Security Checklist

Last updated: 2020-03-25

This document provides a list of security measures that you should implement to protect your MongoDB installation. The list is not meant to be exhaustive.

Pre-production Checklist/Considerations

Enable Access Control and Enforce Authentication

Enable access control and specify the authentication mechanism. You can use MongoDB's SCRAM or x.509 authentication mechanism, or integrate with your existing Kerberos or LDAP infrastructure. Authentication requires that all clients and servers provide valid credentials before they can connect to the system.

See Authentication and Enable Access Control.

Configure Role-Based Access Control

Create a user administrator first, then create additional users. Create a unique MongoDB user for each person or application that accesses the system.


Follow the principle of least privilege. Create roles that define the exact access rights required by a set of users, then create users and assign them only the roles they need to perform their operations. A user can be a person or a client application.

Tip

A user can have privileges across different databases. If a user requires privileges on multiple databases, create a single user with roles that grant the applicable database privileges instead of creating the user multiple times in different databases.

See Role-Based Access Control and Manage Users and Roles.
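The sequence described in this section (user administrator first, then a custom role holding exactly the actions one application needs, then one user per application carrying that role), as an added shell example. This is not code from the MongoDB documentation; the user, role, database and collection names, the CA path and the mongosh invocation are assumptions.

```shell
#!/bin/sh
# Added example: bootstrap RBAC on a fresh mongod that already runs with
# security.authorization enabled. Names, paths and host are assumptions.
CA_FILE=${CA_FILE:-/etc/mongo/ca.pem}   # assumed CA that signed the server's TLS certificate

# Step 1: the user administrator. With access control on and no users yet, the
# localhost exception lets this one connection create it. It gets only
# userAdminAnyDatabase: it can manage users and roles, not read application data.
useradmin_js() {
  cat <<'EOF'
db.getSiblingDB("admin").createUser({
  user: "siteUserAdmin",
  pwd: passwordPrompt(),   // prompted, so the secret stays out of shell history and `ps`
  roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
});
EOF
}

# Step 2: one role with exactly the actions an application needs, then one user
# carrying that role. Defining the role in admin means the same user can later be
# granted privileges on further databases by extending the role, instead of being
# created again in another database. $1 = application name, $2 = its database.
app_rbac_js() {
  app=$1; appdb=$2
  cat <<EOF
const admin = db.getSiblingDB("admin");
admin.createRole({
  role: "${app}_rw",
  privileges: [
    { resource: { db: "${appdb}", collection: "orders" },    actions: [ "find", "insert", "update" ] },
    { resource: { db: "${appdb}", collection: "customers" }, actions: [ "find" ] }
  ],
  roles: []   // inherit nothing: built-in readWrite would also grant remove, dropCollection, createIndex
});
admin.createUser({
  user: "${app}",
  pwd: passwordPrompt(),
  roles: [ { role: "${app}_rw", db: "admin" } ]
});
EOF
}

# Run both steps against a TLS-only server. The second connection authenticates
# as the user administrator (mongosh prompts for the password when -u is given
# without -p).
apply_rbac() {
  host=${1:-127.0.0.1}
  mongosh --quiet --host "$host" --tls --tlsCAFile "$CA_FILE" --eval "$(useradmin_js)"
  mongosh --quiet --host "$host" --tls --tlsCAFile "$CA_FILE" \
    -u siteUserAdmin --authenticationDatabase admin --eval "$(app_rbac_js orders_api shop)"
}

case "${1-}" in
  apply) apply_rbac "${2-}" ;;   # usage: sh rbac.sh apply [host]
esac
```

The application user never receives a built-in role such as readWrite, dbOwner or root; if it later needs a new action, the action is added to its role, which keeps the grant reviewable in one place.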

Encrypt Communication (TLS/SSL)

Configure MongoDB to use TLS/SSL for all incoming and outgoing connections. Use TLS/SSL to encrypt communication between the mongod and mongos components of a MongoDB deployment as well as between all applications and MongoDB.

Starting in version 4.0, MongoDB uses the native TLS/SSL libraries of the operating system:

Windows Secure Channel (Schannel)
Linux/BSD OpenSSL
macOS Secure Transport

Note

Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.

See Configure mongod and mongos for TLS/SSL.

Encrypt and Protect Data

  • Starting with MongoDB Enterprise 3.2, you can encrypt data in the storage layer with the WiredTiger storage engine's native Encryption at Rest.
  • If you are not using WiredTiger's encryption at rest, MongoDB data should be encrypted on each host using file-system, device, or physical encryption (e.g. dm-crypt). Protect MongoDB data using file-system permissions. MongoDB data includes data files, configuration files, auditing logs, and key files.
  • Collect logs to a central log store. These logs contain DB authentication attempts including the source IP address.
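One use of the collected logs that the last item points at: summarizing failed authentication attempts per source IP so that a credential-guessing client stands out. This is an added shell example, not code from the MongoDB documentation. The log lines inside `sample_log` are constructed in the style of the 4.2 text log (ACCESS component); the exact field positions, and IPv4-only sources, are assumptions.

```shell
#!/bin/sh
# Added example: failed-authentication summary per source IP from mongod log
# lines. Sample lines are constructed; the log format is an assumption.

sample_log() {
  cat <<'EOF'
2020-03-25T10:01:12.345+0000 I  ACCESS   [conn31] SASL SCRAM-SHA-256 authentication failed for orders_api on admin from client 10.0.0.5:51234 ; AuthenticationFailed: SCRAM authentication failed, storedKey mismatch
2020-03-25T10:01:13.001+0000 I  ACCESS   [conn32] Successfully authenticated as principal orders_api on admin from client 10.0.0.5:51236
2020-03-25T10:02:40.120+0000 I  ACCESS   [conn40] SASL SCRAM-SHA-256 authentication failed for admin on admin from client 203.0.113.9:40001 ; UserNotFound: Could not find user "admin" for db "admin"
2020-03-25T10:02:40.388+0000 I  ACCESS   [conn41] SASL SCRAM-SHA-256 authentication failed for root on admin from client 203.0.113.9:40002 ; UserNotFound: Could not find user "root" for db "admin"
2020-03-25T10:02:40.651+0000 I  ACCESS   [conn42] SASL SCRAM-SHA-256 authentication failed for test on admin from client 203.0.113.9:40003 ; UserNotFound: Could not find user "test" for db "admin"
2020-03-25T10:02:40.902+0000 I  ACCESS   [conn43] SASL SCRAM-SHA-256 authentication failed for admin on admin from client 203.0.113.9:40004 ; AuthenticationFailed: SCRAM authentication failed, storedKey mismatch
EOF
}

# stdin: mongod log. stdout: "<failures> <distinct users tried> <source ip>",
# most failures first. Only the first "failed for <user>" and "client <ip:port>"
# tokens on a line are used, so the error text after ';' cannot skew the fields.
failed_auth_by_ip() {
  awk '/authentication failed for/ {
         user = ""; ip = ""
         for (i = 1; i <= NF; i++) {
           if ($i == "failed" && $(i+1) == "for" && user == "") user = $(i+2)
           if ($i == "client" && ip == "") { split($(i+1), a, ":"); ip = a[1] }   # IPv4 assumed
         }
         if (ip == "") next
         fails[ip]++
         if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
       }
       END { for (ip in fails) printf "%d %d %s\n", fails[ip], users[ip], ip }' \
  | sort -rn
}

# Source IPs with at least $1 failures: candidates for a firewall block, and a
# prompt to check whether the address belongs in the trusted client list at all.
flag_bruteforce() {
  failed_auth_by_ip | awk -v t="$1" '$1 >= t { print $3 }'
}

case "${1-}" in
  summary) failed_auth_by_ip ;;          # usage: sh authfail.sh summary < /var/log/mongodb/mongod.log
  flag)    flag_bruteforce "${2:-5}" ;;  # usage: sh authfail.sh flag 5 < /var/log/mongodb/mongod.log
esac
```

A single failure from an address that also authenticates successfully (a mistyped password) looks very different from several failures across several user names from an address that never succeeds; the distinct-user count in the second column is what separates the two.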

Limit Network Exposure

Ensure that MongoDB runs in a trusted network environment and configure firewalls or security groups to control inbound and outbound traffic for your MongoDB instances.

Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available. For instance, use IP whitelisting to allow access from trusted IP addresses (see ).

Note

Starting with MongoDB 3.6, the MongoDB binaries mongod and mongos bind to localhost by default. From MongoDB versions 2.6 to 3.4, only the binaries from the official MongoDB RPM (Red Hat, CentOS, Fedora Linux, and derivatives) and DEB (Debian, Ubuntu, and derivatives) packages bound to localhost by default. To learn more about this change, see Localhost Binding Compatibility Changes.

See:

  • Disable direct SSH root access.

Audit System Activity

Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (e.g. user operations, connection events) on a MongoDB instance. These audit records permit forensic analysis and allow administrators to verify proper controls. You can set up filters to record specific events, such as authentication events.

See Auditing and Configure Auditing.

Run MongoDB with a Dedicated User

Run MongoDB processes with a dedicated operating system user account. Ensure that the account has permissions to access data but no unnecessary permissions.

See Install MongoDB for more information on running MongoDB.
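The dedicated account from this section together with the file-system permissions asked for under Encrypt and Protect Data (data files, configuration, audit log and key file owned by that account and readable by nothing else), as an added shell example. It is not code from the MongoDB documentation; the account name and every path are assumptions, and the check relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example: run mongod under a dedicated system account and keep its data
# files, configuration, audit log and keyfile readable by that account only.
# The account name and all paths are assumptions.
MONGO_USER=${MONGO_USER:-mongod}

# A system account with no login shell: it exists only to own and run mongod.
create_service_account() {
  id "$MONGO_USER" >/dev/null 2>&1 ||
    useradd --system --shell /usr/sbin/nologin --home-dir /var/lib/mongo "$MONGO_USER"
}

# $1 dbPath  $2 configuration file  $3 keyfile  $4 log directory
set_permissions() {
  chown -R "$MONGO_USER:$MONGO_USER" "$1" "$4"
  chown "$MONGO_USER:$MONGO_USER" "$2" "$3"
  chmod 700 "$1" "$4"   # data and logs: only the service account reads or writes them
  chmod 600 "$2"        # the config names TLS material and audit paths
  chmod 400 "$3"        # keyfile: mongod refuses to start if group or other bits are set
}

# Prints "FAIL <path> ..." for each path not owned by the service account or
# readable by group/other; returns 1 if anything failed, 0 otherwise.
check_permissions() {
  bad=0
  for p in "$@"; do
    owner=$(stat -c '%U' "$p")
    mode=$(stat -c '%a' "$p")
    [ "$owner" = "$MONGO_USER" ] || { echo "FAIL $p owned by $owner, not $MONGO_USER"; bad=1; }
    case $mode in
      *00) ;;                        # group and other bits all clear
      *) echo "FAIL $p mode $mode lets other accounts read it"; bad=1 ;;
    esac
  done
  return $bad
}

# Typical use as root (assumed paths):
#   create_service_account
#   set_permissions   /var/lib/mongo /etc/mongod.conf /etc/mongo/keyfile /var/log/mongodb
#   check_permissions /var/lib/mongo /etc/mongod.conf /etc/mongo/keyfile /var/log/mongodb
```

`check_permissions` is the part worth running from a periodic job: a package upgrade or a hand-edited config can reintroduce group- or world-readable bits without any change to the MongoDB configuration itself.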

Run MongoDB with Secure Configuration Options

  • MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, $where, $accumulator, and $function. If you do not use these operations, disable server-side scripting by using the --noscripting option on the command line.
  • Keep input validation enabled. MongoDB enables input validation by default through the net.wireObjectCheck setting. This ensures that all documents stored by the mongod instance are valid BSON.
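The configuration-file side of the items above, pulled together in one place: access control (Enable Access Control and Enforce Authentication), TLS on every connection with TLS 1.0/1.1 off (Encrypt Communication), a restricted bind address (Limit Network Exposure), an audit log filtered to authentication and user-management events (Audit System Activity), server-side JavaScript off and the wire object check kept on (this section). This is an added shell example, not code from the MongoDB documentation. It prints a hardened mongod.conf and audits an existing one for the settings that undo those items; the paths, the internal interface address and the audit filter are assumptions, auditLog needs MongoDB Enterprise, and the keys follow the 4.2 configuration-file format.

```shell
#!/bin/sh
# Added example: print a hardened mongod.conf and audit an existing one.
# Paths, the internal interface and the audit filter are assumptions.

hardened_conf() {
  cat <<'EOF'
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5        # localhost plus one internal interface (assumed), never every interface
  wireObjectCheck: true             # the default; stated so a later edit cannot silently drop it
  tls:
    mode: requireTLS                # plaintext connections are refused
    certificateKeyFile: /etc/mongo/server.pem   # assumed path, mode 600, owned by the mongod account
    CAFile: /etc/mongo/ca.pem                   # assumed path; peer certificates are validated against it
    disabledProtocols: TLS1_0,TLS1_1
security:
  authorization: enabled            # every client must authenticate and is limited to its roles
  javascriptEnabled: false          # configuration-file form of --noscripting
auditLog:
  destination: file
  format: JSON
  path: /var/log/mongodb/audit.json # assumed path; ship it to the central log store
  filter: '{ atype: { $in: [ "authenticate", "createUser", "dropUser", "createRole", "grantRolesToUser" ] } }'
EOF
}

# Line-oriented checks of a YAML config file ($1). Prints one "FAIL ..." line per
# weak setting; returns 1 if any were found. Heuristic: it matches keys, not the
# YAML tree, so a key under the wrong parent would pass.
audit_conf() {
  conf=$1
  n=0
  fail() { echo "FAIL $1"; n=$((n+1)); }
  if grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true|^[[:space:]]*bindIp:.*0\.0\.0\.0' "$conf"; then
    fail "net.bindIp exposes mongod on every interface"
  fi
  grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled' "$conf" \
    || fail "security.authorization is not enabled (no authentication enforced)"
  grep -Eq '^[[:space:]]*mode:[[:space:]]*requireTLS' "$conf" \
    || fail "net.tls.mode is not requireTLS (plaintext connections accepted)"
  if grep -Eq '^[[:space:]]*allowInvalid(Certificates|Hostnames):[[:space:]]*true' "$conf"; then
    fail "TLS peer validation is weakened (allowInvalidCertificates/allowInvalidHostnames)"
  fi
  grep -Eq '^[[:space:]]*javascriptEnabled:[[:space:]]*false' "$conf" \
    || fail "server-side JavaScript is enabled (set security.javascriptEnabled: false or run with --noscripting)"
  if grep -Eq '^[[:space:]]*wireObjectCheck:[[:space:]]*false' "$conf"; then
    fail "net.wireObjectCheck is disabled (malformed BSON would be accepted)"
  fi
  [ "$n" -eq 0 ]
}

case "${1-}" in
  write) hardened_conf ;;                          # usage: sh mongod-conf.sh write > /etc/mongod.conf
  audit) audit_conf "${2:-/etc/mongod.conf}" ;;   # usage: sh mongod-conf.sh audit /etc/mongod.conf
esac
```

`audit_conf` is deliberately strict about absence: a file that never mentions `authorization` or `javascriptEnabled` is reported, because the defaults for both are the insecure direction.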

Request a Security Technical Implementation Guide (where applicable)

  The Security Technical Implementation Guide (STIG) contains security guidelines for deployments within the United States Department of Defense. MongoDB Inc. provides its STIG, upon request, for situations where it is required. Please request a copy for more information.

Consider Security Standards Compliance

  For applications requiring HIPAA or PCI-DSS compliance, please refer to the MongoDB Security Reference Architecture to learn more about how you can use the key security capabilities to build compliant application infrastructure.

Periodic/Ongoing Production Checks

  • Periodically check for MongoDB Product CVEs and upgrade your products.
  • Consult the MongoDB end of life dates and upgrade your MongoDB installation. In general, try to stay on the latest version.
Ensure that your information security management system policies and procedures extend to your MongoDB installation, including performing the following:

  • Periodically apply patches to your machine and review guidelines.
  • Review policy/procedure changes, especially changes to your network rules, to prevent inadvertent MongoDB exposure to the Internet.
  • Review MongoDB database users and periodically rotate them.