2.4 Ensure an industry standard authentication mechanism is used - clusterAuthMode

Information

Using one or more industry standard authentication mechanisms helps organizations enforce their account and password policies for their MongoDB users.

Rationale:

Without an industry standard authentication mechanism in place, account and password management is more tedious, and authentication may not align with the organization's policies.

Solution

In order to implement an industry standard authentication mechanism, use the corresponding sample from the list below as a model for specifying the authentication mechanisms in the MongoDB configuration file.

x.509 Certificates for Client Authentication:

security:

clusterAuthMode: x509

net:

ssl:

mode: requireSSL

PEMKeyFile: <path to TLS/SSL certificate and key PEM file>

CAFile: <path to root CA PEM file>

See the reference section for a link to a detailed procedure for generating the PEMKeyFile and CAFile.

MongoDB with Kerberos Authentication on Linux:

security:

authorization: enabled

setParameter:

authenticationMechanisms: GSSAPI

storage:

dbPath: /opt/mongodb/data

See the reference section for a link to a detailed procedure for establishing the Kerberos service principal and keytab file.

See Also

https://workbench.cisecurity.org/files/1725

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2, CSCv6|16

Plugin: Windows

Control ID: 80815e6c1b3264df0d137253e6a6836eb16f5e221ecf311f9daaac050976b132