MD4X-00-005700 - MongoDB must prohibit the use of cached authenticators after an organization-defined time period.

Information

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

With MongoDB configured using SASL LDAP authentication and on certain Linux distributions, saslauthd starts with the caching of authentication credentials enabled.

Until restarted or until the cache expires, saslauthd will not contact the LDAP server to re-authenticate users in its authentication cache. This allows saslauthd to successfully authenticate users in its cache, even in the LDAP server is down or if the cached users' credentials are revoked.

To set the expiration time (in seconds) for the authentication cache, see the -t option of saslauthd (https://www.systutorials.com/docs/linux/man/8-saslauthd/).

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MDB_Enterprise_Advanced_4-x_V1R4_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(13), CAT|II, CCI|CCI-002007, Rule-ID|SV-252177r961521_rule, STIG-ID|MD4X-00-005700, Vuln-ID|V-252177

Plugin: Unix

Control ID: aed03511359c926c6ee7997fd7c49c3578c4fc77cb2960c7a983ca150f362c4a