Security Checklist安全检查列表

Last updated: 2021-09-29

~~This document provides a list of security measures that you should implement to protect your MongoDB installation.~~ 本文档提供了保护MongoDB安装的安全措施列表。~~The list is not meant to be exhaustive.~~这份清单并非详尽无遗。

Pre-production Checklist/Considerations生产前检查表/注意事项

➤ Enable Access Control and Enforce Authentication启用访问控制并强制执行身份验证

~~Enable access control and specify an authentication mechanism.~~启用访问控制并指定身份验证机制。

~~MongoDB Community supports a number of authentication mechanisms that clients can use to verify their identity:~~MongoDB社区支持许多身份验证机制，客户端可以使用这些机制来验证其身份：
- SCRAM (Default)
- x.509 ~~Certificate Authentication~~证书认证.。
~~In addition to the preceding mechanisms, MongoDB Atlas and MongoDB Enterprise support the following mechanisms:~~除上述机制外，MongoDB Atlas和MongoDB Enterprise还支持以下机制：
- ~~LDAP proxy authentication~~LDAP代理身份验证~~, and~~以及
- ~~Kerberos authentication~~Kerberos认证.。
~~These mechanisms allow MongoDB to integrate into your existing authentication system.~~这些机制允许MongoDB集成到现有的身份验证系统中。

~~Tip~~提示

~~See also:~~ 参阅：

➤ Configure Role-Based Access Control配置基于角色的访问控制

~~Create a user administrator first, then create additional users. Create a unique MongoDB user for each person/application that accesses the system.~~首先创建用户管理员，然后创建其他用户。为访问系统的每个人/应用程序创建唯一的MongoDB用户。
~~Follow the principle of least privilege.~~ 遵循最低权限原则。~~Create roles that define the exact access rights required by a set of users.~~ 创建定义一组用户所需的确切访问权限的角色。~~Then create users and assign them only the roles they need to perform their operations.~~ 然后创建用户并仅为其分配执行操作所需的角色。~~A user can be a person or a client application.~~用户可以是个人或客户端应用程序。

~~Note~~注意

~~A user can have privileges across different databases.~~ 用户可以拥有跨不同数据库的权限。~~If a user requires privileges on multiple databases, create a single user with roles that grant applicable database privileges instead of creating the user multiple times in different databases.~~如果用户需要对多个数据库的权限，请创建具有授予适用数据库权限的角色的单个用户，而不是在不同的数据库中多次创建该用户。

~~Tip~~提示

~~See also:~~ 参阅：

➤ Encrypt Communication (TLS/SSL)加密通信（TLS/SSL）

~~Configure MongoDB to use TLS/SSL for all incoming and outgoing connections.~~ 将MongoDB配置为对所有传入和传出连接使用TLS/SSL。~~Use TLS/SSL to encrypt communication between mongod and mongos components of a MongoDB deployment as well as between all applications and MongoDB.~~使用TLS/SSL加密MongoDB部署的mongod和mongos组件之间以及所有应用程序和MongoDB之间的通信。

~~MongoDB uses the native TLS/SSL OS libraries:~~MongoDB使用本机TLS/SSL操作系统库：

Platform TLS/SSL Library

Windows Secure Channel (Schannel)

Linux/BSD OpenSSL

macOS Secure Transport

Platform	TLS/SSL Library
Windows	Secure Channel (Schannel)
Linux/BSD	OpenSSL
macOS	Secure Transport

~~Tip~~提示

~~See also:~~ 参阅：

~~Configure mongod and mongos for TLS/SSL~~为TLS/SSL配置mongod和mongos

➤ Encrypt and Protect Data加密和保护数据

~~You can encrypt data in the storage layer with the WiredTiger storage engine's native Encryption at Rest.~~您可以使用WiredTiger存储引擎的本机静态加密来加密存储层中的数据。
~~If you are not using WiredTiger's encryption at rest, MongoDB data should be encrypted on each host using file-system, device, or physical encryption (for example dm-crypt).~~ 如果您不使用WiredTiger的静态加密，则应使用文件系统、设备或物理加密（例如dm crypt）在每个主机上加密MongoDB数据。~~You should also protect MongoDB data using file-system permissions.~~ 您还应该使用文件系统权限来保护MongoDB数据。~~MongoDB data includes data files, configuration files, auditing logs, and key files.~~MongoDB数据包括数据文件、配置文件、审核日志和密钥文件。
~~You can use Client-Side Field Level Encryption to encrypt fields in documents application-side prior to transmitting data over the wire to the server.~~您可以使用客户端字段级加密来加密文档应用程序端的字段，然后再将数据通过有线传输到服务器。
~~Collect logs to a central log store.~~ 将日志集合到中央日志存储。~~These logs contain database authentication attempts including source IP addresses.~~这些日志包含数据库身份验证尝试，包括源IP地址。

