Detections
Analytics
2.1 Ensure Authentication is configured
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
This setting ensures that all clients, users, servers are required to authenticate before being granted access to the MongoDB database.Authentication is the process of verifying the identity of a client. When access control, i.e. authorization, is enabled, MongoDB requires all clients to authenticate themselves in order to determine their access.
from MongoDB documentation
Authentication Mechanisms
MongoDB supports a number of authentication mechanisms that clients can use to verify their identity. These mechanisms allow MongoDB to integrate into your existing authentication system.
MongoDB supports multiple authentication mechanisms:
SCRAM (Default)
x.509 Certificate Authentication.
Certificate Authority
For production use, your MongoDB deployment should use valid certificates generated and signed by a certificate authority. You or your organization can generate and maintain an independent certificate authority, or use certificates generated by third-party TLS/SSL vendors.
In addition to supporting the aforementioned mechanisms, MongoDB Enterprise also supports the following mechanisms:
LDAP proxy authentication
Kerberos authentication.
Rationale:
Failure to authenticate clients, users, servers can enable unauthorized access to the MongoDB database and can prevent tracing actions back to their sources.
It's highly recommended that password length and complexity also be in-place. When performing the traditional user/password authentication against MongoDB there is not in-place intrinsic password complexity check and there is no LOCKING mechanism with multiple failure logins. So, MongoDB is prone to brute force attacks compared to other database systems.
Solution
The authentication mechanism should be implemented before anyone accesses the MongoDB Server.To enable the authentication mechanism:
Start the MongoDB instance without authentication.
mongod --port 27017 --dbpath /data/db1
Or
mongod.exe --port 27017 --dbpath db1
Create the system user administrator, ensuring that its password meets organizationally-defined password in terms of length and complexity requirements as there is no in-place locking mechanism for multiple failed login attempts against MongoDB.
use admin
db.createUser(
{
user: 'MongoAdmin',
pwd: 'password',
roles: [ { role: 'root', db: 'admin' } ]
}
)
Open mongod.conf and change for authorization value to enabled:
security:
authorization: 'enabled'
Restart the MongoDB instance
service mongod restart
Default Value:
By default, authorization is set to disable.
See Also
Item Details
Audit Name: CIS MongoDB 7 L1 OS Linux v1.0.0
References: CSCv7|16.3
Plugin: Unix
Control ID: 1988c993412f2b77db04652f333f74fdc26bff754bb22f24217a97fc43db7a98