[SERVER-40569] Auditing "(NONE)" when address family is AF_UNSPEC Created: 10/Apr/19  Updated: 29/Oct/23  Resolved: 04/Dec/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 3.6.12
Fix Version/s: 4.9.0

Type: Improvement Priority: Major - P3
Reporter: aditya Assignee: Shreyas Kalyan
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Documented
is documented by DOCS-14320 Investigate changes in SERVER-40569: ... Closed
Backwards Compatibility: Fully Compatible
Sprint: Security 2020-11-30, Security 2020-12-14
Participants:

 Description   

When address family is AF_UNSPEC, we audit log ip: "(NONE)". It may be possible to treat this differently.

original description

When auditing is set on MongoDB, the log has local and remote IPs which are always localhost, as in:

Apr 10 11:17:27 CentOS50G tag1 { "atype" : "authCheck", "ts" : { "$date" : "2019-04-10T11:17:19.306-0700" }, "local" : { "ip" : "(NONE)", "port" : 0 }, "remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [], "roles" : [], "param" : { "command" : "listIndexes", "ns" : "config.system.sessions", "args" : { "listIndexes" : "system.sessions", "cursor" : {}, "$db" : "config" } }, "result" : 0 }

Here, even though the Mongo server is CentOS50G, the local IP is either NONE or 127.0.0.1.
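
A triage sketch for the audit entries discussed in this ticket, added here as an example; it is not MongoDB's code and not part of the original report. It splits audit events by whether the remote address is the "(NONE)" placeholder, loopback, or a network peer. The sample lines, the function names and the handling of the syslog prefix are assumptions modelled on the single entry quoted above.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample lines, in the syslog-prefixed shape of the entry quoted above.
SAMPLE_LINES = [
    'Apr 10 11:17:27 CentOS50G tag1 { "atype" : "authCheck", "local" : { "ip" : "(NONE)", "port" : 0 }, '
    '"remote" : { "ip" : "(NONE)", "port" : 0 }, "users" : [], "param" : { "command" : "listIndexes" }, "result" : 0 }',
    'Apr 10 11:18:02 CentOS50G tag1 { "atype" : "authCheck", "local" : { "ip" : "127.0.0.1", "port" : 27017 }, '
    '"remote" : { "ip" : "127.0.0.1", "port" : 51234 }, "users" : [], "param" : { "command" : "find" }, "result" : 0 }',
    'Apr 10 11:19:40 CentOS50G tag1 { "atype" : "authenticate", "local" : { "ip" : "192.0.2.5", "port" : 27017 }, '
    '"remote" : { "ip" : "192.0.2.10", "port" : 40222 }, "users" : [], "param" : {}, "result" : 18 }',
    'Apr 10 11:20:00 CentOS50G tag1 { "atype" : "authCheck", "remote" : { "ip" : ',  # truncated on purpose
]

def parse_audit_line(line):
    """Return the audit event from a raw or syslog-prefixed line, or None if unusable."""
    start = line.find("{")  # assumption: the syslog prefix itself contains no "{"
    if start < 0:
        return None
    try:
        event = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) and "atype" in event else None

def classify_endpoint(endpoint):
    """Classify a "local"/"remote" sub-document as none, loopback, network or invalid."""
    ip = endpoint.get("ip") if isinstance(endpoint, dict) else None
    if not isinstance(ip, str):
        return "invalid"
    if ip == "(NONE)":
        return "none"  # placeholder the ticket ties to an AF_UNSPEC address family
    try:
        return "loopback" if ipaddress.ip_address(ip).is_loopback else "network"
    except ValueError:
        return "invalid"

def summarize(lines):
    """Count events per (atype, remote kind); collect events that carry no peer address."""
    counts, unattributed = Counter(), []
    for line in lines:
        event = parse_audit_line(line)
        if event is None:
            counts[("unparsed", "-")] += 1
            continue
        kind = classify_endpoint(event.get("remote"))
        counts[(event["atype"], kind)] += 1
        if kind == "none":
            unattributed.append(event)
    return counts, unattributed
```

Events returned in the second list have no network origin recorded and have to be correlated by other fields such as `ts`, `users` and `param`.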



 Comments   
Comment by Githook User [ 04/Dec/20 ]

Author:

{'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@10gen.com', 'username': 'shreyaskalyan'}

Message: SERVER-40569 Auditing '(NONE)' when address family is AF_UNSPEC
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/523e1fbdd742fe8d1cb0cdc53c8b6dba3d3eb52f

Comment by aditya [ 18/Apr/19 ]

Thanks @Eric Sedor.

 

What about giving the actual IP, instead of giving localhost or loopback, in the audit log when the operation is done from the mongo server itself? It would be helpful while auditing the log.

Comment by Eric Sedor [ 18/Apr/19 ]

Thanks for your report aditya123; we are passing this to an appropriate team to determine if this can be handled differently.

Comment by aditya [ 15/Apr/19 ]

mongod.conf:

# mongod.conf

# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/

# where to write logging data.
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

# Where and how to store data.
storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true
#  engine:
#  mmapv1:
#  wiredTiger:

# how the process runs
processManagement:
  fork: true  # fork and run in background
  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
  timeZoneInfo: /usr/share/zoneinfo

# network interfaces
net:
  port: 27017
  bindIp: 0.0.0.0  # Listen to local interface only, comment to listen on all interfaces.

#security:
security:
  authorization: enabled

auditLog:
  destination: file
  format: JSON
  path: /var/lib/mongo/auditLog.json
setParameter: { auditAuthorizationSuccess: true }
 

Comment by Eric Sedor [ 15/Apr/19 ]

aditya123 sorry to have been unclear. Can you also provide the command line and/or mongod.conf file used to run the mongod server?

Comment by aditya [ 12/Apr/19 ]

db version v3.6.12

MongoDB shell version v3.6.12
connecting to: mongodb://127.0.0.1:27017/?gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("9f1fe5c3-c5e4-4c97-aab2-30d366f05887") }
MongoDB server version: 3.6.12
MongoDB Enterprise > 

Comment by Eric Sedor [ 12/Apr/19 ]

Hello, can you please provide the MongoDB version and the command line options used to run mongod?

Generated at Thu Feb 08 04:55:22 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.