3.1 Ensure least privilege for database accounts

Information

MongoDB grants access to data and commands through 'role-based' approach, MongoDB is shipped with built-in roles that provide the different levels of access commonly needed in a database system. In addition, you can create custom-roles.

The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:

dbOwner role, when scoped to the admin database userAdmin role, when scoped to the admin database userAdminAnyDatabase role

Rationale:

Ensuring highly privileged Roles are granted only for database administrators, and roles are not scoped to 'admin' databases will reduce attack surface and follows the least privilege principle.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If any accounts were listed with built in-roles:

dbOwner
userAdmin
userAdminAnyDatabase

in 'admin' database role then drop them.

See Also

https://workbench.cisecurity.org/files/3463

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4.3

Plugin: MongoDB

Control ID: 65952a3e97696a8074a006547f33247e454619a494d7aef80aaf31fdef81b9a4