Loading...

XML

Word

Printable

JSON

Type: Improvement
Resolution: Unresolved
Priority: Major - P3
Fix Version/s: None
Affects Version/s: 3.2.17, 3.6.10
Component/s: Diagnostics, Logging
Labels:
- move-sec

Assigned Teams:

Server Security
Case:
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

At present, log redaction, if enabled will obfuscate the context of internal commands such as serverStatus, repSetRequestVotes and others:

"example"

2018-09-06T00:24:40.439+0000 I COMMAND  [conn251824] command admin.$cmd command: serverStatus { serverStatus: "###", advisoryHostFQDNs: "###", locks: "###", recordStats: "###", oplog: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:30747 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 257800 } } } protocol:op_query 258ms
2018-09-06T00:24:41.916+0000 I COMMAND  [conn251838] command local.oplog.rs command: serverStatus { serverStatus: "###", oplog: "###", tcmalloc: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:31169 locks:{ Global: { acquireCount: { r: 4 }, acquireWaitCount: { r: 2 }, timeAcquiringMicros: { r: 112077 } }, Database: { acquireCount: { r: 1 } }, oplog: { acquireCount: { r: 1 } } } protocol:op_query 145ms

2018-09-06T00:27:12.325+0000 I COMMAND  [conn258969] command local.replset.election command: replSetRequestVotes { replSetRequestVotes: "###", setName: "###", dryRun: "###", term: "###", candidateIndex: "###", configVersion: "###", lastCommittedOp: { ts: "###", t: "###" }, $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:63 locks:{ Global: { acquireCount: { r: 3, w: 1 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 15506 } }, Database: { acquireCount: { r: 1, W: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_msg 2155ms

2018-09-06T00:26:04.124+0000 I COMMAND  [conn13513] command local.oplog.rs command: collStats { collstats: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:7095 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 226736 } }, Database: { acquireCount: { r: 1 } }, oplog: { acquireCount: { r: 1 } } } protocol:op_query 227ms

2018-09-06T00:07:16.791+0000 I COMMAND  [conn15543] command admin.system.users command: saslStart { saslStart: "###", mechanism: "###", payload: "###", $db: "###" } numYields:0 reslen:155 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 1360894 } }, Database: { acquireCount: { r: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_query 1364ms

2018-09-06T00:07:18.315+0000 I COMMAND  [conn15543] command admin.system.users command: saslContinue { saslContinue: "###", conversationId: "###", mechanism: "###", payload: "###", $db: "###" } numYields:0 reslen:78 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 1370885 } }, Database: { acquireCount: { r: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_query 1371ms

2018-09-06T00:08:44.730+0000 I COMMAND  [conn15543] command admin.$cmd command: listDatabases { listDatabases: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:281 locks:{ Global: { acquireCount: { r: 10 }, acquireWaitCount: { r: 2 }, timeAcquiringMicros: { r: 2710522 } }, Database: { acquireCount: { r: 4 } } } protocol:op_query 2711ms

2018-09-06T00:22:41.772+0000 I COMMAND  [conn14] command admin.$cmd command: replSetHeartbeat { replSetHeartbeat: "###", configVersion: "###", from: "###", fromId: "###", term: "###", $replData: "###", $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:406 locks:{} protocol:op_msg 588ms

2018-09-06T00:21:09.058+0000 I COMMAND  [conn460078] command admin.$cmd command: replSetUpdatePosition { replSetUpdatePosition: "###", optimes: [ { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" } ], $replData: { term: "###", lastOpCommitted: { ts: "###", t: "###" }, lastOpVisible: { ts: "###", t: "###" }, configVersion: "###", replicaSetId: "###", primaryIndex: "###", syncSourceIndex: "###" }, $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:228 locks:{} protocol:op_msg 2550ms

These log messages could not possibly contain PII data and therefore should not be redacted. Needless to say, that obfuscating these logs messages makes diagnostics harder.

is duplicated by

SERVER-39898 Initial sync statistics should not be obfuscated by log redaction

Closed

is related to

SERVER-39898 Initial sync statistics should not be obfuscated by log redaction

Closed

links to

FF-I-9271

Assignee:: [DO NOT USE] Backlog - Security Team
Reporter:: Dmitry Ryabtsev
Participants:: [DO NOT USE] Backlog - Security Team, Dmitry Ryabtsev
Votes:: 1 Vote for this issue
Watchers:: 16 Start watching this issue

Created:: Sep 17 2018 01:21:22 AM UTC
Updated:: Feb 12 2025 08:18:58 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates