V-279398
SV-279398r1179494_rule
CAT II
MongoDB must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate recognized and approved by the organization.
From: MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide (V1R1)
Description
Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication.
Documentable: false
Check Procedure
1. Identify that the MongoDB repository is installed and enabled by running the following command:
$ yum repolist enabled | grep "mongodb-enterprise-8.0"
2. Review the contents of the repository file (/etc/yum.repos.d/mongodb-enterprise-8.0.repo) and compare them to the standard configuration below:
[mongodb-enterprise-8.0]
name=MongoDB Enterprise Repository
baseurl=https://repo.mongodb.com/yum/redhat/9/mongodb-enterprise/8.0/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://pgp.mongodb.com/server-8.0.asc
3. Examine the installed MongoDB components and their versions by running the following command:
$ yum list installed mongodb-*
4. The output will resemble the following, but with potentially different versions:
Installed Packages
mongodb-database-tools.x86_64 100.12.2-1 @mongodb-enterprise-8.0
mongodb-enterprise.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0
mongodb-enterprise-cryptd.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0
mongodb-enterprise-database.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0
mongodb-enterprise-database-tools-extra.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0
mongodb-enterprise-mongos.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0
mongodb-enterprise-server.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0
mongodb-enterprise-tools.x86_64 8.0.12-1.el9 @mongodb-enterprise-8.0
mongodb-mongosh.x86_64 2.5.6-1.el8 @mongodb-enterprise-8.0
5. Check for available updates for the installed MongoDB components by running the following command:
$ sudo yum check-update --repo mongodb-enterprise-8.0
The output will list any components that need to be updated.
If the MongoDB repository is not enabled, its contents do not match the standard configuration, or if any components are not installed or are not the most current version available, this is a finding.
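The comparison in step 2 can be scripted so that a disabled signature check (gpgcheck) or a changed key URL is reported as a deviation. The following is an added example, not part of the STIG or of MongoDB's tooling; the function names repo_value and check_mongodb_repo are hypothetical, and the expected values are those of the standard configuration above.

```shell
#!/bin/sh
# Added example (not STIG text): compare a yum repo file with the standard
# configuration from step 2. Function names here are hypothetical helpers.

# Print the value of key $3 in section [$2] of repo file $1 (empty if absent).
# If a key is repeated, the last occurrence is reported.
repo_value() {
    awk -v section="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); in_section = ($0 == section); next }
        !in_section || /^[ \t]*[#;]/ { next }
        {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Return 0 if every expected setting matches, 1 otherwise; print each deviation.
check_mongodb_repo() {
    file=$1; rc=0
    [ -r "$file" ] || { echo "FINDING: $file missing or unreadable"; return 1; }
    while IFS='|' read -r key want; do
        got=$(repo_value "$file" "mongodb-enterprise-8.0" "$key")
        if [ "$got" != "$want" ]; then
            echo "FINDING: $key='$got' (expected '$want')"
            rc=1
        fi
    done <<'EOF'
name|MongoDB Enterprise Repository
baseurl|https://repo.mongodb.com/yum/redhat/9/mongodb-enterprise/8.0/$basearch/
gpgcheck|1
enabled|1
gpgkey|https://pgp.mongodb.com/server-8.0.asc
EOF
    return "$rc"
}

# Constructed sample: a repo file with package signature checking switched off.
demo=$(mktemp)
printf '%s\n' '[mongodb-enterprise-8.0]' 'name=MongoDB Enterprise Repository' \
    'baseurl=https://repo.mongodb.com/yum/redhat/9/mongodb-enterprise/8.0/$basearch/' \
    'gpgcheck=0' 'enabled=1' 'gpgkey=https://pgp.mongodb.com/server-8.0.asc' > "$demo"
check_mongodb_repo "$demo" || echo "repo file deviates from the standard configuration"
rm -f "$demo"
```

On a host, the same function is called with /etc/yum.repos.d/mongodb-enterprise-8.0.repo as its argument.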
Fix Text
Ensure the MongoDB repository is configured according to the official documentation.
Install any missing or outdated components by running the command:
$ sudo yum update --repo mongodb-enterprise-8.0
Restart the MongoDB service:
$ sudo systemctl restart mongod
The YUM method is the preferred method because it provides automatic dependency management, built-in rollback support, and simplified security updates. These features reduce the risk of misconfiguration and ensure a more stable and secure environment that is easier to maintain and keep compliant.
For additional details, refer to the MongoDB documentation:
https://www.mongodb.com/docs/v8.0/tutorial/install-mongodb-enterprise-on-red-hat/
CCI Reference
CCI-003992
Created: 2026-04-07 20:08:22
Last Updated: 2026-04-07 20:08:22