mongoaudit - a powerful MongoDB auditing and penetration test tool.

mongoaudit – a powerful MongoDB auditing and penetration test tool.

mongoaudit is a CLI tool for auditing MongoDB servers, detecting poor security settings and performing automated penetration testing.
* It is widely known that there are quite a few holes in MongoDB’s default configuration settings. This fact, combined with abundant lazy system administrators and developers, has led to what the press has called the MongoDB apocalypse.
* mongoaudit not only detects misconfigurations, known vulnerabilities and bugs but also gives you advice on how to fix them, recommends best practices and teaches you how to DevOp like a pro!


Support Test:
+ MongoDB listens on a port different to default one
+ Server only accepts connections from whitelisted hosts / networks
+ MongoDB HTTP status interface is not accessible on port 28017
+ MongoDB is not exposing its version number
+ MongoDB version is newer than 2.4
+ TLS/SSL encryption is enabled
+ Authentication is enabled
+ SCRAM-SHA-1 authentication method is enabled
+ Server-side Javascript is forbidden
+ Roles granted to the user only permit CRUD operations *
+ The user has permissions over a single database *
+ Security bug CVE-2015-7882
+ Security bug CVE-2015-2705
+ Security bug CVE-2014-8964
+ Security bug CVE-2015-1609
+ Security bug CVE-2014-3971
+ Security bug CVE-2014-2917
+ Security bug CVE-2013-4650
+ Security bug CVE-2013-3969
+ Security bug CVE-2012-6619
+ Security bug CVE-2013-1892
+ Security bug CVE-2013-2132