Guide: MongoDB Security

MongoDB Auditing: A Practical Guide

What Is MongoDB Auditing?

MongoDB is an open source, NoSQL database management system that enables storage and retrieval of document-oriented data. Organizations can use MongoDB for ad hoc queries, indexing, load balancing, aggregation, and server-side JavaScript execution.

MongoDB also provides security features such as authentication, access control, and encryption. Among these MongoDB security features, the database platform provides an auditing mechanism that writes every database event to a journal. MongoDB can be set up with an auditing guarantee, meaning that all database operations are guaranteed to be audited. This enables inspection of historic database activities for security, compliance, and troubleshooting purposes.

The Importance of Database Auditing

Database auditing is one of the key components organizations must set up to ensure compliance with industry standards and regulations. For example, the EU General Data Protection Regulation (GDPR) sets data protection rules that must be integrated into applications, products, and services from the ground up, starting from the database.

Any system component that can access data might be compromised, leading to a data breach. Database auditing ensures that there is a clear audit trail of any activity on the database, especially sensitive operations such as changing user permissions, accessing sensitive data tables or fields, and deleting data. When a breach occurs, auditing makes it possible to trace back the breach to specific users and database operations. 

MongoDB Audit Guarantees

MongoDB’s auditing system records each audit event in an in-memory audit event buffer and periodically writes that buffer to disk. When it writes several events that originate from the same connection, it preserves their order: the system ensures that all earlier events for that connection have been written before it writes a new one.

For operations that change the database’s state, MongoDB always writes the audit entry first, and only then writes the operation to the journal. For example, if an operation modifies data, the audit event describing it is written to disk before the operation itself is added to the journal.

Audit guarantees require journaling to be enabled on the MongoDB instance.

How to Configure Auditing in MongoDB

Specify the --auditDestination option to enable auditing in MongoDB. This option sets the output destination for audit events; the following sections show each supported destination.

Syslog output

Set --auditDestination to syslog to output audit events in JSON to the system log. It should look like this:

mongod --dbpath data/db --auditDestination syslog

It is possible to add more options to the configuration. For example, specifying --bind_ip lets clients connect to the deployment. Before binding to additional IP addresses, it is recommended to enable security measures such as access control to prevent unauthorized access.

Syslog may impose a message size limit that truncates audit messages. The auditing system neither detects nor reports this truncation. The equivalent configuration file options are:

storage:
   dbPath: data/db
auditLog:
   destination: syslog

Console output

Set --auditDestination to console to print audit events to stdout (standard output). It should look like this:

mongod --dbpath data/db --auditDestination console

It is possible to add more options to the configuration. For example, specifying --bind_ip allows clients to connect to the deployment and supports running deployment members on multiple hosts. Before binding to additional IP addresses, it is recommended to enable security measures such as access control to prevent unauthorized access.

The equivalent configuration file options are:

storage:
   dbPath: data/db
auditLog:
   destination: console

JSON output

Three options together direct the auditing system to write events to a file in JSON format:

--auditDestination
--auditFormat
--auditPath

The configuration might look like this:

mongod --dbpath data/db --auditDestination file --auditFormat JSON --auditPath data/db/auditLog.json

This configuration enables the writing of audit events to file using the data/db/auditLog.json relative pathname.

An additional option is to rotate the audit file using the logRotate command; this can be done independently of the server log or together with it. Use the systemLog.logRotate option to configure the specifics of rotation, or pass --logRotate on the command line.

The equivalent configuration file options are:

storage:
   dbPath: data/db
auditLog:
   destination: file
   format: JSON
   path: data/db/auditLog.json
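The JSON audit file is one document per line, which makes it straightforward to review for the sensitive operations mentioned earlier (permission changes, data deletion, failed logins). The following script is an added example, not part of the original article or of MongoDB itself; the sample lines are constructed to match the audit message layout (atype, ts, remote, users, param, result) and are not from a real deployment.

```python
import json

# Constructed sample of a JSON-format audit file (one document per line).
# These are not real audit records; the IPs, users and times are made up.
SAMPLE_AUDIT_LOG = """\
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:00.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":50112},"users":[],"roles":[],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}
{"atype":"authenticate","ts":{"$date":"2024-05-01T10:00:01.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":50113},"users":[{"user":"app","db":"admin"}],"roles":[{"role":"readWrite","db":"orders"}],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}
{"atype":"grantRolesToUser","ts":{"$date":"2024-05-01T10:05:00.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":50113},"users":[{"user":"app","db":"admin"}],"roles":[{"role":"readWrite","db":"orders"}],"param":{"user":"app","db":"admin","roles":[{"role":"root","db":"admin"}]},"result":0}
{"atype":"dropDatabase","ts":{"$date":"2024-05-01T10:06:00.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":50113},"users":[{"user":"app","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"ns":"orders"},"result":0}
{"atype":"find","ts":{"$date":"2024-05-01T10:07:00.000+00:00"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":50113},"users":[{"user":"app","db":"admin"}],"roles":[{"role":"root","db":"admin"}],"param":{"ns":"orders.items"},"result":0}
"""

# Event types the article singles out: permission changes and data deletion.
PRIVILEGE_EVENTS = {"createUser", "dropUser", "updateUser", "grantRolesToUser",
                    "revokeRolesFromUser", "createRole", "dropRole", "grantRolesToRole"}
DESTRUCTIVE_EVENTS = {"dropDatabase", "dropCollection", "dropAllUsersFromDatabase"}

def parse_audit_lines(text):
    """Yield one dict per non-empty line of a JSON-format audit file."""
    for raw in text.splitlines():
        raw = raw.strip()
        if raw:
            yield json.loads(raw)

def actor(event):
    """Authenticated user(s) on the connection, or 'anonymous' if none."""
    return ",".join(f"{u['user']}@{u['db']}" for u in event.get("users", [])) or "anonymous"

def flag_events(text):
    """Return (timestamp, category, description) tuples for noteworthy events."""
    findings = []
    for ev in parse_audit_lines(text):
        atype, ts = ev["atype"], ev["ts"]["$date"]
        src = ev.get("remote", {}).get("ip", "?")
        if atype == "authenticate" and ev["result"] != 0:   # non-zero result = failure
            findings.append((ts, "auth_failure",
                             f"user {ev['param'].get('user')} from {src} (result {ev['result']})"))
        elif atype in PRIVILEGE_EVENTS:
            findings.append((ts, "privilege_change",
                             f"{atype} by {actor(ev)}: {json.dumps(ev['param'])}"))
        elif atype in DESTRUCTIVE_EVENTS:
            findings.append((ts, "destructive", f"{atype} on {ev['param'].get('ns')} by {actor(ev)}"))
    return findings

if __name__ == "__main__":
    for ts, category, description in flag_events(SAMPLE_AUDIT_LOG):
        print(ts, category, description)
```

Point the script at a real auditLog.json by reading the file into flag_events; ordinary reads such as the find event pass through unflagged, which keeps the output focused on the operations worth reviewing.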

BSON output

The same three options direct the auditing system to write audit events to a file in BSON format:

--auditDestination
--auditFormat
--auditPath

The configuration might look like this:

mongod --dbpath data/db --auditDestination file --auditFormat BSON --auditPath data/db/auditLog.bson

This configuration enables audits and records events to a BSON file using the data/db/auditLog.bson relative pathname.

The server log file and audit file are rotated at the same time. Use the systemLog.logRotate option to configure the specifics of rotation, or pass --logRotate on the command line.

The equivalent configuration file options are:

storage:
   dbPath: data/db
auditLog:
   destination: file
   format: BSON
   path: data/db/auditLog.bson

To read the BSON audit file, run bsondump data/db/auditLog.bson, which converts the audit records to a readable JSON form and prints the result.
