[SERVER-59604] Audit log authcheck record has incorrect command for unauthenticated user Created: 26/Aug/21  Updated: 29/Oct/23  Resolved: 28/Oct/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 4.2.15, 4.4.8, 5.0.2
Fix Version/s: 5.2.0

Type: Bug Priority: Major - P3
Reporter: Spencer Brown Assignee: Erwin Pe
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

This issue reproduces on MongoDB Enterprise 4.2.15, 4.4.8, and 5.0.2.

To reproduce, start a standalone mongod with audit enabled, connect with the legacy mongo shell without authenticating, and attempt to run (for example) db.foo.findOne(). Then check the audit log, you should see an entry similar to the above. The command field should contain "find", not "Error".

Sprint: Security 2021-11-01
Participants:

 Description   

When an unauthenticated user attempts a command that requires authentication, an authcheck record may be generated in the audit log. The record looks like this:

{ "atype" : "authCheck", "ts" : { "$date" : "2021-08-26T07:47:14.112-05:00" }, "uuid" : { "$binary" : "puZTT2N5RYWlDirvcy9Blw==", "$type" : "04" }, "local" : { "ip" : "127.0.2.1", "port" : 27017 }, "remote" : { "ip" : "127.0.0.1", "port" : 39250 }, "users" : [], "roles" : [], "param" : { "command" : "Error", "ns" : "admin" }, "result" : 13 }

Note the param.command field is "Error" rather than the actual command.



 Comments   
Comment by Githook User [ 28/Oct/21 ]

Author:

{'name': 'Erwin Pe', 'email': 'erwin.pe@mongodb.com', 'username': 'erwee'}

Message: SERVER-59604 Audit log authcheck record has incorrect command for unauthenticated user
Branch: master
https://github.com/mongodb/mongo/commit/2fa18e5051b2c3487a9bc5fb8a38a96cdf52dbc0

Generated at Thu Feb 08 05:47:39 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.