[SERVER-36172] Audit logging for replSetConfigure actions Created: 18/Jul/18  Updated: 15/Nov/21  Resolved: 18/Jul/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor - P4
Reporter: 章 黒鉄 Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-20845 re-add replSetReconfig to auditing suite Closed
Participants:

 Description   

Hi Security dev team!

I was configuring auditing at my new workplace. The basic idea is:

auditLog:
   destination: file
   format: JSON
   path: /tmp/audit.json
   filter: '{atype: {$in: [
               "authenticate", "authCheck", 
               "renameCollection", "dropCollection", "dropDatabase", 
               "createUser", "dropUser", "dropAllUsersFromDatabase", "updateuser", 
               "grantRolesToUser", "revokeRolesFromUser", "createRole", "updateRole", 
               "dropRole", "dropAllRolesFromDatabase", "grantRolesToRole", "revokeRolesFromRole", 
               "grantPrivilegesToRole", "revokePrivilegesFromRole", 
               "enableSharding", "shardCollection", "addShard", "removeShard", 
               "shutdown", 
               "applicationMessage"
           ]}}'

Whilst I was doing this I realized for the first time there is no auditing for replSetConfigure actions. So a Naughty DBA could for example execute start a node on their desktop or some useful computer, then rs.add('my_desktop_fqdn:27017'), sync, then 'rs.remove('my_desktop_fqdn:27017'), and they'd have a copy of the data directory without anything appearing in the audit log. It would be in the normal logs, but that's not as hard to cover up.

I couldn't find any existing JIRA tickets that mention this, now that I'm logged in as a public user.

Is there any reason that auditing replSetConfigure actions has been excluded? If not I'd like to request this as an enhancement. (Ideally backported to 3.6 too.)

Cheers from Tokyo,

Akira



 Comments   
Comment by 章 黒鉄 [ 18/Jul/18 ]

(The command name is actually "replSetReconfig")

Ah. I was thinking the audit module "System events" were basically named after the priviliges actions (doc page) which is why I thought the currently non-existent audit action for this would be tied to "replSetConfigure". Command names make sense too though.

Anyhow I'll whack this request into SERVER-20845.

Comment by Eric Milkie [ 18/Jul/18 ]

I believe this is SERVER-20845 (The command name is actually "replSetReconfig")

Comment by 章 黒鉄 [ 18/Jul/18 ]

Hi Ramon. Sorry to ping you in the middle of your night!

Yep, enjoying Tokyo, and please let the platform team know I appreciate their help. No time crunch for this on my side b.t.w.

Cheers,

Akira

Comment by Ramon Fernandez Marina [ 18/Jul/18 ]

Hi akira!!

I can't find a SERVER ticket that mentions this so I'm sending this to the Platform team for evaluation.

Best of luck on your Tokyo adventure!

Cheers,
Ramón.

Generated at Thu Feb 08 04:42:16 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.