Core Server / SERVER-36172

Audit logging for replSetConfigure actions


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Duplicate
    • Component/s: Security

    Description

      Hi Security dev team!

      I was configuring auditing at my new workplace. The basic idea is:

      auditLog:
         destination: file
         format: JSON
         path: /tmp/audit.json
         # filter is a query document over the audit event fields; atype is the action type
         filter: '{atype: {$in: [
                     "authenticate", "authCheck",
                     "renameCollection", "dropCollection", "dropDatabase",
                     "createUser", "dropUser", "dropAllUsersFromDatabase", "updateUser",
                     "grantRolesToUser", "revokeRolesFromUser", "createRole", "updateRole",
                     "dropRole", "dropAllRolesFromDatabase", "grantRolesToRole", "revokeRolesFromRole",
                     "grantPrivilegesToRole", "revokePrivilegesFromRole",
                     "enableSharding", "shardCollection", "addShard", "removeShard",
                     "shutdown",
                     "applicationMessage"
                 ]}}'


      Whilst I was doing this I realized for the first time that there is no auditing for replSetConfigure actions. So a naughty DBA could, for example, start a node on their desktop or some other useful computer, then rs.add('my_desktop_fqdn:27017'), sync, then rs.remove('my_desktop_fqdn:27017'), and they'd have a copy of the data directory without anything appearing in the audit log. It would be in the normal logs, but those are not as hard to cover up.

      I couldn't find any existing JIRA tickets that mention this, now that I'm logged in as a public user.

      Is there any reason that auditing replSetConfigure actions has been excluded? If not I'd like to request this as an enhancement. (Ideally backported to 3.6 too.)

      Cheers from Tokyo,

      Akira
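The add-sync-remove sequence described in the ticket leaves the replica set looking exactly as it did before. The following is an added example (not code from the ticket, and not MongoDB's own) of a compensating check a practitioner can run while replSetConfigure actions are not audited: periodically capture the document returned by rs.conf() and compare consecutive snapshots. It assumes the snapshots are stored by the caller (for example from `mongo --quiet --eval 'printjson(rs.conf())'`) and that an allowlist of expected member hosts exists. The hostnames, the `rs0` set name and the three snapshots below are constructed for the example. The key observation it relies on is that rs.conf().version is incremented by every replica-set reconfiguration, so a version jump with unchanged membership reveals that reconfigs happened between two snapshots even when the temporary member is already gone.

```python
"""Detect replica-set membership changes from rs.conf() snapshots.

Added example for SERVER-36172; not code from the ticket or from MongoDB.
Assumes the caller stores the rs.conf() document periodically. The
allowlist and sample snapshots below are constructed, not real.
"""
from typing import Dict, Iterable, List, Set


def member_hosts(conf: Dict) -> Set[str]:
    """Return the set of host:port strings listed in a replica-set config."""
    return {m["host"] for m in conf.get("members", [])}


def unexpected_hosts(conf: Dict, allowed: Iterable[str]) -> Set[str]:
    """Hosts present in the config that are not on the allowlist."""
    return member_hosts(conf) - set(allowed)


def compare_snapshots(old: Dict, new: Dict) -> Dict[str, object]:
    """Compare two consecutive rs.conf() snapshots.

    rs.conf().version is bumped by every reconfig (rs.add and rs.remove
    each count), so a version jump with identical membership means at
    least one reconfig happened between the snapshots.
    """
    old_hosts, new_hosts = member_hosts(old), member_hosts(new)
    reconfigs = new["version"] - old["version"]
    return {
        "added": sorted(new_hosts - old_hosts),
        "removed": sorted(old_hosts - new_hosts),
        "reconfigs_between_snapshots": reconfigs,
        "hidden_reconfig": reconfigs > 0 and old_hosts == new_hosts,
    }


def audit_snapshots(snapshots: List[Dict], allowed: Iterable[str]) -> List[str]:
    """Return one alert string per finding across a series of snapshots."""
    allowed = set(allowed)
    alerts: List[str] = []
    for i, conf in enumerate(snapshots):
        for host in sorted(unexpected_hosts(conf, allowed)):
            alerts.append(f"snapshot {i}: unexpected member {host}")
        if i == 0:
            continue
        d = compare_snapshots(snapshots[i - 1], conf)
        for host in d["added"]:
            alerts.append(f"snapshot {i}: member added {host}")
        for host in d["removed"]:
            alerts.append(f"snapshot {i}: member removed {host}")
        if d["hidden_reconfig"]:
            alerts.append(
                f"snapshot {i}: {d['reconfigs_between_snapshots']} reconfig(s) "
                "between snapshots with no net membership change"
            )
    return alerts


# Constructed sample data: three legitimate members plus the DBA's desktop.
ALLOWLIST = ["db1.example.com:27017", "db2.example.com:27017", "db3.example.com:27017"]


def _conf(version: int, hosts: List[str]) -> Dict:
    """Build a minimal rs.conf()-shaped document (constructed, hypothetical)."""
    return {"_id": "rs0", "version": version,
            "members": [{"_id": i, "host": h} for i, h in enumerate(hosts)]}


SNAPSHOT_BEFORE = _conf(1, ALLOWLIST)                               # before rs.add
SNAPSHOT_DURING = _conf(2, ALLOWLIST + ["my_desktop_fqdn:27017"])   # while the desktop syncs
SNAPSHOT_AFTER = _conf(3, ALLOWLIST)                                # after rs.remove


if __name__ == "__main__":
    # Polling too slowly misses the desktop itself but still sees the version jump.
    for line in audit_snapshots([SNAPSHOT_BEFORE, SNAPSHOT_AFTER], ALLOWLIST):
        print(line)
    # Polling often enough catches the member directly.
    for line in audit_snapshots([SNAPSHOT_BEFORE, SNAPSHOT_DURING, SNAPSHOT_AFTER], ALLOWLIST):
        print(line)
```

This is a detective control only: it does not stop the copy, and a DBA who can reconfigure the set can also stop the poller. Run it from a host the DBA does not administer, and keep the snapshots somewhere the DBA cannot edit, for the same reason the ticket prefers the audit log over the normal log.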

      People

        Assignee: backlog-server-platform DO NOT USE - Backlog - Platform Team
        Reporter: akira.kurogane@gmail.com 章 黒鉄
        Votes: 0
        Watchers: 4