)isenabled(Scored)



Description:

TheFederalInformationProcessingStandard(FIPS)isacomputersecuritystandardusedtocertifysoftwaremodulesandlibrariesthatencryptanddecryptdatasecurely.YoucanconfigureMongoDBtorunwithaFIPS140-2certifiedlibraryforOpenSSL.

Rationale:

FIPSisindustrystandardthatdictateshowdatashouldbeencryptedinrestandduringtransmission.

Audit:

ToverifythattheserverusesFIPSMode(net.ssl.FIPSModevaluesettotrue),runfollowingcommands:

mongos --config /etc/mongos.conf

net: ssl: FIPSMode: true

or

ToverifyFIPSmodeisrunning,checktheserverlogfileforamessagethatFIPSisactive:

FIPS 140-2 mode activated

29|P a g e

Remediation:

ConfiguringFIPSmode,ensurethatyourcertificateisFIPScompliant.RunmongodormongosinstanceinFIPSmode.

Makechangestoconfigurationfile,toconfigureyourmongodormongosinstancetouseFIPSmode,shutdowntheinstanceandupdatetheconfigurationfilewiththefollowingsetting:

net: ssl: FIPSMode: true

Startmongodormongosinstancewithaconfigurationfile.

mongod --config /etc/mongod.conf

DefaultValue:

Notconfigured

References:

1. https://docs.mongodb.com/v3.2/tutorial/configure-fips/

30|P a g e

5Auditing

ThissectioncontainsrecommendationsrelatedtoconfiguringauditlogginginMongoDB.

5.1Ensurethatsystemactivityisaudited(Scored)



Description:

Trackaccessandchangestodatabaseconfigurationsanddata.MongoDBEnterpriseincludesasystemauditingfacilitythatcanrecordsystemevents(e.g.useroperations,connectionevents)onaMongoDBinstance.Theseauditrecordspermitforensicanalysisandallowadministratorstoverifypropercontrols.

Rationale:

Systemlevellogscanbehandywhiletroubleshootinganoperationalproblemorhandlingasecurityincident.

Audit:

ToverifythatsystemactivityisbeingauditedforMongoDB,runthefollowingcommandtoconfirmtheauditLog.destinationvalueissetcorrectly:

cat /etc/mongod.conf |grep –A4 “auditLog” | grep “destination”

31|P a g e

Remediation:

SetthevalueofauditLog.destinationtotheappropriatevaluefromthefollowingoptions:

syslog Toenableauditingandprintauditeventstosyslog

mongod --dbpath data/db --auditDestination syslog

console Toenableauditingandprintauditeventstostandardoutput(i.e.,stdout)

mongod --dbpath data/db --auditDestination console

JsonFile ToenableauditingandprintauditeventstoafileinJSONformat.PrintingauditeventstoafileinJSONformatdegradesserverperformancemorethanprintingtoafileinBSONformat.

mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json

BsonFile ToenableauditingandprintauditeventstoafileinBSONbinaryformat

mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson

DefaultValue:

Notconfigured

References:

1. http://docs.mongodb.org/manual/tutorial/configure-auditing/

32|P a g e

5.2Ensurethatauditfiltersareconfiguredproperly(Scored)



Description:

MongoDBEnterprisesupportsauditingofvariousoperations.Whenenabled,theauditfacility,bydefault,recordsallauditableoperationsasdetailedinAuditEventActions,Details,andResults.Tospecifywhicheventstorecord,theauditfeatureincludesthe--auditFilteroption.ThischeckisonlyforEnterpriseeditions.

Rationale:

Alloperationscarriedoutonthedatabasearelogged.Thishelpsinbacktrackingandtracinganyincidentthatoccurs.

Audit:

ToverifythatauditfiltersareconfiguredonMongoDBaspertheorganization’srequirements,runthefollowingcommand:

cat /etc/mongod.conf |grep –A10 “auditLog” | grep “filter”

Remediation:

Settheauditfiltersbasedontheorganization’srequirements.

DefaultValue:

Notconfigured

References:

1. https://docs.mongodb.com/manual/reference/audit-message/2. https://docs.mongodb.com/manual/tutorial/configure-audit-filters/

33|P a g e

5.3Ensurethatloggingcapturesasmuchinformationaspossible(NotScored)



Description:

TheSystemLog.quietoptionstopsloggingofinformationsuchas:

• connectionevents• authenticationevents• replicationsyncactivities• evidenceofsomepotentiallyimpactfulcommandsbeingrun(eg:drop,dropIndexes,

validate)

Thisinformationshouldbeloggedwheneverpossible.ThischeckisonlyforEnterpriseeditions.

