Database Manual / Self-Managed Deployments / Security

Security Checklist for Self-Managed Deployments自我管理部署的安全检查表

This document provides a list of security measures that you should implement to protect your MongoDB installation. The list is not meant to be exhaustive.本文档提供了您应该实施的安全措施列表,以保护MongoDB安装。这份清单并不详尽。

Pre-production Checklist/Considerations预生产检查表/注意事项

Enable Access Control and Enforce Authentication启用访问控制并强制身份验证

Tip

Configure Role-Based Access Control配置基于角色的访问控制

  • Create a user administrator first, then create additional users. Create a unique MongoDB user for each person/application that accesses the system.首先创建用户管理员,然后创建其他用户。为访问系统的每个人/应用程序创建一个唯一的MongoDB用户。

  • Follow the principle of least privilege. Create roles that define the exact access rights required by a set of users. Then create users and assign them only the roles they need to perform their operations. A user can be a person or a client application.遵循最小权限原则。创建定义一组用户所需确切访问权限的角色。然后创建用户,并仅为他们分配执行操作所需的角色。用户可以是个人或客户端应用程序。

    Note

    A user can have privileges across different databases. If a user requires privileges on multiple databases, create a single user with roles that grant applicable database privileges instead of creating the user multiple times in different databases.用户可以跨不同的数据库拥有权限。如果用户需要多个数据库的权限,请创建一个具有授予适用数据库权限的角色的单个用户,而不是在不同的数据库中多次创建该用户。

Tip

Encrypt Communication (TLS/SSL)加密通信(TLS/SSL)

  • Configure MongoDB to use TLS/SSL for all incoming and outgoing connections. Use TLS/SSL to encrypt communication between mongod and mongos components of a MongoDB deployment as well as between all applications and MongoDB.将MongoDB配置为对所有传入和传出连接使用TLS/SSL。使用TLS/SSL加密MongoDB部署的mongodmongos组件之间以及所有应用程序和MongoDB之间的通信。

    MongoDB uses the native TLS/SSL OS libraries:MongoDB使用本机TLS/SSL操作系统库:

    Platform平台TLS/SSL LibraryTLS/SSL库
    WindowsSecure Channel (Schannel)安全通道(Schannel)
    Linux/BSDOpenSSL
    macOSSecure Transport安全传输

Tip

Configure mongod and mongos for TLS/SSL on Self-Managed Deployments.在自我管理部署上配置mongodmongos的TLS/SSL。

Encrypt and Protect Data加密和保护数据

  • You can encrypt data in the storage layer with the WiredTiger storage engine's native Encryption at Rest.您可以使用WiredTiger存储引擎的本地静态加密对存储层中的数据进行加密。
  • If you are not using WiredTiger's encryption at rest, MongoDB data should be encrypted on each host using file-system, device, or physical encryption (for example dm-crypt). You should also protect MongoDB data using file-system permissions. MongoDB data includes data files, configuration files, auditing logs, and key files.如果您不使用WiredTiger的静态加密,则应在每个主机上使用文件系统、设备或物理加密(例如dm-crypt)对MongoDB数据进行加密。您还应该使用文件系统权限保护MongoDB数据。MongoDB数据包括数据文件、配置文件、审计日志和键文件。
  • You can use Queryable Encryption or Client-Side Field Level Encryption to encrypt fields in documents application-side prior to transmitting data over the wire to the server.在通过线路将数据传输到服务器之前,您可以使用可查询加密客户端字段级加密来加密文档应用程序端的字段。
  • Collect logs to a central log store. These logs contain database authentication attempts including source IP addresses.将日志集合到中央日志存储区。这些日志包含数据库身份验证尝试,包括源IP地址。

Limit Network Exposure限制网络曝光

  • Ensure that MongoDB runs in a trusted network environment and configure firewall or security groups to control inbound and outbound traffic for your MongoDB instances.确保MongoDB在受信任的网络环境中运行,并配置防火墙或安全组来控制MongoDB实例的入站和出站流量。
  • Disable direct SSH root access.禁用直接SSH根访问。
  • Allow only trusted clients to access the network interfaces and ports on which MongoDB instances are available.只允许受信任的客户端访问MongoDB实例可用的网络接口和端口。

Tip

Audit System Activity审计系统活动

  • Track access and changes to database configurations and data. MongoDB Enterprise includes a system auditing facility that can record system events (including user operations and connection events) on a MongoDB instance. 跟踪数据库配置和数据的访问和更改。MongoDB企业版包括一个系统审计工具,可以记录MongoDB实例上的系统事件(包括用户操作和连接事件)。These audit records permit forensic analysis and allow administrators to exercise proper controls. You can set up filters to record only specific events, such as authentication events.这些审计记录允许进行取证分析,并允许管理员进行适当的控制。您可以设置筛选器,仅记录特定事件,如身份验证事件。

