Detections
Analytics

MD4X-00-000100 - MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

MongoDB must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components.

Satisfies: SRG-APP-000089-DB-000064, SRG-APP-000080-DB-000063, SRG-APP-000090-DB-000065, SRG-APP-000091-DB-000066, SRG-APP-000091-DB-000325, SRG-APP-000092-DB-000208, SRG-APP-000095-DB-000039, SRG-APP-000096-DB-000040, SRG-APP-000097-DB-000041, SRG-APP-000098-DB-000042, SRG-APP-000099-DB-000043, SRG-APP-000100-DB-000201, SRG-APP-000101-DB-000044, SRG-APP-000109-DB-000049, SRG-APP-000356-DB-000315, SRG-APP-000360-DB-000320, SRG-APP-000381-DB-000361, SRG-APP-000492-DB-000332, SRG-APP-000492-DB-000333, SRG-APP-000494-DB-000344, SRG-APP-000494-DB-000345, SRG-APP-000495-DB-000326, SRG-APP-000495-DB-000327, SRG-APP-000495-DB-000328, SRG-APP-000495-DB-000329, SRG-APP-000496-DB-000334, SRG-APP-000496-DB-000335, SRG-APP-000498-DB-000346, SRG-APP-000498-DB-000347, SRG-APP-000499-DB-000330, SRG-APP-000499-DB-000331, SRG-APP-000501-DB-000336, SRG-APP-000501-DB-000337, SRG-APP-000502-DB-000348, SRG-APP-000502-DB-000349, SRG-APP-000503-DB-000350, SRG-APP-000503-DB-000351, SRG-APP-000504-DB-000354, SRG-APP-000504-DB-000355, SRG-APP-000505-DB-000352, SRG-APP-000506-DB-000353, SRG-APP-000507-DB-000356, SRG-APP-000507-DB-000357, SRG-APP-000508-DB-000358, SRG-APP-000515-DB-000318

Solution

If the auditLog setting was not present in the %MongoDB configuration file% (default location: /etc/mongod.conf) edit this file and add a configured auditLog setting:

auditLog:
 destination: file
 format: BSON
 path: /var/log/mongodb/audit/auditLog.bson

Note: The '/var/log/mongodb/audit' directory will need to be created/present or the database will not start.

Alternately, the audit logs can be written to syslog with the following setting:
auditLog:
destination: syslog

This setting will record the following operations: schema (DDL), replica set and sharded cluster and authentication and authorization.

To capture all operations in the audit, enable the audit system to log authorization successes by adding the following line to the /etc/mongod.conf file:

setParameter:
 auditAuthorizationSuccess: true

Stop/start (restart) the mongod or mongos instance using this configuration.

If the auditLog setting was present and contained a filter parameter, ensure the filter expression does not prevent the auditing of events that should be audited or remove the filter parameter to enable auditing all events.

Documentation on configuring filters can be found here:

https://docs.mongodb.com/v4.4/tutorial/configure-audit-filters/

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MDB_Enterprise_Advanced_4-x_V1R1_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000130, CCI|CCI-000131, CCI|CCI-000132, CCI|CCI-000133, CCI|CCI-000134, CCI|CCI-000135, CCI|CCI-000140, CCI|CCI-000166, CCI|CCI-000171, CCI|CCI-000172, CCI|CCI-001464, CCI|CCI-001487, CCI|CCI-001814, CCI|CCI-001844, CCI|CCI-001851, CCI|CCI-001858, Rule-ID|SV-252134r817007_rule, STIG-ID|MD4X-00-000100, Vuln-ID|V-252134

Plugin: Unix

Control ID: d85313521dd8020b26be45650beccc36a6dbc0d8ddece303ac3d6f75b299c969