Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-37159

Log redaction should not be applied to the internal commands

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Backlog
    • Major - P3
    • Resolution: Unresolved
    • 3.2.17, 3.6.10
    • None
    • Diagnostics, Logging
    • Security

    Description

      At present, log redaction, if enabled will obfuscate the context of internal commands such as serverStatus, repSetRequestVotes and others:

      "example"

      Show all

      2018-09-06T00:24:40.439+0000 I COMMAND  [conn251824] command admin.$cmd command: serverStatus { serverStatus: "###", advisoryHostFQDNs: "###", locks: "###", recordStats: "###", oplog: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:30747 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 257800 } } } protocol:op_query 258ms
      2018-09-06T00:24:41.916+0000 I COMMAND  [conn251838] command local.oplog.rs command: serverStatus { serverStatus: "###", oplog: "###", tcmalloc: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:31169 locks:{ Global: { acquireCount: { r: 4 }, acquireWaitCount: { r: 2 }, timeAcquiringMicros: { r: 112077 } }, Database: { acquireCount: { r: 1 } }, oplog: { acquireCount: { r: 1 } } } protocol:op_query 145ms
       
      2018-09-06T00:27:12.325+0000 I COMMAND  [conn258969] command local.replset.election command: replSetRequestVotes { replSetRequestVotes: "###", setName: "###", dryRun: "###", term: "###", candidateIndex: "###", configVersion: "###", lastCommittedOp: { ts: "###", t: "###" }, $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:63 locks:{ Global: { acquireCount: { r: 3, w: 1 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 15506 } }, Database: { acquireCount: { r: 1, W: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_msg 2155ms
       
      2018-09-06T00:26:04.124+0000 I COMMAND  [conn13513] command local.oplog.rs command: collStats { collstats: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:7095 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 226736 } }, Database: { acquireCount: { r: 1 } }, oplog: { acquireCount: { r: 1 } } } protocol:op_query 227ms
       
      2018-09-06T00:07:16.791+0000 I COMMAND  [conn15543] command admin.system.users command: saslStart { saslStart: "###", mechanism: "###", payload: "###", $db: "###" } numYields:0 reslen:155 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 1360894 } }, Database: { acquireCount: { r: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_query 1364ms
       
      2018-09-06T00:07:18.315+0000 I COMMAND  [conn15543] command admin.system.users command: saslContinue { saslContinue: "###", conversationId: "###", mechanism: "###", payload: "###", $db: "###" } numYields:0 reslen:78 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 1370885 } }, Database: { acquireCount: { r: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_query 1371ms
       
      2018-09-06T00:08:44.730+0000 I COMMAND  [conn15543] command admin.$cmd command: listDatabases { listDatabases: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:281 locks:{ Global: { acquireCount: { r: 10 }, acquireWaitCount: { r: 2 }, timeAcquiringMicros: { r: 2710522 } }, Database: { acquireCount: { r: 4 } } } protocol:op_query 2711ms
       
      2018-09-06T00:22:41.772+0000 I COMMAND  [conn14] command admin.$cmd command: replSetHeartbeat { replSetHeartbeat: "###", configVersion: "###", from: "###", fromId: "###", term: "###", $replData: "###", $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:406 locks:{} protocol:op_msg 588ms
       
      2018-09-06T00:21:09.058+0000 I COMMAND  [conn460078] command admin.$cmd command: replSetUpdatePosition { replSetUpdatePosition: "###", optimes: [ { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" } ], $replData: { term: "###", lastOpCommitted: { ts: "###", t: "###" }, lastOpVisible: { ts: "###", t: "###" }, configVersion: "###", replicaSetId: "###", primaryIndex: "###", syncSourceIndex: "###" }, $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:228 locks:{} protocol:op_msg 2550ms
      

      These log messages could not possibly contain PII data and therefore should not be redacted. Needless to say, that obfuscating these logs messages makes diagnostics harder.

      Attachments

        Issue Links

          Activity

            People

              backlog-server-security Backlog - Security Team
              dmitry.ryabtsev@mongodb.com Dmitry Ryabtsev
              Votes:
              0 Vote for this issue
              Watchers:
              14 Start watching this issue

              Dates

                Created:
                Updated: