[SERVER-50394] mongod audit log attributes DDL operations to the __system user in a sharded environment - MongoDB

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: 4.0.20, 3.6.19
Fix Version/s: 4.2.10, 4.8.0, 4.4.2
Component/s: None
Labels:
None

Backwards Compatibility:
Minor Change
Operating System:
ALL
Backport Requested:

v4.4, v4.2, v4.0, v3.6
Sprint:
Security 2020-09-21
Case:
Linked BF Score:
50

Description

Seemingly related to ~~SERVER-11192~~, the __system user is audited as the initiator of DDL operations like createDatabase, dropDatabase, createCollection, dropCollection, createIndex, and dropIndex when those commands are run from a mongos in a sharded environment.

CRUD operations are correctly attributed.

A partial workaround is to use auditAuthorizationSuccess and an auditFilter focusing on DDL operations, on mongos nodes, to obtain authCheck audits from the mongos. But this is not applicable in all cases (ex: implicit collection creation)

Attachments

Issue Links

is related to

SERVER-11192 Audit system cannot ascribe DDL operations in a sharded cluster to an end user.

Closed

related to

SERVER-50990 createIndex audit with user name

Open

SERVER-50991 audit createIndex on empty collection

Open

SERVER-50994 Audit of dropCollection during dropDatabase

Open

SERVER-50993 Audit dropCollection for views

In Code Review

SERVER-50992 Include viewOn and pipeline in createCollection audit entry for views

Closed

(1 related to)

Activity

People

Assignee:: Sara Golemon

Reporter:: Eric Sedor

Participants:: Eric Sedor, Githook User, Sara Golemon

Votes:: 0 Vote for this issue

Watchers:: 17 Start watching this issue

Dates

Created:: Aug 19 2020 09:41:23 PM UTC

Updated:: Oct 06 2020 07:23:05 PM UTC

Resolved:: Sep 18 2020 03:54:43 PM UTC