Rationale:

TheuseofSystemLog.quietmakestroubleshootingproblemsandinvestigatingpossiblesecurityincidentsmuchmoredifficult.

Audit:

ToverifythattheSystemLog.quietoptionisdisabled(valueofFalse),runthefollowingcommand:

cat /etc/mongod.conf |grep “SystemLog.quiet”

Remediation:

SetSystemLog.quiettoFalseinthe/etc/mongod.conffiletodisableit.

References:

1. https://docs.mongodb.com/manual/reference/configuration-options/#systemLog.quiet

34|P a g e

5.4Ensurethatnewentriesareappendedtotheendofthelogfile(NotScored)



Description:

Bydefault,newlogentrieswilloverwriteoldentriesafterarestartofthemongodorMongolsservice.EnablingthesystemLog.logAppendsettingcausesnewentriestobeappendedtotheendofthelogfileratherthanoverwritingtheexistingcontentofthelogwhenthemongosormongodinstancerestarts.

Rationale:

Allowingoldentriestobeoverwrittenbynewentriesinsteadofappendingnewentriestotheendofthelogmaydestroyoldlogdatathatisneededforavarietyofpurposes.

Audit:

Toverifythatnewlogentrieswillbeappendedtotheendofthelogfileafterarestart(systemLog.logAppendvaluesettotrue),runthefollowingcommand:

cat /etc/mongod.conf |grep “systemLog.logAppend”

Remediation:

SetsystemLog.logAppendtotrueinthe/etc/mongod.conffile.

References:

1. https://docs.mongodb.com/manual/reference/configuration-options/#systemLog.logAppend

35|P a g e

6OperatingSystemHardening

ThissectioncontainsrecommendationsrelatedtohardeningtheoperatingsystemrunningbelowMongoDB.

6.1EnsurethattheHTTPstatusinterfaceisdisabled(Scored)



Description:

MongoDBbydefaultprovidesanHTTPinterfacerunningonport28017toprovidethe“home”statuspage.Thispageprovidescertaincriticalinformationaboutthedatabase’sstatisticsandclients.

PleasenotethatthisfunctionhasbeenDeprecatedsinceversion3.2.

Rationale:

AnattackercouldaccessthestatuspagetolearnmoreabouttheMongoDBserveranddeterminehowtocompromiseit.

Audit:

ToverifythattheHTTPstatusinterfaceisdisabledonMongoDB(nohttpinterfacehasthevalueTrue),executethefollowingcommand:

cat /etc/mongod.conf |grep “nohttpinterface” nohttpinterface = False

Remediation:

DisabletheHTTPstatusinterfacebysettingnohttpinterface = Trueinthe/etc/mongod.conffile.

DefaultValue:

Enabled

References:

1. https://docs.mongodb.com/ecosystem/tools/http-interfaces/#http-status-interface

36|P a g e

6.2EnsurethatMongoDBusesanon-defaultport(Scored)



Description:

ChangingtheportusedbyMongoDBmakesitharderforattackerstofindthedatabaseandtargetit.

Rationale:

Standardportsareusedinautomatedattacksandbyattackerstoverifywhichapplicationsarerunningonaserver.

Audit:

ToverifytheportnumberusedbyMongoDB,executethefollowingcommandandensurethattheportnumberisnot27017:

cat /etc/mongod.conf |grep “port”

Remediation:

ChangetheportforMongoDBservertoanumberotherthan27017.

Impact:

HackersfrequentlyscanIPaddressesforcommonlyusedports,soit'snotuncommontouseadifferentportto"flyundertheradar".Thisisjusttoavoiddetection,otherthanthatthereisnoaddedsafetybyusingadifferentport.

References:

1. https://docs.mongodb.com/manual/reference/default-mongodb-port/

37|P a g e

6.3EnsurethatoperatingsystemresourcelimitsaresetforMongoDB(NotScored)



Description:

Operatingsystemsprovidewaystolimitandcontroltheusageofsystemresourcessuchasthreads,files,andnetworkconnectionsonaper-processandper-userbasis

Rationale:

Theseulimitspreventasingleuserfromconsumingtoomanysystemresources.

Audit:

ToverifytheresourcelimitssetforMongoDB,runthefollowingcommands.

ExtracttheprocessIDforMongoDB:

ps -ef|grep mongod

Viewthelimitsassociatedwiththatprocessnumber:

cat /proc/1322/limits

Remediation:

Everydeploymentmayhaveuniquerequirementsandsettings.RecommendedthresholdsandsettingsareparticularlyimportantforMongoDBdeployments:

• f(filesize):unlimited• t(cputime):unlimited• v(virtualmemory):unlimited[1]• n(openfiles):64000• m(memorysize):unlimited[1][2]• u(processes/threads):64000

Restartthemongodandmongosinstancesafterchangingtheulimitsettingstoensurethatthechangestakeeffect.

38|P a g e

DefaultValue:

Notconfigured

References:

1. https://docs.mongodb.com/manual/reference/ulimit/#recommended-ulimit-settings

39|P a g e

6.4Ensurethatserver-sidescriptingisdisabledifnotneeded(NotScored)



Description:

MongoDBsupportstheexecutionofJavaScriptcodeforcertainserver-sideoperations:mapReduce,group,and$where.Ifyoudonotusetheseoperations,server-sidescriptingshouldbedisabled.

Rationale:

Ifserver-sidescriptingisnotneededandisnotdisabled,thisintroducesunnecessaryriskthatanattackermaytakeadvantageofinsecurecoding.

Audit:

Ifserver-sidescriptingisnotrequired,verifythatitisdisabled(javascriptEnabledvalueofFalse)usingthefollowingcommand:

cat /etc/mongod.conf |grep –A10 “security” | grep “javascriptEnabled”

Remediation:

Ifserver-sidescriptingisnotrequired,disableitbyusingthe--noscriptingoptiononthecommandline.

DefaultValue:

Enabled

40|P a g e

6.5EnsurethattheHTTPinterfaceisdisabled(NotScored)



Description:

Thenet.http.enabledparameterisusedtoenableordisabletheHTTPinterface.


Rationale:

Additionalnetworkinterfacesexposethesystemtoagreaterextent.Runningunnecessaryservicesmayallowanattackertopenetratethesystemviaanunknownvulnerability.

Audit:

VerifytheHTTPinterfaceisdisabled(parametervaluesettofalse)byrunningthefollowingcommand:

cat /etc/mongod.conf |grep –A12 “net” | grep –A10 “http” | grep “enabled”

Remediation:

SettheparametervaluetofalsetodisabletheHTTPinterface.

DefaultValue:

false

References:

1. https://docs.mongodb.com/manual/core/security-mongodb-configuration/#http-status-interface

41|P a g e

6.6EnsurethatJSONPaccessviaanHTTPinterfaceisdisabled(NotScored)



Description:

Thenet.http.JSONPEnabledparameterisusedtoenableordisableJSONPaccessviaanHTTPinterface.EnablingthisparameteralsoenablestheHTTPinterface,eveniftheparameterforenablingtheHTTPinterfaceissettodisabled.


Rationale:

Additionalnetworkinterfacesexposethesystemtoagreaterextent.Runningunnecessaryservicesmayallowanattackertopenetratethesystemviaanunknownvulnerability.

Audit:

VerifythatJSONPaccessisdisabled(parametervaluesettofalse)byrunningthefollowingcommand:

cat /etc/mongod.conf |grep –A12 “net” | grep –A10 “http” | grep “JSONPEnabled”

Remediation:

SettheparametervaluetofalsetodisableJSONPaccess.

DefaultValue:

false

References:

1. https://docs.mongodb.com/manual/reference/configuration-options/#net.http.JSONPEnabled

42|P a g e

6.7EnsurethattheRESTAPIisdisabled(NotScored)



Description:

Thenet.http.RESTInterfaceEnabledparameterisusedtoenableordisabletheRESTAPI.EnablingthisparameteralsoenablestheHTTPinterface,eveniftheparameterforenablingtheHTTPinterfaceissettodisabled.


Rationale:

Additionalinterfacesexposethesystemtoagreaterextent.Runningunnecessaryservicesmayallowanattackertopenetratethesystemviaanunknownvulnerability.

Audit:

VerifytheRESTAPIisdisabled(parametervaluesettofalse)byrunningthefollowingcommand:

cat /etc/mongod.conf |grep –A12 “net” | grep –A10 “http” | grep “RESTInterfaceEnabled”

Remediation:

SettheparametervaluetofalsetodisabletheRESTAPI.

DefaultValue:

false

References:

1. https://docs.mongodb.com/manual/reference/configuration-options/#net.http.RESTInterfaceEnabled

43|P a g e

7FilePermissions

Thissectionprovidesrecommendationsforsettingpermissionsforthekeyfileandthedatabasefile.

7.1Ensurethatkeyfilepermissionsaresetcorrectly(Scored)



Description:

Thekeyfileisusedforauthenticationintheshardedcluster.Implementingproperfilepermissionsonthekeyfilewillpreventunauthorizedaccesstoit.

Rationale:

ProtectingthekeyfilestrengthensauthenticationintheshardedclusterandpreventsunauthorizedaccesstotheMongoDBdatabase.