➤ Limit Network Exposure限制网络暴露

~~Ensure that MongoDB runs in a trusted network environment and configure firewall or security groups to control inbound and outbound traffic for your MongoDB instances.~~确保MongoDB在受信任的网络环境中运行，并配置防火墙或安全组来控制MongoDB实例的入站和出站流量。
~~Disable direct SSH root access.~~禁用直接SSH根访问。
~~Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.~~仅允许受信任的客户端访问MongoDB实例可用的网络接口和端口。

~~Tip~~提示

~~See also:~~ 参阅：

~~Network and Configuration Hardening~~网络和配置强化
~~the net.bindIp configuration setting~~net.bindIp配置设置
~~the security.clusterIpSourceAllowlist configuration setting~~security.clusterIpSourceAllowlist配置设置
~~the authenticationRestrictions field to the db.createUser() command to specify a per-user IP allow list.~~db.createUser()命令的authenticationRestrictions字段用于指定每个用户的IP允许列表。

➤ Audit System Activity审计系统活动

~~Track access and changes to database configurations and data.~~ 跟踪对数据库配置和数据的访问和更改。~~MongoDB Enterprise includes a system auditing facility that can record system events (including user operations and connection events) on a MongoDB instance.~~ MongoDB Enterprise包括一个系统审计工具，可以记录MongoDB实例上的系统事件（包括用户操作和连接事件）。~~These audit records permit forensic analysis and allow administrators to exercise proper controls.~~ 这些审计记录允许进行法医分析，并允许管理员实施适当的控制。~~You can set up filters to record only specific events, such as authentication events.~~您可以设置筛选器以仅记录特定事件，例如身份验证事件。

~~Tip~~提示

~~See also:~~ 参阅：

➤ Run MongoDB with a Dedicated User使用专用用户运行MongoDB

~~Run MongoDB processes with a dedicated operating system user account.~~ 使用专用操作系统用户帐户运行MongoDB进程。~~Ensure that the account has permissions to access data but no unnecessary permissions.~~确保该帐户具有访问数据的权限，但没有不必要的权限。

~~Tip~~提示

~~See also:~~ 参阅：

~~Install MongoDB~~安装MongoDB

➤ Run MongoDB with Secure Configuration Options使用安全配置选项运行MongoDB

~~MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, $where, $accumulator, and $function.~~ MongoDB支持为某些服务器端操作执行JavaScript代码：mapReduce、$where、$accumulator和$function。~~If you do not use these operations, disable server-side scripting by using the --noscripting option.~~如果不使用这些操作，请使用--noscripting选项禁用服务器端脚本。
~~Keep input validation enabled.~~ 保持输入验证处于启用状态。~~MongoDB enables input validation by default through the net.wireObjectCheck setting.~~ 默认情况下，MongoDB通过net.wireObjectCheck设置启用输入验证。~~This ensures that all documents stored by the mongod instance are valid BSON.~~这确保了mongod实例存储的所有文档都是有效的BSON。

~~Tip~~提示

~~See also:~~ 参阅：

~~Network and Configuration Hardening~~网络和配置强化

➤ Request a Security Technical Implementation Guide (where applicable)请求安全技术实施指南（如适用）

~~The Security Technical Implementation Guide (STIG) contains security guidelines for deployments within the United States Department of Defense.~~ 《安全技术实施指南》（STIG）包含美国国防部内部部署的安全指南。~~MongoDB Inc. provides its STIG, upon request.~~MongoDB股份有限公司应要求提供其STIG。

➤ Consider Security Standards Compliance考虑安全标准遵从性

For applications requiring HIPAA or PCI-DSS compliance, please refer to the MongoDB Security Reference Architecture to learn more about how you can use MongoDB's key security capabilities to build compliant application infrastructure.对于需要符合HIPAA或PCI-DSS的应用程序，请参阅MongoDB安全参考体系结构，以了解如何使用MongoDB的关键安全功能构建符合要求的应用程序基础设施。

Periodic/Ongoing Production Checks定期/持续生产检查

~~Periodically check for MongoDB Product CVE and upgrade your products .~~定期检查MongoDB产品CVE并升级您的产品。
~~Consult the MongoDB end of life dates and upgrade your MongoDB installation as needed.~~ 请参阅MongoDB生命周期结束日期，并根据需要升级您的MongoDB安装。~~In general, try to stay on the latest version.~~一般来说，尽量保持最新版本。
~~Ensure that your information security management system policies and procedures extend to your MongoDB installation, including performing the following:~~确保您的信息安全管理系统策略和过程扩展到您的MongoDB安装，包括执行以下操作：
- ~~Periodically apply patches to your machine.~~定期将修补程序应用到您的计算机。
- ~~Review policy/procedure changes, especially changes to your network rules to prevent inadvertent MongoDB exposure to the Internet.~~审查策略/程序更改，特别是网络规则的更改，以防止MongoDB无意中暴露在互联网上。
- ~~Review MongoDB database users and periodically rotate them.~~查看MongoDB数据库用户并定期轮换他们。

← Security Enable Access Control →