{
  "format_version": 3,
  "policy": {
    "external_id": "a96d7a658aafa804fec93f5fba282d47",
    "name": "CIS MongoDB 6 Benchmark v1.0.0 - Level 1",
    "version": "1.0.1",
    "description": "CIS Level 1 hardening profile for MongoDB 6.x on Linux. Authentication, non-root service account, TLS configuration, audit/verbose logging, non-default port, keyfile permissions. Linux-only checks; assumes /etc/mongod.conf.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "cd34199f6e9ad0e6a429ceab84cfa24a",
      "name": "2.1 — Ensure Authentication is configured",
      "description": "The mongod process must require authentication for all connections.",
      "rational": "Without authentication enabled, any client that can reach the listening port has full administrative access.",
      "remediation": "Add `security.authorization: enabled` to /etc/mongod.conf and restart mongod.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*authorization:' /etc/mongod.conf 2>/dev/null | awk '{print tolower($2)}'",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "enabled"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "5389b2761b2d4fe2d8824120045badab",
      "name": "2.2 — Ensure MongoDB does not bypass authentication via the localhost exception",
      "description": "The localhost exception grants unauthenticated local access only until the first user is created.",
      "rational": "Once the first administrative user exists, no further accounts can be created without authenticating, eliminating an unprotected window.",
      "remediation": "Create at least one admin user in the admin database with the userAdminAnyDatabase role.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "mongosh --quiet --eval 'try { db.getSiblingDB(\"admin\").getUsers().length } catch(e) { 0 }' 2>/dev/null | tail -1",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "b059878e41749802544c2023b68f483d",
      "name": "3.3 — Ensure MongoDB is run using a non-privileged, dedicated service account",
      "description": "mongod should run as a dedicated unprivileged service account (commonly 'mongodb').",
      "rational": "Running as a non-root account limits damage if the database process is compromised.",
      "remediation": "Ensure the systemd unit specifies `User=mongodb` and that mongod is not invoked as root.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PROCESS",
          "input": "mongod",
          "selement": "OWNER",
          "condition": "NOT EQUALS",
          "sinput": "root"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "8a393aa62f88fd7d2607801c35b72548",
      "name": "4.1 — Ensure legacy TLS protocols are disabled",
      "description": "Disable TLS 1.0 and TLS 1.1 — only TLS 1.2 and TLS 1.3 should be accepted.",
      "rational": "Legacy TLS versions are vulnerable to BEAST, POODLE, and known downgrade attacks.",
      "remediation": "Set `net.tls.disabledProtocols: TLS1_0,TLS1_1` in /etc/mongod.conf.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE 'disabledProtocols' /etc/mongod.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "TLS1_"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "1605189af5d4e9864eabebc3fe8b471d",
      "name": "4.3 — Ensure encryption of data in transit is configured",
      "description": "MongoDB must use TLS for client-to-server and intra-cluster communication.",
      "rational": "Without TLS, credentials and query payloads cross the network in plaintext.",
      "remediation": "Configure `net.tls.mode: requireTLS` together with `net.tls.certificateKeyFile` in /etc/mongod.conf.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hcE '^[[:space:]]+mode:[[:space:]]*requireTLS' /etc/mongod.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "42383e827920941bb23a7c55bb7bb059",
      "name": "5.1 — Ensure that system activity is audited",
      "description": "MongoDB audit logging records authentication, authorisation, and schema changes.",
      "rational": "Audit trails are required for forensic investigation and compliance attestation.",
      "remediation": "Configure `auditLog.destination` and `auditLog.path` in /etc/mongod.conf (Enterprise / Percona builds only).",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE 'auditLog' /etc/mongod.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "0e898d552dbe73bd572201202ebb548e",
      "name": "5.3 — Ensure that logging captures as much information as possible",
      "description": "Verbose logging should be enabled so that operational events are recorded with sufficient detail.",
      "rational": "Insufficient log detail can leave gaps that delay incident response.",
      "remediation": "Set `systemLog.verbosity: 1` (or higher) and `systemLog.component.command.verbosity` as appropriate in /etc/mongod.conf.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE 'verbosity' /etc/mongod.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "cea8481c437cab5d99cef80a4afbd205",
      "name": "5.4 — Ensure that new entries are appended to the end of the log file",
      "description": "systemLog.logAppend should be true so that restarts do not truncate the log.",
      "rational": "Truncated logs lose forensic evidence of pre-restart activity, including indications of a compromise that triggered the restart.",
      "remediation": "Set `systemLog.logAppend: true` in /etc/mongod.conf.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE 'logAppend:[[:space:]]*true' /etc/mongod.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "f15f537a71b51d3e47f50dd6032829d1",
      "name": "6.1 — Ensure that MongoDB uses a non-default port",
      "description": "Running on a port other than the well-known 27017 reduces noise from opportunistic scanners. If `net.port` is not set at all, mongod listens on the default 27017.",
      "rational": "Custom ports are not a security control on their own but lower the rate of automated probing.",
      "remediation": "Set `net.port: <custom-port>` in /etc/mongod.conf and update firewall rules accordingly.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]+port:' /etc/mongod.conf 2>/dev/null | awk '{print $2}'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "27017"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "4e47f0c80dd105846cc9bfb2bbaf76dd",
      "name": "7.1 — Ensure appropriate key file permissions are set",
      "description": "The keyfile used for intra-cluster authentication must be readable only by the mongod user.",
      "rational": "World- or group-readable key files let any local user impersonate cluster members.",
      "remediation": "Run: `chmod 600 /etc/mongod.keyfile && chown mongodb:mongodb /etc/mongod.keyfile`.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "for f in /etc/mongod.keyfile /var/lib/mongo/mongod.keyfile; do [ -f \"$f\" ] && stat -c '%a' \"$f\"; done | head -1",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "600"
        }
      ],
      "applicability": []
    }
  ]
}
