How to enable unauthorized attempts at CRUD operations

M310: MongoDB Security, chapter Chapter 3: Auditing and Best Practices describes how to enable auditing CRUD operations by adding config file entry…

setParameter: { auditAuthorizationSuccess: true }

I assume this means log any CRUD operation where authentication was successful. But what about the opposite, where someone attempted to perform an operation where they are not authorized? How do we log that?

Hi Barron_43628,

You have access to Chapter 3 ? Those lessons weren’t supposed to start until Dec 11 according to the Syllabus.

David

Working on NHTTv2 and m310 concurrently. I don’t have access to chapter 3 yet.

NHTTv2 does not have a community forum and it seems this is a good question to have available to the community.

Now I’ve got even more questions ! What’s is NHTTv2 community ? I would refer them to the MongoDB documentation or to sign up for classes with MongoDB University !

Chapter 3: Auditing and Best Practices describes how to enable auditing CRUD operations by adding config file entry…

setParameter: { auditAuthorizationSuccess: true }

MongoDB audits CRUD commands that result is “not unauthorized”. (obviously that means that you’ll need to enabled authorization along with auditing)

Action Type(atype)  authCheck
Result:

`0` - Success

`13` - Unauthorized to perform the operation.

By default, the auditing system logs only the authorization failures. To enable the system to log authorization successes, use the auditAuthorizationSuccess parameter

We’ll discuss auditing in detail in Chapter 3 along with corresponding Lab assignments.

In the meantime you can always try it out on your own

https://docs.mongodb.com/manual/core/auditing/

Hope that helps,

David

Hi David,

Perfect answer. I configured to audit but did not include configuration for successful authcheck. I see what you mean - the authcheck where error is not zero do in fact show up. Very helpful answer. Thank you very much. On past projects using relational database applications my customers have requested this feature, so this is nice to have out of the box with MongoDB. Thank you for the help!

Best Regards,

Barron