MongoDB software installation account must be restricted to authorized users.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-265911	SRG-APP-000133-DB-000198	MD7X-00-002700	SV-265911r1028721_rule	2024-09-27	1

Description
When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system. If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed access to information system components for purposes of initiating changes, including upgrades and modifications. Database administrators (DBAs) and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a great impact on database security and operation. It is especially important to grant privileged access to only those persons who are qualified and authorized to use them.

Description

When dealing with change control issues, it should be noted any changes to the hardware, software, and/or firmware components of the information system and/or application can have significant effects on the overall security of the system. If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed access to information system components for purposes of initiating changes, including upgrades and modifications. Database administrators (DBAs) and other privileged administrative or application owner accounts are granted privileges that allow actions that can have a great impact on database security and operation. It is especially important to grant privileged access to only those persons who are qualified and authorized to use them.

ℹ️ Check
To ensure log, network, security, and other audit configurations are not modifiable by unauthorized operating system users, the default installation of MongoDB restricts permission on the configuration file. Verify User ownership, Group ownership, and permissions on the "<MongoDB configuration file>": (default name and location is /etc/mongod.conf) Using the default name and location the command would be: $ stat /etc/mongod.conf If the User owner is not "mongod", this is a finding. If the Group owner is not "mongod", this is a finding. If the filename is more permissive than "600", this is a finding. Note that the audit destination cannot be modified at runtime.

ℹ️ Check

To ensure log, network, security, and other audit configurations are not modifiable by unauthorized operating system users, the default installation of MongoDB restricts permission on the configuration file. Verify User ownership, Group ownership, and permissions on the "<MongoDB configuration file>": (default name and location is /etc/mongod.conf) Using the default name and location the command would be: $ stat /etc/mongod.conf If the User owner is not "mongod", this is a finding. If the Group owner is not "mongod", this is a finding. If the filename is more permissive than "600", this is a finding. Note that the audit destination cannot be modified at runtime.

✔️ Fix
It is recommended to use the official installation packages provided by MongoDB. In the event the software was installed manually, and permissions need to be restricted, consider a clean reinstallation. Alternatively, run the following commands to properly set permissions on the configuration file: $ chown mongod <MongoDB configuration file> $ chgrp mongod <MongoDB configuration file> $ chmod 600 <<MongoDB configuration file> The name and location for the MongoDB configuration file will vary according to local circumstances. The default name and location is /etc/mongod.conf. Using the default name and location the commands would be: $ chown mongod /etc/mongod.conf $ chgrp mongod /etc/mongod.conf $ chmod 600 /etc/mongod.conf

✔️ Fix

It is recommended to use the official installation packages provided by MongoDB. In the event the software was installed manually, and permissions need to be restricted, consider a clean reinstallation. Alternatively, run the following commands to properly set permissions on the configuration file: $ chown mongod <MongoDB configuration file> $ chgrp mongod <MongoDB configuration file> $ chmod 600 <<MongoDB configuration file> The name and location for the MongoDB configuration file will vary according to local circumstances. The default name and location is /etc/mongod.conf. Using the default name and location the commands would be: $ chown mongod /etc/mongod.conf $ chgrp mongod /etc/mongod.conf $ chmod 600 /etc/mongod.conf