[SERVER-37159] Log redaction should not be applied to the internal commands - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Backlog
Priority: Major - P3
Resolution: Unresolved
Affects Version/s: 3.2.17, 3.6.10
Fix Version/s: None
Component/s: Diagnostics, Logging
Labels:
- move-sec

Assigned Teams:

Security

Description

At present, log redaction, if enabled will obfuscate the context of internal commands such as serverStatus, repSetRequestVotes and others:

"example"
Show all
2018-09-06T00:24:40.439+0000 I COMMAND [conn251824] command admin.$cmd command: serverStatus { serverStatus: "###", advisoryHostFQDNs: "###", locks: "###", recordStats: "###", oplog: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:30747 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 257800 } } } protocol:op_query 258ms
2018-09-06T00:24:41.916+0000 I COMMAND [conn251838] command local.oplog.rs command: serverStatus { serverStatus: "###", oplog: "###", tcmalloc: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:31169 locks:{ Global: { acquireCount: { r: 4 }, acquireWaitCount: { r: 2 }, timeAcquiringMicros: { r: 112077 } }, Database: { acquireCount: { r: 1 } }, oplog: { acquireCount: { r: 1 } } } protocol:op_query 145ms

2018-09-06T00:27:12.325+0000 I COMMAND [conn258969] command local.replset.election command: replSetRequestVotes { replSetRequestVotes: "###", setName: "###", dryRun: "###", term: "###", candidateIndex: "###", configVersion: "###", lastCommittedOp: { ts: "###", t: "###" }, $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:63 locks:{ Global: { acquireCount: { r: 3, w: 1 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 15506 } }, Database: { acquireCount: { r: 1, W: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_msg 2155ms

2018-09-06T00:26:04.124+0000 I COMMAND [conn13513] command local.oplog.rs command: collStats { collstats: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:7095 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 226736 } }, Database: { acquireCount: { r: 1 } }, oplog: { acquireCount: { r: 1 } } } protocol:op_query 227ms

2018-09-06T00:07:16.791+0000 I COMMAND [conn15543] command admin.system.users command: saslStart { saslStart: "###", mechanism: "###", payload: "###", $db: "###" } numYields:0 reslen:155 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 1360894 } }, Database: { acquireCount: { r: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_query 1364ms

2018-09-06T00:07:18.315+0000 I COMMAND [conn15543] command admin.system.users command: saslContinue { saslContinue: "###", conversationId: "###", mechanism: "###", payload: "###", $db: "###" } numYields:0 reslen:78 locks:{ Global: { acquireCount: { r: 2 }, acquireWaitCount: { r: 1 }, timeAcquiringMicros: { r: 1370885 } }, Database: { acquireCount: { r: 1 } }, Collection: { acquireCount: { r: 1 } } } protocol:op_query 1371ms

2018-09-06T00:08:44.730+0000 I COMMAND [conn15543] command admin.$cmd command: listDatabases { listDatabases: "###", $readPreference: { mode: "###" }, $db: "###" } numYields:0 reslen:281 locks:{ Global: { acquireCount: { r: 10 }, acquireWaitCount: { r: 2 }, timeAcquiringMicros: { r: 2710522 } }, Database: { acquireCount: { r: 4 } } } protocol:op_query 2711ms

2018-09-06T00:22:41.772+0000 I COMMAND [conn14] command admin.$cmd command: replSetHeartbeat { replSetHeartbeat: "###", configVersion: "###", from: "###", fromId: "###", term: "###", $replData: "###", $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:406 locks:{} protocol:op_msg 588ms

2018-09-06T00:21:09.058+0000 I COMMAND [conn460078] command admin.$cmd command: replSetUpdatePosition { replSetUpdatePosition: "###", optimes: [ { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" }, { durableOpTime: { ts: "###", t: "###" }, appliedOpTime: { ts: "###", t: "###" }, memberId: "###", cfgver: "###" } ], $replData: { term: "###", lastOpCommitted: { ts: "###", t: "###" }, lastOpVisible: { ts: "###", t: "###" }, configVersion: "###", replicaSetId: "###", primaryIndex: "###", syncSourceIndex: "###" }, $clusterTime: { clusterTime: "###", signature: { hash: "###", keyId: "###" } }, $db: "###" } numYields:0 reslen:228 locks:{} protocol:op_msg 2550ms

These log messages could not possibly contain PII data and therefore should not be redacted. Needless to say, that obfuscating these logs messages makes diagnostics harder.

Attachments

Issue Links

is duplicated by

SERVER-39898 Initial sync statistics should not be obfuscated by log redaction

Closed

is related to

SERVER-39898 Initial sync statistics should not be obfuscated by log redaction

Closed

Activity

People

Assignee:: Backlog - Security Team

Reporter:: Dmitry Ryabtsev

Participants:: Backlog - Security Team, Dmitry Ryabtsev

Votes:: 0 Vote for this issue

Watchers:: 14 Start watching this issue

Dates

Created:: Sep 17 2018 01:21:22 AM UTC

Updated:: Dec 06 2022 03:18:25 AM UTC