Tip

Run MongoDB with a Dedicated User使用专用用户运行MongoDB

  • Run MongoDB processes with a dedicated operating system user account. Ensure that the account has permissions to access data but no unnecessary permissions.使用专用操作系统用户帐户运行MongoDB进程。确保该帐户具有访问数据的权限,但没有不必要的权限。

Tip

Install 安装MongoDB

Run MongoDB with Secure Configuration Options使用安全配置选项运行MongoDB

  • MongoDB supports the execution of JavaScript code for certain server-side operations: mapReduce, $where, $accumulator, and $function. MongoDB支持执行某些服务器端操作的JavaScript代码:mapReduce、$where$accumulator$functionIf you do not use these operations, disable server-side scripting by using the --noscripting option.如果不使用这些操作,请使用--noscripting选项禁用服务器端脚本。
  • Keep input validation enabled. MongoDB enables input validation by default through the net.wireObjectCheck setting. 保持输入验证启用。默认情况下,MongoDB通过net.wireObjectCheck设置启用输入验证。This ensures that all documents stored by the mongod instance are valid BSON.这确保了mongod实例存储的所有文档都是有效的BSON。

Request a Security Technical Implementation Guide (where applicable)申请安全技术实施指南(如适用)

  • The Security Technical Implementation Guide (STIG) contains security guidelines for deployments within the United States Department of Defense. 《安全技术实施指南》(STIG)包含美国国防部内部署的安全指南。MongoDB Inc. provides its STIG, upon request.MongoDB股份有限公司应要求提供STIG。

Consider Security Standards Compliance考虑安全标准合规性

  • For applications requiring HIPAA or PCI-DSS compliance, please refer to the MongoDB Security Reference Architecture to learn more about how you can use MongoDB's key security capabilities to build compliant application infrastructure.对于需要HIPAA或PCI-DSS合规性的应用程序,请参阅MongoDB安全参考架构,以了解如何使用MongoDB的关键安全功能来构建合规的应用程序基础设施的更多信息。

Antivirus and Endpoint Detection and Response Scanning防病毒和端点检测及响应扫描

If you use an antivirus (AV) scanner or an endpoint detection and response (EDR) scanner, configure your scanner to exclude the database storage path and the database log path from the scan.如果使用防病毒(AV)扫描程序或端点检测和响应(EDR)扫描程序,请将扫描程序配置为从扫描中排除数据库存储路径数据库日志路径

The data files in the database storage path are compressed. Additionally, if you use the encrypted storage engine, the data files are also encrypted. The I/O and CPU costs to scan these files may significantly decrease performance without providing any security benefits.数据库存储路径中的数据文件被压缩。此外,如果使用加密存储引擎,数据文件也会被加密。扫描这些文件的I/O和CPU成本可能会显著降低性能,而不会提供任何安全优势。

If you don't exclude the directories in your database storage path and database log path, the scanner could quarantine or delete important files. Missing or quarantined files can corrupt your database and crash your MongoDB instance.如果不排除数据库存储路径和数据库日志路径中的目录,扫描程序可能会隔离或删除重要文件。丢失或隔离的文件可能会损坏数据库并导致MongoDB实例崩溃。

Periodic/Ongoing Production Checks定期/持续生产检查

  • Periodically check for MongoDB Product CVE and upgrade your products .定期检查MongoDB产品CVE并升级产品。
  • Consult the MongoDB end of life dates and upgrade your MongoDB installation as needed. In general, try to stay on the latest version.咨询MongoDB的生命周期结束日期,并根据需要升级MongoDB安装。一般来说,尽量使用最新版本。

  • Ensure that your information security management system policies and procedures extend to your MongoDB installation, including performing the following:确保信息安全管理系统策略和程序扩展到MongoDB安装,包括执行以下操作:

    • Periodically apply patches to your machine.定期为机器安装补丁。
    • Review policy/procedure changes, especially changes to your network rules to prevent inadvertent MongoDB exposure to the Internet.审查政策/程序更改,特别是网络规则的更改,以防止MongoDB无意中暴露在互联网上。
    • Review MongoDB database users and periodically rotate them.审查MongoDB数据库用户并定期轮换。
  • If you're using Queryable Encryption, compact the metadata collections as directed in Scheduling Metadata Compaction to reduce storage space.如果您使用的是可查询加密,请按照调度元数据压缩中的指示压缩元数据集合以减少存储空间。

Report Suspected Security Bugs报告可疑的安全漏洞

If you suspect that you have identified a security bug in any MongoDB products, please report the issue through the MongoDB Bug Submission Form.如果您怀疑您在任何MongoDB产品中发现了安全漏洞,请通过MongoDB漏洞提交表报告该问题。