MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-265947	SRG-APP-000428-DB-000386	MD7X-00-008500	SV-265947r1028627_rule	2024-09-27	1

Description
DBMSs handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to MongoDB or implemented via additional software or operating system/file system settings, as appropriate to the situation. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). The decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides. Satisfies: SRG-APP-000428-DB-000386, SRG-APP-000429-DB-000387

Description

DBMSs handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. These cryptographic mechanisms may be native to MongoDB or implemented via additional software or operating system/file system settings, as appropriate to the situation. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). The decision whether and what to encrypt rests with the data owner and is also influenced by the physical measures taken to secure the equipment and media on which the information resides. Satisfies: SRG-APP-000428-DB-000386, SRG-APP-000429-DB-000387

ℹ️ Check
Review the documentation or specification for the organization-defined information. If any data is PII, classified, or is deemed by the organization the need to be encrypted at rest, verify the method of encryption is documented. If no documented mechanism is being used encrypt data at rest such as hardware encryption, volume encryption, filesystem encryption or the use of third-party products to enable encryption at rest, this is a finding. If the documented method to encrypt MongoDB data at rest is the native MongoDB encryption at rest, verify the MongoDB configuration file (default location: /etc/mongod.conf) contains the following options: security: kmip: keyIdentifier: <string> rotateMasterKey: <boolean> serverName: <string> port: <string> clientCertificateFile: <string> clientCertificatePassword: <string> clientCertificateSelector: <string> serverCAFile: <string> connectRetries: <int> connectTimeoutMS: <int> activateKeys: <boolean> keyStatePollingSeconds: <int> If these above options are not configured in the MongoDB security.kmip section in the MongoDB configuration file, this is a finding.

ℹ️ Check

Review the documentation or specification for the organization-defined information. If any data is PII, classified, or is deemed by the organization the need to be encrypted at rest, verify the method of encryption is documented. If no documented mechanism is being used encrypt data at rest such as hardware encryption, volume encryption, filesystem encryption or the use of third-party products to enable encryption at rest, this is a finding. If the documented method to encrypt MongoDB data at rest is the native MongoDB encryption at rest, verify the MongoDB configuration file (default location: /etc/mongod.conf) contains the following options: security: kmip: keyIdentifier: <string> rotateMasterKey: <boolean> serverName: <string> port: <string> clientCertificateFile: <string> clientCertificatePassword: <string> clientCertificateSelector: <string> serverCAFile: <string> connectRetries: <int> connectTimeoutMS: <int> activateKeys: <boolean> keyStatePollingSeconds: <int> If these above options are not configured in the MongoDB security.kmip section in the MongoDB configuration file, this is a finding.

✔️ Fix
Configure encryption at rest through hardware encryption, volume encryption, filesystem encryption, or third-party products if not using MongoDBs native encryption at rest. When using MongoDBs native encryption at rest, configure MongoDB to use the Encrypted Storage Engine and a KMIP appliance as documented here: https://www.mongodb.com/docs/v7.0/core/security-encryption-at-rest/ https://www.mongodb.com/docs/v7.0/tutorial/configure-encryption/

✔️ Fix

Configure encryption at rest through hardware encryption, volume encryption, filesystem encryption, or third-party products if not using MongoDBs native encryption at rest. When using MongoDBs native encryption at rest, configure MongoDB to use the Encrypted Storage Engine and a KMIP appliance as documented here: https://www.mongodb.com/docs/v7.0/core/security-encryption-at-rest/ https://www.mongodb.com/docs/v7.0/tutorial/configure-encryption/