MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.
DISA Rule
SV-96561r1_rule
Vulnerability Number
V-81847
Group Title
SRG-APP-000089-DB-000064
Rule Version
MD3X-00-000040
Severity
CAT II
CCI(s)
- CCI-000130 - The information system generates audit records containing information that establishes what type of event occurred.
- CCI-000131 - The information system generates audit records containing information that establishes when an event occurred.
- CCI-000132 - The information system generates audit records containing information that establishes where the event occurred.
- CCI-000133 - The information system generates audit records containing information that establishes the source of the event.
- CCI-000134 - The information system generates audit records containing information that establishes the outcome of the event.
- CCI-000135 - The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records.
- CCI-000140 - The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
- CCI-000166 - The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
- CCI-000171 - The information system allows organization-defined personnel or roles to select which auditable events are to be audited by specific components of the information system.
- CCI-000172 - The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
- CCI-001462 - The information system provides the capability for authorized users to capture/record and log content related to a user session.
- CCI-001464 - The information system initiates session audits at system start-up.
- CCI-001487 - The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.
- CCI-001814 - The information system supports auditing of the enforcement actions.
- CCI-001844 - The information system provides centralized management and configuration of the content to be captured in audit records generated by organization-defined information system components.
- CCI-001851 - The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited.
- CCI-001858 - The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.
Weight
10
Fix Recommendation
If the "auditLog" setting is not present in the MongoDB configuration file (default location: '/etc/mongod.conf'), edit this file and add a configured "auditLog" setting:
auditLog:
  destination: syslog
Stop/start (restart) the mongod or mongos instance using this configuration.
If the "auditLog" setting was present and contained a "filter:" parameter, ensure the "filter:" expression does not prevent the auditing of events that should be audited or remove the "filter:" parameter to enable auditing all events.
Check Contents
Check the MongoDB configuration file (default location: '/etc/mongod.conf') for a key named 'auditLog:'.
Example shown below:
auditLog:
  destination: syslog
If an "auditLog:" key is not present, this is a finding indicating that auditing is not turned on.
If the "auditLog:" key is present and contains a subkey of "filter:" with an associated filter value string, this is a finding.
The site auditing policy must be reviewed to determine if the "filter:" being applied meets the site auditing requirements. If not, then the filter being applied will need to be modified to comply.
Example shown below:
auditLog:
  destination: syslog
  filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
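The Fix Recommendation and Check Contents above describe a manual review of the 'auditLog:' block in mongod.conf. The following script is an added example (not part of the STIG) that automates the two findings named in this rule; it assumes the configuration uses unindented top-level keys with indented subkeys, one per line, and is not a full YAML parser.

```python
from typing import Optional

# Constructed sample configurations (not from a real deployment).
SAMPLE_NO_AUDIT = """\
storage:
  dbPath: /var/lib/mongo
"""

SAMPLE_AUDIT_SYSLOG = """\
storage:
  dbPath: /var/lib/mongo
auditLog:
  destination: syslog
"""

SAMPLE_AUDIT_FILTERED = """\
auditLog:
  destination: syslog
  filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
"""


def parse_audit_log(conf_text: str) -> Optional[dict]:
    """Return the subkeys under a top-level 'auditLog:' block, or None if absent.

    Assumption: top-level keys are unindented and subkeys are indented
    (line-based parse, not a general YAML parser).
    """
    block = None
    collecting = False
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank line or full-line comment
        if raw[0] not in " \t":               # a top-level key starts/ends a block
            collecting = raw.strip() == "auditLog:"
            if collecting:
                block = {}
            continue
        if collecting:
            key, _, value = raw.strip().partition(":")
            block[key.strip()] = value.strip().strip("'\"")
    return block


def check_audit_log(conf_text: str) -> list:
    """Findings per MD3X-00-000040: no auditLog key, or a filter expression to review."""
    block = parse_audit_log(conf_text)
    if block is None:
        return ["auditLog key not present: auditing is not turned on"]
    if block.get("filter"):
        return ["auditLog.filter is set (%s): review against site auditing policy"
                % block["filter"]]
    return []
```

Point the script at the real file with `check_audit_log(open('/etc/mongod.conf').read())`; an empty list means neither finding in this rule applies.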
Documentable
False
Check Content Reference
M
Target Key
3265
Comments