MD3X-00-000020 - MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Information

MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Use createRole(), updateRole(), dropRole(), grantRole() statements to add and remove permissions on server-level securables, bringing them into line with the documented requirements.

MongoDB commands for role management can be found here:
https://docs.mongodb.com/v3.4/reference/method/js-role-management/

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MDB_Enterprise_Advanced_3-x_V2R3_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CAT|I, CCI|CCI-000213, Rule-ID|SV-221159r960792_rule, STIG-ID|MD3X-00-000020, STIG-Legacy|SV-96559, STIG-Legacy|V-81845, Vuln-ID|V-221159

Plugin: MongoDB

Control ID: ab9e805ce735460351959e1b282b4ec74e4186521989132e5fd0b01c25eb68af