Rule ID
SV-279376r1179479_rule
Version
V1R1
CCIs
Organizations are required to use a central log management system, so, under normal conditions, the audit space allocated to the database management system (DBMS) on its own server will not be an issue. However, space will still be required on the DBMS server for audit records in transit, and, under abnormal conditions, this could fill up. Since a requirement exists to halt processing upon audit failure, a service outage would result. If support personnel are not notified immediately upon storage volume utilization reaching 75 percent, they are unable to plan for storage capacity expansion. The appropriate support staff include, at a minimum, the information system security officer (ISSO) and the database administrator (DBA)/system administrator (SA).
Verify auditing is enabled in the mongodb configuration file (default location /etc/mongod.conf) and view the "auditlog.path" to identify the storage volume. Verify OS or other organization approved third-party monitoring software is installed. Verify the required alert in the monitoring software is set to send when storage volume holding the auditLog file utilization reaches 75 percent. If appropriate support staff are not notified immediately upon storage volume utilization reaching 75 percent, this is a finding.
View the mongodb configuration file (default location /etc/mongod.conf) and view the "auditlog.path" to identify the storage volume. Install OS or other organization-approved third-party monitoring software. Configure the required alert in the monitoring software to send an alert when storage volume holding the auditLog file utilization reaches 75 percent.