DOCSP-14355 at rest encryption of audit logs (#220)

Co-authored-by: jason-price-mongodb <[email protected]>

Author: jason-price-mongodb

conf.py

@@ -76,7 +76,7 @@ def has(self, *args):
 ])
 
 source_constants = {
-    'version-dev': '5.2',   # Current development branch
+    'version-dev': '5.3',   # Current development branch
     'package-name-org': 'mongodb-org',
     'package-name-enterprise': 'mongodb-enterprise',
     'version': version,

snooty.toml

@@ -205,7 +205,7 @@ package-name-org = "mongodb-org"
 package-name-enterprise = "mongodb-enterprise"
 version = "5.0"
 release = "5.0.5"
-version-dev = "5.2"
+version-dev = "5.3"
 pgp-version = "{+version+}"
 rsa-key = "4B7C549A058F8B6B"
 pgp-fingerprint = "E162F504A20CDF15827F718D4B7C549A058F8B6B"

source/core/security-encryption-at-rest.txt

@@ -111,21 +111,49 @@ transport encryption.
 
 For details, see :ref:`rotate-encryption-keys`.
 
-Logging
-~~~~~~~
+Audit Log
+~~~~~~~~~
 
-.. versionadded:: 3.4 Available in MongoDB Enterprise only
+Available in MongoDB Enterprise only.
 
-The log file is not encrypted as a part of MongoDB's encrypted storage engine.
-A :binary:`~bin.mongod` running with :ref:`logging <monitoring-standard-loggging>`
-may output potentially sensitive information to log files as a part of normal
-operations, depending on the configured :ref:`log verbosity
-<log-messages-configure-verbosity>`.
+.. _security-encryption-at-rest-audit-log:
 
-MongoDB 3.4 Enterprise provides the :setting:`security.redactClientLogData`
-setting to prevent potentially sensitive information from entering the
-:binary:`~bin.mongod` process log. :setting:`~security.redactClientLogData`
-reduces detail in the log and may complicate log diagnostics.
+Use KMIP Server to Manage Keys for Encrypting the MongoDB Audit Log
+```````````````````````````````````````````````````````````````````
+
+Starting in MongoDB 5.3 Enterprise, you can use an external Key
+Management Interoperability Protocol (KMIP) server to securely manage
+the keys for encrypting the MongoDB audit log.
+
+To use a KMIP server with audit log encryption, configure these settings
+and parameters:
+
+- :setting:`auditLog.auditEncryptionKeyIdentifier` setting
+- :setting:`auditLog.compressionMode` setting
+- :parameter:`auditEncryptionHeaderMetadataFile` parameter
+- :parameter:`auditEncryptKeyWithKMIPGet` parameter
+
+For testing audit log encryption, you can also use the
+:setting:`auditLog.localAuditKeyFile` setting.
+
+Unencrypted Audit Log and Process Log
+`````````````````````````````````````
+
+This section applies if you are not using an external Key Management
+Interoperability Protocol (KMIP) server to manage keys for encrypting
+the audit log as shown in the previous section.
+
+The audit log file is not encrypted as a part of MongoDB's encrypted
+storage engine. A :binary:`~bin.mongod` running with :ref:`logging
+<monitoring-standard-loggging>` may output potentially sensitive
+information to log files as a part of normal operations, depending on
+the configured :ref:`log verbosity <log-messages-configure-verbosity>`.
+
+Use the :setting:`security.redactClientLogData` setting to prevent
+potentially sensitive information from entering the
+:binary:`~bin.mongod` process log.
+:setting:`~security.redactClientLogData` reduces detail in the log and
+may complicate log diagnostics.
 
 See the :ref:`log redaction <monitoring-log-redaction>` manual entry for
 more information.

source/includes/audit-compression-mode-option.rst

@@ -0,0 +1,23 @@
+.. versionadded:: 5.3
+
+Specifies the compression mode for :ref:`audit log encryption
+<security-encryption-at-rest-audit-log>`. You must also enable audit log
+encryption using either |audit-encryption-key-identifier-option| or
+|audit-local-keyfile-option|.
+
+|audit-compression-mode-option| can be set to one of these values:
+   
+.. list-table::
+   :header-rows: 1
+   :widths: 15 50
+   
+   * - Value
+     - Description
+   
+   * - ``zstd``
+     - Use the :term:`zstd` algorithm to compress the audit log.
+      
+   * - ``none`` *(default)*
+     - Do not compress the audit log.
+
+.. include:: /includes/note-audit-in-enterprise.rst

source/includes/audit-encryption-key-identifier-option.rst

@@ -0,0 +1,10 @@
+.. versionadded:: 5.3
+
+Specifies the unique identifier of the Key Management
+Interoperability Protocol (KMIP) key for :ref:`audit log encryption
+<security-encryption-at-rest-audit-log>`.
+
+You cannot use |audit-encryption-key-identifier-option| and
+|audit-local-keyfile-option| together.
+
+.. include:: /includes/note-audit-in-enterprise.rst

source/includes/audit-local-key-file-option.rst

@@ -0,0 +1,16 @@
+.. versionadded:: 5.3
+
+Specifies the path and file name for a local audit key file for
+:ref:`audit log encryption <security-encryption-at-rest-audit-log>`.
+
+.. note::
+
+   Only use |audit-local-keyfile-option| for testing because the key is
+   not secured. To secure the key, use
+   |audit-encryption-key-identifier-option| and an external Key
+   Management Interoperability Protocol (KMIP) server.
+   
+You cannot use |audit-local-keyfile-option| and
+|audit-encryption-key-identifier-option| together.
+
+.. include:: /includes/note-audit-in-enterprise.rst

source/includes/note-audit-in-enterprise.rst

@@ -0,0 +1,6 @@
+.. note::
+   
+   Available only in `MongoDB Enterprise
+   <http://www.mongodb.com/products/mongodb-enterprise-advanced?tck=docs_server>`_.
+   MongoDB Enterprise and Atlas have different configuration
+   requirements.

source/reference/configuration-file-settings-command-line-options-mapping.txt

@@ -17,6 +17,13 @@ and :binary:`~bin.mongos` command-line options.
    * - Configuration File Setting
      - ``mongod`` and ``mongos`` Command-Line Options
 
+   * - :setting:`auditLog.auditEncryptionKeyIdentifier`
+     - | :option:`mongod --auditEncryptionKeyUID`
+       | :option:`mongos --auditEncryptionKeyUID`
+
+   * - :setting:`auditLog.compressionMode`
+     - | :option:`mongod --auditCompressionMode`
+       | :option:`mongos --auditCompressionMode`
 
    * - :setting:`auditLog.destination`
      - | :option:`mongod --auditDestination`
@@ -30,6 +37,10 @@ and :binary:`~bin.mongos` command-line options.
      - | :option:`mongod --auditFormat`
        | :option:`mongos --auditFormat`
 
+   * - :setting:`auditLog.localAuditKeyFile`
+     - | :option:`mongod --auditLocalKeyFile`
+       | :option:`mongos --auditLocalKeyFile`
+
    * - :setting:`auditLog.path`
      - | :option:`mongod --auditPath`
        | :option:`mongos --auditPath`

source/reference/configuration-options.txt

@@ -4311,6 +4311,24 @@ LDAP Parameters
       path: <string>
       filter: <string>
 
+.. |audit-compression-mode-option| replace:: :setting:`auditLog.compressionMode`
+.. |audit-encryption-key-identifier-option| replace:: :setting:`auditLog.auditEncryptionKeyIdentifier`
+.. |audit-local-keyfile-option| replace:: :setting:`auditLog.localAuditKeyFile`
+
+.. setting:: auditLog.auditEncryptionKeyIdentifier
+
+   *Type*: string
+
+   .. include:: /includes/audit-encryption-key-identifier-option.rst
+
+.. setting:: auditLog.compressionMode
+
+   *Type*: string
+
+   .. |option-1| replace:: :setting:`auditLog.compressionMode`
+
+   .. include:: /includes/audit-compression-mode-option.rst
+
 .. setting:: auditLog.destination
 
    *Type*: string
@@ -4408,6 +4426,12 @@ LDAP Parameters
 
    .. include:: /includes/note-audit-in-enterprise-only.rst
 
+.. setting:: auditLog.localAuditKeyFile
+
+   *Type*: string
+
+   .. include:: /includes/audit-local-key-file-option.rst
+
 .. setting:: auditLog.path
 
    *Type*: string

source/reference/parameters.txt

@@ -4154,6 +4154,58 @@ Auditing Parameters
       Using the default value of 300 seconds, non-config nodes may lag up
       to 5 minutes behind a setAuditConfig command.
 
+.. parameter:: auditEncryptionHeaderMetadataFile
+
+   .. versionadded:: 5.3
+
+   *Type*: string
+
+   .. include:: /includes/note-audit-in-enterprise.rst
+
+   |both|
+
+   Path and file name for logging metadata audit headers for :ref:`audit
+   log encryption <security-encryption-at-rest-audit-log>`. A header is
+   placed at the top of each audit log file and contains metadata for
+   decrypting the audit log. The headers are also stored in the
+   :doc:`audit log </core/auditing>`.
+
+   You can only set :parameter:`auditEncryptionHeaderMetadataFile`
+   during startup in the :setting:`configuration file <setParameter>` or
+   with the ``--setParameter`` option on the command line. For example,
+   the following sets the path and file for
+   :parameter:`auditEncryptionHeaderMetadataFile`:
+
+   .. code-block:: bash
+
+      mongod --setParameter auditEncryptionHeaderMetadataFile=/auditFiles/auditHeadersMetadataFile.log
+
+.. parameter:: auditEncryptKeyWithKMIPGet
+
+   .. versionadded:: 5.3
+
+   *Type*: boolean
+
+   *Default*: false
+
+   .. include:: /includes/note-audit-in-enterprise.rst
+
+   |both|
+
+   Enables :ref:`audit log encryption
+   <security-encryption-at-rest-audit-log>` for Key Management
+   Interoperability Protocol (KMIP) servers that only support KMIP
+   protocol version 1.0 or 1.1.
+
+   You can only set :parameter:`auditEncryptKeyWithKMIPGet` during
+   startup in the :setting:`configuration file <setParameter>` or with
+   the ``--setParameter`` option on the command line. For example, the
+   following sets :parameter:`auditEncryptKeyWithKMIPGet` to ``true``:
+
+   .. code-block:: bash
+
+      mongod --setParameter auditEncryptKeyWithKMIPGet=true
+
 Transaction Parameters
 ~~~~~~~~~~~~~~~~~~~~~~