3.3 Ensure that MongoDB is run using a non-privileged, dedicated service account

Information

The MongoDB service should not be run using a privileged account such as 'root' because this unnecessarily exposes the operating system to high risk.

Using a non-privileged, dedicated service account restricts the database from accessing critical areas of the operating system that MongoDB does not require. This also mitigates the potential for unauthorized access via a compromised, privileged account on the operating system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

- Create a dedicated user for performing MongoDB database activity.
- Set the database data files, the keyfile, and the SSL private key files to only be readable by the mongod/mongos user.
- Set the log files to only be writable by the mongod/mongos user and readable only by root.
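
One way to audit the first two items, as an added example that is not part of the benchmark or the Nessus plugin: it checks that the service account is not UID 0, that no mongod/mongos process runs as root, and that sensitive files belong to the service account with no group/other access. It assumes Linux `stat -c`; the account name and all paths are hypothetical and supplied by the caller.

```shell
#!/bin/sh
# Added example. Assumptions: Linux `stat -c` (GNU coreutils or BusyBox); the
# account name and every path are supplied by the caller, none come from the page.

# Succeeds only if account $1 exists and is not UID 0.
is_unprivileged_account() {
    acct_uid=$(id -u "$1" 2>/dev/null) || return 2   # 2 = no such account
    [ "$acct_uid" -ne 0 ]
}

# Reads "USER COMMAND" lines on stdin (e.g. from: ps -eo user=,comm=), prints
# each mongod/mongos process running as root, and fails if there is one.
root_owned_mongo_procs() {
    awk '($2 == "mongod" || $2 == "mongos") && $1 == "root" { print; bad = 1 }
         END { exit bad + 0 }'
}

# Succeeds if file $1 is owned by numeric UID $2 and grants no permission
# bits at all to group or other (e.g. 0600 or 0400).
is_private_to_owner() {
    file_uid=$(stat -c '%u' "$1") || return 2        # 2 = cannot stat
    file_mode=$(stat -c '%a' "$1") || return 2
    [ "$file_uid" -eq "$2" ] || return 1
    [ $(( 0$file_mode & 077 )) -eq 0 ]
}

# Usage: audit_private_files UID PATH...
# Prints one FAIL line per non-compliant path; succeeds only if none failed.
audit_private_files() {
    want_uid=$1; shift
    failures=0
    for path in "$@"; do
        if ! is_private_to_owner "$path" "$want_uid"; then
            echo "FAIL: $path"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Typical call (hypothetical account and paths):
#   ps -eo user=,comm= | root_owned_mongo_procs
#   audit_private_files "$(id -u mongod)" /path/to/dbfiles/* /path/to/keyfile
```

The log-file item is not covered here, because its owner-writable, root-readable requirement needs a different mode test than the one in `is_private_to_owner`.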

See Also

https://workbench.cisecurity.org/benchmarks/15858

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4.3

Plugin: Unix

Control ID: 97fd2224074c9660acfdd28157e77affe188f3420300587ae8e825c5b470ebdc