[SERVER-17959] option to redact sensitive data from system logs Created: 09/Apr/15  Updated: 01/Feb/18  Resolved: 11/Jul/16

Status: Closed
Project: Core Server
Component/s: Logging, Security
Affects Version/s: None
Fix Version/s: 3.3.10

Type: New Feature Priority: Major - P3
Reporter: Andreas Nilsson Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Duplicate
duplicates SERVER-12671 Provide option to allow "masking" of ... Backlog
duplicates SERVER-17377 Allow removing attribute values from ... Closed
Related
related to SERVER-18946 I wish I can configure separately the... Open
Backwards Compatibility: Fully Compatible
Sprint: Security 7 08/10/15
Participants:

 Description   

Log redaction is a desired feature for PII data and as a complement to encryption at rest.

In its simplest form it could be implemented as a configuration option redactLogs orthogonal to the log level.

  • Preserve enough info in the redaction function so that CEs et al. can do useful analytics on the output. This includes query shapes, for instance. This could be achieved through hashing actual data in the queries.

Things that could/should be redacted:
1. query parameters (things other than field names and dollar-sign operators).
2. hostnames/IP addresses
3. User names maybe?
4. Namespace names maybe?
5. Error messages in case error messages include any of the above.
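
An added example of the hashing idea in the description (not MongoDB's implementation and not code from this ticket): leaf values in a query document are replaced by a truncated keyed hash, while field names and dollar-sign operators are kept so the query shape can still be analysed. The key, the `###` token prefix, the function names and the sample query are assumptions made for this example; HMAC is used rather than a bare hash because low-entropy values such as ages or short IDs can be recovered from an unkeyed digest by guessing.

```python
import hashlib
import hmac

# Assumption: a per-deployment secret; this constant is constructed for the example.
REDACTION_KEY = b"example-only-redaction-key"

# Constructed sample query, not taken from any real log.
SAMPLE_QUERY = {
    "ssn": "123-45-6789",
    "age": {"$gt": 30},
    "$or": [{"city": "Oslo"}, {"city": "Oslo"}],
}


def token_for(value):
    """Map a leaf value to a short keyed-hash token.

    The type name is mixed in so that 1 and "1" do not collide. Equal values
    always give the same token, which keeps log lines correlatable.
    """
    data = repr((type(value).__name__, value)).encode("utf-8")
    digest = hmac.new(REDACTION_KEY, data, hashlib.sha256).hexdigest()
    return "###" + digest[:12]


def redact(node):
    """Return a copy of a query with every leaf value replaced by a token.

    Dictionary keys (field names and $-operators) are preserved as-is.
    """
    if isinstance(node, dict):
        return {key: redact(val) for key, val in node.items()}
    if isinstance(node, (list, tuple)):
        return [redact(item) for item in node]
    return token_for(node)


def shape(node):
    """Return the query shape: structure only, every leaf collapsed to '?'."""
    if isinstance(node, dict):
        return {key: shape(val) for key, val in node.items()}
    if isinstance(node, (list, tuple)):
        return [shape(item) for item in node]
    return "?"


if __name__ == "__main__":
    print(redact(SAMPLE_QUERY))
    print(shape(SAMPLE_QUERY))
```

Note that this keeps field names in clear text, so it covers item 1 of the list above only; a field name that itself carries sensitive data would still appear in the log.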



 Comments   
Comment by Andreas Nilsson [ 09/Apr/15 ]

I think you're right, I didn't think much about it. Removing the audit log mention.

Comment by Eric Milkie [ 09/Apr/15 ]

I don't understand the auditing requirement. What's the point of auditing if it's not a complete picture of who changed what and when?
Auditing isn't typically used for analytics, I presume.
