Security Best Practices

Security

Check out the 7 best practices and security checklist for using MongoDB.

Authentication

• Application must support the ability to connect to a running MongoDB deployment that utilizes built-in authentication. Specifically, tools must provide the ability for users to specify a valid username and password to authenticate against MongoDB. For more information, refer to http://docs.mongodb.org/manual/core/access-control/#authentication.
• Application must support the ability to connect to a running MongoDB deployment that utilizes Kerberos (external) authentication. Specifically, tools must provide the ability for users to specify their Kerberos username and password to authenticate to the external authentication provider, via MongoDB. For more information, refer to http://docs.mongodb.org/manual/tutorial/control-access-to-mongodb-with-kerberos-authentication/.

Encryption

• Applications must support the ability to connect to a running MongoDB deployment that utilizes SSL to encrypt data in-transit between the application and the database. Tools must provide users the ability to connect with or without an SSL certificate. Users should be able to supply a CA or self-signed certificate and connect to the MongoDB deployment. For more information, refer to http://docs.mongodb.org/manual/tutorial/configure-ssl/.

Vulnerabilities

• Application should evaluate MongoDB deployments by examining the following on each instance (i) command-line parameters supplied to MongoDB, (ii) MongoDB configuration file, (iii) parameters from MongoDB startup (e.g. init.d) script. For more information, refer to:
  • http://docs.mongodb.org/manual/reference/command/getCmdLineOpts/#dbcmd.getCmdLineOpts
  • http://docs.mongodb.org/manual/reference/configuration-options/
• Application should warn the administrator if MongoDB deployment utilizes default port(s). For more information, refer to http://docs.mongodb.org/manual/reference/default-mongodb-port/
• Application should warn the administrator if running MongoDB deployment does not utilize cluster-wide authentication. For more information, refer to http://docs.mongodb.org/manual/tutorial/enable-authentication/
• Application should warn the administrator if MongoDB deployment does not utilize cluster authentication using keyFile or x.509 certificates. For more information, refer to http://docs.mongodb.org/manual/core/authentication/#authentication-between-mongodb-instances
• Application should warn the administrator if MongoDB is set to bypass authentication via the localhost exception. For more information, refer to http://docs.mongodb.org/manual/core/authentication/#localhost-exception
• Application should warn the administrator if MongoDB is set to bind to all available network interfaces. For more information, refer to: http://docs.mongodb.org/manual/reference/configuration-options/#bind_ip
• Application should warn the administrator if MongoDB is set to allow JSON with Padding. For more information, refer to http://docs.mongodb.org/manual/reference/configuration-options/#jsonp
• Application should warn the administrator if MongoDB’s HTTP interface is active. For more information, refer to http://docs.mongodb.org/manual/reference/configuration-options/#nohttpinterface
• Application should warn the administrator if MongoDB’s REST interface is active. For more information, refer to http://docs.mongodb.org/manual/reference/configuration-options/#rest
• Application should warn the administrator if MongoDB does not have SSL enabled. For more information, refer to http://docs.mongodb.org/manual/tutorial/configure-ssl/
• Application should warn the administrator if MongoDB is not using SSL certificate validation. For more information, refer to http://docs.mongodb.org/manual/tutorial/configure-ssl/#set-up-mongod-and-mongos-with-certificate-validation
• Application should inform the administrator if MongoDB is not configured to use SSL FIPS mode. For more information, refer to http://docs.mongodb.org/manual/tutorial/configure-ssl/#run-in-fips-mode
• Application should warn the administrator if MongoDB does not have proper resource limits set. For more information, refer to http://docs.mongodb.org/manual/reference/ulimit/#recommended-settings
• Application should warn the administrator if MongoDB is set to allow Javascript code execution via $where, group, and MapReduce functionality. For more information, refer to http://docs.mongodb.org/manual/core/server-side-javascript/
• Application should catalog and inform the administrator of all users that are able to execute Javascript expressions via the “eval” function. For more information, refer to http://docs.mongodb.org/manual/reference/user-privileges/#combined-access-operations
• Application should warn the user if MongoDB is configured to allow access via local UNIX sockets. For more information, refer to http://docs.mongodb.org/v2.4/reference/configuration-options/#nounixsocket
• Application should warn the administrator if MongoDB processes are running as the root user
• Application should warn the administrator if MongoDB data files are accessible beyond the user under which MongoDB processes are running
• Application should warn the administrator if Network Time Protocol (NTP) support is not enabled on all hosts running MongoDB processes. For more information, refer to http://docs.mongodb.org/manual/administration/production-notes/#recommended-configuration
• Application should warn the administrator if MongoDB is not set to use journaling. For more information, refer to http://docs.mongodb.org/manual/tutorial/manage-journaling/