Create, update, list and delete MongoDB records for authenticated scans of MongoDB instances running on Unix. Vulnerability and compliance scans are supported (using VM, PC).
- Technologies supported: MongoDB 3.x
- Unix authentication is required for compliance scans using the PC app. Make sure the IP addresses you define in your MongoDB records are also defined in Unix records.
- We strongly recommend you create one or more dedicated user accounts to be used solely by the Qualys Cloud Platform to authenticate to MongoDB instances.
Requirement - You must configure authentication credentials on target hosts.
System created authentication records supported - You can allow the system to create MongoDB authentication records for auto discovered instances and scan them. This is supported for Unix installations only. To enable this feature, you must first create MongoDB System Record Templates using the is_template input parameter and specifying login credentials.
How it works - During scanning we'll authenticate to one or more instances on a single host using all MongoDB records in your account. For compliance scans, you can scan multiple MongoDB instances on a single host and port combination.
Parameter | Required/Optional | Data Type | Description |
---|---|---|---|
action={action} | Required | String | Specify create, update, delete (using POST) or list (using GET or POST). See List Auth Records for type |
echo_request={0|1} | Optional | Integer | Specify 1 to view (echo) input parameters in the XML output. By default these are not included. |
title={value} | Required to create record | String | A title for the record. The title must be unique. Maximum 255 characters (ascii). |
comments={value} | Optional to create or update record | String | User defined comments. Maximum of 1999 characters. |
is_template={0|1} | Optional for create request, not valid for update request | Integer | By default, a new record is a regular MongoDB record. Specify 1 to create a MongoDB system record template. You must also specify login credentials, which are described below. See System created MongoDB authentication records |
status={0|1} | Optional | Integer | The record status, active or inactive. By default, a new record is set to active (1). Set to 0 for inactive record or 1 for active record. (This parameter applies to system created and user created MongoDB records. It cannot be specified for MongoDB system record templates.) |
save_as_user_auth={0|1} | Optional for update request, not valid for create request | Integer | Specify 1 to update a system created record and save it as a user created record. If another MongoDB record already exists with the same IP address and target configuration then an error will be returned. (This parameter applies only to system created MongoDB records. It cannot be specified for user created MongoDB records and it cannot be specified for MongoDB system record templates.) |
Target Hosts | |||
ips={value} | Required to create record, optional to update record | Integer | Add IP addresses of the hosts you want to scan using this record. Overwrites (replaces) the IP address(es) in the IP list for an existing authentication record. The IPs you specify are added, and any existing IPs are removed. You may enter a combination of IPs and IP ranges. |
add_ips={value} | Optional to update record | Integer | Add IP address(es) to the IP list for an existing authentication record. You may enter a combination of IPs and IP ranges. |
remove_ips={value} | Optional to update record | Integer | IPs to be removed from your record. You may enter a combination of IPs and ranges. Multiple entries are comma separated. |
network_id={value} | Optional to create or update record, and valid when the networks feature is enabled | Integer | The network ID for the record. |
MongoDB | |||
unix_conf_file={value} | Required for create request | Path | The full path to the MongoDB configuration file on your Unix assets (IP addresses). The file must be in the same location on all assets for this record. Maximum 255 characters (ascii). |
database_name={value} | Required for create request | String | The username of the account to be used for authentication to the database. If password is specified this is the username of a MongoDB account. If login_type=vault is specified, this is the username of a vault account. Maximum 255 characters (ascii). |
port={value} | Required for create request | Integer | The port where the database instance is running. Default is 27017. |
ssl_verify={0|1} | Required if ssl_verify=1 | Integer | A list of FQDNs for all host IP addresses on which a custom SSL certificate signed by a trusted root CA is installed. |
hosts={value} | Required if ssl_verify=1 | Integer | A list of FQDNs for all host IP addresses on which a custom SSL certificate signed by a trusted root CA is installed. |
Login credentials | |||
credential_type=local|external | Optional | Boolean | The credential type is local by default, which means local authentication. Set the credential type to external to use the LDAP authentication option. |
cleartext=0|1 | Optional | Integer | You must set credential_type to external to use the cleartext parameter. The default value for cleartext is 0. You must set this parameter to 1 for successful MongoDB authentication for LDAP. |
login_type={basic|vault|pkcert} | Optional | Boolean | The login type is basic by default. You can choose vault (for vault based authentication) or pkcert (for certificate based authentication). |
username={value} | Required to create record when login_type=basic or login_type=vault | String | The username of the MongoDB account to be used for authentication. Maximum 100 characters (ascii). |
password={value} | Required to create record when login_type=basic | String | The password of the MongoDB account to be used for authentication. Maximum 100 characters (ascii). |
use_ad_hashicorp{0|1} | Optional | Boolean | Use to manage the utilization of Database Secrets Engine in HashiCorp authentication records. Specify 1 to use Database Secrets Engine in the authentication records. |
Vault | |||
vault_type={value} | Required to create record when login_type=vault | Integer | The vault type to be used for authentication. |
vault_id={value} | Required to create record when login_type=vault and you want to retrieve private key from vault | Integer | The vault ID where you want to retrieve the private key from. Certain vaults support this capability. |
{vault parameters} | Required to create record when login_type=vault | Integer | Vault specific parameters required depend on the vault type you’ve selected. See Vault Parameters |
private_key_vault_id={value} | Required to create record when login_type=vault and you want to retrieve passphrase from vault | Integer | The vault ID where you want to retrieve the passphrase from. Certain vaults support this capability. |
passphrase_vault_id={value} | Required to create record when login_type=vault and you want to retrieve passphrase from vault | Integer | The vault ID where you want to retrieve the passphrase from. Certain vaults support this capability. |
private_key={value} | Required to create record when login_type=pkcert | Integer | The private key to be used for authentication. Certain vaults support this capability. |
passphrase={value} | Required to create record when login_type=pkcert and passphrase_vault_id is not specified | Integer | The private key passphrase value of an encrypted private key. Maximum 255 characters (ascii). Certain vaults support this capability. |
certificate={value} | Optional to create or update record when login_type=pkcert | Integer | The passphrase X.509 certificate content. |
require_cert={0|1} | Optional | Integer | Specify 1 to log in with certificates/private keys along with login type basic or vault. The default value is 0. |
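An added example, not part of the Qualys documentation: a pre-flight check in Python that applies the conditional rules stated in the table above (the credentials each login_type needs, hosts with ssl_verify=1, cleartext with credential_type=external, length limits) and URL-encodes the body so values containing spaces or & arrive intact. The function names are hypothetical, and it covers regular records only, not system record templates.

```python
from urllib.parse import urlencode

# Limits stated in the parameter table (characters); these three must be ASCII.
MAX_LEN = {"title": 255, "comments": 1999, "username": 100, "password": 100}
ASCII_ONLY = {"title", "username", "password"}
# Credentials the table requires at create time for each login_type.
CREATE_CREDS = {"basic": ["username", "password"],
                "vault": ["username", "vault_type"],
                "pkcert": ["private_key"]}

def check_mongodb_record(action, params):
    """Return rule violations for a create/update request; [] means none found."""
    p = {k: str(v) for k, v in params.items()}
    login = p.get("login_type", "basic")  # basic is the documented default
    errors = []
    if login not in CREATE_CREDS:
        errors.append(f"login_type={login} is not basic, vault or pkcert")
    if action == "create":
        required = ["title", "ips"] + CREATE_CREDS.get(login, [])
        errors += [f"{k} is required to create a login_type={login} record"
                   for k in required if not p.get(k)]
        if "save_as_user_auth" in p:
            errors.append("save_as_user_auth is not valid for create")
    elif action == "update" and "is_template" in p:
        errors.append("is_template is not valid for update")
    if p.get("ssl_verify") == "1" and not p.get("hosts"):
        errors.append("hosts is required when ssl_verify=1")
    if "cleartext" in p and p.get("credential_type", "local") != "external":
        errors.append("cleartext needs credential_type=external")
    for key, limit in MAX_LEN.items():
        value = p.get(key, "")
        if len(value) > limit:
            errors.append(f"{key} is longer than {limit} characters")
        if key in ASCII_ONLY and not value.isascii():
            errors.append(f"{key} must be ASCII")
    return errors

def build_body(action, params):
    """Validate, then return the URL-encoded POST body for the request."""
    errors = check_mongodb_record(action, params)
    if errors:
        raise ValueError("; ".join(errors))
    return urlencode({"action": action, **params})

if __name__ == "__main__":
    # Constructed sample reusing values from the vault request on this page.
    sample = {"title": "API-mongo-vault-CA_Access", "ips": "10.20.32.239",
              "login_type": "vault", "vault_type": "CA AccessControl",
              "vault_id": 166657, "username": "abc_user", "port": 27010}
    print(build_body("create", sample))
```

Feeding the returned body to curl on standard input (`-d @-`) instead of as a command-line argument keeps the MongoDB password out of the process list and shell history.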
When we auto discover MongoDB instances, we’ll discover the target configuration for each instance but not the login credentials. We’ve introduced a new configuration called “MongoDB authentication record template” that you’ll use to provide MongoDB login credentials for system created records. You’ll create the system record template and then select it in the option profile used for discovery scans. The template is linked automatically to the system created records created as a result of the scan.
- We’ll auto discover MongoDB instances on each scanned host and create authentication records for those instances. We support auto discovery and system record creation for MongoDB instances running on Unix platforms. Make sure you have Unix authentication records in your account for hosts running MongoDB.
- When we create MongoDB authentication records for discovered instances, we’ll insert the credentials from the MongoDB system record template you selected in the option profile.
- You can easily rotate MongoDB passwords. Simply edit the credentials in the MongoDB system record template and all MongoDB records linked to the template will be updated to use the new credentials with no additional scan or action by you.
- You can edit individual MongoDB system created records and save them as user created. This allows you to change the credentials for individual records without changing the credentials for all records associated with a template.
Here’s the basic flow for MongoDB instance discovery and auto record creation. Note - We support auto discovery and system record creation for MongoDB instances running on Unix platforms. Make sure you have Unix authentication records in your account for hosts running MongoDB.
1) Create a MongoDB system record template and enter the login credentials you want to use for system created records.
2) Select the MongoDB system record template in the compliance option profile you want to use for discovery scans.
3) Launch your discovery scan. Your scan results will list the auto discovered instances.
4) List your MongoDB authentication records. For each system created record, you’ll see the template associated with the record.
API request
curl -u "USERNAME:PASSWORD" -H "X-Requested-With: curl sample" -d "action=create&title=API-mongodb-basic-login&username=root&password=12345abc&ips=10.20.32.239&comments=mongo-basic-login&unix_conf_path=/etc/mongod3.conf&port=28020&ssl_verify=0&database_name=admin" "https://<qualys_base_url>/api/2.0/fo/auth/mongodb/" > file.xml
XML output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM "https://<qualys_base_url>/api/2.0/batch_return.dtd">
<BATCH_RETURN>
<RESPONSE>
<DATETIME>2018-04-12T22:43:27Z</DATETIME>
<BATCH_LIST>
<BATCH>
<TEXT>Successfully Created</TEXT>
<ID_SET>
<ID>125709</ID>
</ID_SET>
</BATCH>
</BATCH_LIST>
</RESPONSE>
</BATCH_RETURN>
API request
curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl Sample" -d "action=create&title=API-mongo-basic-login-with-ssl-verify1_hosts&username=mongo-admin&password=test123&ips=10.20.32.239&comments=mongobasic-login-ssl_hosts&unix_conf_path=/opt/mongodb/&port=27018&ssl_verify=1&hosts=abc123.s2012r2.lab.acme.com,abc123.s2008r2.lab.acme.com" "https://<qualys_base_url>/api/2.0/fo/auth/mongodb/" > file.xml
XML output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM
"https://<qualys_base_url>/api/2.0/batch_return.dtd">
<BATCH_RETURN>
<RESPONSE>
<DATETIME>2018-03-12T22:45:06Z</DATETIME>
<BATCH_LIST>
<BATCH>
<TEXT>Successfully Created</TEXT>
<ID_SET>
<ID>125710</ID>
</ID_SET>
</BATCH>
</BATCH_LIST>
</RESPONSE>
</BATCH_RETURN>
API request
curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl Sample" -d "action=create&title=API-mongo-vault-CA_Access&ips=10.20.32.239&comments=mongo-CA-Access-vault_login&unix_conf_path=/opt/mongodb4.conf/&port=27010&login_type=vault&vault_type=CA AccessControl&vault_id=166657&end_point_name=name&end_point_type=type&end_point_container=container&username=abc_user" "https://<qualys_base_url>/api/2.0/fo/auth/mongodb/" > file.xml
XML output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM "https://<qualys_base_url>/api/2.0/batch_return.dtd">
<BATCH_RETURN>
<RESPONSE>
<DATETIME>2018-03-12T20:11:47Z</DATETIME>
<BATCH_LIST>
<BATCH>
<TEXT>Successfully Created</TEXT>
<ID_SET>
<ID>125711</ID>
</ID_SET>
</BATCH>
</BATCH_LIST>
</RESPONSE>
</BATCH_RETURN>
API request
curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl" -X "POST" -d "action=create&title=Sample1&username=mlqa&password=12345abc&ips=10.20.32.107&comments=Creating through API v2.0&unix_conf_path=/etc/mongod3111.conf&port=28021&ssl_verify=0&database_name=admin&credential_type=external&cleartext=1" "https://<qualys_base_url>/api/2.0/fo/auth/mongodb/"
XML output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM "https://<qualys_base_url>/api/2.0/batch_return.dtd">
<BATCH_RETURN>
<RESPONSE>
<DATETIME>2020-09-08T06:15:39Z</DATETIME>
<BATCH_LIST>
<BATCH>
<TEXT>Successfully Created</TEXT>
<ID_SET>
<ID>3052106</ID>
</ID_SET>
</BATCH>
</BATCH_LIST>
</RESPONSE>
</BATCH_RETURN>
API request
curl -u "USERNAME:PASSWORD" -H "X-Requested-With: curl sample" -d "action=create&title=mongo_auth_basic_cert&username=joe_user&password=abc123&login_type=basic&ips=10.20.30.40&database_name=admin&port=27019&require_cert=1&unix_conf_path=/etc/mongod2.conf&ssl_verify=1&hosts=mlcent76mdb34.s2012r2.qualys.com" --data-urlencode "certificate=<PEM certificate content>" --data-urlencode "private_key=<PEM private key content>" "https://<qualys_base_url>/api/2.0/fo/auth/mongodb/" > file.xml
XML output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE BATCH_RETURN SYSTEM
"https://<qualys_base_url>/api/2.0/batch_return.dtd">
<BATCH_RETURN>
<RESPONSE>
<DATETIME>2022-06-23T11:15:21Z</DATETIME>
<BATCH_LIST>
<BATCH>
<TEXT>Successfully Created</TEXT>
<ID_SET>
<ID>6298437</ID>
</ID_SET>
</BATCH>
</BATCH_LIST>
</RESPONSE>
</BATCH_RETURN>
API request
curl -u "USERNAME:PASSWORD" -H "X-Requested-With: Curl Sample" -d "action=list&details=All" "https://<qualys_base_url>/api/2.0/fo/auth/mongodb/" > file.xml
XML output
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE AUTH_MONGODB_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/2.0/fo/auth/mongodb/auth_mongodb_list_output.dtd">
<AUTH_MONGODB_LIST_OUTPUT>
<RESPONSE>
<DATETIME>2017-09-12T22:42:45Z</DATETIME>
<AUTH_MONGODB_LIST>
<AUTH_MONGODB>
<ID>125693</ID>
<TITLE><![CDATA[API-mongo-basic-login]]></TITLE>
<USERNAME><![CDATA[mongo-admin-name]]></USERNAME>
<DATABASE><![CDATA[db-admin-name]]></DATABASE>
<PORT>28020</PORT>
<UNIX_CONFIGURATION_FILE><![CDATA[/opt/mongodb/updated]]></UNIX_CONFIGURATION_FILE>
<IP_SET>
<IP>10.20.32.239</IP>
</IP_SET>
<LOGIN_TYPE><![CDATA[basic]]></LOGIN_TYPE>
<NETWORK_ID>0</NETWORK_ID>
<CREATED>
<DATETIME>2017-09-12T20:22:09Z</DATETIME>
<platform API server>/api/2.0/batch_return.dtd
<platform API server>/api/2.0/fo/auth/mongodb/auth_mongodb_list_output.dtd