---
# System prepended metadata
title: MongoDB Security
ch3 Auditing and Best Practices
tags: [MongoDB University M310]
---
# MongoDB Security
ch3 Auditing and Best Practices
###### tags: `MongoDB University M310`
## Describe auditing capabilities
Auditing is an **enterprise** feature in MongoDB.
Why do we audit our database
* Add Accountability
* Investigate Suspecious Activity
* Monitor Database Activities
Auditing Capabilities
* Schema (DDL)
* Replica Set and Sharded Cluster
* Authentication and Authorization
* CRUD Operations (DML)
## Auditing output format
```javascript=
{
atype: ,
ts: {
"$date"::
},
local: {
ip: , port:
},
remote: {
ip: , port:
},
users: [
{ user: , db: }
],
roles: [
{ roles: , db: }
],
param: ,
result:
}
```
* atype: action type
* ts: timestamp, time of the event
* local: ip addr and port number of running mongod instance
* remote: ip addr and port number of in coming connection associated with the event
* users: user and authentication database of user
* roles: the roles granted to the user
* param: detail of **atype** event
* reslt: error code
## Configuring audit from command line
```bash=
mongod --dbpath /data/db --logpath /data/db/mongo.log --fork auditDestination
```
**args can only be passed**:
* **syslog**: depend on opSys
* **console**
* **file**: needs to more options(auditFormat, autditPath)
```bash=
mongod --dbpath /data/db --logpath /data/db/mongo.log --fork --auditDestination file --auditFormat JSON --auditPath /data/db/auditLog.json
```
#### config file
```yaml=
systemLog:
destination: file
path: /data/db/mongo.log
storage:
dbpath: /data/db
auditLog:
destination: file
format: JSON
path: /data/db/auditLog.json
```
## Definition of filters
By default only 3 catergories be audited
* Schema (DDL)
* Replica Set and Sharded Cluster
* Authentication and Authorization
Because once we audit CRUD operation, there will be too many log.
That makes us lose performance and hard to read the logs.
### Audit filter
for example:
```json=
{ "atype": { "$in": { "createCollection", "dropCollection" } } }
```
## Enabling the first audit filter
With command line
```bash=
mongod --auditFilter
```
Add in config file
```yaml=
systemLog:
destination: file
path: /data/db/mongo.log
storage:
dbpath: /data/db
auditLog:
destination: file
format: JSON
path: /data/db/auditLog.json
filter: '{ "atype": { "$in": { "createCollection", "dropCollection" } } }'
```
## DDL operations definition
* DDL (Data Definition Language)
**make change of schema of a database.**
* createCollection
* createDatabase
* createIndex
* renameCollection
* dropCollection
* dropDatabase
* dropIndex
* DML (Data Manipulation Language)
**manipulate the data within database**
:::info
**Most of auditing action are actually related to DDL rather than DML operations, EXCEPT 'authCheck'.** Becuase for the most part, auditing within MongoDB is designed to monitor changes made to the configuration of database
:::
## Example of DDL audit filter
Simple example for **createIndex** operation in **my-app** database
```json=
{ "atype": "createIndex", "param.ns": { "ns": "/^my-app\./" } }
```
## DML operations definition
* DML (Data Manipulation Language)
**manipulate the data within database**
* authCheck
* CRUD
:::info
The action type of **CRUD** is **authCheck**!
This is because CRUD operations are passed as parameters to the authCheck event.
Every time that you try to create, read, update or destroy data within your database, authCheck is going to be the action type that's actually firing from an auditing perspective.
:::
## Enabling auditAuthorizationSuccess
To enable the auditing of DML operations, actually we want to do is enable the auditing of **authorization success**
```yaml=
systemLog:
destination: file
path: /data/db/mongo.log
storage:
dbpath: /data/db
auditLog:
destination: file
format: JSON
path: /data/db/auditLog.json
setParameter: { auditAuthorizationSuccess: true }
```
:::info
By setting auditAuthorizationSuccess to true we can effectively audit CRUD operations as an authCheck is required for all CRUD operations.
:::
## Log Redaction
MongoDB provides a further strengthening protection by redact data from the system log
## Log Redaction Setup
:::warning
To capture every signle CRUD instruction into our logs.
Set the slow ms value to -1.
``` javascript
db.setProfilingLevel(0, -1)
```
:::
#### To enable redaction we have 3 different options.
1. Pass **redactClientLogData** to mongod
```bash=
mongod --redactClientLogData
```
2. Set up in mongodb config file
```yaml=
storage:
dbPath: /data/redaction
systemLog:
destination: file
path: /data/redaction.log
security:
redactionClientLogData: true
```
3. In mongodb shell
Once the server reboots, we need to make sure to set it up again
```javascript
db.adminCommand({setParameter:1, redactionClientLogData: 1})
```
:::danger
mongos | mongod
The flag should be set on Mongos and Mongod. make sure to redact the log message of all individual mongos and all individual mongod. Otherwise, might get a leak!
:::
## Security Checklists
* Enable Access Control and enforce Authentication
* Configure a Role Access Control
* Encrypt Communication
* Encrypt and Protect Data
* Limit Network Exposure
* Audit System Activity
* Run mongod With Dedicated User
* Run mongod With Secure Configuration Options
* Request a Security Technical Implementation Guide(STIG)
* Consider Security Standards Compliance
#### Enable Access Control and enforce Authentication
* SCRAM-SHA-1
* X.509 Certificates
* Require authenticaiton for all clients
* Enable authentication on each MongoDB server
**Disable server-side scripting**
```bash=
mongod --noscripting
```
## Security Reports
**Reporting a Vulnerability in MongoDB
* Submit a ticket on the SECURITY Project on our JIRA
* Send an email to security@mongodb.com