MD8X-00-002700 - MongoDB database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to MongoDB, etc.) must be owned by database/DBMS principals authorized for ownership.

Information

Within the database, object ownership implies full privileges to the owned object, including the privilege to assign access to the owned objects to other subjects. Database functions and procedures can be coded using definer's rights. This allows anyone who uses the object to perform the actions if they were the owner. If not properly managed, this can lead to privileged actions being taken by unauthorized individuals.

Conversely, if critical tables or other objects rely on unauthorized owner accounts, these objects may be lost when an account is removed.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

For each user identified as having a "dbOwner" role on a database they are not authorized for, revoke the "dbOwner" role from that user on that database by running the following commands:

use <database>
db.revokeRolesFromUser() command

https://www.mongodb.com/docs/v8.0/reference/command/revokeRolesFromUser/

Example to revoke "dbOwner" role from "user1" on the "anotherDatabase" in the "admin" database:

use admin
db.revokeRolesFromUser(
"user1",
[
{ role: "dbOwner", db: "anotherDatabase" }
]
)

Item Details

Audit Name: DISA MongoDB Enterprise Advanced 8.x STIG v1r1 MongoDB

Category: CONFIGURATION MANAGEMENT

Plugin: MongoDB

Control ID: e4da62c47967dcfbb44b16bc5717f38e95f058e426d6143495d896fd27755bb7

Detections

Analytics

MD8X-00-002700 - MongoDB database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to MongoDB, etc.) must be owned by database/DBMS principals authorized for ownership.

Information

Solution

See Also

Item Details