Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-60230

MongoDB aduit filter for drop collection can be bypassed

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Duplicate
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 4.4.1
    • Component/s: None
    • ALL
    • Hide

      1. Specify the filter in mongodB cofiguration file.
      filter: '{ atype:

      { $in: [ "createCollection", "dropCollection" ] }

      }'

      2.Open a session, watch for any audit log change:
      tail -f auditLog.bson

      3.Open another session and login as root
      mongo admin -u admin -p 123456

      4. Add a new database test
      MongoDB Enterprise > use test
      switched to db test

      5. Create a collection, as you can see, the audit log will have the relevant entry.
      MongoDB Enterprise > db.t1.insert({name:'david'})
      WriteResult({ "nInserted" : 1 })

      6. Drop a collection, the audit filter also works well.
      db.t1.drop()
      true

      7. Create the collection again
      MongoDB Enterprise > db.t1.insert({name:'david'})
      WriteResult({ "nInserted" : 1 })

      8.Show Collections
      MongoDB Enterprise > show collections
      t1

      9. Drop database test
      MongoDB Enterprise > db.dropDatabase()

      { "dropped" : "test", "ok" : 1 }

      10.
      MongoDB Enterprise > db.getName()
      test

      11.Show Collections
      MongoDB Enterprise > show collections

      As you can see, after dropping the database, the collection is removed cascadingly without leave any audit entry.

      Show
      1. Specify the filter in mongodB cofiguration file. filter: '{ atype: { $in: [ "createCollection", "dropCollection" ] } }' 2.Open a session, watch for any audit log change: tail -f auditLog.bson 3.Open another session and login as root mongo admin -u admin -p 123456 4. Add a new database test MongoDB Enterprise > use test switched to db test 5. Create a collection, as you can see, the audit log will have the relevant entry. MongoDB Enterprise > db.t1.insert({name:'david'}) WriteResult({ "nInserted" : 1 }) 6. Drop a collection, the audit filter also works well. db.t1.drop() true 7. Create the collection again MongoDB Enterprise > db.t1.insert({name:'david'}) WriteResult({ "nInserted" : 1 }) 8.Show Collections MongoDB Enterprise > show collections t1 9. Drop database test MongoDB Enterprise > db.dropDatabase() { "dropped" : "test", "ok" : 1 } 10. MongoDB Enterprise > db.getName() test 11.Show Collections MongoDB Enterprise > show collections As you can see, after dropping the database, the collection is removed cascadingly without leave any audit entry.

      MongoDB server version: 4.4.1
      CentOS Linux release 7.6.1810 (Core)

       
      MongoDB audit filter is able to audit the createCollection and dropCollection actions.
      But with method db.dropDatabase, the attacker could bypass the audit filter by removing the current database.

            Assignee:
            eric.sedor@mongodb.com Eric Sedor
            Reporter:
            zhuqiangtj@gmail.com Zhu Eddie
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: