Hi @Stennie_X ,
Thank you for your feedback.
Regarding: "MongoDB Atlas meets higher standards of security than the CIS benchmark, including regular independent third party verification for compliance with multiple international security and privacy standards."
How do you know/compare (without knowing the configuration details)? Maybe one could argue that the underlying server configuration is the same for all Atlas Clusters and is believed to be secure because it has been hardened and penetration tested against different standards and certifications by independent third parties …
Yes I’ve read the white paper (and most of the other atlas documentation) some time ago and I’ve seen the discussion on FIPS. (And yes maybe I need to contact Sales and/or Support to get exact answers respective configuration details.)
FIPS: I don't understand why FIPS cannot be enabled, or rather what "FIPS Compatible" means. The only thing I found is "https://www.mongodb.com/docs/manual/tutorial/configure-fips/": "Starting in MongoDB 5.1, instances running in FIPS mode have the SCRAM-SHA-1 authentication mechanism disabled by default." VS "BadValue: SCRAM-SHA-256 authentication is disabled": "Currently, Atlas does not support SCRAM-SHA-256, but does support SCRAM-SHA-1." …
Trying to match my questions to your answers:
2.1 Ensure Authentication is configured
2.2 Ensure that MongoDB does not bypass authentication via the localhost exception
• 2.1, 2.2: Authentication, TLS, and IP Access Lists are always enabled
I guess 2.1 is true based on the security white paper: "For the MongoDB Atlas Cluster, authentication is automatically enabled by default via SCRAM to help ensure a secure system out of the box." And I've seen no switch to disable authentication.
Regarding 2.2, I'm not sure whether support, when it accesses the server via SSH, can bypass authentication via the localhost exception.
3.3 Ensure that MongoDB is run using a non-privileged, dedicated service account
• 3.3: Each cluster is deployed within a VPC configuration that allows no inbound access by default.
This does not answer the question …
5.1 Ensure that system activity is audited
• 5.1: System activity is audited and there are further options for database auditing
I guess you’ve checked in the configuration and/or in the documentation – can you maybe add the reference?
5.4 Ensure that new entries are appended to the end of the log file
• 5.4: All logs (including infrastructure, UI, mongod, …) have documented log retention policies
Do you know the log retention? I guess this indirectly answers the question, i.e. you could not guarantee log retention if appending to the end of the log file were set to false …
Thank you and kind regards
Raoul
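The CIS items debated in this thread (2.1, 2.2, 5.1, 5.4) map to specific mongod configuration keys on a self-managed deployment. The following added example (not from the thread or from MongoDB) checks a mongod.conf against those items; it uses mongod's documented option names and a constructed sample config, and covers only what a config file can show (3.3, the service account, is an OS-level check and is left out).

```python
"""Check a mongod.conf (YAML subset) against CIS items 2.1, 2.2, 5.1 and 5.4.

Added example, not code from the thread. Option names are mongod's documented
configuration keys; SAMPLE_CONF is a constructed config for demonstration.
"""

# Constructed sample: authentication is on, but the localhost bypass is left
# enabled, auditing is not configured and logAppend is off.
SAMPLE_CONF = """\
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: false
security:
  authorization: enabled
setParameter:
  enableLocalhostAuthBypass: true
"""


def parse_conf(text):
    """Minimal parser for the indented 'key: value' subset used by mongod.conf."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:  # close deeper or sibling levels
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:  # a key with no inline value opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def get(conf, dotted):
    """Look up 'a.b.c' in nested dicts; None when absent (i.e. default applies)."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def cis_findings(conf):
    """Return {item: (passed, detail)}; absent keys fail, as mongod defaults fail each item."""
    wanted = {
        "2.1": ("security.authorization", "enabled"),
        "2.2": ("setParameter.enableLocalhostAuthBypass", "false"),
        "5.4": ("systemLog.logAppend", "true"),
    }
    results = {}
    for item, (path, want) in wanted.items():
        have = get(conf, path)
        results[item] = (str(have).lower() == want, f"{path}={have!r} (want {want})")
    dest = get(conf, "auditLog.destination")  # 5.1: any audit destination means auditing is on
    results["5.1"] = (dest in ("file", "syslog", "console"), f"auditLog.destination={dest!r}")
    return results


if __name__ == "__main__":
    for item, (ok, detail) in sorted(cis_findings(parse_conf(SAMPLE_CONF)).items()):
        print(f"CIS {item}: {'PASS' if ok else 'FAIL'}  {detail}")
```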