MongoDB
Description
The MongoDB connector connects to the host via SSH and uses mongosh to enumerate database users and their assigned roles from the admin database. It parses the JSON output from db.getSiblingDB('admin').getUsers() to discover all MongoDB users, their database context, and role assignments, classifying administrative roles such as root, dbAdmin, and clusterAdmin as privileged.
System Type Classification
| Field | Value |
|---|---|
| System Type | Infrastructure |
| Default Scan Priority | 200 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| SSH | 22 TCP | SSH access to the MongoDB host |
What OrbisID Discovers
| Data | Source |
|---|---|
| MongoDB users | db.getSiblingDB('admin').getUsers() via mongosh |
| Role assignments | roles array per user document |
| Database context | db field per user |
| Privileged roles | root, dbAdmin, userAdmin, clusterAdmin and variants |
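The parsing and classification step described above, as an added example (not OrbisID's own code): it takes the JSON text of `getUsers()` and flags users holding the privileged roles listed in the table. Treating the `AnyDatabase` forms as the "variants" is an assumption, and the sample output is constructed.

```javascript
// Added example, not OrbisID code. The role-matching rule is an assumption:
// "variants" of the roles the page names are taken to be the AnyDatabase
// forms (dbAdminAnyDatabase, userAdminAnyDatabase).
const PRIVILEGED_BASE = ["root", "dbAdmin", "userAdmin", "clusterAdmin"];

function isPrivilegedRole(roleName) {
  return PRIVILEGED_BASE.some(
    (base) => roleName === base || roleName === base + "AnyDatabase"
  );
}

// Parse the JSON text of getUsers() and return one record per user.
function classifyUsers(jsonText) {
  if (!jsonText || !jsonText.trim()) {
    throw new Error("empty mongosh output (auth failure or missing permissions?)");
  }
  const doc = JSON.parse(jsonText);
  const users = Array.isArray(doc.users) ? doc.users : [];
  return users.map((u) => {
    const roles = (u.roles || []).map((r) => ({
      role: r.role,
      db: r.db,
      privileged: isPrivilegedRole(r.role),
    }));
    return {
      user: u.user,
      db: u.db,
      roles,
      privileged: roles.some((r) => r.privileged),
    };
  });
}

// Constructed sample output (not captured from a real server).
const SAMPLE = JSON.stringify({
  users: [
    { _id: "admin.root", user: "root", db: "admin", roles: [{ role: "root", db: "admin" }] },
    { _id: "shop.app", user: "app", db: "shop", roles: [{ role: "readWrite", db: "shop" }] },
    { _id: "admin.orbisid-scanner", user: "orbisid-scanner", db: "admin",
      roles: [{ role: "readAnyDatabase", db: "admin" }, { role: "userAdminAnyDatabase", db: "admin" }] },
  ],
  ok: 1,
});

for (const u of classifyUsers(SAMPLE)) {
  console.log(`${u.user}@${u.db} privileged=${u.privileged}`);
}
```

Under this rule the scanner account from the configuration steps is itself reported as privileged, because `userAdminAnyDatabase` can grant roles to any user; its credential should be stored and rotated like any other admin secret.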
Connection Requirements
Required Permissions
The SSH credential must have access to a user that can run mongosh with MongoDB admin credentials.
Minimum permissions:
- SSH login access to the MongoDB server
- MongoDB user with readAnyDatabase + listUsers on the admin database
Credential Mapping
| OrbisID Field | Value |
|---|---|
| credential.username | SSH username (also used as the MongoDB admin user) |
| credential.password | SSH password (also used as the MongoDB admin password) |
| system.hostname | MongoDB server hostname or IP |
| system.sshPort | SSH port (default 22) |
| system.mongoPort | MongoDB port (default 27017) |
Network Requirements
The OrbisID server must have SSH access to the MongoDB host on port 22. MongoDB does not need to be directly accessible from the OrbisID server.
Configuration Steps
- Ensure mongosh is installed on the MongoDB host
- Create a dedicated MongoDB scanner account:

  ```javascript
  db.getSiblingDB('admin').createUser({
    user: "orbisid-scanner",
    pwd: "<password>",
    roles: [{ role: "readAnyDatabase", db: "admin" },
            { role: "userAdminAnyDatabase", db: "admin" }]
  })
  ```

- Create a Credential in OrbisID:
  - Username: SSH username (with same MongoDB credentials)
  - Password: SSH / MongoDB password
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., MongoDB – Production Cluster) |
| OS Type | Mongodb |
| System Type | Infrastructure |
| Hostname | MongoDB server hostname or IP |
| Credential | The SSH + MongoDB credential |
- Click Test Connection
- Click Save
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Authentication failed | Invalid SSH credentials | Verify SSH username and password |
| No users returned | MongoDB auth failure in mongosh | Verify the MongoDB credentials match the SSH user |
| mongosh: command not found | mongosh not installed | Install mongosh on the MongoDB host |
| Empty output | Insufficient MongoDB permissions | Grant listUsers on the admin database |