Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-37159

Log redaction should not be applied to the internal commands

    • Type: Icon: Improvement Improvement
    • Resolution: Unresolved
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 3.2.17, 3.6.10
    • Component/s: Diagnostics, Logging
    • Server Security

      At present, log redaction, if enabled will obfuscate the context of internal commands such as serverStatus, repSetRequestVotes and others:

      "example"
      2018-09-06T00:24:40.439+0000 I COMMAND  [conn251824] command admin.$cmd command: serverStatus { serverStatus: "###", advisoryHostFQDNs: "###", locks: "###", recordStats: "###", oplog: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:30747 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 257800 } } } protocol:op_query 258ms
      2018-09-06T00:24:41.916+0000 I COMMAND  [conn251838] command local.oplog.rs command: serverStatus { serverStatus: "###", oplog: "###", tcmalloc: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:31169 locks:{ Global: { acquireCount: { r: 4 }, acquireWaitCount: { r: 2 }, timeAcquiringMicros: { r: 112077 } }, Database: { acquireCount: { r: 1 } }, oplog: { acquireCount: { r: 1 } } } protocol:op_query 145ms
      
      2018-09-06T00:27:12.325+0000 I COMMAND  [conn258969] command local.replset.election command: replSetRequestVotes { replSetRequestVotes: "###", setName: "###", dryRun: "###", term: "###", candidateIndex: "###", configVersion: "###", lastCommittedOp: { ts: "###", t: "###" }, $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:63 locks:{ Global: { acquireCount: { r: 3, w: 1 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 15506 } }, Database: { acquireCount: { r: 1, W: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_msg 2155ms
      
      2018-09-06T00:26:04.124+0000 I COMMAND  [conn13513] command local.oplog.rs command: collStats { collstats: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:7095 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 226736 } }, Database: { acquireCount: { r: 1 } }, oplog: { acquireCount: { r: 1 } } } protocol:op_query 227ms
      
      2018-09-06T00:07:16.791+0000 I COMMAND  [conn15543] command admin.system.users command: saslStart { saslStart: "###", mechanism: "###", payload: "###", $db: "###" } numYields:0 reslen:155 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 1360894 } }, Database: { acquireCount: { r: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_query 1364ms
      
      2018-09-06T00:07:18.315+0000 I COMMAND  [conn15543] command admin.system.users command: saslContinue { saslContinue: "###", conversationId: "###", mechanism: "###", payload: "###", $db: "###" } numYields:0 reslen:78 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 1370885 } }, Database: { acquireCount: { r: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_query 1371ms
      
      2018-09-06T00:08:44.730+0000 I COMMAND  [conn15543] command admin.$cmd command: listDatabases { listDatabases: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:281 locks:{ Global: { acquireCount: { r: 10 }, acquireWaitCount: { r: 2 }, timeAcquiringMicros: { r: 2710522 } }, Database: { acquireCount: { r: 4 } } } protocol:op_query 2711ms
      
      2018-09-06T00:22:41.772+0000 I COMMAND  [conn14] command admin.$cmd command: replSetHeartbeat { replSetHeartbeat: "###", configVersion: "###", from: "###", fromId: "###", term: "###", $replData: "###", $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:406 locks:{} protocol:op_msg 588ms
      
      2018-09-06T00:21:09.058+0000 I COMMAND  [conn460078] command admin.$cmd command: replSetUpdatePosition { replSetUpdatePosition: "###", optimes: [ { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" } ], $replData: { term: "###", lastOpCommitted: { ts: "###", t: "###" }, lastOpVisible: { ts: "###", t: "###" }, configVersion: "###", replicaSetId: "###", primaryIndex: "###", syncSourceIndex: "###" }, $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:228 locks:{} protocol:op_msg 2550ms
      

      These log messages could not possibly contain PII data and therefore should not be redacted. Needless to say, that obfuscating these logs messages makes diagnostics harder.

            Assignee:
            backlog-server-security [DO NOT USE] Backlog - Security Team
            Reporter:
            dmitry.ryabtsev@mongodb.com Dmitry Ryabtsev
            Votes:
            0 Vote for this issue
            Watchers:
            16 Start watching this issue

              Created:
              Updated: