Documentation - V-265941

V-265941

MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide

CAT II

Title

MongoDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.

Description

<VulnDiscussion>Allowing regular users to install software without explicit privileges creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceed the rights of a regular user. DBMS functionality and the nature and requirements of databases will vary; so while users are not permitted to install unapproved software, there m...

Fix Text (Documentation Requirement)

Revoke unapproved roles from nonadministrative users as per the site-specific document by executing db.revokeRolesFromUser for each user and database: > use <database> > db.revokeRolesFromUser( "<username>", [ <roles> ], { <writeConcern> } ) https://www.mongodb.com/docs/v7.0/reference/method/db.revokeRolesFromUser/ Edit the MongoDB configuration file (default location: /etc/mongod.conf) to include the following: security: javascriptEnabled: false

View Full STIG Details →

Documentation Status

Status

Documented Verified - link to a ship document Awaiting Review Evidence submitted, needs verification Pending Needs documentation Not Required Documentation not needed Not Applicable STIG doesn't apply

Notes (Optional)

Cancel