V-265935
MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
Title
MongoDB must enforce discretionary access control (DAC) policies, as defined by the data owner, over defined subjects and objects.
Description
<VulnDiscussion>DAC is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled table permissions. When DAC policies are implemented, su...
Fix Text (Documentation Requirement)
Enable authentication for MongoDB by following the instructions here: https://www.mongodb.com/docs/v7.0/tutorial/enable-authentication/

Create an administrative user in MongoDB:

    use admin
    db.createUser(
      {
        user: "UserAdmin",
        pwd: passwordPrompt(), // or cleartext password
        roles: [
          { role: "userAdminAnyDatabase", db: "admin" },
          { role: "readWriteAnyDatabase", db: "admin" }
        ]
      }
    )

Enable authorization by adding the following entry to the MongoDB configuration file:

    security:
      authorization: enabled

Restart the MongoDB service from the OS.

    $ sudo systemctl restart mongod

The "UserAdmin" user created above can use the "createUser" and "createRole" MongoDB commands to add the required users and roles per organizational- or site-specific documentation. h...
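The fix text stops at "use createUser and createRole"; what a reviewer actually wants to see is a role confined to the owner's own collection, and a way to confirm that an authenticated user's effective privileges do not reach beyond it. The following is an added example written for this page, not part of the STIG or of MongoDB's own tooling. It is plain JavaScript so it runs under Node for the offline checks; in mongosh the same command documents are passed to db.getSiblingDB(dbName).runCommand(...), and the connectionStatus document is obtained with db.runCommand({ connectionStatus: 1, showPrivileges: true }). The database, collection, role and user names ("sales", "orders", "ordersOwner", "alice", "bob") and the sample connectionStatus output are constructed for illustration.

```javascript
// Added example (not from the STIG): build an owner-scoped MongoDB role and
// user, check a mongod.conf fragment for authorization: enabled, and audit a
// connectionStatus document for privileges wider than one collection.
// Names and sample documents below are constructed assumptions.

// Actions an object owner legitimately needs on their own collection.
const OWNER_ACTIONS = ["find", "insert", "update", "remove", "createIndex", "dropCollection"];

// createRole command document for a role confined to a single collection.
function buildOwnerRole(roleName, dbName, collName) {
  return {
    createRole: roleName,
    privileges: [{ resource: { db: dbName, collection: collName }, actions: [...OWNER_ACTIONS] }],
    roles: [], // no inherited roles, so nothing widens the scope implicitly
  };
}

// createUser command document granting exactly that role. `pwd` is whatever the
// caller obtained at runtime (passwordPrompt() in mongosh), never a literal.
function buildOwnerUser(userName, pwd, roleName, dbName) {
  return { createUser: userName, pwd, roles: [{ role: roleName, db: dbName }] };
}

// True if a mongod.conf fragment enables authorization under the security: key.
// A targeted check for that one setting, not a general YAML parser: commented
// lines and an authorization key under another top-level section do not match.
function authorizationEnabled(configText) {
  const re = /^security:[ \t]*\r?\n(?:[ \t]+\S.*\r?\n)*?[ \t]+authorization:[ \t]*["']?enabled["']?[ \t]*$/m;
  return re.test(configText);
}

// Audit the result of db.runCommand({ connectionStatus: 1, showPrivileges: true }).
// Returns every privilege whose resource reaches beyond expectedDb.expectedColl:
// cluster-wide, anyResource, all databases (db: ""), all collections in the
// database (collection: ""), or some other database or collection.
function findOverbroadPrivileges(status, expectedDb, expectedColl) {
  const privs = (status.authInfo && status.authInfo.authenticatedUserPrivileges) || [];
  return privs.filter((p) => {
    const r = p.resource || {};
    if (r.cluster === true || r.anyResource === true) return true;
    if (r.db === "") return true;          // "" means every database
    if (r.db !== expectedDb) return true;
    if (r.collection === "") return true;  // "" means every collection in the db
    return r.collection !== expectedColl;
  });
}

// Constructed sample output: a user holding only the owner role, and a user
// who additionally holds readWriteAnyDatabase (reported as db: "", collection: "").
const SCOPED_STATUS = {
  authInfo: {
    authenticatedUsers: [{ user: "alice", db: "sales" }],
    authenticatedUserRoles: [{ role: "ordersOwner", db: "sales" }],
    authenticatedUserPrivileges: [
      { resource: { db: "sales", collection: "orders" }, actions: OWNER_ACTIONS },
    ],
  },
  ok: 1,
};
const OVERBROAD_STATUS = {
  authInfo: {
    authenticatedUsers: [{ user: "bob", db: "admin" }],
    authenticatedUserRoles: [{ role: "readWriteAnyDatabase", db: "admin" }],
    authenticatedUserPrivileges: [
      { resource: { db: "sales", collection: "orders" }, actions: OWNER_ACTIONS },
      { resource: { db: "", collection: "" }, actions: ["find", "insert", "update", "remove"] },
    ],
  },
  ok: 1,
};

// Run everything stand-alone; no database connection needed.
function demo() {
  return {
    role: buildOwnerRole("ordersOwner", "sales", "orders"),
    scopedViolations: findOverbroadPrivileges(SCOPED_STATUS, "sales", "orders").length,
    overbroadViolations: findOverbroadPrivileges(OVERBROAD_STATUS, "sales", "orders").length,
    configOk: authorizationEnabled("security:\n  authorization: enabled\n"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The audit is the part worth keeping: after the site-specific users and roles are created, run connectionStatus with showPrivileges as each owner-level user and confirm that findOverbroadPrivileges returns nothing. A user created the way the fix text creates "UserAdmin", with readWriteAnyDatabase, will always be flagged, which is the intended signal that such a grant is an administrative exception rather than an owner-defined DAC policy.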