DISA STIG MongoDB Enterprise Advanced 3.x v2r1 OS

Audit Details

Name: DISA STIG MongoDB Enterprise Advanced 3.x v2r1 OS

Updated: 6/3/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.1

Estimated Item Count: 41

File Details

Filename: DISA_STIG_MongoDB_Enterprise_Advanced_3.x_OS_Linux_v2r1.audit

Size: 108 kB

MD5: 0d94bcb942187d67b017b87361107099
SHA256: efaeee9e1a2dfe779d7aefd37d73b22239329167bfde78ff3599e8ebeacf4c06

Audit Items

DescriptionCategories
MD3X-00-000010 - MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.

ACCESS CONTROL

MD3X-00-000040 - MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

MD3X-00-000190 - The audit information produced by MongoDB must be protected from unauthorized read access.

AUDIT AND ACCOUNTABILITY

MD3X-00-000220 - MongoDB must protect its audit features from unauthorized access.

AUDIT AND ACCOUNTABILITY

MD3X-00-000250 - MongoDB software installation account must be restricted to authorized users.

CONFIGURATION MANAGEMENT

MD3X-00-000260 - Database software, including DBMS configuration files, must be stored in dedicated directories, or DASD pools, separate from the host OS and other applications.

CONFIGURATION MANAGEMENT

MD3X-00-000280 - Unused database components, DBMS software, and database objects must be removed.

CONFIGURATION MANAGEMENT

MD3X-00-000290 - Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled - enabled

CONFIGURATION MANAGEMENT

MD3X-00-000290 - Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled - JSONPEnabled

CONFIGURATION MANAGEMENT

MD3X-00-000290 - Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled - RESTInterfaceEnabled

CONFIGURATION MANAGEMENT

MD3X-00-000310 - MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

IDENTIFICATION AND AUTHENTICATION

MD3X-00-000320 - If DBMS authentication using passwords is employed, MongoDB must enforce the DoD standards for password complexity and lifetime.

IDENTIFICATION AND AUTHENTICATION

MD3X-00-000330 - If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords.

IDENTIFICATION AND AUTHENTICATION

MD3X-00-000340 - If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords - allowInvalidCertificates

IDENTIFICATION AND AUTHENTICATION

MD3X-00-000340 - If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords - CAFile

IDENTIFICATION AND AUTHENTICATION

MD3X-00-000340 - If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords - mode

IDENTIFICATION AND AUTHENTICATION

MD3X-00-000340 - If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords - PEMKeyFile

IDENTIFICATION AND AUTHENTICATION

MD3X-00-000360 - MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB - CAFile

IDENTIFICATION AND AUTHENTICATION

MD3X-00-000360 - MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB - PEMKeyFile

IDENTIFICATION AND AUTHENTICATION

MD3X-00-000380 - MongoDB must use NIST FIPS 140-2-validated cryptographic modules for cryptographic operations.

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

MD3X-00-000410 - MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.

SYSTEM AND COMMUNICATIONS PROTECTION

MD3X-00-000420 - MongoDB must fail to a secure state if system initialization fails, shutdown fails, or aborts fail.

SYSTEM AND COMMUNICATIONS PROTECTION

MD3X-00-000440 - MongoDB must protect the confidentiality and integrity of all information at rest.

SYSTEM AND COMMUNICATIONS PROTECTION

MD3X-00-000460 - Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.

SYSTEM AND COMMUNICATIONS PROTECTION

MD3X-00-000470 - MongoDB must prevent unauthorized and unintended information transfer via shared system resources - .conf file

SYSTEM AND COMMUNICATIONS PROTECTION

MD3X-00-000470 - MongoDB must prevent unauthorized and unintended information transfer via shared system resources - Data Dir

SYSTEM AND COMMUNICATIONS PROTECTION

MD3X-00-000490 - MongoDB must check the validity of all data inputs except those specifically identified by the organization.

SYSTEM AND INFORMATION INTEGRITY

MD3X-00-000500 - MongoDB and associated applications must reserve the use of dynamic code execution for situations that require it.

SYSTEM AND INFORMATION INTEGRITY

MD3X-00-000520 - MongoDB must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

SYSTEM AND INFORMATION INTEGRITY

MD3X-00-000530 - MongoDB must reveal detailed error messages only to the ISSO, ISSM, SA, and DBA.

SYSTEM AND INFORMATION INTEGRITY

MD3X-00-000600 - MongoDB must utilize centralized management of the content captured in audit records generated by all components of MongoDB.

AUDIT AND ACCOUNTABILITY

MD3X-00-000620 - MongoDB must allocate audit record storage capacity in accordance with site audit record storage requirements.

AUDIT AND ACCOUNTABILITY

MD3X-00-000630 - MongoDB must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.

AUDIT AND ACCOUNTABILITY

MD3X-00-000700 - MongoDB must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

IDENTIFICATION AND AUTHENTICATION

MD3X-00-000710 - MongoDB must prohibit the use of cached authenticators after an organization-defined time period.

IDENTIFICATION AND AUTHENTICATION

MD3X-00-000730 - MongoDB must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.

SYSTEM AND COMMUNICATIONS PROTECTION

MD3X-00-000740 - MongoDB must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.

SYSTEM AND COMMUNICATIONS PROTECTION

MD3X-00-000760 - MongoDB must maintain the confidentiality and integrity of information during preparation for transmission - mode

SYSTEM AND COMMUNICATIONS PROTECTION

MD3X-00-000770 - MongoDB must maintain the confidentiality and integrity of information during reception - PEMKeyFile

SYSTEM AND COMMUNICATIONS PROTECTION

MD3X-00-000800 - MongoDB must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IDENTIFICATION AND AUTHENTICATION

MD3X-00-001100 - MongoDB must be configured in accordance with the security configuration settings based on DoD security configuration and implementation guidance, including STIGs, NSA configuration guides, CTOs, DTMs, and IAVMs.

CONFIGURATION MANAGEMENT