Auditing Best Practices

Auditing tools/applications that provide support for MongoDB should conform to the following Best Practices for certification against MongoDB Enterprise.

Download the best practices checklist and submit it with your application to expedite the certification process.

Please note that all certification categories require compliance with security best practices.


Deployment

Tools should support MongoDB deployments that are hosted on Windows or Linux platforms.


Management

Tools should provide a centralized mechanism or infrastructure to manage audit policies, controls, and configuration.


Functionality

  • Tools should have the ability to audit any and all MongoDB operations in a simple or complex deployment topology.
  • Audit policies should provide granular controls to capture or filter specific options as desired by the system administrator.
  • Tools should have the ability to generate reports based on auditing activity or a specified period of time.
  • Tools should have the ability to create custom alerts and/or remediation actions based on audited activities.
  • Tools should have the ability to alert administrators when unauthorized access or operations are detected.

Performance

  • Tools should deploy a passive interface for capturing audit activity so as not to interfere with normal MongoDB operations.
  • Tools should not significantly impact the performance or operation of a MongoDB deployment. Performance overhead metrics must be submitted as part of the certification application. Performance test should consist of a simple client-server test using the instructions found in the appendix below. Note: measurements are for internal validation only and will not be shared externally.

Appendix

To measure performance, please conduct the following tests in an environment of your choice (bare metal, virtualized, cloud). The tests consist of ascertaining and initial baseline given the testing environment and then conducting the same tests with your software enabled.

  • 2 nodes will be required - one running MongoDB, the other to generate the workload
  • The MongoDB setup should be very minimal, simply download and run it with the default settings. Or you can use our packaging for yum or apt based distros. See here for complete instructions: http://docs.mongodb.org/manual/administration/install-on-linux/.
  • For load generation, use the MongoDB fork of YCSB: http://github.com/achille/YCSB
  • Create a new workload file and incorporate the following parameters (those not noted can remain at their defaults):
    • readproportion=0.5
    • updateproportion=0.5
    • scanproportion=0
    • insertproportion=0
    • requestdistribution=zipfian
    • recordcount=[ greater than system memory assuming 1KB records ]
    • operationcount = [ have of system memory assuming 1KB records ]
  • Execute the workload first with the “load” phase and next with the “run” phase:
    • Load:
      $ bin/ycsb load mongodb -s -P yourWorkloadFile -p mongodb.url=mongodb://hostname:port -threads [two per core] 
    • Run:
      $ bin/ycsb run mongodb -s -P yourWorkloadFile -p mongodb.url=mongodb://hostname:port -threads [two per core] 
  • Capture the output of both phases for each test, baseline and with your software and include with certification application.