CUI

Documentation - V-265934

V-265934

MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide

CAT II

Title

MongoDB must associate organization-defined types of security labels having organization-defined security label values with information in storage.

Description

Without the association of security labels to information, there is no basis for MongoDB to make security-related access-control decisions. Security labels are abstractions representing the basic properties or characteristics of an entity (e.g., subjects and objects) with respect to safeguarding information. These labels are typically associated with internal data structures (e.g., tables, rows) within the database and are used to enable the implementation of access control and...

Fix Text (Documentation Requirement)

To implement security labeling, ensure the following:

1. Organizational or site specific documentation and guidance is available or developed.
2. Ensure security labels are applied to MongoDB collection(s) requiring them in accordance with the organization or site specific documentation.
3. Create a Security Label Tag Viewer role ("SLTagViewer") with "find" privileges on the specific database and collection that requires security labeling. In the example below, there are three databases and collections in those databases where security labels are required:

   > use admin
   > db.createRole(
       {
         role: "SLTagViewer",
         privileges: [
           { resource: { db: "db1", collection: "coll1" }, actions: [ "find" ] },
           { resource: { db: "db1", collection: "coll2" }, actions: [ "find" ] ...
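A reviewer can check that the "SLTagViewer" role from step 3 grants only "find" on the labeled collections and nothing broader. The following is an added example, not part of the STIG text: the function name, the REQUIRED list (only the two namespaces visible above) and both sample role documents are constructed assumptions, and flagging inherited roles is a choice of this example rather than a stated requirement.

```javascript
// Added example. In mongosh the role document would come from:
//   db.getSiblingDB("admin").getRole("SLTagViewer", { showPrivileges: true })
// auditLabelViewerRole, REQUIRED and both sample documents are constructed here.
function auditLabelViewerRole(roleDoc, requiredNamespaces) {
  const findings = [];
  const required = new Set(requiredNamespaces);
  const seen = new Set();
  for (const p of roleDoc.privileges || []) {
    const r = p.resource || {};
    // A missing or empty db/collection means a wildcard or cluster-wide resource.
    if (!r.db || !r.collection) {
      findings.push("over-broad resource: " + JSON.stringify(r));
      continue;
    }
    const ns = r.db + "." + r.collection;
    const actions = p.actions || [];
    if (!required.has(ns)) findings.push("unexpected namespace: " + ns);
    const extra = actions.filter((a) => a !== "find");
    if (extra.length) findings.push("extra actions on " + ns + ": " + extra.join(","));
    if (actions.includes("find")) seen.add(ns);
  }
  for (const ns of required) {
    if (!seen.has(ns)) findings.push("missing find on " + ns);
  }
  // Roles this role inherits from add privileges that the direct list does not show.
  const granted = roleDoc.roles || [];
  if (granted.length) {
    findings.push("inherits roles: " + granted.map((x) => x.role + "@" + x.db).join(","));
  }
  return findings;
}

const REQUIRED = ["db1.coll1", "db1.coll2"]; // assumed list from site documentation

const compliantRole = { // constructed sample
  role: "SLTagViewer", db: "admin", roles: [],
  privileges: [
    { resource: { db: "db1", collection: "coll1" }, actions: ["find"] },
    { resource: { db: "db1", collection: "coll2" }, actions: ["find"] },
  ],
};
const driftedRole = { // constructed sample with privilege drift
  role: "SLTagViewer", db: "admin", roles: [{ role: "readWrite", db: "db2" }],
  privileges: [
    { resource: { db: "db1", collection: "coll1" }, actions: ["find", "update"] },
    { resource: { db: "db1", collection: "" }, actions: ["find"] },
  ],
};
console.log(auditLabelViewerRole(compliantRole, REQUIRED));
console.log(auditLabelViewerRole(driftedRole, REQUIRED));
```

An empty findings list means the role matches the expected least-privilege shape; any entry is a deviation to reconcile against the site documentation.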
