Chapter 1 – Authentication Quiz Answer
Welcome to MongoDB Security
Problem:
Which topic(s) are we going to cover in this course?
- CRUD
- Aggregation
- Encryption
- Auditing
- Authorization
Authentication vs. Authorization
Problem:
Authentication is …
- How we know who a user is on a system.
- How we know what a user can do on a system.
Authentication Mechanisms Overview
Problem:
Which authentication mechanism(s) is/are supported by MongoDB?
- LTPA
- LDAP
- Kerberos
- RSA tokens
- SCRAM-SHA-1
Authentication Mechanisms
Problem:
Which of the following statements is/are true in relation to
authentication?
- MONGODB-CR is deprecated as of MongoDB 3.0.
- Kerberos is an authentication and authorization protocol.
- X.509 can be used to authenticate members of a sharded cluster.
- SCRAM-SHA-1 is a certificate-based authentication mechanism.
- A copy of a user's LDAP credentials is stored in MongoDB.
The Localhost Exception
Problem:
Which of the following statements is/are false concerning the localhost
exception?
- The localhost exception allows you to run show dbs.
- The localhost exception allows you to create one user per database.
- The localhost exception is only applicable when connected to MongoDB via the localhost network interface.
Authentication Methods
Problem:
Which of these authentication methods will fail if a server is started
with the following options?
$ mongod --auth
$ mongo
use admin
db.createUser({user: 'kirby', pwd: 'password', roles: ['root']})

$ mongo -u kirby -p password

$ mongo admin -u kirby -p password

$ mongo
db.auth('kirby', 'password') [X]

$ mongo
use admin
db.auth('kirby', 'password')
Authentication on Sharded Clusters
Problem:
Authentication on a sharded cluster is achieved by…
- passing a --auth option to mongos
- passing a --auth option to each mongod and to mongos
- passing a --auth option to each mongod
- enabling internal authentication between members using keyfiles
- enabling internal authentication between members using X.509 certificates
Enabling SCRAM-SHA-1
Problem:
SCRAM-SHA-1 is the default password authentication mechanism on
MongoDB.
- True
- False
Enabling X.509
Problem:
How does the mongod know the identity of the client?
- It obtains a certificate from the client when the TLS connection is
established.
- The subject of the certificate must match the name of the user in the
$external database.
- The certificate must be signed by the certificate authority file passed
to the mongod.
Enabling LDAP
Problem:
Which of the following is/are true regarding LDAP authentication?
- LDAP is more secure than Kerberos
- PLAIN, which sends the username/password in clear text.
- LDAP Authentication support is a MongoDB Enterprise only
feature.
- saslauthd is a proxy service used by mongod to talk to an LDAP server
- MongoDB drivers authenticating to MongoDB with LDAP send LDAP
credentials using SASL
LDAP Authorization Introduction
Problem:
With MongoDB 3.4 we are further strengthening the MongoDB security
features by enabling:
- LDAP authorization
- LDAP authentication
- Kerberos authentication
- X.509 certificate authorization
LDAP Authorization Steps
Problem:
Which of the following is not an LDAP authorization step?
- Transform user credentials
- Provide user credentials to authorization server
- Validate user credentials for authentication purposes
- Query the LDAP server to validate user credentials
- Validate the mongod for authorized hostname and port
LDAP Authorization User Transformations
Problem:
In order to match the credential formats between the authentication and
authorization mechanisms, the user credentials may require a
transformation step. This transformation is defined by the following
format:
- One regular expression / substitution pair
- String enclosing a regular expression and optional substitution string
- JSON object defining an array of regular expressions / substitution pairs
- String value defining a JSON array of regular expression / substitution pairs
LDAP Authorization Configuration Options
Problem:
Consider the following MongoDB configuration file snippet:
# …
security:
  ldap:
    servers: 'ldap.mongodb.university'
    authz:
      queryTemplate: '{USER}?memberOf?base'
    transportSecurity: 'tls'
    bind:
      method: 'simple'
    userToDNMapping: '[{match: "(.+)", substitution: "uid={0},ou=Users,dc=mongodb,dc=com"}]'
  authenticationMechanisms: 'GSSAPI'
# …
Check all statements that are valid, given the above configuration:
- LDAP authorization is enabled
- MongoDB will be using Kerberos for authentication purposes
- The configured LDAP server is running on secured.mongodb.com
- MongoDB will be binding the operating system users for LDAP integration
- No transport security has been enabled between MongoDB and the authorization server
MongoLDAP
Problem:
mongoldap enables us to validate:
- Validate LDIF files
- LDAP server TLS configuration
- LDAP server user groups hierarchy
- Validate LDAP authorization individual configuration options
- LDAP authorization options given a MongoDB configuration file
LDAP Authorization Setup
Problem:
To enable the integration of LDAP for authorization purposes in MongoDB,
we had to modify the localhost exception.
