[SERVER-27184] Audit logs for connection opened and closed events Created: 25/Nov/16 Updated: 16/Oct/21 Resolved: 20/May/21
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Emilio Scalise | Assignee: | Salman Baset |
| Resolution: | Won't Do | Votes: | 1 |
| Labels: | Auditing, auditing, platforms-re-triaged, security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Backport Requested: | v3.4, v3.2 |
| Participants: | |
| Case: | (copied to CRM) |
| Description |
The MongoDB audit feature does not allow logging of logout and connection opened/closed events. Some countries require by law, for certain business sectors, that audit logs of such events be retained.
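The gap described above can be partly covered from the server's own log rather than the audit log: at default verbosity mongod records connection accept/end, the driver's client-metadata handshake and authentication success/failure. The script below is an added example, not part of this ticket and not MongoDB's own code. It reads structured (JSON) mongod log lines, correlates them per connection, and emits one record per event carrying the fields an administrator-access audit typically needs (timestamp, event type, remote address, username, authentication database, client application). Assumptions: the JSON log format of mongod 4.4 and later; the message texts "Connection accepted", "Connection ended", "client metadata", "Authentication succeeded" and "Authentication failed" and their attr fields are reproduced from memory and should be checked against the log of the version in use; the sample lines are constructed, not a real capture.

```python
import json

# Constructed sample of mongod structured log lines (assumption: the JSON log
# format of mongod 4.4+; message texts and attr fields are from memory and
# should be verified against your version). Not a real capture.
SAMPLE_LOG = r'''
{"t":{"$date":"2021-05-20T09:00:01.100+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.7:51234","connectionId":5,"connectionCount":1}}
{"t":{"$date":"2021-05-20T09:00:01.120+00:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn5","msg":"client metadata","attr":{"remote":"10.0.0.7:51234","client":"conn5","doc":{"application":{"name":"payroll-batch"},"driver":{"name":"PyMongo","version":"3.11.0"},"os":{"type":"Linux"}}}}
{"t":{"$date":"2021-05-20T09:00:01.250+00:00"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn5","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"dba_alice","authenticationDatabase":"admin","remote":"10.0.0.7:51234","extraInfo":{}}}
{"t":{"$date":"2021-05-20T09:00:02.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.9:40001","connectionId":6,"connectionCount":2}}
{"t":{"$date":"2021-05-20T09:00:02.300+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn6","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"dba_bob","authenticationDatabase":"admin","remote":"10.0.0.9:40001","extraInfo":{},"error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
this line is not JSON and must be skipped
{"t":{"$date":"2021-05-20T09:00:02.400+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn6","msg":"Connection ended","attr":{"remote":"10.0.0.9:40001","connectionId":6,"connectionCount":1}}
{"t":{"$date":"2021-05-20T09:05:00.000+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn5","msg":"Connection ended","attr":{"remote":"10.0.0.7:51234","connectionId":5,"connectionCount":0}}
'''


def _conn_id(entry):
    """Connection number from attr.connectionId, else from a ctx such as 'conn5'."""
    attr = entry.get("attr", {})
    if isinstance(attr.get("connectionId"), int):
        return attr["connectionId"]
    ctx = entry.get("ctx", "")
    if ctx.startswith("conn") and ctx[4:].isdigit():
        return int(ctx[4:])
    return None


def parse_connection_events(lines):
    """Turn mongod JSON log lines into per-connection audit records.

    Each record carries timestamp, event type, remote address, the user name
    once the connection has authenticated, the auth database and the client
    application name taken from the driver's metadata handshake.
    """
    sessions = {}   # connection id -> state kept while the connection is open
    records = []

    def emit(entry, event, conn, **extra):
        state = sessions.get(conn, {})
        rec = {
            "ts": entry.get("t", {}).get("$date"),
            "event": event,
            "connection_id": conn,
            "remote": state.get("remote") or entry.get("attr", {}).get("remote"),
            "user": state.get("user"),
            "db": state.get("db"),
            "client": state.get("client"),
        }
        rec.update(extra)
        records.append(rec)

    for raw in lines:
        raw = raw.strip()
        if not raw.startswith("{"):
            continue                      # not a structured log line
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # truncated or corrupted line
        msg = entry.get("msg", "").lower()
        attr = entry.get("attr", {})
        conn = _conn_id(entry)
        if conn is None:
            continue

        if msg == "connection accepted":
            sessions[conn] = {"remote": attr.get("remote")}
            emit(entry, "connection_opened", conn)
        elif msg == "client metadata":
            doc = attr.get("doc", {})
            app = doc.get("application", {}).get("name") or doc.get("driver", {}).get("name")
            sessions.setdefault(conn, {})["client"] = app
        elif msg == "authentication succeeded":
            state = sessions.setdefault(conn, {})
            state["user"] = attr.get("principalName")
            state["db"] = attr.get("authenticationDatabase")
            emit(entry, "login", conn)
        elif msg == "authentication failed":
            emit(entry, "login_failed", conn, user=attr.get("principalName"),
                 db=attr.get("authenticationDatabase"), error=attr.get("error"))
        elif msg == "connection ended":
            # For an authenticated session this is the closest thing to a logout record.
            emit(entry, "connection_closed", conn)
            sessions.pop(conn, None)
    return records


if __name__ == "__main__":
    for rec in parse_connection_events(SAMPLE_LOG.splitlines()):
        print(json.dumps(rec))
```

Two caveats for anyone relying on this. First, the server log is an ordinary file the same administrators can edit, so it only satisfies an "unalterable" retention requirement if it is shipped in near real time to a collector they cannot write to. Second, a client can run the `logout` command and keep its connection open, so treating "Connection ended" as the logout event is an approximation, not an exact equivalent of the audit event this ticket asks for.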
| Comments |
| Comment by annunziata martiello [ 13/Mar/19 ] |
Hi, do you have any update on this open issue? Best regards, Tina
| Comment by Matt Lord (Inactive) [ 11/Feb/19 ] |
Thank you, tinamartiello! That is very helpful.
| Comment by annunziata martiello [ 08/Feb/19 ] |
Hi Matt, we have a national law, still valid: "Measures and arrangements applying to the controllers of processing operations performed with the help of electronic tools in view of committing the task of system administrator", Decision dated 27 November 2008, as published in Italy's Official Journal no. 300 of 24 December 2008 and amended by a Decision of the Italian DPA dated 25 June 2009, as published in Italy's Official Journal of 30 June 2009.
We must collect, preserve and keep, in an unalterable way, logs related to administrators' activity on RDBMSs holding personal data.
Specifically, we must trace login, logout and failed login to the RDBMS for the purpose of checking the activities of the administrators. The audit logs must include: username, IP address, timestamp, indication of the event (i.e. login/logout/login failed) and, if possible, the software used for the connection.
Here you can find more information regarding the law:
https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1628774 Thank you very much, best regards, Tina
| Comment by Matt Lord (Inactive) [ 01/Feb/19 ] |
Hi tinamartiello, can you help me understand the specific legal requirements involved here? We tried to find something related in GDPR but could not find any specific requirements around this. Perhaps this is a localized law or regulation of some sort? Having more details would be very helpful in prioritizing this work. Thank you for the helpful input! Best regards
| Comment by annunziata martiello [ 22/Jan/19 ] |
Do you have any update on this feature? It's essential to log connection logout for GDPR compliance. Thank you, Tina