From IT Security I got the CIS (Center of Internet Security) benchmark: CIS_MongoDB_5_Benchmark_v1.0.0_PDF.pdf (CIS MongoDB Benchmarks) with the question whether MongoDB Atlas meets this Benchmark. Unfortunately there exists no dedicated MongoDB Atlas Benchmark, and therefore, while I could answer most questions with yes, there still exist some open questions that require access to the underlying server configuration. Maybe someone in this community can answer these questions:
2.1 Ensure Authentication is configured
cat /etc/mongod.conf | grep "authorization"
The value for authorization must be set to enabled.
2.2 Ensure that MongoDB does not bypass authentication via the localhost exception
cat /etc/mongod.conf | grep "enableLocalhostAuthBypass"
The value for enableLocalhostAuthBypass must be false.
3.3 Ensure that MongoDB is run using a non-privileged, dedicated service account
Run the following command to get listing of all mongo instances, the PID number, and the PID owner.
ps -ef | grep -E "mongos|mongod"
- Create a dedicated user for performing MongoDB database activity.
- Set the Database data files, the keyfile, and the SSL private key files to only be readable by the mongod/mongos user.
- Set the log files to only be writable by the mongod/mongos user and readable only by root.
4.4 Ensure Federal Information Processing Standard (FIPS) is enabled
On Ubuntu: To verify that the server uses FIPS Mode (net.tls.FIPSMode value set to true), run the following commands:
mongod --config /etc/mongod.conf
net: tls: FIPSMode: true
Or, to verify that FIPS mode is running, check the server log file for a message that FIPS is active:
FIPS 140-2 mode activated
5.1 Ensure that system activity is audited
To verify that system activity is being audited for MongoDB, run the following command to confirm the auditLog.destination value is set correctly: On Ubuntu:
cat /etc/mongod.conf | grep -A4 "auditLog" | grep "destination"
5.3 Ensure that logging captures as much information as possible
To verify that the SystemLog: quiet=false option is disabled (value of false), run the following command: On Ubuntu:
cat /etc/mongod.conf | grep "quiet"
5.4 Ensure that new entries are appended to the end of the log file
To verify that new log entries will be appended to the end of the log file after a restart (systemLog: logAppend: true value set to true), run the following command: On Ubuntu:
cat /etc/mongod.conf | grep "logAppend"
6.1 Ensure that MongoDB uses a non-default port
To verify the port number used by MongoDB, execute the following command and ensure that the port number is not 27017: On Ubuntu:
cat /etc/mongod.conf | grep "port"
6.2 Ensure that operating system resource limits are set for MongoDB
To verify the resource limits set for MongoDB, run the following commands. Extract the process ID for MongoDB:
ps -ef | grep mongod
7.1 Ensure appropriate key file permissions are set
Find the location of certificate/keyfile using the following commands: On Ubuntu:
cat /etc/mongod.conf | grep "keyFile:"
cat /etc/mongod.conf | grep "PEMKeyFile:"
cat /etc/mongod.conf | grep "CAFile:"
7.2 Ensure appropriate database file permissions are set.
Find out the database location using the following command: On Ubuntu:
cat /etc/mongod.conf | grep "dbpath" or cat /etc/mongod.conf | grep "dbPath"
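As an added example (not from the original post, CIS, or MongoDB), the following Python script checks a mongod.conf against the configuration-file items quoted above by parsing the file's nested keys instead of grepping, so a match on "port" under net: is not confused with some other line, and values are compared as the strings that appear in the file. The setting paths it looks up (security.authorization, setParameter.enableLocalhostAuthBypass, net.tls.FIPSMode, auditLog.destination, systemLog.quiet, systemLog.logAppend, net.port) are the ones named in the benchmark text above; the sample configuration at the end is constructed for the demonstration.

```python
import stat

def parse_conf(text):
    """Parse the nested "key: value" map subset of YAML that mongod.conf uses."""
    stack = [(-1, {})]                         # (indent, map) for each open level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:          # close maps nested deeper than this line
            stack.pop()
        parent, value = stack[-1][1], value.strip().strip("'\"")
        if value == "":                        # e.g. "net:" opens a nested map
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return stack[0][1]

def get(conf, dotted, default=None):
    """Look up a dotted path such as net.tls.FIPSMode, or default if absent."""
    for part in dotted.split("."):
        if not isinstance(conf, dict) or part not in conf:
            return default
        conf = conf[part]
    return conf

def keyfile_mode_ok(mode):
    """7.1: the key file must carry no group/other permission bits (0600 passes)."""
    return stat.S_IMODE(mode) & 0o077 == 0

def audit(conf):
    """Map each configuration-file check quoted in the post to pass (True) or fail."""
    return {
        "2.1 authorization enabled": get(conf, "security.authorization") == "enabled",
        "2.2 localhost bypass off": get(conf, "setParameter.enableLocalhostAuthBypass") == "false",
        "4.4 FIPS mode": get(conf, "net.tls.FIPSMode") == "true",
        "5.1 audit destination set": get(conf, "auditLog.destination") in ("file", "syslog", "console"),
        "5.3 quiet is false": get(conf, "systemLog.quiet", "false") == "false",
        "5.4 logAppend": get(conf, "systemLog.logAppend") == "true",
        "6.1 non-default port": get(conf, "net.port", "27017") != "27017",
    }

SAMPLE_CONF = "\n".join([  # constructed sample, not a real server's file
    "net:", "  port: 27017", "  tls:", "    FIPSMode: true",
    "security:", "  authorization: enabled", "setParameter:",
    "  enableLocalhostAuthBypass: false", "systemLog:", "  logAppend: true",
    "auditLog:", "  destination: file"])
```

Run `audit(parse_conf(open("/etc/mongod.conf").read()))` on a self-managed server to see which items fail; on the constructed sample only 6.1 fails because the default port 27017 is still in use.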