[SERVER-12551] Audit DML/CRUD operations Created: 30/Jan/14  Updated: 27/Oct/15  Resolved: 12/Sep/14

Status: Closed
Project: Core Server
Component/s: Logging, Security
Affects Version/s: None
Fix Version/s: 2.6.5, 2.7.7

Type: New Feature Priority: Major - P3
Reporter: Rob Young (Inactive) Assignee: Amalia Hawkins
Resolution: Done Votes: 2
Labels: Auditing
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-12512 Add role-based, selective audit logging. Closed
is related to DOCS-4329 Document DML/CRUD audit functionality Closed
is related to SERVER-11918 Support writing "access granted" mess... Closed

 Description   

For auditing and regulatory compliance, most organizations require that all user-based Data Manipulation Language ("DML") and/or Create, Read, Update and Delete ("CRUD") operations performed against production databases be logged. This request extends the MongoDB auditing framework, introduced in version 2.6, to include logging of all user queries and DML/CRUD operations including:

  • query/read – any operation that returns data
  • insert – any operation that adds data to a database
  • update – any operation that changes data on a database
  • delete – any operation that removes data from a database

Requirements for logging of these operations include:
  • same format, data elements, output options used for DDL and system level auditing
  • capture complete query, command with variable substitution (non-masked values)
  • return result of query, command (success, failure, row count, rows affected, etc.)
  • provide option to log to a separate file for manageability
  • option to log queried or returned data – feasibility TBD

With this enhancement, we should also extend the current auditing functionality to provide high-level configuration options that allow users to set the “verbosity” of audit logging for a given server. Options to include:

  • system – enables the logging of only DDL or system level operations (2.6 implementation)
  • queries – enables the logging of only DML/CRUD operations
  • all – (default) enables the logging of all operations


 Comments   
Comment by Jonathan Abrahams [ 03/Oct/14 ]

DML - Data Manipulation Language

Comment by Githook User [ 12/Sep/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-12551: Rename the CRUD auditing flag from auditAuthzSuccess to auditAuthorizationSuccess.
Branch: v2.6
https://github.com/10gen/mongo-enterprise-modules/commit/637e2287a76168cad6175baa83c301ddc0180ba1

Comment by Amalia Hawkins [ 12/Sep/14 ]

Documentation changes are needed to extensively document this new feature. The parameter in question is auditAuthorizationSuccess and is set using setParameter. It defaults to off.
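
An added example, not part of the ticket or MongoDB's code: once auditAuthorizationSuccess is on, granted CRUD operations appear in the audit log next to denials, and a reviewer can tally them by the four operation classes from the description. It assumes JSON audit output in which authCheck events carry users, param.command, param.ns and result (0 for success); the command-to-class mapping and the sample lines are constructed for illustration.

```python
import json
from collections import Counter

# Assumption: audited command name -> the ticket's four operation classes.
CRUD_CLASS = {"find": "read", "query": "read", "getMore": "read",
              "insert": "insert", "update": "update", "delete": "delete"}

def _event(command, ns, result, users=()):
    """Build one constructed authCheck audit line in JSON form."""
    return json.dumps({"atype": "authCheck",
                       "users": [{"user": u, "db": "admin"} for u in users],
                       "param": {"command": command, "ns": ns}, "result": result})

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = [
    _event("insert", "shop.orders", 0, ["app"]),
    _event("find", "shop.orders", 0, ["app"]),
    _event("find", "shop.orders", 0, ["app"]),
    _event("delete", "shop.orders", 13, ["report"]),     # 13 = Unauthorized
    _event("update", "shop.users", 13),                  # no authenticated user
    _event("createIndexes", "shop.orders", 0, ["app"]),  # audited, but not CRUD
    '{"atype":"createCollection","param":{"ns":"shop.tmp"},"result":0}',
    '{"atype":"authCheck","users":[',                    # truncated line
]

def summarize(lines):
    """Count CRUD authCheck events per (user, class, outcome)."""
    counts, denied, skipped = Counter(), [], 0
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            skipped += 1  # truncated or non-JSON line: count it, never drop silently
            continue
        if not isinstance(event, dict) or event.get("atype") != "authCheck":
            continue
        param = event.get("param") or {}
        op = CRUD_CLASS.get(param.get("command"))
        if op is None:
            continue  # authorization check for a non-CRUD command
        who = ",".join(f'{u.get("user")}@{u.get("db")}'
                       for u in event.get("users") or []) or "<unauthenticated>"
        outcome = "granted" if event.get("result") == 0 else "denied"
        counts[(who, op, outcome)] += 1
        if outcome == "denied":
            denied.append((who, op, param.get("ns"), event.get("result")))
    return counts, denied, skipped

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A nonzero skipped count is worth alerting on in its own right, since a truncated audit file means some operations went unrecorded.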

Comment by Githook User [ 12/Sep/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-12551: Rename the CRUD auditing flag from auditAuthzSuccess to auditAuthorizationSuccess.
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/79f3fcad74583deec55cf5dafa8b402e4e9af06b

Comment by Githook User [ 27/Feb/14 ]

Author: Eric Milkie (milkie) <milkie@10gen.com>

Message: SERVER-12551 experimental switch to turn on access-granted (authz success) auditing
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/5d45e7d87ab30aa6b67aa8fffc10c5934964d4f1
