V-265910

Discussion

If the system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. Accordingly, only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Unmanaged changes that occur to the database software libraries or configuration can lead to unauthorized or compromised installations.

Check Content

Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files occurs.

Verify the list of files, directories, and database application objects (procedures, functions, and triggers) being monitored is complete.

There are many possible options to monitor the database. The most common are making use of a monitoring tool or running a script periodically.

If a monitoring tool is actively being used to monitor the database and there is proof of the tool being active, this is not a finding.

Where monitoring is implemented by a scheduled or on-demand running of a Bash shell script to check the current SHA-256 checksum of the MongoDB files with the original SHA-256 Checksum after installation and configuration.

Run the following shell script "check_mongodb_256sha_hashes.sh" from its containing Linux directory as a system administrator.

$ ./check_mongodb_256sha_hashes.sh

If the output is not the following, this is a finding:

"No changes detected in the monitored files."

The shell script file "check_mongodb_2456sha_hashes.sh" is as follows:

# filename: check_mongodb_256sha_hashes.sh
#!/bin/bash

# Function to compute SHA-256 hash of the specified file
file_hash() {
    sha256sum "$1" | awk '{print $1}'
}

# Function to check the list of files for any changes based on their SHA-256 hashes
check_files() {
    local changed=0
    declare -A stored_hashes

    # Try to load last known hashes
    if [ -f file_hashes.txt ]; then
        while IFS=: read -r file hash; do
            stored_hashes["$file"]=$hash
        done < file_hashes.txt
    fi

    # Check each file's hash against stored hashes
    for file in "$@"; do
        if [ -f "$file" ]; then
            current_hash=$(file_hash "$file")
            if [[ "${stored_hashes[$file]}" != "$current_hash" ]]; then
                if [[ -n "${stored_hashes[$file]}" ]]; then
                    echo "Change detected in $file"
                else
                    echo "New file added or first time hashing: $file"
                fi
                changed=1
                stored_hashes["$file"]=$current_hash
            fi
        else
            echo "Warning: $file does not exist."
        fi
    done

    # Save the updated hashes
    > file_hashes.txt
    for file in "${!stored_hashes[@]}"; do
        echo "$file:${stored_hashes[$file]}" >> file_hashes.txt
    done

    if [ "$changed" -eq 0 ]; then
        echo "No changes detected in the monitored files."
    fi
}

# List of files to monitor
files_to_check=(
    "/etc/mongod.conf"
    "/usr/bin/mongod"
    "/usr/bin/mongos"
    "/usr/bin/mongosh"
    "/usr/bin/mongocryptd"
    "/usr/bin/mongodecrypt"
    "/usr/bin/mongodump"
    "/usr/bin/mongoexport"
    "/usr/bin/mongofiles"
    "/usr/bin/mongoimport"
    "/usr/bin/mongokerberos"
    "/usr/bin/mongoldap"
    "/usr/bin/mongorestore"
    "/usr/bin/mongostat"
    "/usr/bin/mongotop"
)

# Invoke check_files function with the list of files
check_files "${files_to_check[@]}"