Rule ID: SV-279336r1179505_rule
Version: V1R1
If audit data were to become compromised, competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized deletion.

This requirement can be achieved through multiple methods, which depend upon system architecture and design. Some commonly employed methods include ensuring log files enjoy the proper file system permissions using file system protections; restricting access; and backing up log data to ensure log data is retained. Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order to make access decisions regarding the deletion of audit data.

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Deletion of database audit data could mask the theft of, or the unauthorized modification of, sensitive data stored in the database.

Satisfies: SRG-APP-000120-DB-000061, SRG-APP-000118-DB-000059, SRG-APP-000119-DB-000060
MongoDB must not permit access to its audit logs by unprivileged users. The official installation packages restrict which operating system users and groups may read or modify files. The audit log destination is not configured or created at installation time; it must be created manually, with ownership and permissions set to the MongoDB user and MongoDB group.

Check the MongoDB configuration file (default location /etc/mongod.conf) for a key named "auditLog:" with "destination" set to "file". Example:

    auditLog:
      destination: file
      format: BSON
      path: <MongoDB auditLog directory>/auditLog.bson

If "auditLog" does not exist, this is a finding.

If auditLog.destination is "file" in the MongoDB configuration file (default location /etc/mongod.conf), check the ownership and permissions of the MongoDB auditLog directory. Verify user ownership, group ownership, and permissions on the "<MongoDB auditLog directory>":

    $ stat <MongoDB auditLog directory>

If the user owner is not "mongod", this is a finding.
If the group owner is not "mongod", this is a finding.
If the directory is more permissive than "600", this is a finding.

To find the auditLog directory name, search the MongoDB configuration file (default location /etc/mongod.conf) for the auditLog.destination entry. If this parameter's value is "file", use the directory portion of the auditLog.path setting as the MongoDB auditLog directory location.
Example:

    auditLog:
      destination: file
      format: BSON
      path: /var/log/mongodb/audit/auditLog.bson

Given the example above, to find the auditLog directory ownership and permissions, run the following command:

    > stat /var/log/mongodb/audit

The output will look similar to the following:

      File: '/var/log/mongodb/audit'
      Size: 48          Blocks: 0          IO Block: 4096   directory
    Device: 808h/2056d  Inode: 245178      Links: 2
    Access: (0600/drw-------)  Uid: (  997/  mongod)   Gid: (  996/  mongod)
    Context: unconfined_u:object_r:mongod_log_t:s0
    Access: 2020-03-16 12:51:16.816000000 -0400
    Modify: 2020-03-16 12:50:48.722000000 -0400
    Change: 2020-03-16 12:50:48.722000000 -0400
     Birth: -
It is recommended to use the official installation packages provided by MongoDB. In the event the software was installed manually and permissions need to be restricted, consider a clean reinstallation.

To correct a finding where auditLog.destination is set to "file", run these commands:

    $ chown mongod <MongoDB auditLog directory>
    $ chgrp mongod <MongoDB auditLog directory>
    $ chmod 600 <MongoDB auditLog directory>

The path for the MongoDB auditLog directory will vary according to local circumstances. The auditLog directory will be found in the MongoDB configuration file, whose default location is /etc/mongod.conf. To find the auditLog directory name, search the MongoDB configuration file for the auditLog.path entry. Example:

    auditLog:
      destination: file
      format: BSON
      path: /var/log/mongodb/audit/auditLog.bson

Given the example above, the "MongoDB auditLog directory" is "/var/log/mongodb/audit".
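The check and fix described above, automated as an added example script (not part of the STIG or of MongoDB's own tooling). It assumes Linux with GNU coreutils stat and awk, a mongod.conf whose auditLog block is laid out like the STIG's YAML examples, and the MongoDB user and group both named mongod (override with MONGO_USER and MONGO_GROUP):

```shell
#!/bin/sh
# Added example, not part of the STIG: automate the audit-directory check and
# fix on Linux. Assumes GNU stat (-c) and awk, and a mongod.conf whose
# auditLog block uses the two-space YAML layout shown in the STIG examples.
MONGO_USER="${MONGO_USER:-mongod}"
MONGO_GROUP="${MONGO_GROUP:-mongod}"

# Print the directory portion of auditLog.path and return 0, or return 1 when
# auditLog.destination is not "file" (or no path is set). Minimal YAML reading:
# only the destination: and path: keys under the top-level auditLog: key.
audit_log_dir() {
  _path=$(awk '
    /^[^ \t#]/ { section = $1 }     # top-level key, e.g. "auditLog:"
    section == "auditLog:" && $1 == "destination:" { dest = $2 }
    section == "auditLog:" && $1 == "path:"        { path = $2 }
    END { gsub(/"/, "", path); if (dest == "file") print path }
  ' "$1")
  [ -n "$_path" ] && dirname "$_path"
}

# "Not more permissive than 600": owner may have read/write only (0, 2, 4, 6),
# group and other get nothing, and no setuid/setgid/sticky digit is present.
mode_ok() {
  case "$1" in
    [0246]00) return 0 ;;
    *)        return 1 ;;
  esac
}

# Run the STIG check against one config file; print each finding and return
# non-zero if any is present. stat prints: owner, group, octal mode.
check_audit_dir() {
  dir=$(audit_log_dir "$1") || { echo "FINDING: auditLog.destination is not file (or no path) in $1"; return 1; }
  info=$(stat -c '%U %G %a' "$dir" 2>/dev/null) || { echo "FINDING: cannot stat $dir"; return 1; }
  set -- $info
  owner=$1; group=$2; mode=$3; status=0
  [ "$owner" = "$MONGO_USER" ]  || { echo "FINDING: $dir owner is $owner, expected $MONGO_USER"; status=1; }
  [ "$group" = "$MONGO_GROUP" ] || { echo "FINDING: $dir group is $group, expected $MONGO_GROUP"; status=1; }
  mode_ok "$mode" || { echo "FINDING: $dir mode is $mode, more permissive than 600"; status=1; }
  [ "$status" -eq 0 ] && echo "OK: $dir is $owner:$group mode $mode"
  return "$status"
}

# Apply the STIG fix (chown, chgrp, chmod 600) to the directory named in the config.
fix_audit_dir() {
  dir=$(audit_log_dir "$1") || return 1
  chown "$MONGO_USER" "$dir" && chgrp "$MONGO_GROUP" "$dir" && chmod 600 "$dir"
}
```

Run it as root on the database host with the real config, e.g. `check_audit_dir /etc/mongod.conf`; the fix function only touches the directory itself, so re-run the check afterwards to confirm.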