2.2 Ensure that MongoDB does not bypass authentication via the localhost exception

Information

MongoDB should not be set to bypass authentication via the localhost exception. The localhost exception allows the user to enable authorization before creating the first user in the system. When active, the localhost exception allows all connections from the localhost interface to have full access to that instance. The exception applies only when there are no users created in the MongoDB instance.

Note: This recommendation only applies when there are no users created in the MongoDB instance.

Rationale:

Disabling this exception will prevent unauthorized local access to the MongoDB database. It will also ensure the traceability of each database activity to a specific user. Localhost Exception allows direct connect to Mongod's without any UN/PW.

Solution

To disable local authentication on the MongoDB database.
Type OS Console Command

mongod --setParameter enableLocalhostAuthBypass=0

or
To manually configure use the setParameter option in the mongo configuration file to set it to false.

setParameter:
enableLocalhostAuthBypass: false

Default Value:

By default, localhost exception value (enableLocalhostAuthBypass) is true.

See Also

https://workbench.cisecurity.org/benchmarks/15135

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), CSCv7|16.3

Plugin: Windows

Control ID: 122016553d485311b0891f0065c51c55b119df7e426c885e167c7f2330c8453d