5.1 Ensure that system activity is audited

Information

Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (e.g. user operations, connection events) on a MongoDB instance. These audit records permit forensic analysis and allow administrators to verify proper controls.

Rationale:

System level logs can be handy while troubleshooting an operational problem or handling a security incident.

Solution

Set the value of auditLog.destination to the appropriate value from the following options:
syslog
To enable auditing and print audit events to syslog

mongod --dbpath data/db --auditDestination syslog

console
To enable auditing and print audit events to standard output (i.e., stdout)

mongod --dbpath data/db --auditDestination console

Json File
To enable auditing and print audit events to a file in JSON format. Printing audit events to file in JSON format degrades server performance more than printing to a file in BSON format.

mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json

Bson File
To enable auditing and print audit events to a file in BSON binary format

mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson

Default Value:

Not configured

See Also

https://workbench.cisecurity.org/files/3463

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-12, CSCv7|6.2, CSCv7|6.3

Plugin: Windows

Control ID: 2228f0a76ea43f05d5fd46721abb4d008b958d69a074d06b816a2b40a05bb212