Splunk Enterprise

Risk items identified with mongodb with kvstore

anglewwb35
Explorer

We have deployed Splunk Enterprise on Huawei Cloud. After conducting baseline checking, we have discovered several risk items targeting MongoDB, as follows:

* Rule: Use a Secure TLS Version
* Rule: Disable Listening on the Unix Socket
* Rule: Set the Background Startup Mode
* Rule: Disable the HTTP Status Interface
* Rule: Configure bind_ip
* Rule: Disable Internal Command Test
* Rule: Do Not Omit Server Name Verification
* Rule: Enable the Log Appending Mode
* Rule: Restrict the Permission on the Home Directory of MongoDB
* Rule: Restrict the Permission on the Bin Directory of MongoDB
* Rule: Check the FIPS Mode Option

I have checked whether there is any related documentation, but I cannot find any. I am wondering if I should create a mongodb.conf for it. Thanks.

0 Karma
1 Solution

VatsalJagani
SplunkTrust

@anglewwb35 - Just FYI, Splunk includes MongoDB within its installation to run the KV store service for lookups.

Now, I don't recommend making any specific changes, except maybe blocking the KV store port from outside the local machine via a local firewall or cloud firewall. (Be careful when blocking the port if you are using an SH Cluster.)

* Default KVstore Port - 8191

I hope this helps!!! Kindly upvote!!!


0 Karma
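
One way to act on the firewall suggestion in the answer above, as an added example that is not part of the original posts or Splunk's own tooling: it checks `ss -ltn` output for a KV store listener on a non-loopback address and prints, without applying, iptables rules that keep port 8191 open only to loopback and named search head cluster peers. The peer addresses and the sample `ss` line are constructed, the function names are hypothetical, and it assumes SHC members must still reach each other on the KV store port.

```shell
#!/bin/sh
# Added example (not Splunk's tooling): audit and restrict the KV store port.
KVSTORE_PORT=8191   # default KV store port given in the answer above

# True only for dotted-quad IPv4 with every octet in 0..255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# Print (do not apply) iptables rules: loopback, each SHC peer, final DROP.
# Refuses to print anything if a peer address is malformed, so a typo
# cannot quietly cut a cluster member off from the KV store port.
kvstore_fw_rules() {
  for peer in "$@"; do
    valid_ipv4 "$peer" || { echo "bad peer address: $peer" >&2; return 1; }
  done
  echo "iptables -A INPUT -i lo -p tcp --dport $KVSTORE_PORT -j ACCEPT"
  for peer in "$@"; do
    echo "iptables -A INPUT -s $peer -p tcp --dport $KVSTORE_PORT -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport $KVSTORE_PORT -j DROP"
}

# Read `ss -ltn` output on stdin and print every non-loopback address the
# KV store port is listening on. Exit status 0 means at least one was found.
kvstore_exposed_listeners() {
  awk -v p=":$KVSTORE_PORT" '
    $1 == "LISTEN" && length($4) > length(p) &&
    substr($4, length($4) - length(p) + 1) == p {
      addr = substr($4, 1, length($4) - length(p))
      if (addr != "127.0.0.1" && addr != "[::1]") { print addr; found = 1 }
    }
    END { exit !found }'
}

# Constructed sample input: one exposed listener, two hypothetical SHC peers.
printf 'LISTEN 0 128 0.0.0.0:8191 0.0.0.0:*\n' | kvstore_exposed_listeners \
  && kvstore_fw_rules 10.0.0.11 10.0.0.12
```

On a live host, feed the check with `ss -ltn | kvstore_exposed_listeners` and review the printed rules against the real cluster member list before applying any of them.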

PickleRick
SplunkTrust

1. As @VatsalJagani already pointed out, MongoDB is an integral part of the Splunk distribution and Splunk relies on it to work properly. Therefore changing its configuration is not recommended, and you're very likely to cause problems if you change things without a deep understanding of their impact on the whole environment.

2. Baseline checks, vulnerability scans and such are just tools to help you assess the state of the system, not to do the job for you. They alone are not sufficient grounds for telling you what is OK and what is not. Running them blindly and following their "recommendations" without understanding the results of the performed tests and their context is not good practice.

0 Karma