What does this modification consist of?
- Allow the creation of more than one user
- Allow user defined roles to inherit built-in roles
- Extended the localhost exception to allow the creation of a role
- Remove the localhost exception if MongoDB is configured for LDAP authorization
Enabling Kerberos
Problem:
Which of the following statements is/are true?
- Kerberos principals are case-sensitive.
- Kerberos and MongoDB have mutual trust through a shared key.
- Kerberos Authentication support is a MongoDB Enterprise only
feature.
- MongoDB uses the GSSAPI authentication mechanism for Kerberos authentication.
Enabling Internal Authentication
Problem:
Which of the following security mechanisms is/are supported by internal
authentication with MongoDB?
- X.509
- LDAP
- Kerberos
- Keyfile
- MONGODB-CR
Enabling Internal X.509 Authentication
Problem:
What is the option passed to mongod (including argument) to specify that
X.509 certificates will be used for internal cluster authentication?
--clusterAuthMode x509
Migrating MONGODB-CR to SCRAM-SHA-1
Problem:
Which of the following statements are true with respect to changing
authentication mechanisms from MONGODB-CR to SCRAM-SHA-1?
- Updating drivers might be required.
- SCRAM-SHA-1 is more secure than MONGODB-CR.
- MONGODB-CR will be disabled after the migration.
- On 3.0 before importing 2.6 user data new users are created with
SCRAM-SHA-1.
Chapter 2 – Authorization and Encryption Quiz Answer
Authorization Model
Problem:
Which of the following defines MongoDB’s authorization model?
- Rule-Based Access Control
- Role-Based Access Control
- Rule-Based Authorization Control
- Role-Based Authorization Control
Role based Access Control
Problem:
Why does MongoDB use role-based access control for its authorization
model?
- Because it is a widely used authorization model
- Because it allows users to grant specific actions over specific resources
- So applications can act within tightly defined, tailored roles in MongoDB that match the needs of their end-users
- To provide administrators a high level of responsibility isolation for users' operational tasks
Built in roles
Problem:
Which of the following are built-in roles in MongoDB?
- clusterMonitor
- dbAdmin
- userOwner
- userAdminAnyDatabase
User defined roles
Problem:
Which of the following is/are properties of MongoDB’s authorization
model?
- Role Inheritance
- Roles are groups of privileged individuals
- Actions on resources define privileges
- Roles are granted to users with a per-database granularity
Actions
Problem:
Which of the following is/are valid privilege actions?
- find
- recover
- unlock
- killProc
- viewUser
Resources
Problem:
Which of the following is/are valid resource documents?
{ collection: 'orders' }
{ db: 'twitter' }
{ cluster: true }
{ db: 'amazon', collection: 'users' }
Privileges
Problem:
The read role gives a user access to which of the following actions?
- find
- killCursors
- collStats
- showCursors
Create user with built in role
Problem:
Which of the following is/are valid built-in roles?
- root
- restore
- adminUserAnyDatabase
- readWriteAllDatabases
List user roles and privilege
Problem:
Which of the following is not a collection that the userAdminAnyDatabase
role has privileges on?
- system.users
- system.version
- system.namespaces
- system.backup_users
Create user defined role
Problem:
Which of the following is/are configuration options for user-defined
roles?
- Roles
- Role name
- Replica set name
- Username
- Privileges
Grant new privileges to role
Problem:
Which of the following methods can update the privileges of a role?
