Tool Review: mongoaudit
For today’s post, I’m going to take a look at the tool mongoaudit, which came across my Twitter feed yesterday. It’s no secret my affinity for MongoDB and NoSQL compromises, so when I saw this auditing tool come along, I just had to check it out! Coupled with the recent onslaught on MongoDB instances, I wanted to see if this was something I’d recommend to DBAs trying to protect their data.
What is mongoaudit?
Mongoaudit is an automated command-line testing tool for MongoDB. It looks for bad security configurations, checks version information, and determines if the instance running is vulnerable to published CVEs. The tool also has a hell of a “GUI”...I’ll get to this in a second.
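To make the "bad security configuration" category concrete, here is an added example (my own illustration for this post, not code from mongoaudit or Stampery) that evaluates a parsed mongod configuration against a few well-known hardening settings and returns findings with a short explanation and a documentation link. The configuration keys (`net.bindIp`, `security.authorization`, `net.ssl.mode`/`net.tls.mode`, `security.javascriptEnabled`, `net.http.*`) are real mongod options; the minimum-version threshold, the severity labels and the sample configs are constructed for the example and are not mongoaudit's values.

```python
"""Minimal MongoDB hardening audit over a parsed mongod YAML config.

Added example for this review, not mongoaudit's code. It checks a handful
of well-known settings and returns findings in a report-style shape:
check name, severity, explanation and a reference link.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed threshold for the example only; mongoaudit's CVE checks are
# version-specific and not reproduced here.
MIN_SAFE_VERSION = (3, 4, 0)
DOCS = "https://www.mongodb.com/docs/manual/"


@dataclass
class Finding:
    check: str
    severity: str
    detail: str
    reference: str


def _get(config: dict, dotted: str, default=None):
    """Look up a dotted key such as 'net.bindIp' in a nested config dict."""
    node = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.6.12' (or '4.4.1-rc0') into a tuple that compares numerically."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def audit(config: dict, server_version: str) -> list[Finding]:
    """Return one Finding per weak or missing hardening setting."""
    findings: list[Finding] = []

    if parse_version(server_version) < MIN_SAFE_VERSION:
        findings.append(Finding("version", "high",
            f"mongod {server_version} is older than the example minimum "
            f"{'.'.join(map(str, MIN_SAFE_VERSION))}; old releases lack security fixes.",
            DOCS + "release-notes/"))

    # Before 3.6 the mongod binary listened on all interfaces unless bindIp was set.
    bind_ip = str(_get(config, "net.bindIp", "0.0.0.0"))
    addrs = [a.strip() for a in bind_ip.split(",")]
    if _get(config, "net.bindIpAll", False) or any(a in ("0.0.0.0", "::", "*") for a in addrs):
        findings.append(Finding("bind_ip", "high",
            "mongod is bound to all interfaces; restrict net.bindIp to trusted addresses.",
            DOCS + "core/security-mongodb-configuration/"))

    if _get(config, "security.authorization") != "enabled":
        findings.append(Finding("authorization", "high",
            "Access control is off; any client that can reach the port has full access.",
            DOCS + "tutorial/enable-authentication/"))

    # net.tls.mode replaced net.ssl.mode in 4.2; accept either spelling.
    tls_mode = _get(config, "net.tls.mode") or _get(config, "net.ssl.mode", "disabled")
    if tls_mode in ("disabled", "allowSSL", "allowTLS"):
        findings.append(Finding("tls", "medium",
            f"Transport encryption mode is '{tls_mode}'; credentials and data cross the wire in clear.",
            DOCS + "tutorial/configure-ssl/"))

    if _get(config, "security.javascriptEnabled", True):
        findings.append(Finding("javascript", "low",
            "Server-side JavaScript is enabled; disable it unless $where/mapReduce are required.",
            DOCS + "reference/configuration-options/"))

    if _get(config, "net.http.enabled", False) or _get(config, "net.http.RESTInterfaceEnabled", False):
        findings.append(Finding("http_interface", "medium",
            "The legacy HTTP/REST interface is enabled; it is unauthenticated and was removed in 3.6.",
            DOCS + "reference/configuration-options/"))

    return findings


# Constructed sample configs: a bare 2.6-era install and a hardened one.
WEAK_CONFIG = {"net": {"port": 27017, "http": {"RESTInterfaceEnabled": True}},
               "storage": {"dbPath": "/var/lib/mongodb"}}
HARDENED_CONFIG = {"net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5",
                           "tls": {"mode": "requireTLS"}},
                   "security": {"authorization": "enabled", "javascriptEnabled": False}}

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG, "2.6.12"):
        print(f"[{finding.severity}] {finding.check}: {finding.detail}\n    see {finding.reference}")
```

Running the block prints a finding per weak setting for the sample 2.6.12 config and nothing for the hardened one; in practice you would feed it the live values from `db.serverCmdLineOpts()` and `db.version()` rather than a hand-written dict.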
As far as testing MongoDB for vulnerabilities is concerned, I can’t say enough great things about this tool. It’s about time something came along that makes it easy for MongoDB DBAs to test and eventually protect their instances. You can find more information over at mongoaudit’s GitHub page here.
Running mongoaudit
Simple enough to install, mongoaudit only requires a few dependencies and then you’re up and running. I spawned a quick DigitalOcean droplet, installed MongoDB version 2.6.12, and was on my way.
Why version 2.6.12 you may ask? Here’s a screenshot from Shodan.io that’s about 20 minutes old as of the writing of this post:

2.6.12 is the oldest, but still Top 5, version of MongoDB out there. I wanted to test out this particular version and see just how vulnerable it may be.
Once I ran mongoaudit, I was greeted with a fairly interesting screen:

The authors have put in a nice screen asking for responsible use — applause for the effort. The authors also put a hell of a lot of time into the CLI’s material design. So technically this is still a CLI application... I think?
The next screen presents options to run either a basic or advanced test:

For my test instance, I cycled through both the Basic and Advanced options. The Advanced test allows for testing of MongoDB instances that require authentication. As of the writing of this post, there are only a handful more tests in the Advanced option, but both still look for the lowest-hanging fruit that should be patched anyway.
The next screen asks for MongoDB server information, such as IP address and port, as well as credentials if you’re running the Advanced version. The tool then moves through a series of tests, each with a supporting screen such as:

When the tool is finished, the user is presented a Results overview:

I love this! I can either view my results immediately or get them emailed to me. Also, I get a quick high-level scorecard of my MongoDB instance. Here’s the output from the emailed report:
I only have one thing to say about the resulting report: The output is fantastic. As basic as it is, some report “writers” I’ve met in my time could learn a lesson or two. The data is succinct, an explanation of the vulnerability or security concern is provided, and if available, a link on implementation. The Gist above doesn’t do the email justice, as there are embedded links inside for recommendations on various tests.
A huge thanks to the tool authors at Stampery Inc. for putting together a great tool!!
Summary
All in all, I think this is a fantastic tool that was a long time coming. I can only hope that we see similar tools for the range of NoSQL databases. Oftentimes I encounter DBAs who manage NoSQL databases and have concerns around security, but very few resources outside of manufacturer suggestions. Hopefully, tools like this help bridge that gap and bring some of these ongoing deficiencies to light.
Until tomorrow, Happy Forensicating!