[SERVER-1891] Audit "DDL" operations Created: 05/Oct/10 Updated: 16/Nov/21 Resolved: 14/Nov/13 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Logging, Security |
| Affects Version/s: | 1.7.0 |
| Fix Version/s: | 2.5.4 |
| Type: | New Feature | Priority: | Major - P3 |
| Reporter: | Alvin Richards (Inactive) | Assignee: | Eric Milkie |
| Resolution: | Done | Votes: | 13 |
| Labels: | None |
| Description |
|
Problem: This would allow an organization to audit these changes, info that could be recorded would be Solution:
|
| Comments |
| Comment by auto [ 10/Oct/13 ] |
|
Author: Spencer T Brody (stbrody) <spencer@mongodb.com>
Message: Revert " This reverts commit 91480e08d9a6dd41ad6118ee0bf5461a99cbdbc3. |
| Comment by auto [ 23/Jul/13 ] |
|
Author: Andy Schwerin (andy10gen) <schwerin@10gen.com>
Message: Logs success and failure of all authorization checks to the audit log, when auditing |
| Comment by auto [ 22/Jul/13 ] |
|
Author: Andy Schwerin (andy10gen) <schwerin@10gen.com>
Message: Command::redactForLogging(mutablebson::Document* cmdObj) transforms "cmdObj" |
| Comment by auto [ 17/Jul/13 ] |
|
Author: Andy Schwerin (andy10gen) <schwerin@10gen.com>
Message: This reverts commit 2e2a6fdffdba369a0594962267e5bc7bb47a3f3a and also fixes the build break that the |
| Comment by auto [ 10/Jul/13 ] |
|
Author: Andy Schwerin (andy10gen) <schwerin@10gen.com>
Message: Revert " This reverts commit d430713c403fa6b065337cf7e480ed70940631ab. |
| Comment by Matt Veitas [ 27/Jun/13 ] |
|
I will second the comments made by Jason as this is the only thing holding us back from using Mongo in our environment that falls under HIPAA security regulations. |
| Comment by Jason Denizac [ 11/May/13 ] |
|
Was referred to this ticket by Alvin at MongoSF today. Audit logging, especially valid and invalid authentication attempts, is very important for healthcare industry (HIPAA) security regulations. Other aspects of compliance can be dealt with elsewhere in the system, e.g. on-disk encryption, application-level content access logging, etc. But it's important also to log the connection between the application and the db. |
| Comment by David McLennan [ 05/Sep/12 ] |
|
Financial environments have similar auditing requirements - after reviewing the attached DoD document, sections DG0141, DG0142 & DG0145 are close to what we require. Essentially any auditing solution needs to:
i) Audit all authentication actions with metadata (username, Source IP, DB, Success/Fail etc.)
ii) Audit all security related configuration changes (new users, changed passwords, changed permissions)
iii) The audit records need to be immutable (i.e. they cannot be modified or deleted by normal commands. Typically done by logging to a filesystem external to the instance or to the Windows event log / Unix syslogd)
iv) Audit all commands by "highly privileged" users. For current releases of MongoDB, I would expect this would boil down to logging all queries by any admin user. |
| Comment by Will LaForest [ 04/Jan/12 ] |
|
DISA STIG check list for DoD accreditation. |
| Comment by Will LaForest [ 04/Jan/12 ] |
|
Auditing will be required in order to get widespread use in DoD. I have attached the DISA DBMS STIG Document which talks about the checks used to determine if a DBMS is in compliance. If you search for audit you can find the pertinent checks. |
| Comment by Alvin Richards (Inactive) [ 06/May/11 ] |
|
1) Need to log the user (through user authentication) who was logged in who performed the operation |