Audit:

ToverifythepermissionsfortheMongoDBkeyfile,runthefollowingcommand:

cat /etc/mongod.conf | grep “keyFile=”

Remediation:

SetthekeyFileownershiptomongodbuserandremoveotherpermissionsbyexecutingthesecommands:

chmod 600 /keyfile sudo chown mongodb:mongodb /keyfile

DefaultValue:

Notconfigured

References:

1. https://docs.mongodb.com/v3.0/tutorial/enable-internal-authentication/

44|P a g e

7.2Ensurethatdatabasefilepermissionsaresetcorrectly(Scored)



Description:

MongoDBdatabasefilesneedtobeprotectedusingfilepermissions.

Rationale:

Thiswillrestrictunauthorizedusersfromaccessingthedatabase.

Audit:

ToverifythatthepermissionsfortheMongoDBdatabasefileareconfiguredsecurely,runthefollowingcommands.

Findoutthedatabaselocationusingthefollowingcommand:

cat /etc/mongod.conf |grep “dbpath”

Usethedatabaselocationaspartofthefollowingcommandtoviewandverifythepermissionssetforthedatabasefile:

ls –l /var/lib/mongodb

Remediation:

Setownershipofthedatabasefiletomongodbuserandremoveotherpermissionsusingthefollowingcommands:

chmod 660 /var/lib/mongodb sudo chown mongodb:mongodb /var/lib/mongodb

DefaultValue:

Notconfigured

45|P a g e

Appendix:SummaryTableControl Set

CorrectlyYes No

1 InstallationandPatching1.1 EnsuretheappropriateMongoDBsoftwareversion/patches

areinstalled(Scored) o o

2 Authentication2.1 EnsurethatauthenticationisenabledforMongoDBdatabases

(Scored) o o

2.2 EnsurethatMongoDBdoesnotbypassauthenticationviathelocalhostexception(Scored) o o

2.3 Ensureauthenticationisenabledintheshardedcluster(Scored) o o

2.4 Ensureanindustrystandardauthenticationmechanismisused(Scored) o o

3 AccessControl3.1 Ensurethatrole-basedaccesscontrolisenabledand

configuredappropriately(Scored) o o

3.2 EnsurethatMongoDBonlylistensfornetworkconnectionsonauthorizedinterfaces(Scored) o o

3.3 EnsurethatMongoDBisrunusinganon-privileged,dedicatedserviceaccount(Scored) o o

3.4 EnsurethateachroleforeachMongoDBdatabaseisneededandgrantsonlythenecessaryprivileges(Scored) o o

3.5 ReviewUser-DefinedRoles(Scored) o o3.6 ReviewSuperuser/AdminRoles(Scored) o o4 DataEncryption4.1 EnsureTLSorSSLprotectsallnetworkcommunications

(Scored) o o

4.2 Ensurethedatabasefileand/orpartitionareencrypted(Scored) o o

4.3 EnsureFederalInformationProcessingStandard(FIPS)isenabled(Scored) o o

5 Auditing5.1 Ensurethatsystemactivityisaudited(Scored) o o5.2 Ensurethatauditfiltersareconfiguredproperly(Scored) o o5.3 Ensurethatloggingcapturesasmuchinformationaspossible

(NotScored) o o

5.4 Ensurethatnewentriesareappendedtotheendofthelogfile(NotScored) o o

46|P a g e

6 OperatingSystemHardening6.1 EnsurethattheHTTPstatusinterfaceisdisabled(Scored) o o6.2 EnsurethatMongoDBusesanon-defaultport(Scored) o o6.3 Ensurethatoperatingsystemresourcelimitsaresetfor

MongoDB(NotScored) o o

6.4 Ensurethatserver-sidescriptingisdisabledifnotneeded(NotScored) o o

6.5 EnsurethattheHTTPinterfaceisdisabled(NotScored) o o6.6 EnsurethatJSONPaccessviaanHTTPinterfaceisdisabled

(NotScored) o o

6.7 EnsurethattheRESTAPIisdisabled(NotScored) o o7 FilePermissions7.1 Ensurethatkeyfilepermissionsaresetcorrectly(Scored) o o7.2 Ensurethatdatabasefilepermissionsaresetcorrectly

(Scored) o o

47|P a g e

Appendix:ChangeHistoryDate Version Changesforthisversion

12-30-2016 1.0.0 InitialRelease

CIS MongoDB Benchmark v1.0.0-CC - ITSecure · 3.3 Ensure that MongoDB is run using a...

Documents

Transcript of CIS MongoDB Benchmark v1.0.0-CC - ITSecure · 3.3 Ensure that MongoDB is run using a...