Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-78961

Redact BinData 6 values in audit logs

XMLWordPrintableJSON

    • Type: Icon: Task Task
    • Resolution: Unresolved
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: None
    • Component/s: None
    • None
    • Query Optimization
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      At present, BinData 6 values are not automatically redacted in audit logs , including HMAC keys for query stats . Some questions to consider:

      1. Is redacting BinData6 values in the audit logs desirable, or should audit logs contain BinData6 values in the clear?
      2. If we should redact BinData6 values in the audit logs, should it be an opt-in feature (as is currently implemented) or a default behavior (where all BinData6 values are automatically redacted)?
      3. If it should be an opt-in feature, what should this look like? Currently, I've only implemented it for array fields with sensitive field names, but this can be easily extended to object fields, etc.

      https://github.com/10gen/mongo-enterprise-modules/pull/1292

      EDIT: Query stats HMAC keys now use the newly-introduced BinDataType 8: Sensitive.

            Assignee:
            backlog-query-optimization [DO NOT USE] Backlog - Query Optimization
            Reporter:
            william.qian@mongodb.com William Qian
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              None
              None
              None
              None