3.3 Ensure that MongoDB is run using a non-privileged, dedicated service account

Information

The MongoDB service should not be run using a privileged account such as 'root' because this unnecessarily exposes the operating system to high risk.

Using a non-privileged, dedicated service account restricts the database from accessing the critical areas of the operating system which are not required by the MongoDB. This will also mitigate the potential for unauthorized access via a compromised, privileged account on the operating system.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

- Create a dedicated user for performing MongoDB database activity.
- Set the Database data files, the keyfile, and the SSL private key files to only be readable by the mongod/mongos user.
- Set the log files to only be writable by the mongod/mongos user and readable only by root.

See Also

https://workbench.cisecurity.org/benchmarks/15675

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4.3

Plugin: Windows

Control ID: 938fca1aa9d1d1eef7b5b8ce4d3df264214e8b5f21ba8b75a06fb3d3f87415d8