MongoDB must prevent unauthorized and unintended information transfer via shared system resources.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-265928	SRG-APP-000243-DB-000373	MD7X-00-005500	SV-265928r1028570_rule	2024-09-27	1

Description
The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse. Satisfies: SRG-APP-000243-DB-000373, SRG-APP-000243-DB-000374

Description

The purpose of this control is to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after the resource has been released back to the information system. Control of information in shared resources is also referred to as object reuse. Satisfies: SRG-APP-000243-DB-000373, SRG-APP-000243-DB-000374

ℹ️ Check
By default, the MongoDB official installation packages restrict user and group ownership and read/write permissions on the underlying data files and critical configuration files from other operating system users. In addition, process and memory isolation is used by default. System administrators should also consider if whole database encryption would be an effective control on an application basis. Run the following commands to verify proper permissions for the following database files or directories: $ stat /etc/mongod.conf If the owner and group are not both "mongod", this is a finding. If the file permissions are more permissive than "600", this is a finding. $ stat /var/lib/mongo If the owner and group are not both "mongod", this is a finding. If the file permissions are more permissive than "755", this is a finding. $ ls -l /var/lib/mongo If the owner and group of any file or sub-directory is not "mongod", this is a finding. If the permission of any file in the main directory (/var/lib/mongo) or sub-directory of (/var/lib/mongo) is more permissive than "600", this is a finding. If the permission of any sub-directory of (/var/lib/mongo) is more permissive than "700", this is a finding.

ℹ️ Check

By default, the MongoDB official installation packages restrict user and group ownership and read/write permissions on the underlying data files and critical configuration files from other operating system users. In addition, process and memory isolation is used by default. System administrators should also consider if whole database encryption would be an effective control on an application basis. Run the following commands to verify proper permissions for the following database files or directories: $ stat /etc/mongod.conf If the owner and group are not both "mongod", this is a finding. If the file permissions are more permissive than "600", this is a finding. $ stat /var/lib/mongo If the owner and group are not both "mongod", this is a finding. If the file permissions are more permissive than "755", this is a finding. $ ls -l /var/lib/mongo If the owner and group of any file or sub-directory is not "mongod", this is a finding. If the permission of any file in the main directory (/var/lib/mongo) or sub-directory of (/var/lib/mongo) is more permissive than "600", this is a finding. If the permission of any sub-directory of (/var/lib/mongo) is more permissive than "700", this is a finding.

✔️ Fix
Correct the permission to the files and/or directories that are in violation. MongoDB Configuration file (default location /etc/mongod.conf): $ chown mongod:mongod /etc/mongod.conf $ chmod 600 /etc/mongod.conf MongoDB datafiles and directories (default location '/var/lib/mongo'): $ chown -R mongod:mongod /var/lib/mongo $ chmod 755 /var/lib/mongo $ find /var/lib/mongo/* -type f \| xargs chmod 600 $ find /var/lib/mongo/* -type d \| xargs chmod 700

✔️ Fix

Correct the permission to the files and/or directories that are in violation. MongoDB Configuration file (default location /etc/mongod.conf): $ chown mongod:mongod /etc/mongod.conf $ chmod 600 /etc/mongod.conf MongoDB datafiles and directories (default location '/var/lib/mongo'): $ chown -R mongod:mongod /var/lib/mongo $ chmod 755 /var/lib/mongo $ find /var/lib/mongo/* -type f | xargs chmod 600 $ find /var/lib/mongo/* -type d | xargs chmod 700