Information
The MongoDB service should not be run using a privileged account such as 'root' because this unnecessarily exposes the operating system to high risk.
Using a non-privileged, dedicated service account restricts the database from accessing the critical areas of the operating system which are not required by the MongoDB. This will also mitigate the potential for unauthorized access via a compromised, privileged account on the operating system.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
- Create a dedicated user for performing MongoDB database activity.
- Set the Database data files, the keyfile, and the SSL private key files to only be readable by the mongod/mongos user.
- Set the log files to only be writable by the mongod/mongos user and readable only by root.