MongoDB must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279412 | SRG-APP-000915-DB-000310 | MD8X-00-014100 | SV-279412r1179403_rule | 2026-02-20 | 1 |
Description
A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.
ℹ️ Check
Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named "net.tls.CAFile".
Example shown below:
net:
tls:
mode: requireTLS
certificateKeyFile: /etc/ssl/mongodb.pem
CAFile: /etc/ssl/caToValidateClientCertificates.pem
ocsp:
enabled: true
responderURL: <your organization's OCSP responder URL>
Run the following command on the file indicated by this key:
stat /etc/ssl/caToValidateClientCertificates.pem
If the output does not show file permissions of "-rw-------", this is a finding.
✔️ Fix
Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named "net.tls.CAFile".
Example shown below:
net:
tls:
mode: requireTLS
certificateKeyFile: /etc/ssl/mongodb.pem
CAFile: /etc/ssl/caToValidateClientCertificates.pem
ocsp:
enabled: true
responderURL: <your organization's OCSP responder URL>
Run the following commands on the file indicated by this key:
chmod 600 /etc/ssl/caToValidateClientCertificates.pem