MongoDB 8.x STIG — Free Checklist (22 Items) | TickYouOff

Hard 22 items · 4 hours
testuser Published 4 weeks ago

This checklist translates the MongoDB Enterprise Advanced 8.x STIG into practical, actionable steps for hardening database servers. It’s for system administrators, DBAs, and security engineers who manage MongoDB in DoD or enterprise environments and need to meet FIPS, authentication, encryption, and auditing requirements.

Source: https://ncp.nist.gov/checklist/1323

  1. Verify operating system is FIPS-compliant and cryptography-enabled — Confirm OS/FIPS module is validated and crypto is enabled per CMVP requirements.
  2. Install MongoDB Enterprise Advanced 8.x from official repositories — Use vendor packages or signed repos to ensure authenticity.
  3. Configure and validate FIPS-certified OpenSSL libraries for MongoDB — Ensure MongoDB links to FIPS 140-2/140-3 certified libraries where required.
  4. Enable MongoDB authentication (set security.authorization to 'enabled')
  5. Create administrative users with strong credentials — Use SCRAM or x.509; store admin credentials securely.
  6. Configure role-based access control for least privilege — Assign minimal roles and avoid granting root/admin unnecessarily.
  7. Bind MongoDB to required network interfaces
  8. Set bindIp to specific host IPs or interfaces — Avoid 0.0.0.0; restrict to necessary addresses.
  9. Disable remote connections if not required — Combine bind settings with firewall rules to block access.
  10. Enable TLS/SSL for client and internal node communications
  11. Install and validate TLS certificates from a trusted CA — Ensure CN/SAN match hostnames and certificate chain validates.
  12. Configure requireTLS and secure cipher suites — Disable weak ciphers and prefer TLS 1.2/1.3.
  13. Enable MongoDB audit logging and configure retention and forwarding — Log login, config changes, and admin actions; forward to SIEM.
  14. Review database user roles and enforce least privilege — Audit existing accounts and remove unnecessary privileges.
  15. Enable encryption at rest using the WiredTiger encrypted storage engine — Configure storageEngine.encryption to protect data files.
  16. Configure external key management (KMIP or cloud KMS) and rotate keys regularly — Integrate KMIP or KMS for key storage and enforce rotation policies.
  17. Disable HTTP status interface and other unused MongoDB features — Turn off deprecated or unnecessary endpoints to reduce attack surface.
  18. Configure host firewall and network segmentation for the database server — Limit access to DB ports and use VLANs or subnets where possible.
  19. Implement automated backups and regularly test point-in-time restores — Schedule backups, verify integrity, and perform restore drills.
  20. Configure monitoring, alerting, and review logs for suspicious activity — Set alerts for auth failures, configuration changes, and high usage.
  21. Harden file system permissions for data directories and MongoDB config files — Restrict ownership and access to dbpath, keyfiles, and mongod.conf.
  22. Keep MongoDB and the operating system up to date; apply security patches promptly — Track vendor advisories and schedule maintenance windows for updates.
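As an added example that is not part of this checklist or of MongoDB's own tooling, the Python below reviews a mongod.conf that has already been parsed into a dict (for instance with PyYAML) against items 3, 4, 8, 10 to 13, 15 and 16. The option names are the real mongod settings (encryption at rest is switched on with security.enableEncryption, and the KMIP server with security.kmip.serverName); the two sample configurations, their hostnames and file paths are constructed.

```python
def _get(cfg, path, default=None):
    """Walk a dotted option path such as 'net.tls.mode' through nested dicts."""
    node = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def audit_mongod_config(cfg):
    """Return findings tagged with the checklist item number; an empty list means all checks passed."""
    findings = []
    if _get(cfg, "security.authorization") != "enabled":
        findings.append("[4] security.authorization must be 'enabled'")
    bind = _get(cfg, "net.bindIp", "127.0.0.1")  # mongod default when unset is localhost only
    addrs = bind if isinstance(bind, list) else str(bind).split(",")
    if _get(cfg, "net.bindIpAll") or any(a.strip() in ("0.0.0.0", "::", "*") for a in addrs):
        findings.append("[8] net.bindIp must list specific addresses, not all interfaces")
    if _get(cfg, "net.tls.mode") != "requireTLS":
        findings.append("[10] net.tls.mode must be 'requireTLS'")
    for opt in ("net.tls.certificateKeyFile", "net.tls.CAFile"):
        if not _get(cfg, opt):
            findings.append(f"[11] {opt} must point at a CA-issued certificate/chain")
    disabled = str(_get(cfg, "net.tls.disabledProtocols", ""))
    if "TLS1_0" not in disabled or "TLS1_1" not in disabled:
        findings.append("[12] net.tls.disabledProtocols should include TLS1_0,TLS1_1")
    if _get(cfg, "net.tls.FIPSMode") is not True:
        findings.append("[3] net.tls.FIPSMode must be true")
    if _get(cfg, "auditLog.destination") not in ("file", "syslog"):
        findings.append("[13] auditLog.destination must be 'file' or 'syslog'")
    if _get(cfg, "security.enableEncryption") is not True:
        findings.append("[15] security.enableEncryption must be true")
    if not _get(cfg, "security.kmip.serverName"):
        findings.append("[16] security.kmip.serverName should name the external key manager")
    return findings

WEAK_CONF = {  # constructed: default-style install with auth, TLS and auditing left off
    "net": {"port": 27017, "bindIp": "0.0.0.0"}, "storage": {"dbPath": "/var/lib/mongo"}}

HARDENED_CONF = {  # constructed: the same server after the checklist; host and paths are placeholders
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.20.0.15",
            "tls": {"mode": "requireTLS", "FIPSMode": True, "disabledProtocols": "TLS1_0,TLS1_1",
                    "certificateKeyFile": "/etc/ssl/mongod.pem", "CAFile": "/etc/ssl/ca.pem"}},
    "security": {"authorization": "enabled", "enableEncryption": True,
                 "kmip": {"serverName": "kmip.example.internal"}},
    "auditLog": {"destination": "file", "format": "JSON", "path": "/var/log/mongodb/audit.json"}}

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_config(conf) or "no findings")
```

The weak sample produces ten findings and the hardened one none; running the check in a CI job or a configuration-management post-step catches a server that drifts back to an open bindIp or a disabled TLS mode.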