diff --git a/source/administration/security-checklist.txt b/source/administration/security-checklist.txt index 63665f4e737..b77c8518137 100644 --- a/source/administration/security-checklist.txt +++ b/source/administration/security-checklist.txt @@ -6,9 +6,9 @@ Security Checklist .. |arrow| unicode:: U+27A4 -*Last updated: 2020-03-25* +*Last updated: 2021-09-29* -This documents provides a list of security measures that you should +This document provides a list of security measures that you should implement to protect your MongoDB installation. The list is not meant to be exhaustive. 
@@ -20,46 +20,54 @@ Pre-production Checklist/Considerations |arrow| Enable Access Control and Enforce Authentication ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- Enable access control and specify the authentication mechanism. - You can use MongoDB's SCRAM or x.509 authentication mechanism or - integrate with your existing Kerberos/LDAP infrastructure. Authentication - requires that all clients and servers provide valid credentials - before they can connect to the system. +- Enable access control and specify an authentication mechanism. - | + MongoDB Community supports a number of :ref:`authentication mechanisms + ` that clients can use to verify + their identity: - See also: + - :ref:`authentication-scram` (*Default*) + - :ref:`x.509 Certificate Authentication `. - - :doc:`/core/authentication` - - :doc:`/tutorial/enable-authentication` + In addition to the preceding mechanisms, MongoDB Atlas and MongoDB + Enterprise support the following mechanisms: + + - :ref:`LDAP proxy authentication `, and + - :ref:`Kerberos authentication `. + + These mechanisms allow MongoDB to integrate into your + existing authentication system. + +.. seealso:: + + - :doc:`/core/authentication` + - :doc:`/tutorial/enable-authentication` .. _security-checklist-role-based-access-control: |arrow| Configure Role-Based Access Control ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- Create a user administrator **first**, then create additional - users. Create a unique MongoDB user for each person/application - that accesses the system. - +- Create a :ref:`user administrator ` **first**, then + create additional users. Create a unique MongoDB user for each + person/application that accesses the system. + - Follow the principle of least privilege. Create roles that define the exact access rights required by a set of users. Then create users and assign them only the roles they need to perform their operations. A user can be a person or a client application. .. 
note:: - + A user can have privileges across different databases. If a user requires privileges on multiple databases, create a single user with roles that grant applicable database privileges instead of creating the user multiple times in different databases. - | - - See also: +.. seealso:: - - :doc:`/core/authorization` - - :doc:`/tutorial/manage-users-and-roles` + - :doc:`/core/authorization` + - :doc:`/tutorial/manage-users-and-roles` |arrow| Encrypt Communication (TLS/SSL) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -72,33 +80,29 @@ Pre-production Checklist/Considerations .. include:: /includes/fact-tls-libraries.rst - .. note:: - - .. include:: /includes/fact-tls-1.0.rst +.. seealso:: - | - - See also: :doc:`/tutorial/configure-ssl`. - -.. |binary| replace:: MongoDB + :doc:`/tutorial/configure-ssl`. |arrow| Encrypt and Protect Data ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- Starting with MongoDB Enterprise 3.2, you can encrypt data in - the storage layer with the WiredTiger storage engine's native - :doc:`/core/security-encryption-at-rest`. +- You can encrypt data in the storage layer with the WiredTiger storage + engine's native :doc:`/core/security-encryption-at-rest`. - If you are not using WiredTiger's encryption at rest, MongoDB data should be encrypted on each host using file-system, device, - or physical encryption (e.g. dm-crypt). Protect MongoDB data - using file-system permissions. MongoDB data includes data files, - configuration files, auditing logs, and key files. - -- Collect logs to a central log store. These logs contain DB - authentication attempts including source IP address. - - + or physical encryption (for example dm-crypt). You should also protect + MongoDB data using file-system permissions. MongoDB data includes data + files, configuration files, auditing logs, and key files. + +- You can use :doc:`/core/security-client-side-encryption` to encrypt + fields in documents application-side prior to transmitting data over + the wire to the server. + +- Collect logs to a central log store. These logs contain database + authentication attempts including source IP addresses. + |arrow| Limit Network Exposure ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -111,25 +115,19 @@ Pre-production Checklist/Considerations - Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available. - .. note:: - - .. include:: /includes/fact-default-bind-ip-change.rst +.. seealso:: - | + - :doc:`/core/security-hardening` - See also: + - the :setting:`net.bindIp` configuration setting - - :doc:`/core/security-hardening` + - the :setting:`security.clusterIpSourceAllowlist` configuration + setting - - the :setting:`net.bindIp` configuration setting - - - the :setting:`security.clusterIpSourceAllowlist` configuration - setting - - - the :ref:`authenticationRestrictions - ` field to the - :method:`db.createUser()` command to specify a per-user IP - allow list. + - the :ref:`authenticationRestrictions + ` field to the + :method:`db.createUser()` command to specify a per-user IP + allow list. |arrow| Audit System Activity @@ -137,21 +135,19 @@ Pre-production Checklist/Considerations - Track access and changes to database configurations and data. `MongoDB Enterprise - `_ + `_ includes a system auditing facility that can record - system events (e.g. user operations, connection events) on a + system events (including user operations and connection events) on a MongoDB instance. These audit records permit forensic analysis - and allow administrators to verify proper controls. You can set - up filters to record specific events, such as authentication + and allow administrators to exercise proper controls. You can set + up filters to record only specific events, such as authentication events. - | - - See also: +.. seealso:: - - :doc:`/core/auditing` + - :doc:`/core/auditing` - - :doc:`/tutorial/configure-auditing` + - :doc:`/tutorial/configure-auditing` |arrow| Run MongoDB with a Dedicated User ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -160,9 +156,9 @@ Pre-production Checklist/Considerations account. Ensure that the account has permissions to access data but no unnecessary permissions. - | +.. seealso:: - See also: :doc:`/installation` + :doc:`/installation` .. _security-checklist-javascript: @@ -173,17 +169,16 @@ Pre-production Checklist/Considerations server-side operations: :dbcommand:`mapReduce`, :query:`$where`, :group:`$accumulator`, and :expression:`$function`. If you do not use these operations, disable server-side scripting by using - the :option:`--noscripting ` option on the - command line. + the :option:`--noscripting ` option. - Keep input validation enabled. MongoDB enables input validation by default through the :setting:`net.wireObjectCheck` setting. This ensures that all documents stored by the :binary:`~bin.mongod` instance are valid :term:`BSON`. - | +.. seealso:: - See also: :doc:`/core/security-hardening` + :doc:`/core/security-hardening` |arrow| Request a Security Technical Implementation Guide (where applicable) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -191,9 +186,7 @@ Pre-production Checklist/Considerations - The Security Technical Implementation Guide (STIG) contains security guidelines for deployments within the United States Department of Defense. MongoDB Inc. provides its STIG, upon - request, for situations where it is required. Please `request a - copy `_ for - more information. + `request `_. |arrow| Consider Security Standards Compliance ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -201,7 +194,7 @@ Pre-production Checklist/Considerations - For applications requiring HIPAA or PCI-DSS compliance, please refer to the `MongoDB Security Reference Architecture `_ - to learn more about how you can use the key security + to learn more about how you can use MongoDB's key security capabilities to build compliant application infrastructure. 
@@ -213,15 +206,14 @@ Periodic/Ongoing Production Checks - Consult the `MongoDB end of life dates `_ and upgrade your - MongoDB installation. In general, try to stay on the latest + MongoDB installation as needed. In general, try to stay on the latest version. - Ensure that your information security management system policies and procedures extend to your MongoDB installation, including performing the following: - - Periodically apply patches to your machine and review - guidelines. + - Periodically apply patches to your machine. - Review policy/procedure changes, especially changes to your network rules to prevent inadvertent MongoDB exposure to the diff --git a/source/includes/fact-tls-libraries.rst b/source/includes/fact-tls-libraries.rst index cdaa2f17fa1..085a41ff0c8 100644 --- a/source/includes/fact-tls-libraries.rst +++ b/source/includes/fact-tls-libraries.rst @@ -1,4 +1,4 @@ -Starting in version 4.0, MongoDB uses the native TLS/SSL OS libraries: +MongoDB uses the native TLS/SSL OS libraries: .. list-table:: :header-rows: 1
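Review bot: In hunk `@@ -20,46 +20,54 @@` the rewrite drops the sentence "Authentication requires that all clients and servers provide valid credentials before they can connect to the system", which is the one line in this item that says what enabling access control actually enforces, and the only mention that servers (cluster members) must authenticate too, not just clients. Keep it, for example as a closing sentence after the mechanism lists. Minor list consistency in the same hunk: the second bullet ends with a period (`x.509 Certificate Authentication `.`) while the first does not, and the LDAP bullet carries a dangling `, and`; drop the trailing period and the `, and` so the bullets read as a plain list.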
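Review bot: In hunk `@@ -72,33 +80,29 @@` replacing "Starting with MongoDB Enterprise 3.2, you can encrypt data in the storage layer" with "You can encrypt data in the storage layer" removes the edition qualifier along with the version; the version can go, but the Enterprise restriction should stay so a Community reader does not conclude the native encryption at rest is available to them. Suggest "MongoDB Enterprise can encrypt data in the storage layer with the WiredTiger storage engine's native ...". Two more points in the same hunk: the `.. include:: /includes/fact-tls-1.0.rst` note is deleted without replacement, so the TLS item no longer says anything about deprecated protocol versions; if that guidance still applies, keep the include or replace it with one sentence on the minimum TLS version to allow. And `.. |binary| replace:: MongoDB` is removed from this page; confirm that none of the `.. include::` files pulled into it still reference `|binary|`, since an undefined substitution breaks the build.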
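Review bot: In hunk `@@ -111,25 +115,19 @@` the `.. include:: /includes/fact-default-bind-ip-change.rst` note is removed, so the "Limit Network Exposure" item now tells readers to allow only trusted clients without stating what the server binds to by default. If the version-specific wording is what is being retired, replace it with one sentence giving the current default bind address rather than deleting the fact outright; the `net.bindIp` entry in the `.. seealso::` below is a pointer, not a statement of the default.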
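Review bot: In hunk `@@ -137,21 +135,19 @@` changing "allow administrators to verify proper controls" to "allow administrators to exercise proper controls" changes the meaning and makes it wrong: an audit log is evidence that lets you verify controls were applied, it does not itself exercise any control. Restore "verify". The other edits in the hunk ("record only specific events", "including user operations and connection events") are fine.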
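Review bot: In hunk `@@ -191,9 +186,7 @@` the STIG paragraph now ends with the fragment "Please `request `_." (link text "request" followed directly by a period), which reads as an unfinished sentence. The removed wording had the better link text; suggest keeping "Please `request a copy <...>`_." with the same target.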
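Review bot: In hunk `@@ -1,4 +1,4 @@` of `source/includes/fact-tls-libraries.rst` dropping "Starting in version 4.0," from a shared include changes every page that includes it, not just the security checklist. Check the other consumers of this file (in particular any version-specific or release-notes page) still read correctly without the qualifier before landing the change.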