TickYouOff

MongoDB 7.x STIG Compliance Checklist

Difficulty: Medium · 26 items · 1 day
Published by testuser 1 month ago

This checklist helps administrators and security teams implement the DISA MongoDB 7.x STIG controls for MongoDB Enterprise Advanced. It covers host hardening, cryptography/FIPS requirements, authentication/authorization, encryption, auditing, and operational checks to maintain a compliant deployment.

Source: https://ncp.nist.gov/checklist/1267

  1. Verify MongoDB Enterprise Advanced 7.x is installed and up to date — Confirm the version (7.x) and apply vendor security patches.
  2. Deploy MongoDB on a FIPS-compliant OS or enable FIPS mode — Use an OS with CMVP-validated modules or enable FIPS mode where required.
  3. Ensure MongoDB uses FIPS-certified OpenSSL libraries or OS FIPS crypto — Verify OpenSSL is FIPS 140-2/140-3 certified or provided by the OS.
  4. Harden and patch the host OS per relevant STIGs and remove unused services — Apply RHEL/host STIG controls and disable unnecessary packages and daemons.
  5. Restrict network exposure by binding mongod to specific IP addresses — Set net.bindIp in mongod.conf to only required interfaces.
  6. Configure firewall rules to restrict MongoDB ports to trusted hosts — Allow only management, application and replication peers as needed.
  7. Create a dedicated administrative user with least-privilege roles — Provision admin user(s) in the admin database; avoid shared/default accounts.
  8. Enable authentication — Activate MongoDB authentication to require credentials for connections.
  9. Enable role-based authorization and revoke default privileges — Assign least privilege roles and remove unneeded built-in privileges.
  10. Enforce SCRAM-SHA-256 and strong password policies — Use SCRAM-SHA-256, enforce complexity, rotation, and lockout policies.
  11. Configure TLS/SSL for client-server and intra-cluster communication — Encrypt in-transit traffic using TLS with approved ciphers.
  12. Obtain and install certificates from a trusted CA — Use certificates with proper SANs and full chains for hostnames.
  13. Verify certificate chains and disable weak ciphers/protocols — Disable TLS 1.0/1.1 and weak cipher suites; prefer FIPS-approved ciphers.
  14. Enable TLS in mongod configuration and restart the service — Set net.tls or net.ssl settings in mongod.conf and validate connections.
  15. Configure internal cluster authentication (keyfile or x.509) — Authenticate replica set and sharded members using keyfile or x.509 certs.
  16. Enable auditing and forward audit logs to SIEM — Capture access, auth, and config changes and send to centralized logging.
  17. Define audit filters to capture privileged actions — Focus audit events on admin, auth, and data-access operations.
  18. Rotate and retain audit logs per policy — Implement log rotation, secure storage, and retention to meet compliance.
  19. Enable encryption at rest and manage keys via an approved KMS — Use the Encrypted Storage Engine and store keys in KMIP or an approved KMS.
  20. Secure backups: encrypt backup data and restrict access — Encrypt backup archives and limit access to authorized personnel/systems.
  21. Restrict filesystem permissions for MongoDB data and config files — Set ownership and permissions so only the mongod user can access data files.
  22. Disable unused HTTP/REST endpoints and administrative web interfaces — Turn off REST/status interfaces and any unnecessary listeners.
  23. Monitor vendor advisories and apply security patches promptly — Subscribe to MongoDB advisories and patch systems for CVEs quickly.
  24. Perform regular vulnerability and STIG compliance scans — Run automated scanners and rectify findings on a regular cadence.
  25. Test disaster recovery by validating backup restores regularly — Perform full restores from backups to verify recovery procedures.
  26. Maintain incident response runbooks and practice log analysis — Document procedures and run tabletop exercises for common incidents.
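The following mongod.conf shows how the settings named in items 5, 8, 10, 11, 13 to 17 and 19 fit together; it is an added illustration, not part of this checklist or of the DISA STIG. File paths, the bind address and the KMIP server name are placeholders, and where a STIG item replaces a weaker default the default is noted in a comment.

```yaml
# Hardened mongod.conf for MongoDB Enterprise 7.x (added illustration, not from the
# checklist or the STIG). Paths, addresses and the KMIP host are placeholders.
# Comments name the checklist item addressed and the weaker default replaced.
storage:
  dbPath: /var/lib/mongo             # item 21: directory owned by mongod:mongod, mode 0700

systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true

net:
  port: 27017
  bindIp: 10.0.0.5,127.0.0.1         # item 5: default is 127.0.0.1 only; never 0.0.0.0
  tls:
    mode: requireTLS                 # items 11/14: default "disabled" accepts plaintext
    certificateKeyFile: /etc/ssl/mongodb/mongod.pem   # item 12: CA-issued cert+key with SANs
    CAFile: /etc/ssl/mongodb/ca.pem                   # item 13: verify the full chain
    disabledProtocols: TLS1_0,TLS1_1                  # item 13: leaves TLS 1.2/1.3 only
    FIPSMode: true                   # items 2/3: needs FIPS-capable OpenSSL (Enterprise)
    allowInvalidCertificates: false  # item 13: the default, stated explicitly

security:
  authorization: enabled             # items 8/9: default "disabled" requires no credentials
  clusterAuthMode: x509              # item 15: members authenticate with x.509 (or keyFile)
  enableEncryption: true             # item 19: Encrypted Storage Engine (Enterprise)
  encryptionCipherMode: AES256-GCM   # item 19: default is AES256-CBC; GCM is Linux-only
  kmip:
    serverName: kmip.example.internal   # item 19: placeholder KMS host
    port: 5696
    clientCertificateFile: /etc/ssl/mongodb/kmip-client.pem
    serverCAFile: /etc/ssl/mongodb/kmip-ca.pem

setParameter:
  authenticationMechanisms: SCRAM-SHA-256  # item 10: default also offers SCRAM-SHA-1
  auditAuthorizationSuccess: true          # item 17: record successful privileged ops too

auditLog:
  destination: file                  # item 16: forward this file to the SIEM
  format: JSON
  path: /var/log/mongodb/audit.json
  # item 17: privileged actions only; omit the filter to audit every event type
  filter: '{ atype: { $in: [ "authenticate", "createUser", "dropUser",
            "grantRolesToUser", "revokeRolesFromUser", "createRole", "dropRole",
            "updateRole", "dropDatabase", "dropCollection", "shutdown" ] } }'
```

After editing, restart mongod and confirm from a client that a plaintext connection is refused, that an unauthenticated session cannot read data, and that the audit file records the first admin login.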