MongoDB must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to MongoDB.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-265910	SRG-APP-000133-DB-000179	MD7X-00-002600	SV-265910r1028793_rule	2024-09-27	1

Description
If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.

Description

If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.

ℹ️ Check
Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files occurs. Verify the list of files, directories, and database application objects (procedures, functions, and triggers) being monitored is complete. There are many possible options to monitor the database. The most common are making use of a monitoring tool or running a script periodically. If a monitoring tool is actively being used to monitor the database and there is proof of the tool being active, this is not a finding. Where monitoring is implemented by a scheduled or on-demand running of a Bash shell script to check the current SHA-256 checksum of the MongoDB files with the original SHA-256 Checksum after installation and configuration. Run the following shell script "check_mongodb_256sha_hashes.sh" from its containing Linux directory as a system administrator. $ ./check_mongodb_256sha_hashes.sh If the output is not the following, this is a finding: "No changes detected in the monitored files." The shell script file "check_mongodb_2456sha_hashes.sh" is as follows: # filename: check_mongodb_256sha_hashes.sh #!/bin/bash # Function to compute SHA-256 hash of the specified file file_hash() { sha256sum "$1" \| awk '{print $1}' } # Function to check the list of files for any changes based on their SHA-256 hashes check_files() { local changed=0 declare -A stored_hashes # Try to load last known hashes if [ -f file_hashes.txt ]; then while IFS=: read -r file hash; do stored_hashes["$file"]=$hash done < file_hashes.txt fi # Check each file's hash against stored hashes for file in "$@"; do if [ -f "$file" ]; then current_hash=$(file_hash "$file") if [[ "${stored_hashes[$file]}" != "$current_hash" ]]; then if [[ -n "${stored_hashes[$file]}" ]]; then echo "Change detected in $file" else echo "New file added or first time hashing: $file" fi changed=1 stored_hashes["$file"]=$current_hash fi else echo "Warning: $file does not exist." fi done # Save the updated hashes > file_hashes.txt for file in "${!stored_hashes[@]}"; do echo "$file:${stored_hashes[$file]}" >> file_hashes.txt done if [ "$changed" -eq 0 ]; then echo "No changes detected in the monitored files." fi } # List of files to monitor files_to_check=( "/etc/mongod.conf" "/usr/bin/mongod" "/usr/bin/mongos" "/usr/bin/mongosh" "/usr/bin/mongocryptd" "/usr/bin/mongodecrypt" "/usr/bin/mongodump" "/usr/bin/mongoexport" "/usr/bin/mongofiles" "/usr/bin/mongoimport" "/usr/bin/mongokerberos" "/usr/bin/mongoldap" "/usr/bin/mongorestore" "/usr/bin/mongostat" "/usr/bin/mongotop" ) # Invoke check_files function with the list of files check_files "${files_to_check[@]}"

ℹ️ Check

Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files occurs. Verify the list of files, directories, and database application objects (procedures, functions, and triggers) being monitored is complete. There are many possible options to monitor the database. The most common are making use of a monitoring tool or running a script periodically. If a monitoring tool is actively being used to monitor the database and there is proof of the tool being active, this is not a finding. Where monitoring is implemented by a scheduled or on-demand running of a Bash shell script to check the current SHA-256 checksum of the MongoDB files with the original SHA-256 Checksum after installation and configuration. Run the following shell script "check_mongodb_256sha_hashes.sh" from its containing Linux directory as a system administrator. $ ./check_mongodb_256sha_hashes.sh If the output is not the following, this is a finding: "No changes detected in the monitored files." The shell script file "check_mongodb_2456sha_hashes.sh" is as follows: # filename: check_mongodb_256sha_hashes.sh #!/bin/bash # Function to compute SHA-256 hash of the specified file file_hash() { sha256sum "$1" | awk '{print $1}' } # Function to check the list of files for any changes based on their SHA-256 hashes check_files() { local changed=0 declare -A stored_hashes # Try to load last known hashes if [ -f file_hashes.txt ]; then while IFS=: read -r file hash; do stored_hashes["$file"]=$hash done < file_hashes.txt fi # Check each file's hash against stored hashes for file in "$@"; do if [ -f "$file" ]; then current_hash=$(file_hash "$file") if [[ "${stored_hashes[$file]}" != "$current_hash" ]]; then if [[ -n "${stored_hashes[$file]}" ]]; then echo "Change detected in $file" else echo "New file added or first time hashing: $file" fi changed=1 stored_hashes["$file"]=$current_hash fi else echo "Warning: $file does not exist." fi done # Save the updated hashes > file_hashes.txt for file in "${!stored_hashes[@]}"; do echo "$file:${stored_hashes[$file]}" >> file_hashes.txt done if [ "$changed" -eq 0 ]; then echo "No changes detected in the monitored files." fi } # List of files to monitor files_to_check=( "/etc/mongod.conf" "/usr/bin/mongod" "/usr/bin/mongos" "/usr/bin/mongosh" "/usr/bin/mongocryptd" "/usr/bin/mongodecrypt" "/usr/bin/mongodump" "/usr/bin/mongoexport" "/usr/bin/mongofiles" "/usr/bin/mongoimport" "/usr/bin/mongokerberos" "/usr/bin/mongoldap" "/usr/bin/mongorestore" "/usr/bin/mongostat" "/usr/bin/mongotop" ) # Invoke check_files function with the list of files check_files "${files_to_check[@]}"

✔️ Fix
Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement. Examples of such products are Puppet, Chef, or Ansible. Alternately, scripts can also be written to inspect the database software libraries, related applications, and configuration files to detect changes and to take appropriate actions or notifications if changes are detected. Use file hashes or checksums for comparisons, as file dates may be manipulated by malicious users. For example, if the running of the monitoring shell script "check_mongodb_256sha_hashes.sh" shown in the "Check" returned the following: $ ./check_mongodb_256sha_hashes.sh "Change detected in /etc/mongod.conf" For each file in which a change has been detected, investigate the possible causes of the change for that file. In this case, inspect the "/etc/mongod.conf" file for changes in its content.

✔️ Fix

Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement. Examples of such products are Puppet, Chef, or Ansible. Alternately, scripts can also be written to inspect the database software libraries, related applications, and configuration files to detect changes and to take appropriate actions or notifications if changes are detected. Use file hashes or checksums for comparisons, as file dates may be manipulated by malicious users. For example, if the running of the monitoring shell script "check_mongodb_256sha_hashes.sh" shown in the "Check" returned the following: $ ./check_mongodb_256sha_hashes.sh "Change detected in /etc/mongod.conf" For each file in which a change has been detected, investigate the possible causes of the change for that file. In this case, inspect the "/etc/mongod.conf" file for changes in its content.