MongoDB must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.

Overview

Finding ID: V-279349
Version: MD8X-00-003600
Rule ID: SV-279349r1179508_rule
IA Controls: CCI-004062
Severity: high
Description
The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on user ID and password may be used only when it is not possible to employ a PKI certificate, and requires authorizing official (AO) approval. In such cases, database passwords stored in clear text, using reversible encryption or using unsalted hashes, would be vulnerable to unauthorized disclosure. Database passwords must always be in the form of one-way, salted hashes when stored internally or externally to the DBMS.
STIG: MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
Date: 2026-02-20

Details

Check Text (C-279349r1179508_chk)

MongoDB supports the Salted Challenge Response Authentication Mechanism (SCRAM) as the default authentication mechanism for MongoDB. Run the following script against the MongoDB system:

    // Connect to admin database
    db = db.getSiblingDB('admin');

    // Get all users without SCRAM-SHA-256
    const allUsers = db.system.users.find().toArray();
    const usersToUpgrade = allUsers.filter(user =>
      !user.credentials || !user.credentials["SCRAM-SHA-256"]
    );

    print(`Found ${usersToUpgrade.length} users without SCRAM-SHA-256 authentication`);

    if (usersToUpgrade.length === 0) {
      print("All users already using SCRAM-SHA-256. No action needed.");
      quit();
    }

    // Display users that need upgrading
    print("\nUsers needing upgrade to SCRAM-SHA-256:");
    usersToUpgrade.forEach(user => {
      print(`- User: ${user.user}, Database: ${user.db}`);
    });

If any user found in a database using password authentication does not have "Using SCRAM-SHA-256: YES", this is a finding.

Fix Text (F-83807r1179451_fix)

For each user that does not have SCRAM-SHA-256, run the following command:

    use admin
    db.runCommand({ 'updateUser': '<their username>', pwd: passwordPrompt(), mechanisms: ['SCRAM-SHA-256'] })
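The following is an added example, not part of the STIG check or fix text. It classifies system.users documents the way the Check Text intends (only users that authenticate with a password are in scope) and renders the Fix Text command for each finding. It assumes the stored document shape in which SCRAM users carry a credentials["SCRAM-SHA-256"] or credentials["SCRAM-SHA-1"] verifier and non-password ($external, e.g. x.509 or LDAP) users carry credentials: { external: true }; the user records are constructed sample data.

```javascript
// Added example (not part of the STIG): classify system.users documents the
// way the Check Text intends, excluding users that never authenticate with a
// password. Assumed shape: x.509/LDAP/Kerberos users live in $external and
// carry credentials.external === true rather than SCRAM verifiers, so the raw
// filter in the Check Text would report them as false positives.

// Constructed sample of db.system.users documents (verifier fields omitted).
const sampleUsers = [
  { user: "appsvc", db: "admin",
    credentials: { "SCRAM-SHA-256": { iterationCount: 15000 } } },
  { user: "legacy", db: "admin",
    credentials: { "SCRAM-SHA-1": { iterationCount: 10000 } } },
  { user: "dba", db: "reporting",
    credentials: { "SCRAM-SHA-1": { iterationCount: 10000 },
                   "SCRAM-SHA-256": { iterationCount: 15000 } } },
  { user: "CN=svc,O=Example", db: "$external",
    credentials: { external: true } },
];

// Returns {compliant, findings, notApplicable}; each entry is {user, db}.
// A user with both SCRAM-SHA-1 and SCRAM-SHA-256 passes the check; the Fix
// Text command then drops SCRAM-SHA-1 because mechanisms lists only SHA-256.
function classifyUsers(users) {
  const result = { compliant: [], findings: [], notApplicable: [] };
  for (const u of users) {
    const creds = u.credentials || {};
    const entry = { user: u.user, db: u.db };
    if (creds.external === true) {
      result.notApplicable.push(entry);   // not password-based authentication
    } else if (creds["SCRAM-SHA-256"]) {
      result.compliant.push(entry);
    } else {
      result.findings.push(entry);        // SCRAM-SHA-1 only, or no verifier
    }
  }
  return result;
}

// Renders the Fix Text command for each finding. passwordPrompt() stays a
// literal: mongosh prompts for the new password when the command is run.
function fixCommands(findings) {
  return findings.map(({ user, db }) =>
    `db.getSiblingDB(${JSON.stringify(db)}).runCommand({ updateUser: ` +
    `${JSON.stringify(user)}, pwd: passwordPrompt(), mechanisms: ["SCRAM-SHA-256"] })`);
}

const report = classifyUsers(sampleUsers);
console.log(`Findings: ${report.findings.length}`);
fixCommands(report.findings).forEach(cmd => console.log(cmd));
```

In mongosh, replace sampleUsers with db.getSiblingDB('admin').system.users.find().toArray() to run the classification against the live user store.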