MongoDB Security Audit: mongoaudit

ID N0WHERE:159714
Type n0where
Reporter N0where
Modified 2017-02-16T06:05:56


MongoDB Security Audit

mongoaudit is a CLI tool for auditing MongoDB servers, detecting poor security settings and performing automated penetration testing. It is widely known that there are quite a few holes in MongoDB’s default configuration settings. This fact, combined with abundant lazy system administrators and developers, has led to what the press has called the _ MongoDB apocalypse _ . mongoaudit not only detects misconfigurations, known vulnerabilities and bugs but also gives you advice on how to fix them, recommends best practices and teaches you how to DevOp like a pro!

Among other tests, it checks if:

  • MongoDB listens on a port different to default one
  • MongoDB HTTP status interface is disabled
  • TLS/SSL encryption is enabled
  • Authentication is enabled
  • SCRAM-SHA-1 authentication method is enabled
  • Server-side Javascript is forbidden
  • Roles granted to the user only permit CRUD operations
  • The user has permissions over a single database
  • The server is vulnerable to a dozen of different known security bugs

Installing with pip

This is the recommended installation method in case you have python and pip .

pip install mongoaudit

Alternative installer

Use this if and only if python and pip are not available on your platform.

curl -s | bash

_ works on Mac OS X, GNU/Linux and Bash for Windows 10 _

_ If you are serious about security you should always use the PIP installer or, better yet, follow best security practices: clone this repository, check the source code and only then run it with python mongoaudit . _

MongoDB Security Audit: mongoaudit

Supported tests

_ Tests marked with an asterisk ( * ) require valid authentication credentials. _

MongoDB Security Audit: mongoaudit