Security Checklist
This document provides a list of security measures that you should implement to protect your MongoDB installation. The list is not meant to be exhaustive.
Pre-production Checklist/Considerations
➤ Enable Access Control and Enforce Authentication
Enable access control and specify an authentication mechanism. MongoDB Community supports a number of authentication mechanisms that clients can use to verify their identity. In addition to the mechanisms available in MongoDB Community, MongoDB Atlas and MongoDB Enterprise support further mechanisms that allow MongoDB to integrate into your existing authentication system.
➤ Configure Role-Based Access Control
Create a user administrator first, then create additional users. Create a unique MongoDB user for each person/application that accesses the system.
Follow the principle of least privilege. Create roles that define the exact access rights required by a set of users. Then create users and assign them only the roles they need to perform their operations. A user can be a person or a client application.
Note: A user can have privileges across different databases. If a user requires privileges on multiple databases, create a single user with roles that grant applicable database privileges instead of creating the user multiple times in different databases.
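The provisioning order described above (user administrator first, then a custom role, then one user per application) as an added example written for this page; it is not code from the MongoDB documentation. It also shows the authenticationRestrictions field mentioned under Limit Network Exposure. The database name, role name, user names and CIDR ranges are placeholders, and the `secrets` object stands in for passwords fetched from a secret store.

```javascript
// Added example (not code from the MongoDB documentation): provisioning a user
// administrator first, then a least-privilege role and one user per application,
// with the per-user authenticationRestrictions IP allow list. Database, role and
// user names and the CIDR ranges are illustrative placeholders.
// In mongosh, run:
//   provisionUsers(db.getSiblingDB("admin"), db.getSiblingDB("inventory"), secrets)
// where `secrets` holds passwords fetched from your secret store.

const APP_DB = "inventory";          // assumed application database
const APP_ROLE = "inventoryWriter";  // assumed custom role name

// Built-in roles that grant far more than a single application needs.
const OVERLY_BROAD_ROLES = new Set([
  "root", "dbOwner", "readWriteAnyDatabase", "userAdminAnyDatabase",
  "dbAdminAnyDatabase", "clusterAdmin", "__system",
]);

// A role listing exactly the actions the application performs, on exactly the
// collections it touches, instead of the broad readWrite or dbOwner roles.
function appRoleSpec() {
  return {
    createRole: APP_ROLE,
    privileges: [
      { resource: { db: APP_DB, collection: "items" }, actions: ["find", "insert", "update"] },
      { resource: { db: APP_DB, collection: "audit_trail" }, actions: ["insert"] },
    ],
    roles: [],
  };
}

// The user administrator lives in the admin database and is created before
// any other user, so later user management runs under an authorized identity.
function userAdminSpec(password) {
  return {
    createUser: "useradmin",
    pwd: password,
    roles: [{ role: "userAdminAnyDatabase", db: "admin" }],
  };
}

// One MongoDB user per application. authenticationRestrictions limits the
// client networks this principal may authenticate from and the server
// addresses it may connect to, both in CIDR notation.
function appUserSpec(password) {
  return {
    createUser: "inventory-svc",
    pwd: password,
    roles: [{ role: APP_ROLE, db: APP_DB }],
    authenticationRestrictions: [
      { clientSource: ["10.20.0.0/24"], serverAddress: ["10.20.1.0/24"] },
    ],
  };
}

// Guard for application users: refuse specs that hand out cluster-wide or
// database-owner power, or that omit the IP allow list.
function assertLeastPrivilege(userSpec) {
  const broad = (userSpec.roles || []).filter((r) => OVERLY_BROAD_ROLES.has(r.role));
  if (broad.length > 0) {
    throw new Error(`${userSpec.createUser}: overly broad roles: ${broad.map((r) => r.role).join(", ")}`);
  }
  if (!Array.isArray(userSpec.authenticationRestrictions) || userSpec.authenticationRestrictions.length === 0) {
    throw new Error(`${userSpec.createUser}: missing authenticationRestrictions`);
  }
  return true;
}

// Issues the commands in the order the checklist prescribes. `adminDb` and
// `appDb` are database handles exposing runCommand (mongosh or a driver).
// Returns the command names issued so the sequence can be verified.
function provisionUsers(adminDb, appDb, secrets) {
  const issued = [];
  const run = (dbHandle, cmd) => { dbHandle.runCommand(cmd); issued.push(Object.keys(cmd)[0]); };
  run(adminDb, userAdminSpec(secrets.userAdmin));
  run(appDb, appRoleSpec());
  const appUser = appUserSpec(secrets.appUser);
  assertLeastPrivilege(appUser);
  run(appDb, appUser);
  return issued;
}
```

The application user is created in its own database, so that database is its authentication database; the guard deliberately rejects built-in "AnyDatabase" and owner roles for application identities, while the user administrator keeps userAdminAnyDatabase because that is its job.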
➤ Encrypt Communication (TLS/SSL)
Configure MongoDB to use TLS/SSL for all incoming and outgoing connections. Use TLS/SSL to encrypt communication between mongod and mongos components of a MongoDB deployment as well as between all applications and MongoDB.
MongoDB uses the native TLS/SSL OS libraries:
Platform     TLS/SSL Library
Windows      Secure Channel (Schannel)
Linux/BSD    OpenSSL
macOS        Secure Transport
See also: Configure mongod and mongos for TLS/SSL.
➤ Encrypt and Protect Data
You can encrypt data in the storage layer with the WiredTiger storage engine's native Encryption at Rest.
If you are not using WiredTiger's encryption at rest, MongoDB data should be encrypted on each host using file-system, device, or physical encryption (for example dm-crypt).
You should also protect MongoDB data using file-system permissions. MongoDB data includes data files, configuration files, auditing logs, and key files.
You can use Queryable Encryption or Client-Side Field Level Encryption to encrypt fields in documents application-side prior to transmitting data over the wire to the server.
Collect logs to a central log store. These logs contain database authentication attempts including source IP addresses.
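One thing a central log store makes possible is the check below: grouping failed authentication attempts by source IP. This is an added example written for this page, not code from the MongoDB documentation. The field names follow MongoDB's JSON structured log format (t, s, c, id, ctx, msg, attr) as the author of this example understands it; the sample lines are constructed and abbreviated, and the success-message fields in particular are an assumption.

```javascript
// Added example (not code from the MongoDB documentation): scanning mongod
// log lines collected in a central log store for failed authentication
// attempts and grouping them by source IP. Field names follow MongoDB's JSON
// structured log format; the lines below are constructed and abbreviated.

const SAMPLE_LOG_LINES = [
  '{"t":{"$date":"2024-05-01T10:00:01.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn12","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"inventory-svc","authenticationDatabase":"inventory","remote":"203.0.113.7:51234","error":"AuthenticationFailed"}}',
  '{"t":{"$date":"2024-05-01T10:00:02.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn13","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"admin","authenticationDatabase":"admin","remote":"203.0.113.7:51240","error":"AuthenticationFailed"}}',
  '{"t":{"$date":"2024-05-01T10:00:03.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn14","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"root","authenticationDatabase":"admin","remote":"203.0.113.7:51241","error":"AuthenticationFailed"}}',
  '{"t":{"$date":"2024-05-01T10:00:04.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn15","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"inventory-svc","authenticationDatabase":"inventory","remote":"203.0.113.7:51242","error":"AuthenticationFailed"}}',
  '{"t":{"$date":"2024-05-01T10:00:05.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn16","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"inventory-svc","authenticationDatabase":"inventory","remote":"10.20.0.5:40110","error":"AuthenticationFailed"}}',
  '{"t":{"$date":"2024-05-01T10:00:06.000+00:00"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn17","msg":"Successfully authenticated","attr":{"client":"10.20.0.5:40112","mechanism":"SCRAM-SHA-256","user":"inventory-svc","db":"inventory"}}',
  '2024-05-01T10:00:07Z truncated line {"t":',   // constructed corrupt line
];

// Parse one line; malformed or truncated lines are skipped rather than fatal,
// because a shipper that drops a partial line must not stop the whole scan.
function parseLogLine(line) {
  try {
    const entry = JSON.parse(line);
    return entry && typeof entry.msg === "string" ? entry : null;
  } catch (_) {
    return null;
  }
}

// "203.0.113.7:51234" -> "203.0.113.7"; "[2001:db8::1]:51234" -> "2001:db8::1"
function sourceIp(remote) {
  if (typeof remote !== "string") return null;
  const bracket = remote.match(/^\[(.+)\]:\d+$/);
  if (bracket) return bracket[1];
  const i = remote.lastIndexOf(":");
  return i === -1 ? remote : remote.slice(0, i);
}

// Map of source IP -> { failures, users } built from ACCESS "Authentication failed" entries.
function failedAuthBySource(lines) {
  const bySource = new Map();
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e || e.c !== "ACCESS" || e.msg !== "Authentication failed") continue;
    const ip = sourceIp(e.attr && e.attr.remote);
    if (!ip) continue;
    const rec = bySource.get(ip) || { failures: 0, users: new Set() };
    rec.failures += 1;
    if (e.attr.principalName) rec.users.add(e.attr.principalName);
    bySource.set(ip, rec);
  }
  return bySource;
}

// Sources with at least `threshold` failures, with the user names they tried.
function suspiciousSources(lines, threshold) {
  return [...failedAuthBySource(lines)]
    .filter(([, rec]) => rec.failures >= threshold)
    .map(([ip, rec]) => ({ ip, failures: rec.failures, users: [...rec.users].sort() }));
}
```

Run over real collected logs, the threshold and the time window (not modelled here) should match the client's normal retry behaviour so that a single misconfigured service does not page the on-call engineer; the list of attempted user names is what separates a stale credential from someone guessing account names.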
➤ Limit Network Exposure
Ensure that MongoDB runs in a trusted network environment and configure firewall or security groups to control inbound and outbound traffic for your MongoDB instances.
Disable direct SSH root access.
Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.
See also:
Network and Configuration Hardening
the net.bindIp configuration setting
the security.clusterIpSourceAllowlist configuration setting
the authenticationRestrictions field to the db.createUser() command to specify a per-user IP allow list
➤ Audit System Activity
Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (including user operations and connection events) on a MongoDB instance. These audit records permit forensic analysis and allow administrators to exercise proper controls.
You can set up filters to record only specific events, such as authentication events.
➤ Run MongoDB with a Dedicated User
Run MongoDB processes with a dedicated operating system user account. Ensure that the account has permissions to access data but no unnecessary permissions.
➤ Run MongoDB with Secure Configuration Options
MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, $where, $accumulator, and $function. If you do not use these operations, disable server-side scripting by using the --noscripting option.
Keep input validation enabled. MongoDB enables input validation by default through the net.wireObjectCheck setting. This ensures that all documents stored by the mongod instance are valid BSON.
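The settings from the TLS/SSL, Limit Network Exposure, Audit System Activity and Secure Configuration Options items above, gathered into one mongod.conf check. This is an added example written for this page, not code from the MongoDB documentation. Both configurations are constructed illustrations, written as JavaScript objects that mirror the YAML keys as a YAML parser would produce them; the file paths and addresses are placeholders, and the auditLog section applies to MongoDB Enterprise only.

```javascript
// Added example (not code from the MongoDB documentation): checking a parsed
// mongod.conf against the settings named in this checklist. Both objects are
// constructed illustrations mirroring the YAML keys; paths and addresses are
// placeholders.

const WEAK_CONFIG = {
  net: { port: 27017, bindIp: "0.0.0.0" },   // every interface, no TLS
  storage: { dbPath: "/var/lib/mongodb" },    // no security section: no access control
};

const HARDENED_CONFIG = {
  net: {
    port: 27017,
    bindIp: "127.0.0.1,10.20.1.15",           // loopback plus the internal interface only
    tls: {
      mode: "requireTLS",                     // plaintext connections are rejected
      certificateKeyFile: "/etc/mongodb/tls/server.pem",   // placeholder path
      CAFile: "/etc/mongodb/tls/ca.pem",                   // placeholder path
    },
    wireObjectCheck: true,                    // the default, kept explicit so drift is visible
  },
  security: {
    authorization: "enabled",
    javascriptEnabled: false,                 // config-file form of --noscripting
    clusterIpSourceAllowlist: ["10.20.1.0/24"],  // peers allowed to authenticate as cluster members
  },
  auditLog: {                                 // MongoDB Enterprise only
    destination: "file",
    format: "JSON",
    path: "/var/log/mongodb/audit.json",      // placeholder path
    filter: '{ atype: { $in: ["authenticate", "createUser", "dropUser", "grantRolesToUser"] } }',
  },
  storage: { dbPath: "/var/lib/mongodb" },
};

// Returns a list of findings; an empty list means every checked setting is in
// its hardened state. Absent keys are evaluated at their mongod defaults
// (bindIp defaults to localhost, wireObjectCheck and javascriptEnabled to true).
function auditMongodConfig(cfg) {
  const findings = [];
  const net = cfg.net || {};
  const sec = cfg.security || {};

  if (sec.authorization !== "enabled") {
    findings.push("security.authorization is not 'enabled': access control is off");
  }
  const bound = String(net.bindIp || "localhost").split(",").map((s) => s.trim());
  if (net.bindIpAll === true || bound.includes("0.0.0.0") || bound.includes("::")) {
    findings.push("net.bindIp exposes the instance on all interfaces");
  }
  if (!net.tls || net.tls.mode !== "requireTLS") {
    findings.push("net.tls.mode is not 'requireTLS': unencrypted connections are accepted");
  }
  if (sec.javascriptEnabled !== false) {
    findings.push("security.javascriptEnabled is not false: server-side scripting is on");
  }
  if (net.wireObjectCheck === false) {
    findings.push("net.wireObjectCheck is disabled: invalid BSON is not rejected");
  }
  if (!Array.isArray(sec.clusterIpSourceAllowlist) || sec.clusterIpSourceAllowlist.length === 0) {
    findings.push("security.clusterIpSourceAllowlist not set: any host may attempt cluster authentication");
  }
  return findings;
}
```

The check treats preferTLS and allowTLS as findings on purpose: both still accept plaintext clients, which is what a migration window needs but not what a production instance should keep. The clusterIpSourceAllowlist finding is only meaningful for replica set or sharded cluster members; a standalone instance can ignore it.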
➤ Request a Security Technical Implementation Guide (where applicable)
➤ Consider Security Standards Compliance
For applications requiring HIPAA or PCI-DSS compliance, please refer to the MongoDB Security Reference Architecture to learn more about how you can use MongoDB's key security capabilities to build compliant application infrastructure.
Antivirus and Endpoint Detection and Response Scanning
If you use an antivirus (AV) scanner or an endpoint detection and response (EDR) scanner, configure your scanner to exclude the database storage path and the database log path from the scan.
The data files in the database storage path are compressed. Additionally, if you use the encrypted storage engine, the data files are also encrypted. The I/O and CPU costs to scan these files may significantly decrease performance without providing any security benefits.
If you don't exclude the directories in your database storage path and database log path, the scanner could quarantine or delete important files. Missing or quarantined files can corrupt your database and crash your MongoDB instance.
Periodic/Ongoing Production Checks
Periodically check for MongoDB Product CVEs and upgrade your products.
Consult the MongoDB end of life dates and upgrade your MongoDB installation as needed. In general, try to stay on the latest version.
Ensure that your information security management system policies and procedures extend to your MongoDB installation, including performing the following:
Periodically apply patches to your machine.
Review policy/procedure changes, especially changes to your network rules to prevent inadvertent MongoDB exposure to the Internet.
Review MongoDB database users and periodically rotate them.
Report Suspected Security Bugs
If you suspect that you have identified a security bug in any MongoDB products, please report the issue through the MongoDB Bug Submission Form.