Information
The MongoDB service should not be run using a privileged account such as 'root' because this unnecessarily exposes the operating system to high risk.
This setting ensures that the monogd service runs as a least-privileged user.
Rationale:
Using a non-privileged, dedicated service account restricts the database from accessing the critical areas of the operating system which are not required by MongoDB. This will also mitigate the potential for unauthorized access via a compromised, privileged account on the operating system.
Anyone who has been a victim of viruses, worms, and other malicious software (malware) will appreciate the security principle of 'least privilege.' If all processes ran with the minial set of privileges needed to perform the user's tasks, it would be more difficult for malware to infect a machine and propagate to other machines.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Create a user which is only used for running Mongodb and directly related processes. This user must not have administrative rights to the system. Steps to create user
useradd -m -d /home/mongodb -s /bin/bash -g mongodb -u 1234 mongodb
Set the Database data files, the keyfile, and the SSL private key files to only be readable by the mongod/mongos user and then set ownership to mongodb user only
sudo chown -R mongodb:mongodb /data/db
Set the log files to only be writable by the mongod/mongos user and readable only by root.
Default Value:
Not configured