Check: MD3X-00-000040
MongoDB Enterprise Advanced 3.x STIG:
MD3X-00-000040
(in versions v2 r2 through v1 r1)
Title
MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components. (Cat II impact)
Discussion
MongoDB must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components. Satisfies: SRG-APP-000089-DB-000064, SRG-APP-000080-DB-000063, SRG-APP-000090-DB-000065, SRG-APP-000091-DB-000066, SRG-APP-000091-DB-000325, SRG-APP-000092-DB-000208, SRG-APP-000093-DB-000052, SRG-APP-000095-DB-000039, SRG-APP-000096-DB-000040, SRG-APP-000097-DB-000041, SRG-APP-000098-DB-000042, SRG-APP-000099-DB-000043, SRG-APP-000100-DB-000201, SRG-APP-000101-DB-000044, SRG-APP-000109-DB-000049, SRG-APP-000356-DB-000315, SRG-APP-000360-DB-000320, SRG-APP-000381-DB-000361, SRG-APP-000492-DB-000332, SRG-APP-000492-DB-000333, SRG-APP-000494-DB-000344, SRG-APP-000494-DB-000345, SRG-APP-000495-DB-000326, SRG-APP-000495-DB-000327, SRG-APP-000495-DB-000328, SRG-APP-000495-DB-000329, SRG-APP-000496-DB-000334, SRG-APP-000496-DB-000335, SRG-APP-000498-DB-000346, SRG-APP-000498-DB-000347, SRG-APP-000499-DB-000330, SRG-APP-000499-DB-000331, SRG-APP-000501-DB-000336, SRG-APP-000501-DB-000337, SRG-APP-000502-DB-000348, SRG-APP-000502-DB-000349, SRG-APP-000503-DB-000350, SRG-APP-000503-DB-000351, SRG-APP-000504-DB-000354, SRG-APP-000504-DB-000355, SRG-APP-000505-DB-000352, SRG-APP-000506-DB-000353, SRG-APP-000507-DB-000356, SRG-APP-000507-DB-000357, SRG-APP-000508-DB-000358, SRG-APP-000515-DB-000318
Check Content
Check the MongoDB configuration file (default location: '/etc/mongod.conf)' for a key named 'auditLog:'. Example shown below: auditLog: destination: syslog If an "auditLog:" key is not present, this is a finding indicating that auditing is not turned on. If the "auditLog:" key is present and contains a subkey of "filter:" with an associated filter value string, this is a finding. The site auditing policy must be reviewed to determine if the "filter:" being applied meets the site auditing requirements. If not, then the filter being applied will need to be modified to comply. Example show below: auditLog: destination: syslog filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
Fix Text
If the "auditLog" setting was not present in the MongoDB configuration file (default location: '/etc/mongod.conf)' edit this file and add a configured "auditLog" setting: auditLog: destination: syslog Stop/start (restart) the mongod or mongos instance using this configuration. If the "auditLog" setting was present and contained a "filter:" parameter, ensure the "filter:" expression does not prevent the auditing of events that should be audited or remove the "filter:" parameter to enable auditing all events.
Additional Identifiers
Rule ID: SV-221160r879559_rule
Vulnerability ID: V-221160
Group Title: SRG-APP-000089-DB-000064
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000130 |
The information system generates audit records containing information that establishes what type of event occurred. |
| CCI-000131 |
The information system generates audit records containing information that establishes when an event occurred. |
| CCI-000132 |
The information system generates audit records containing information that establishes where the event occurred. |
| CCI-000133 |
The information system generates audit records containing information that establishes the source of the event. |
| CCI-000134 |
The information system generates audit records containing information that establishes the outcome of the event. |
| CCI-000135 |
The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
| CCI-000140 |
The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). |
| CCI-000166 |
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. |
| CCI-000171 |
The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system. |
| CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
| CCI-001462 |
The information system provides the capability for authorized users to capture/record and log content related to a user session. |
| CCI-001464 |
The information system initiates session audits at system start-up. |
| CCI-001487 |
The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event. |
| CCI-001814 |
The Information system supports auditing of the enforcement actions. |
| CCI-001844 |
The information system provides centralized management and configuration of the content to be captured in audit records generated by organization-defined information system components. |
| CCI-001851 |
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
| CCI-001858 |
The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur. |
Controls
| Number | Title |
|---|---|
| AU-3 |
Content Of Audit Records |
| AU-3 (1) |
Additional Audit Information |
| AU-3 (2) |
Centralized Management Of Planned Audit Record Content |
| AU-4 (1) |
Transfer To Alternate Storage |
| AU-5 |
Response To Audit Processing Failures |
| AU-5 (2) |
Real-Time Alerts |
| AU-10 |
Non-Repudiation |
| AU-12 |
Audit Generation |
| AU-14 (1) |
System Start-Up |
| AU-14 (2) |
Capture/Record And Log Content |
| CM-5 (1) |
Automated Access Enforcement / Auditing |