{
  "format_version": 3,
  "policy": {
    "external_id": "1e0ee52dc5bf9485a088623593523c51",
    "name": "CIS MongoDB 8 Benchmark v1.0.0 - Level 1",
    "version": "1.0.1",
    "description": "CIS Level 1 hardening profile for MongoDB 8.x on Linux. Same set of automatable checks as the 6.x and 7.x profiles.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "c7464e8f357bb9879b76c47f34402ae1",
      "name": "2.1 — Ensure Authentication is configured",
      "description": "The mongod process must require authentication for all connections.",
      "rational": "Without authentication enabled, any client that can reach the listening port has full administrative access.",
      "remediation": "Add `security.authorization: enabled` to /etc/mongod.conf and restart mongod.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]*authorization:' /etc/mongod.conf 2>/dev/null | awk '{print tolower($2)}'",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "enabled"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "e6fd7fae5418aaed942fe20c03f5db48",
      "name": "2.2 — Ensure MongoDB does not bypass authentication via the localhost exception",
      "description": "The localhost exception grants unauthenticated access only until the first user is created.",
      "rational": "Once the first administrative user exists, no further accounts can be created without authenticating, eliminating an unprotected window.",
      "remediation": "Create at least one admin user in the admin database with userAdminAnyDatabase role.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "mongosh --quiet --eval 'try { db.getSiblingDB(\"admin\").getUsers().length } catch(e) { 0 }' 2>/dev/null | tail -1",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "ecb616caac49bf8d6c7ecdf9b589d05b",
      "name": "3.3 — Ensure MongoDB is run using a non-privileged, dedicated service account",
      "description": "mongod should run as a dedicated unprivileged service account (commonly 'mongodb').",
      "rational": "Running as a non-root account limits damage if the database process is compromised.",
      "remediation": "Ensure the systemd unit specifies `User=mongodb` and that mongod is not invoked as root.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "PROCESS",
          "input": "mongod",
          "selement": "OWNER",
          "condition": "NOT EQUALS",
          "sinput": "root"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "4caa0d2fe95f793578a292187462805c",
      "name": "4.1 — Ensure legacy TLS protocols are disabled",
      "description": "Disable TLS 1.0 and TLS 1.1 — only TLS 1.2 and TLS 1.3 should be accepted.",
      "rational": "Legacy TLS versions are vulnerable to BEAST, POODLE, and known downgrade attacks.",
      "remediation": "Set `net.tls.disabledProtocols: TLS1_0,TLS1_1` in /etc/mongod.conf.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE 'disabledProtocols' /etc/mongod.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "CONTAINS",
          "sinput": "TLS1_"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "5cdc1785d31f7b607b49bf82c6c419f3",
      "name": "4.3 — Ensure encryption of data in transit is configured",
      "description": "MongoDB must use TLS for client-to-server and intra-cluster communication.",
      "rational": "Without TLS, credentials and query payloads cross the network in plaintext.",
      "remediation": "Configure `net.tls.mode: requireTLS` plus certificateKeyFile in /etc/mongod.conf.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hcE '^[[:space:]]+mode:[[:space:]]*requireTLS' /etc/mongod.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "8f79db8ef63a1e85b5ef7af33a64828c",
      "name": "5.1 — Ensure that system activity is audited",
      "description": "MongoDB audit logging records authentication and authorisation events as well as schema changes.",
      "rational": "Audit trails are required for forensic investigation and compliance attestation.",
      "remediation": "Configure `auditLog.destination` and `auditLog.path` in /etc/mongod.conf (Enterprise / Percona builds only).",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE 'auditLog' /etc/mongod.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "ffae11c00a2caf91086ce6e8fe41e444",
      "name": "5.3 — Ensure that logging captures as much information as possible",
      "description": "Verbose logging should be enabled so that operational events are recorded with sufficient detail.",
      "rational": "Insufficient log detail can leave gaps that delay incident response.",
      "remediation": "Set `systemLog.verbosity: 1` (or higher) and `systemLog.component.command.verbosity` as appropriate in /etc/mongod.conf.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE 'verbosity' /etc/mongod.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "413b67742224696cac680844942e7e7f",
      "name": "5.4 — Ensure that new entries are appended to the end of the log file",
      "description": "systemLog.logAppend should be true so that restarts do not truncate the log.",
      "rational": "Truncated logs lose forensic evidence of pre-restart activity, including indications of a compromise that triggered the restart.",
      "remediation": "Set `systemLog.logAppend: true` in /etc/mongod.conf.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE 'logAppend:[[:space:]]*true' /etc/mongod.conf 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "d5ae78930462b550fd95d8a40bc385ae",
      "name": "6.1 — Ensure that MongoDB uses a non-default port",
      "description": "Running on a port other than the well-known 27017 reduces noise from opportunistic scanners.",
      "rational": "Custom ports are not a security control on their own, but they lower the rate of automated probing.",
      "remediation": "Set `net.port: <custom-port>` in /etc/mongod.conf and update firewall rules accordingly.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -hiE '^[[:space:]]+port:' /etc/mongod.conf 2>/dev/null | awk '{print $2}'",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "27017"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "ecd7051d25a0bdfbeb486fa43b1de5af",
      "name": "7.1 — Ensure appropriate key file permissions are set",
      "description": "The keyfile used for intra-cluster authentication must be readable only by the mongod user.",
      "rational": "World- or group-readable key files let other local users read the shared secret and impersonate cluster members.",
      "remediation": "Run: `chmod 600 /etc/mongod.keyfile && chown mongodb:mongodb /etc/mongod.keyfile`.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "for f in /etc/mongod.keyfile /var/lib/mongo/mongod.keyfile; do [ -f \"$f\" ] && stat -c '%a' \"$f\"; done | head -1",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "600"
        }
      ],
      "applicability": []
    }
  ]
}
