Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-36172

Audit logging for replSetConfigure actions

    • Type: Icon: Improvement Improvement
    • Resolution: Duplicate
    • Priority: Icon: Minor - P4 Minor - P4
    • None
    • Affects Version/s: None
    • Component/s: Security
    • None

      Hi Security dev team!

      I was configuring auditing at my new workplace. The basic idea is:

      auditLog: 
         destination: file
         format: JSON
         path: /tmp/audit.json
         filter: '{atype: {$in: [
                     "authenticate", "authCheck", 
                     "renameCollection", "dropCollection", "dropDatabase", 
                     "createUser", "dropUser", "dropAllUsersFromDatabase", "updateuser", 
                     "grantRolesToUser", "revokeRolesFromUser", "createRole", "updateRole", 
                     "dropRole", "dropAllRolesFromDatabase", "grantRolesToRole", "revokeRolesFromRole", 
                     "grantPrivilegesToRole", "revokePrivilegesFromRole", 
                     "enableSharding", "shardCollection", "addShard", "removeShard", 
                     "shutdown", 
                     "applicationMessage"
                 ]}}'
      

      Whilst I was doing this I realized for the first time there is no auditing for replSetConfigure actions. So a Naughty DBA could for example execute start a node on their desktop or some useful computer, then rs.add('my_desktop_fqdn:27017'), sync, then 'rs.remove('my_desktop_fqdn:27017'), and they'd have a copy of the data directory without anything appearing in the audit log. It would be in the normal logs, but that's not as hard to cover up.

      I couldn't find any existing JIRA tickets that mention this, now that I'm logged in as a public user.

      Is there any reason that auditing replSetConfigure actions has been excluded? If not I'd like to request this as an enhancement. (Ideally backported to 3.6 too.)

      Cheers from Tokyo,

      Akira

            Assignee:
            backlog-server-platform DO NOT USE - Backlog - Platform Team
            Reporter:
            akira.kurogane@gmail.com 章 黒鉄
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: