UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.


Overview

Finding ID Version Rule ID IA Controls Severity
V-252134 MD4X-00-000100 SV-252134r855500_rule Medium
Description
MongoDB must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components. Satisfies: SRG-APP-000089-DB-000064, SRG-APP-000080-DB-000063, SRG-APP-000090-DB-000065, SRG-APP-000091-DB-000066, SRG-APP-000091-DB-000325, SRG-APP-000092-DB-000208, SRG-APP-000095-DB-000039, SRG-APP-000096-DB-000040, SRG-APP-000097-DB-000041, SRG-APP-000098-DB-000042, SRG-APP-000099-DB-000043, SRG-APP-000100-DB-000201, SRG-APP-000101-DB-000044, SRG-APP-000109-DB-000049, SRG-APP-000356-DB-000315, SRG-APP-000360-DB-000320, SRG-APP-000381-DB-000361, SRG-APP-000492-DB-000332, SRG-APP-000492-DB-000333, SRG-APP-000494-DB-000344, SRG-APP-000494-DB-000345, SRG-APP-000495-DB-000326, SRG-APP-000495-DB-000327, SRG-APP-000495-DB-000328, SRG-APP-000495-DB-000329, SRG-APP-000496-DB-000334, SRG-APP-000496-DB-000335, SRG-APP-000498-DB-000346, SRG-APP-000498-DB-000347, SRG-APP-000499-DB-000330, SRG-APP-000499-DB-000331, SRG-APP-000501-DB-000336, SRG-APP-000501-DB-000337, SRG-APP-000502-DB-000348, SRG-APP-000502-DB-000349, SRG-APP-000503-DB-000350, SRG-APP-000503-DB-000351, SRG-APP-000504-DB-000354, SRG-APP-000504-DB-000355, SRG-APP-000505-DB-000352, SRG-APP-000506-DB-000353, SRG-APP-000507-DB-000356, SRG-APP-000507-DB-000357, SRG-APP-000508-DB-000358, SRG-APP-000515-DB-000318
STIG Date
MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide 2022-09-12

Details

Check Text ( C-55590r855499_chk )
Check the MongoDB configuration file (default location: /etc/mongod.conf) for appropriate audit configuration keys.

Examples shown below:

auditLog:
destination: file
format: BSON
path: /var/log/mongodb/audit/auditLog.bson

-OR-

auditLog:
destination: syslog

If an auditLog key is not present, this is a finding.

If the MongoDB configuration file does not contain a setParameter option with auditAuthorizationSuccess: true, this is a finding.

Example:
setParameter:
auditAuthorizationSuccess: true

If the auditLog key is present and contains a filter subkey without an associated filter, this is a finding.

The site auditing policy must be reviewed to determine if the filter being applied meets the site auditing requirements. If not, then the filter being applied will need to be modified to comply.

Example filter shown below only audits createCollection and dropCollection:

auditLog:
destination: file
format: BSON
path: /var/log/mongodb/audit/auditLog.bson
filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }'
Fix Text (F-55540r813783_fix)
If the auditLog setting was not present in the %MongoDB configuration file% (default location: /etc/mongod.conf) edit this file and add a configured auditLog setting:

auditLog:
destination: file
format: BSON
path: /var/log/mongodb/audit/auditLog.bson

Note: The "/var/log/mongodb/audit" directory will need to be created/present or the database will not start.

Alternately, the audit logs can be written to syslog with the following setting:
auditLog:
destination: syslog

This setting will record the following operations: schema (DDL), replica set and sharded cluster and authentication and authorization.

To capture all operations in the audit, enable the audit system to log authorization successes by adding the following line to the /etc/mongod.conf file:

setParameter:
auditAuthorizationSuccess: true

Stop/start (restart) the mongod or mongos instance using this configuration.

If the auditLog setting was present and contained a filter parameter, ensure the filter expression does not prevent the auditing of events that should be audited or remove the filter parameter to enable auditing all events.

Documentation on configuring filters can be found here:

https://docs.mongodb.com/v4.4/tutorial/configure-audit-filters/