Detections
Analytics
2.3 Ensure authentication is enabled in the sharded cluster
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
Authentication is enabled in a sharded cluster when the certificate or key files are created and configured for all components. This ensures that every client that accesses the cluster must provide credentials, to include MongoDB instances that access each other within the cluster.With keyfile authentication, each mongod or mongos instance in the sharded cluster uses the contents of the keyfile as the shared password for authenticating other members in the deployment. Only mongod or mongos instances with the correct keyfile can join the sharded cluster.
For Production Environment: x.509 certificate authentication with secure TSL/SSL connection must be used for authentication.
For Development Purpose: Key file can be used as an authentication mechanism between the shared cluster. Keyfiles are bare-minimum forms of security and are best suited for testing or development environments.
Rationale:
Enforcing a key or certificate on a sharded cluster prevents unauthorized access to the MongoDB database and provides traceability of database activities to a specific user or component. A MongoDB sharded cluster can enforce user authentication as well as internal authentication of its components to secure against unauthorized access.
Solution
To authenticate to servers, clients can use x.509 certificates instead of usernames and passwords.MongoDB supports x.509 certificate authentication for use with a secure TLS/SSL connection. The x.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password.
Change the configuration file /etc/mongod.conf on each host, adding the following rows:
net:
port: 27017
tls:
mode: requireSSL
PEMKeyFile: /etc/mongodb/ssl/server1.pem
CAFile: /etc/mongodb/ssl/mongoCA.crt
clusterFile: /etc/mongodb/ssl/server1.pem
security:
authorization: enabled
clusterAuthMode: x509
Restart the daemon
sudo service mongodb restart
To enable authentication in the sharded cluster, perform the following steps:(Only for Development Purpose)
Generate A Key File
On each component in the shared cluster, enable authentication by editing the configuration file /etc/mongod.conf. Set the keyFile option to the key file's path and then start the component with this command:
keyFile = /srv/mongodb/keyfile
When starting the component, set --keyFile option, which is an option for both mongos instances and mongod instances. Set the --keyFile to the key file's path.
Default Value:
Not configured
See Also
Item Details
Audit Name: CIS MongoDB 7 L2 OS Windows v1.0.0
References: CSCv7|1.8
Plugin: Windows
Control ID: 3381118b403f7294f04deb56a83ad68123cb0ddb9c483cc8b491960416df7c64