HackMDMongoDB Security
ch3 Auditing and Best Practices
tags: MongoDB University M310
Describe auditing capabilities
Auditing is an enterprise feature in MongoDB.
Why do we audit our database
- Add Accountability
- Investigate Suspecious Activity
- Monitor Database Activities
Auditing Capabilities
- Schema (DDL)
- Replica Set and Sharded Cluster
- Authentication and Authorization
- CRUD Operations (DML)
Auditing output format
{
atype: <String>,
ts: {
"$date":: <timestamp>
},
local: {
ip: <String>, port: <int>
},
remote: {
ip: <String>, port: <int>
},
users: [
{ user: <String>, db: <String> }
],
roles: [
{ roles: <String>, db: <String> }
],
param: <document>,
result: <int>
}
- atype: action type
- ts: timestamp, time of the event
- local: ip addr and port number of running mongod instance
- remote: ip addr and port number of in coming connection associated with the event
- users: user and authentication database of user
- roles: the roles granted to the user
- param: detail of atype event
- reslt: error code
Configuring audit from command line
mongod --dbpath /data/db --logpath /data/db/mongo.log --fork auditDestination <args>
args can only be passed:
- syslog: depend on opSys
- console
- file: needs to more options(auditFormat, autditPath)
mongod --dbpath /data/db --logpath /data/db/mongo.log --fork --auditDestination file --auditFormat JSON --auditPath /data/db/auditLog.json
config file
systemLog:
destination: file
path: /data/db/mongo.log
storage:
dbpath: /data/db
auditLog:
destination: file
format: JSON
path: /data/db/auditLog.json
Definition of filters
By default only 3 catergories be audited
- Schema (DDL)
- Replica Set and Sharded Cluster
- Authentication and Authorization
Because once we audit CRUD operation, there will be too many log.
That makes us lose performance and hard to read the logs.
Audit filter
for example:
{ "atype": { "$in": { "createCollection", "dropCollection" } } }
Enabling the first audit filter
With command line
mongod --auditFilter <filterStr>
Add in config file
systemLog:
destination: file
path: /data/db/mongo.log
storage:
dbpath: /data/db
auditLog:
destination: file
format: JSON
path: /data/db/auditLog.json
filter: '{ "atype": { "$in": { "createCollection", "dropCollection" } } }'
DDL operations definition
- DDL (Data Definition Language)
make change of schema of a database.- createCollection
- createDatabase
- createIndex
- renameCollection
- dropCollection
- dropDatabase
- dropIndex
- DML (Data Manipulation Language)
manipulate the data within database
Most of auditing action are actually related to DDL rather than DML operations, EXCEPT 'authCheck'. Becuase for the most part, auditing within MongoDB is designed to monitor changes made to the configuration of database
Example of DDL audit filter
Simple example for createIndex operation in my-app database
{ "atype": "createIndex", "param.ns": { "ns": "/^my-app\./" } }
DML operations definition
- DML (Data Manipulation Language)
manipulate the data within database- authCheck
- CRUD
The action type of CRUD is authCheck!
This is because CRUD operations are passed as parameters to the authCheck event.
Every time that you try to create, read, update or destroy data within your database, authCheck is going to be the action type that's actually firing from an auditing perspective.
Enabling auditAuthorizationSuccess
To enable the auditing of DML operations, actually we want to do is enable the auditing of authorization success
systemLog:
destination: file
path: /data/db/mongo.log
storage:
dbpath: /data/db
auditLog:
destination: file
format: JSON
path: /data/db/auditLog.json
setParameter: { auditAuthorizationSuccess: true }
By setting auditAuthorizationSuccess to true we can effectively audit CRUD operations as an authCheck is required for all CRUD operations.
Log Redaction
MongoDB provides a further strengthening protection by redact data from the system log
Log Redaction Setup
To capture every signle CRUD instruction into our logs.
Set the slow ms value to -1.
db.setProfilingLevel(0, -1)
To enable redaction we have 3 different options.
- Pass redactClientLogData to mongod
mongod --redactClientLogData
- Set up in mongodb config file
storage:
dbPath: /data/redaction
systemLog:
destination: file
path: /data/redaction.log
security:
redactionClientLogData: true
- In mongodb shell
Once the server reboots, we need to make sure to set it up again
db.adminCommand({setParameter:1, redactionClientLogData: 1})
mongos | mongod
The flag should be set on Mongos and Mongod. make sure to redact the log message of all individual mongos and all individual mongod. Otherwise, might get a leak!
Security Checklists
- Enable Access Control and enforce Authentication
- Configure a Role Access Control
- Encrypt Communication
- Encrypt and Protect Data
- Limit Network Exposure
- Audit System Activity
- Run mongod With Dedicated User
- Run mongod With Secure Configuration Options
- Request a Security Technical Implementation Guide(STIG)
- Consider Security Standards Compliance
Enable Access Control and enforce Authentication
- SCRAM-SHA-1
- X.509 Certificates
- Require authenticaiton for all clients
- Enable authentication on each MongoDB server
Disable server-side scripting
mongod --noscripting
Security Reports
**Reporting a Vulnerability in MongoDB
- Submit a ticket on the SECURITY Project on our JIRA
- Send an email to security@mongodb.com
