Rule ID
SV-279349r1179508_rule
Version
V1R1
CCIs
The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on user ID and password may be used only when it is not possible to employ a PKI certificate, and requires authorizing official (AO) approval. In such cases, database passwords stored in clear text, using reversible encryption or using unsalted hashes, would be vulnerable to unauthorized disclosure. Database passwords must always be in the form of one-way, salted hashes when stored internally or externally to the DBMS.
MongoDB's default authentication mechanism is the Salted Challenge Response Authentication Mechanism (SCRAM); SCRAM-SHA-256 stores each password as a salted, iterated one-way hash.
Run the following script against the MongoDB system. It reads system.users in the admin database, which holds the user documents for every database:
// Connect to the admin database, which holds system.users for every database
db = db.getSiblingDB('admin');
// Limit the check to password-authenticated users: users on $external (x.509, LDAP, Kerberos)
// carry credentials: { external: true } and have no SCRAM credential to check
const allUsers = db.system.users.find().toArray();
const passwordUsers = allUsers.filter(user =>
  user.db !== '$external' && !(user.credentials && user.credentials.external === true)
);
// Report each password user and collect those without a SCRAM-SHA-256 credential
const usersToUpgrade = [];
passwordUsers.forEach(user => {
  const hasSha256 = Boolean(user.credentials && user.credentials['SCRAM-SHA-256']);
  print(`- User: ${user.user}, Database: ${user.db}, Using SCRAM-SHA-256: ${hasSha256 ? 'YES' : 'NO'}`);
  if (!hasSha256) usersToUpgrade.push(user);
});
print(`\nFound ${usersToUpgrade.length} users without SCRAM-SHA-256 authentication`);
if (usersToUpgrade.length === 0) {
  print("All users already using SCRAM-SHA-256. No action needed.");
  quit();
}
If any user found in a database using password authentication does not have "Using SCRAM-SHA-256: YES", this is a finding.
For each user that does not have SCRAM-SHA-256, run the following command:
use admin
db.runCommand({ updateUser: '<their username>', pwd: passwordPrompt(), mechanisms: ['SCRAM-SHA-256'] })
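The check and fix above, as an added example that is not part of the STIG text: the same logic applied to constructed copies of admin.system.users documents, so it can be exercised and reviewed without a live mongod. The document shapes follow MongoDB's system.users layout (credentials keyed by mechanism name, $external users marked with credentials: { external: true }); the sample users, the function names, and the password parameter passed to buildUpgradeCommand (passwordPrompt() in mongosh) are assumptions made for this example.

```javascript
// Added example, not the STIG's own script. Constructed sample documents in
// the shape of admin.system.users entries; names and values are invented.
const SAMPLE_SYSTEM_USERS = [
  { _id: "admin.dba", user: "dba", db: "admin",
    credentials: { "SCRAM-SHA-256": { iterationCount: 15000 } } },
  { _id: "appdb.svc_app", user: "svc_app", db: "appdb",
    credentials: { "SCRAM-SHA-1": { iterationCount: 10000 } } },
  { _id: "appdb.legacy_both", user: "legacy_both", db: "appdb",
    credentials: { "SCRAM-SHA-1": { iterationCount: 10000 },
                   "SCRAM-SHA-256": { iterationCount: 15000 } } },
  // x.509 / LDAP / Kerberos users live in $external and have no password.
  { _id: "$external.CN=app01,O=Example", user: "CN=app01,O=Example",
    db: "$external", credentials: { external: true } },
];

// A user is password-authenticated unless it is defined on $external or its
// only credential is the "external" marker.
function usesPasswordAuth(user) {
  const creds = user.credentials || {};
  return !(user.db === "$external" || creds.external === true);
}

// True when the user has a SCRAM-SHA-256 credential stored.
function hasScramSha256(user) {
  return Boolean(user.credentials && user.credentials["SCRAM-SHA-256"]);
}

// Evaluate the STIG check: one status line per password user, plus the list
// of users that constitute a finding (password auth without SCRAM-SHA-256).
function evaluateScramCompliance(users) {
  const report = [];
  const findings = [];
  for (const user of users) {
    if (!usesPasswordAuth(user)) continue; // out of scope for this check
    const ok = hasScramSha256(user);
    report.push(`User: ${user.user}, Database: ${user.db}, Using SCRAM-SHA-256: ${ok ? "YES" : "NO"}`);
    if (!ok) findings.push({ user: user.user, db: user.db });
  }
  return { report, findings, isFinding: findings.length > 0 };
}

// Build the updateUser command document from the fix text for one user.
// The password is a parameter here (hypothetical); in mongosh it would come
// from passwordPrompt() so it never lands in shell history.
function buildUpgradeCommand(username, password) {
  return { updateUser: username, pwd: password, mechanisms: ["SCRAM-SHA-256"] };
}

// Stand-alone run over the constructed sample.
const result = evaluateScramCompliance(SAMPLE_SYSTEM_USERS);
result.report.forEach(line => console.log(line));
console.log(result.isFinding
  ? `Finding: ${result.findings.length} password user(s) without SCRAM-SHA-256`
  : "Not a finding: all password users have SCRAM-SHA-256");
```

On the constructed sample, svc_app is the only finding: dba and legacy_both both hold a SCRAM-SHA-256 credential (legacy_both also still holds SCRAM-SHA-1, which the fix command's mechanisms list removes when applied), and the $external certificate user is skipped because it is not password-authenticated.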