Guide: MongoDB Security

MongoDB Auditing: A Practical Guide

What Is MongoDB Auditing?

MongoDB is an open source, NoSQL database management system that enables storage and retrieval of document-oriented data. Organizations can use MongoDB for ad hoc queries, indexing, load balancing, aggregation, and server-side JavaScript execution.

MongoDB also provides security features such as authentication, access control, and encryption. Among these MongoDB security features, the database platform provides an auditing mechanism that writes every database event to a journal. MongoDB can be set up with an auditing guarantee, meaning that all database operations are guaranteed to be audited. This enables inspection of historic database activities for security, compliance, and troubleshooting purposes.

In this article:

The Importance of Database Auditing

Database auditing is one of the key components organizations must set up to ensure compliance with industry standards and regulations. For example, the EU General Data Protection Regulation (GDPR) sets data protection rules that must be integrated into applications, products, and services from the ground up, starting from the database.

Any system component that can access data might be compromised, leading to a data breach. Database auditing ensures that there is a clear audit trail of any activity on the database, especially sensitive operations such as changing user permissions, accessing sensitive data tables or fields, and deleting data. When a breach occurs, auditing makes it possible to trace back the breach to specific users and database operations. 

Related content: Read our guide on MongoDB monitoring and Securing data platforms keeps you away from data engineering

MongoDB Audit Guarantees

MongoDB’s auditing system records each audit event using an in-memory audit event buffer, periodically writing the buffer to disk. Suppose MongoDB collects multiple events from a given connection to the disk. In that case, it arranges them in order—the system ensures that all previous events related to the connection have been recorded before writing a new event.

 

MongoDB always writes audit event entries that correspond to operations affecting the database’s state first. Only then can the system write to the journal for the entry. For example, if an event modifies data in the database, MongoDB writes it to disk before adding the operation to the journal.

 

MongoDB must have journaling enabled to enable audit guarantees.

How to Configure Auditing in MongoDB

Specify the –auditDestination option to enable auditing  in MongoDB. Set the configuration by specifying the output destination for audit events.

Syslog output

Under the –auditDestination setting, specify syslog to output audit events in JSON to the system log. It should look like this:

mongod --dbpath data/db --auditDestination syslog

It is possible to add more options to the configuration. For example, specifying the –bind_ip lets clients connect to the deployment. Before binding to different IP addresses, it is recommended to enable security measures such as access control to prevent unauthorized access.

 

The syslog might have a message limit that truncates the audit messages. The auditing system cannot detect this truncation, so it may be necessary to specify the following configuration options:

storage:
   dbPath: DATA/db
auditLog:
   destination: syslog

Console output

Under the –auditDestination setting, specify console to enable the printing of audit events to stdout (standard output). It should look like this:

mongod --dbpath data/db --auditDestination console

It is possible to add more options to the configuration. For example, specifying the –bind_ip will allow clients to connect to the deployment and support running deployment members on multiple hosts. Before binding to different IP addresses, it is recommended to enable security measures such as access control to prevent unauthorized access.

 

It may be necessary to specify the following configuration options:

storage:
   dbPath: DATA/db
auditLog:
   destination: console

JSON output

There are several specifications for enabling the auditing system to print events to file using the JSON format:

--auditDestination 
--auditFormat
 --auditPath

The configuration might look like this:

mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json

This configuration enables the writing of audit events to file using the data/db/auditLog.json relative pathname.

 

An additional option is to rotate the audit file using the logRotate command—this may be independently or in combination with the server log. Use the systemLog.logRotate option to configure the specifics of rotation. Alternatively, use the –logRotate option in the command line. 

 

Additional configuration options may include:

storage:
   dbPath: DATA/db
auditLog:
   destination: file
   format: JSON
   path: DATA/db/auditLog.json

BSON output

The following specifications enable the auditing system to write audit events to file in the BSON format:

--auditDestination
--auditFormat 
--auditPath

The configuration might look like this:

mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson

This configuration enables audits and records events to a BSON file using the data/db/auditLog.bson relative pathname.

 

The server log file and audit file are rotated at the same time. Use the systemLog.logRotate option to configure the specifics of rotation. The –logRotate command-line configuration is also an option.

 

Additional configuration options may include:

storage:
   dbPath: DATA/db
auditLog:
   destination: file
   format: BSON
   path: DATA/db/auditLog.bson

For example, the bsondump data/db/auditLog.bson configuration will convert audit logs to a readable format using bsondump, outputting the result.

MongoDB Security with Satori

Satori’s data security platform provides comprehensive data auditing and monitoring. Complete data access audits and aggregated auditing of all query logs in a single location to store all logs. MongoDB. 

To learn more:

The information provided in this article and elsewhere on this website is meant purely for educational discussion and contains only general information about legal, commercial and other matters. It is not legal advice and should not be treated as such. Information on this website may not constitute the most up-to-date legal or other information. The information in this article is provided “as is” without any representations or warranties, express or implied. We make no representations or warranties in relation to the information in this article and all liability with respect to actions taken or not taken based on the contents of this article are hereby expressly disclaimed. You must not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider. This article may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites.