Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to MongoDB, etc.) must be owned by database/DBMS principals authorized for ownership.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-265913	SRG-APP-000133-DB-000200	MD7X-00-002900	SV-265913r1028525_rule	2024-09-27	1

Description
Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who uses the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals. Conversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed.

Description

Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who uses the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals. Conversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed.

ℹ️ Check
For each database in MongoDB, run the following commands: use <database> db.getUsers() Example output: { _id: 'admin.user1', userId: UUID('b78e490a-4661-491f-8197-c3251934e785'), user: 'user1', db: 'admin', roles: [ { role: 'readWrite', db: 'myDatabase' }, { role: 'dbOwner', db: 'myDatabase' }, { role: 'dbOwner', db: 'anotherDatabase' } ] Here, the user named "user1" in the "admin" database has a role of "dbOwner" for the database (db:) "myDatabase" and the database (db:) "anotherDatabase". For users where the role of "dbOwner" is found, verify with the organization or site-specific documentation whether the user is authorized for the "dbOwner" role on the database resources listed. If the user account has the role of "dbOwner" but is not authorized for the role for any database listed in their output, this is a finding.

ℹ️ Check

For each database in MongoDB, run the following commands: use <database> db.getUsers() Example output: { _id: 'admin.user1', userId: UUID('b78e490a-4661-491f-8197-c3251934e785'), user: 'user1', db: 'admin', roles: [ { role: 'readWrite', db: 'myDatabase' }, { role: 'dbOwner', db: 'myDatabase' }, { role: 'dbOwner', db: 'anotherDatabase' } ] Here, the user named "user1" in the "admin" database has a role of "dbOwner" for the database (db:) "myDatabase" and the database (db:) "anotherDatabase". For users where the role of "dbOwner" is found, verify with the organization or site-specific documentation whether the user is authorized for the "dbOwner" role on the database resources listed. If the user account has the role of "dbOwner" but is not authorized for the role for any database listed in their output, this is a finding.

✔️ Fix
For each user identified as having a "dbOwner" role on a database they are not authorized for, revoke the "dbOwner" role from that user on that database by running the following commands: use <database> db.revokeRolesFromUser() command https://www.mongodb.com/docs/v7.0/reference/command/revokeRolesFromUser/ Example to revoke "dbOwner" role from "user1" on the "anotherDatabase" in the "admin" database: use admin db.revokeRolesFromUser( "user1", [ { role: "dbOwner", db: "anotherDatabase" } ] )

✔️ Fix

For each user identified as having a "dbOwner" role on a database they are not authorized for, revoke the "dbOwner" role from that user on that database by running the following commands: use <database> db.revokeRolesFromUser() command https://www.mongodb.com/docs/v7.0/reference/command/revokeRolesFromUser/ Example to revoke "dbOwner" role from "user1" on the "anotherDatabase" in the "admin" database: use admin db.revokeRolesFromUser( "user1", [ { role: "dbOwner", db: "anotherDatabase" } ] )