Access to database files must be limited to relevant processes and to authorized, administrative users.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-279364 | MD8X-00-005400 | SV-279364r1179259_rule | CCI-001090 | medium |
| Description | ||||
| Applications, including database management systems (DBMSs), must prevent unauthorized and unintended information transfer via shared system resources. Permitting only DBMS processes and authorized, administrative users to have access to the files where the database resides helps ensure that those files are not shared inappropriately and are not open to backdoor access and manipulation. Satisfies: SRG-APP-000243-DB-000374, SRG-APP-000243-DB-000373 | ||||
| STIG | Date | |||
| MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide | 2026-02-20 | |||
Details
Check Text (C-279364r1179259_chk)
By default, the MongoDB official installation packages restrict user and group ownership and read/write permissions on the underlying data files and critical configuration files from other operating system users.
In addition, process and memory isolation is used by default. System administrators should also consider if whole database encryption would be an effective control on an application basis.
Run the following commands to verify proper permissions for the following database files or directories:
$ stat /etc/mongod.conf
If the owner and group are not both "mongod", this is a finding.
If the file permissions are more permissive than "600", this is a finding.
$ stat /var/lib/mongo
If the owner and group are not both "mongod", this is a finding.
If the file permissions are more permissive than "755", this is a finding.
$ ls -l /var/lib/mongo
If the owner and group of any file or sub-directory is not "mongod", this is a finding.
If the permission of any file in the main directory (/var/lib/mongo) or sub-directory of (/var/lib/mongo) is more permissive than "600", this is a finding.
If the permission of any sub-directory of (/var/lib/mongo) is more permissive than "700", this is a finding.
Fix Text (F-83822r1179258_fix)
Correct the permission to the files and/or directories that are in violation.
MongoDB Configuration file (default location /etc/mongod.conf):
$ chown mongod:mongod /etc/mongod.conf
$ chmod 600 /etc/mongod.conf
MongoDB datafiles and directories (default location /var/lib/mongo):
$ chown -R mongod:mongod /var/lib/mongo
$ chmod 755 /var/lib/mongo
$ find /var/lib/mongo/* -type f | xargs chmod 600
$ find /var/lib/mongo/* -type d | xargs chmod 700