MD3X-00-000710 - MongoDB must prohibit the use of cached authenticators after an organization-defined time period.

Information

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

If MongoDB is configured to authenticate using SASL and LDAP/Active Directory modify and restart the saslauthd command line options in the system boot script and set the '-t' option to the appropriate timeout in seconds.

From the Linux Command line (with root/sudo privs) run the following command to restart the saslauthd process after making the change for the '-t' parameter:

systemctl restart saslauthd

If any mongos process is running (a MongoDB shared cluster) the 'userCacheInvalidationIntervalSecs' option to adjust the timeout in seconds can be changed from the default '30' seconds.

This is accomplished by modifying the mongos configuration file (default location: /etc/mongos.conf) and then restarting mongos.

See Also

https://iasecontent.disa.mil/stigs/zip/U_MongoDB_Enterprise_Advanced_3-x_V1R1_STIG.zip

Item Details

References: CAT|II, CCI|CCI-002007, Rule-ID|SV-96629r1_rule, STIG-ID|MD3X-00-000710, Vuln-ID|V-81915

Plugin: Unix

Control ID: 3aeed89993a2d718ab47e7ac7d13cc48fbac79e535f69fb485713577f3150f7f