-
Type:
Task
-
Resolution: Unresolved
-
Priority:
Major - P3
-
None
-
Affects Version/s: None
-
Component/s: None
-
None
-
Query Optimization
-
None
-
None
-
None
-
None
-
None
-
None
-
None
At present, BinData 6 values are not automatically redacted in audit logs , including HMAC keys for query stats . Some questions to consider:
- Is redacting BinData6 values in the audit logs desirable, or should audit logs contain BinData6 values in the clear?
- If we should redact BinData6 values in the audit logs, should it be an opt-in feature (as is currently implemented) or a default behavior (where all BinData6 values are automatically redacted)?
- If it should be an opt-in feature, what should this look like? Currently, I've only implemented it for array fields with sensitive field names, but this can be easily extended to object fields, etc.
https://github.com/10gen/mongo-enterprise-modules/pull/1292
EDIT: Query stats HMAC keys now use the newly-introduced BinDataType 8: Sensitive.