[SERVER-11028] shutdown on Audit failure Created: 03/Oct/13  Updated: 10/Jun/22  Resolved: 25/Nov/13

Status: Closed
Project: Core Server
Component/s: Logging, Security
Affects Version/s: None
Fix Version/s: 2.5.5

Type: Improvement Priority: Major - P3
Reporter: Will LaForest Assignee: Eric Milkie
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File mongod.log.gz    
Issue Links:
Depends
depends on SERVER-1891 Audit "DDL" operations Closed
Related
related to SERVER-22749 Better error logging for failures whe... Backlog
is related to SERVER-13746 mongod doesn't shut down when it can'... Closed

 Description   

Assuming the completion of SERVER-1891.

We should make it possible to configure MongoDB to shut down automatically should there be a failure in the auditing system. In many organizations that require auditing for legal or compliance reasons this is a requirement. An example is the DISA STIG:

Rule Title:  The DBMS must shutdown immediately in the event of an audit failure, unless an alternative audit capability exists.
 

STIG ID: SRG-APP-000107-DB-000169  

Severity: CAT II 
 
Discussion: 
It is critical, when a system is at risk of failing, to process audit logs as required, if the system were to continue processing without auditing enabled, actions can be taken on the system that cannot be tracked and recorded for later forensic analysis.

Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.  

In many system configurations, the disk space allocated to the auditing system is separate from the disks allocated for the operating system; therefore, this may not result in a system outage. This forces the application to detect and take actions.

A failure of database auditing will result in either the database continuing to function without auditing or in a complete halt to database operations. In this case the database must cease processing immediately in order to not allow unlogged transaction to occur.


 
Content: 
Review DBMS settings and vendor documentation to determine whether the system will shutdown in the event of an audit failure. If the system is not configured to shut down in the event of an audit failure, this is a finding.


 
Fix Text: 
Modify DBMS settings to immediately shutdown the database in the event of an audit failure.


 
CCI: CCI-001343
The information system invokes a system shutdown in the event of an audit failure, unless an alternative audit capability exists.

 
SRG-APP-000107-DB-000169



 Comments   
Comment by Eric Milkie [ 25/Nov/13 ]

Auditing now aborts the process if there is a [detectable] failure writing to the audit log.
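
An added illustration of the fail-closed behaviour described in this comment, not code from MongoDB or the linked commits: each audit record is written and synced, and the process aborts on the first error the operating system reports. The function names, the sample record and the `/tmp` path are assumptions made for the example.

```cpp
// Added example, not MongoDB source. All names here are hypothetical.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <fcntl.h>
#include <unistd.h>

// Append one record and force it to stable storage.
// Returns 0 on success, otherwise the errno of the first failing step.
int appendAuditRecord(int fd, const std::string& record) {
    const char* p = record.data();
    size_t left = record.size();
    while (left > 0) {
        ssize_t n = ::write(fd, p, left);
        if (n < 0 && errno == EINTR) continue;  // interrupted, retry
        if (n < 0) return errno;                // e.g. ENOSPC, EIO, EBADF
        if (n == 0) return EIO;                 // no progress: treat as failure
        p += n;
        left -= static_cast<size_t>(n);
    }
    // write() can succeed into the page cache and the error only surface
    // later, so the record does not count as written until fsync() returns 0.
    if (::fsync(fd) != 0) return errno;
    return 0;
}

// Fail closed: if the record cannot be persisted, stop the process rather
// than continue serving operations that would go unaudited.
void auditOrAbort(int fd, const std::string& record) {
    const int err = appendAuditRecord(fd, record);
    if (err != 0) {
        std::fprintf(stderr, "audit log write failed: %s\n", std::strerror(err));
        std::abort();
    }
}

int main() {
    // Constructed record and placeholder path, for demonstration only.
    int fd = ::open("/tmp/audit_demo.log", O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0) { std::perror("open"); return 1; }
    auditOrAbort(fd, "{\"atype\":\"constructed-sample\"}\n");
    ::close(fd);
    return 0;
}
```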

Comment by Githook User [ 25/Nov/13 ]

Author: Eric Milkie (username: milkie, email: milkie@10gen.com)

Message: SERVER-11028 change audit code to abort on failure
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/7eae3fa52b0c73e74bd56e2faffb716db6e2d369

Comment by Githook User [ 25/Nov/13 ]

Author: Eric Milkie (username: milkie, email: milkie@10gen.com)

Message: SERVER-11028 new abortOnFailure property of log domains
Branch: master
https://github.com/mongodb/mongo/commit/7fdecdbe6901c23faf9febd1d52368218375877f

Comment by Eric Milkie [ 14/Nov/13 ]

If the server shuts down upon auditing failure, it follows that one could set up an alert when this happens. Server monitoring would be advisable whether you are using auditing or not, so I imagine that users will typically already have this working.

Comment by Mark Helmstetter [ 14/Nov/13 ]

There is another requirement in the DISA STIG that there is an "alert" when there is an audit processing failure. Is there some way that we can also satisfy this requirement? Send an SNMP trap? Attempt to log in the system log or mongodb log?

SRG-APP-000108-DB-000048
The DBMS must alert designated organizational officials in the event of an audit processing failure.

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include: software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. A failure of database auditing will result in either the database continuing to function without auditing or in a complete halt to database operations. When audit processing fails, appropriate personnel must be alerted immediately to avoid further downtime or unaudited transactions.
