MongoDB must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-279412 | MD8X-00-014100 | SV-279412r1179403_rule | CCI-004910 | medium |

| Description |
| --- |
| A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys. |

| STIG | Date |
| --- | --- |
| MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide | 2026-02-20 |
Details
Check Text (C-279412r1179403_chk)
Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named "net.tls.CAFile".
Example shown below:
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    ocsp:
      enabled: true
      responderURL: <your organization's OCSP responder URL>
Run the following command on the file indicated by this key:
stat /etc/ssl/caToValidateClientCertificates.pem
If the output does not show file permissions of "-rw-------", this is a finding.
Fix Text (F-83870r1179402_fix)
Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named "net.tls.CAFile".
Example shown below:
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/caToValidateClientCertificates.pem
    ocsp:
      enabled: true
      responderURL: <your organization's OCSP responder URL>
Run the following command on the file indicated by this key:
chmod 600 /etc/ssl/caToValidateClientCertificates.pem
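The check and fix above as an added shell example (not part of the STIG text): it reads the net.tls.CAFile value out of mongod.conf, compares the file's mode string to -rw------- exactly as the check does, and applies chmod 600 as the fix does. The function names are mine, and the example assumes the CAFile value is written unquoted on its own line.

```shell
#!/bin/sh
# Added example, not part of the STIG text: automates the check and fix above.
# Assumes a plain-YAML mongod.conf whose CAFile value is unquoted, and a
# POSIX ls/chmod. The config path is passed in by the caller.

# Print the value of net.tls.CAFile from a mongod.conf, or nothing if absent.
cafile_path() {
    # Take the first uncommented "CAFile:" key, drop the key name, any
    # trailing inline comment and trailing whitespace.
    sed -n 's/^[[:space:]]*CAFile:[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' \
        | head -n 1
}

# Print the permission string as ls shows it, e.g. -rw-------.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Check: 0 when the CA file is -rw-------, 1 when it is not (a finding),
# 2 when the key is missing or the file does not exist (also a finding).
check_cafile() {
    path=$(cafile_path "$1")
    if [ -z "$path" ]; then
        echo "FINDING: net.tls.CAFile is not set in $1"; return 2
    fi
    if [ ! -f "$path" ]; then
        echo "FINDING: $path does not exist"; return 2
    fi
    mode=$(file_mode "$path")
    if [ "$mode" = "-rw-------" ]; then
        echo "PASS: $path is $mode"; return 0
    fi
    echo "FINDING: $path is $mode, expected -rw-------"; return 1
}

# Fix: apply mode 600 to the CA file named in the config, then re-check.
fix_cafile() {
    path=$(cafile_path "$1")
    if [ -n "$path" ] && [ -f "$path" ]; then
        chmod 600 "$path"
    fi
    check_cafile "$1"
}

# Usage: check_cafile /etc/mongod.conf   (or fix_cafile /etc/mongod.conf)
```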