M042 MongoDB Security | ALL Chapters Quiz & Answer

• CRUD
• Aggregation
• Encryption
• Auditing
• Authorization

• How we know who a user is on a system.
• How we know what a user can do on a system.

• LTPA
• LDAP
• Kerberos
• RSA tokens
• SCRAM-SHA-1

• MONGODB-CR is deprecated as of MongoDB 3.0.
• Kerberos is an authentication and authorization protocol.
• X.509 can be used to authenticate members of a sharded cluster.
• SCRAM-SHA-1 is a certificate-based authentication mechanism.
• A copy of a user’s LDAP credentials are stored in MongoDB.

• The localhost exception allows you to run show dbs.
• The localhost exception allows you to create one user per
  database.
• The localhost exception is only applicable when connected to MongoDB
  via the localhost network interface.

• passing a –auth option to mongos
• passing a –auth option to each mongod and to mongos
• passing a –auth option to each mongod
• enabling internal authentication between members using keyfiles
• enabling internal authentication between members using X.509
  certificates

• True
• False

• It obtains a certificate from the client when the TLS connection is
  established.

• The subject of the certificate must match the name of the user in the
  $external database.

• The certificate must be signed by the certificate authority file passed
  to the mongod.

• Transform user credentials
• Provide user credentials to authorization server
• Validate user credentials for authentication purposes
• Query the LDAP server to validate user credentials
• Validate the mongod for authorized hostname and port

• One regular expression / substitution pair
• String enclosing a regular expression and optional substitution
  string
• JSON object defining an array of regular expressions / substitution
  pairs
• String value defining a JSON array of regular expression / substitution
  pairs

• LDAP authorization is enabled
• MongoDB will be using Kerberos for authentication purposes
• The configured LDAP server is running on secured.mongodb.com
• MongoDB will be binding the operating system users for LDAP
  integration
• No transport security has been enabled between MongoDB and the
  authorization server

• Validate LDIF files
• LDAP server TLS configuration
• LDAP server user groups hierarchy
• Validate LDAP authorization individual configuration options
• LDAP authorization options given a MongoDB configuration file

• Allow the creation of more than one user
• Allow user defined roles to inherit built-in roles
• Extended the locahost host exception to allow the creation of a
  role
• Remove the locahost exception of MongoDB is configured for LDAP
  authorization

• Kerberos principals are case-sensitive.

• Kerberos and MongoDB have mutual trust through a shared key.

• Kerberos Authentication support is a MongoDB Enterprise only
  feature.

• MongoDB uses the GSSAPI authentication mechanism for – Kerberos
  authentication.

• X.509
• LDAP
• Kerberos
• Keyfile
• MONGODB-CR

• Updating drivers might be required.

• SCRAM-SHA-1 is more secure that MONGODB-CR.

• MONGODB-CR will be disabled after the migration.

• On 3.0 before importing 2.6 user data new users are created with
  SCRAM-SHA-1.

Authorization Model

Role based Access Control

Built in roles

User defined roles

Actions

Resources

Privileges

Create user with built in role

List user roles and privilege

Create user defined role

Grant new privileges to role

Revoke privilege from role

Encryption Intro

Transport encryption (TLS)

TLS connection modes

Enable TLS between client and mongod

Enable mixed TLS with encrypted nodes in replica set

Encrypted Storage Engine

KMIP Integration

• Accountability
• To investigate suspecious activity
• To increase database performance
• To monitor specific database activities

• local
• remote
• users
• result
• action
• timestamp
• arg
• privileges

• Schema (DDL)
• Authentication & Authorization
• CRUD Operations (DML)
• Replica Set and Sharded Cluster

• createIndex
• dropCollection
• shutdown
• createDocument
• createDatabase

• CRUD
• DML
• authCheck
• authenticate

• auditCRUDOperations
• auditDMLOperations
• auditAuthorizationSuccess
• auditAuthenticationSuccess

• Because system log data is not encrypted
• To enforce profiling data to be accessible to users
• To prevent sensitive data from being written to system logs
• To ensure that we filter unusable debugging information from the logs

• Users can bypass log redaction by emitting write concern flag {r:0} in their write operations

• Enable log redaction on all data holding members and mongos elements

• Running command db.adminCommand({setParameter:1, clientLogRedaction: 2}) forces all members of a cluster to redact their log client data.

• Setting the system flag security.redactClientLogData, in MongoDB configuration file, is the recommended setup guarantee that on reboot log redaction will be enabled.

• Limit Network Exposure
• Encrypt Communication
• Encrypt and Protect Data
• Run MongoDB with a Dedicated User
• Enable Access Control and Enforce Authentication

• Mail a letter to MongoDB’s Palo Alto Office
• Send an email to [email protected]
• Send a fax to MongoDB’s NYC HQ
• Submit a ticket in the SECURITY project on the MongoDB JIRA

MongoDB Security Final Exam Quiz Answer

• Authentication verifies the privileges of a user.

• It’s best practice to run mongod with sudo or as the root user on a
  system.

• Enabling auditing on MongoDB Enterprise will decrease database
  performance.

• MongoDB stores access control list data in the special system.acl
  collection on the admin database.

• MongoDB Enterprise’s encrypted storage engine is supported by both the
  MMAPv1 and WiredTiger storage engines.

• show dbs

• db.products.findOne({product: ‘Door Hinge’})

• db.products.insert({product: ‘Amplifier’})

• db.products.find({product: ‘Candle’})

• db.products.insertOne({product: ‘Basket’})

• kadmin exists solely to enable command line authentication to
  Kerberos.

• MongoDB drivers will send LDAP credentials to a connected mongod in
  plain text.

• You can use LDAP to enable internal authentication between the
  members of a replica set.

• It is a best practice to leave the HTTP status interface disabled
  in production.

• MONGODB-CR still exists in MongoDB only for backwards compatibility
  reasons.

• Audit logs can go to one of four locations: the system log, the
  console, to another MongoDB member, or to a file.

• The localhost exception applies to a replica set and sharded cluster
  environments.

• Internal authentication via X.509 certificates will enable MongoDB’s
  role-based access control authorization system.

• Encryption at rest is a four step process: generate a master key,
  generate keys for each database, encrypt each database with the database
  keys, and encrypt the database keys with the master key.

• When you enable encryption at rest, transport encryption between
  replicating members is automatically enabled.

• The subject of a client certificate acts as the “user” when
  authenticating with X.509 certificates.

• MongoDB stores user-defined role information in the system.roles
  collection in the admin database.

• When enabling internal authentication between the members of a replica
  set both certificate and key must be present in the CA, client, and
  server PEM files.

• The preferSSL SSL mode allows the server to accept both TLS and non-TLS
  connections between both clients and other members.

• When auditing is enabled on MongoDB Enterprise, the –auditFormat BSON
  option has much better performance than the –auditFormat JSON
  option.