V-279383
MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
Title
MongoDB must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
Description
<VulnDiscussion>The DOD standard for authentication of an interactive user is the presentation of a common access card (CAC) or other physical token bearing a valid, current, DOD-issued Public Key Infrastructure (PKI) certificate, coupled with a Personal Identification Number (PIN) to be entered by the user at the beginning of each session and whenever reauthentication is required. Without reauthentication, users may access resources or perform tasks for which they do not have authorization. ...
Fix Text (Documentation Requirement)
Enable authentication for MongoDB by following the instructions here: https://www.mongodb.com/docs/v8.0/tutorial/enable-authentication/

Create an administrative user in MongoDB:

    > use admin
    > db.createUser(
        {
          user: "UserAdmin",
          pwd: passwordPrompt(), // or cleartext password
          roles: [
            { role: "userAdminAnyDatabase", db: "admin" },
            { role: "readWriteAnyDatabase", db: "admin" }
          ]
        }
      )

Enable authorization by adding the following entry to the MongoDB configuration file:

    security:
      authorization: enabled

Restart the MongoDB service from the OS.

    $ sudo systemctl restart mongod

The "UserAdmin" user created above can use the "createUser" and "createRole" MongoDB commands to add the required users and roles per organizational or site-specific documentation....
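As an added compliance check, not part of the STIG text or of MongoDB's own tooling, the following Python function reads a mongod.conf and reports whether security.authorization is literally set to enabled. It assumes the indented key: value YAML layout shown in the fix text (no lists or flow-style YAML), and the sample configurations are constructed for the demonstration.

```python
"""Check a mongod.conf (YAML subset) for 'security.authorization: enabled'."""


def _strip_comment(line: str) -> str:
    # Drop a trailing '#' comment; mongod.conf values used here never contain '#'.
    return line.split("#", 1)[0].rstrip()


def parse_mongod_conf(text: str) -> dict:
    """Minimal parser for the indented 'key: value' subset used by mongod.conf.

    Returns nested dicts; scalar values are stripped strings. Lists and
    flow-style YAML are not supported here (use PyYAML for a full parse).
    """
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping) pairs for the current nesting
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue  # blank or fully commented-out line
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()  # dedent: leave the deeper mapping(s)
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def authorization_enabled(conf_text: str) -> bool:
    """True only when security.authorization is exactly 'enabled'."""
    sec = parse_mongod_conf(conf_text).get("security")
    return isinstance(sec, dict) and sec.get("authorization") == "enabled"


# Constructed sample configurations (not taken from any real host).
COMPLIANT = """storage:
  dbPath: /var/lib/mongo
security:
  authorization: enabled   # entry required by the fix text
net:
  port: 27017
"""
NONCOMPLIANT = "security:\n  authorization: disabled\n"
COMMENTED_OUT = "#security:\n#  authorization: enabled\nnet:\n  bindIp: 127.0.0.1\n"
```

A commented-out or missing security block is reported as non-compliant, which is the case a quick grep for the word "enabled" would miss.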