- db.updateRole()
- db.createRole()
- db.grantRolesToRole()
- db.grantPrivilegesToRole()
Revoke privilege from role
Problem:
Which of the following is the correct function to revoke a privilege from
a role?
- db.revokePrivilegeFromRole
- db.revokePrivilegesFromRole
- db.removePrivilegeFromRole
- db.removePrivilegesFromRole
Encryption Intro
Problem:
Which of the following is/are supported encryption methods for
MongoDB?
- Encryption at rest
- TLS connection encryption
Transport encryption (TLS)
Problem:
TLS encryption works through the use of…
- SSL certificates
- GPG encryption
- PGP encryption
- Public/Private key encryption
TLS connection modes
Problem:
Which of the following are valid TLS connection modes?
- disabled
- allowSSL
- requireSSL
- preferSSL
Enable TLS between client and mongod
Problem:
What is the purpose of the --sslCAFile option when passed to mongod?
- To verify the identity of the client
- To provide the certificate authority’s public key to the client
- To provide the certificate authority's private key to the client
- To provide the certificate authority's SSL certificate to the client
Enable mixed TLS with encrypted nodes in replica set
Problem:
Which of the following arguments can be passed to the --sslMode option to
require TLS connections between the members of a replica set, but not
require them for connections via clients?
- disabled
- requireSSL
- preferSSL
- allowSSL
Encrypted Storage Engine
Problem:
Which of the following facts about MongoDB’s encrypted storage engine are
true?
- The master key is stored in MongoDB
- An encryption key is generated for each database
- It’s supported by both MMAPv1 and WiredTiger
- It’s supported by the Community Edition of MongoDB
KMIP Integration
Problem:
What does KMIP stand for?
- Key Management Interchange Protocol
- Key Management Interchange Procedure
- Key Management Interoperability Protocol
- Key Management Interoperability Procedure
Chapter 3 – Auditing and Best Practices Quiz Answer
Describe auditing capabilities
Problem:
Which of the following are common reasons organizations enable auditing on MongoDB?
- Accountability
- To investigate suspicious activity
- To increase database performance
- To monitor specific database activities
Auditing output format
Problem:
Which of the following is/are valid MongoDB audit log top-level fields?
- local
- remote
- users
- result
- action
- timestamp
- arg
- privileges
Configuring audit from command line
Problem:
Which of the following is a valid mongod command line configuration with auditing enabled?
mongod --dbpath /data/db --auditDestination syslog
mongod --dbpath /data/db --auditDestination file --auditFormat JSON --auditPath /data/db/auditLog.json
mongod --dbpath /data/db --auditDestination stdout
mongod --dbpath /data/db --auditDestination file --auditFormat BSON --auditPath /data/db/auditLog.bson
Definition of filters
Problem:
Which of the following are categories of operations that MongoDB’s auditing system will record by default?
- Schema (DDL)
- Authentication & Authorization
- CRUD Operations (DML)
- Replica Set and Sharded Cluster
DDL operations definition
Problem:
Which of the following are DDL action types supported by MongoDB’s auditing system?
- createIndex
- dropCollection
- shutdown
- createDocument
- createDatabase
Example of DDL audit filter
Problem:
Which of the following audit filters will allow us to monitor the creation of collections on databases that begin with “university”?
{ atype: "createCollection", "param.ns": /university.*/ }
{ atype: "createCollection", "param.ns": /university/ }
{ atype: "createCollection", "param.ns": /^university.*/ }
{ atype: "createCollection", "param.ns": /^university/ }
DML operations definition
Problem:
Which action type is used by CRUD operations in MongoDB?
- CRUD
- DML
- authCheck
- authenticate
Enabling auditAuthorizationSuccess
Problem:
What server parameter is used to enable the auditing of CRUD operations?
- auditCRUDOperations
- auditDMLOperations
- auditAuthorizationSuccess
- auditAuthenticationSuccess
Log Redaction Introduction
Problem:
Why do we need to redact client data in the MongoDB log files?
- Because system log data is not encrypted
- To enforce profiling data to be accessible to users
- To prevent sensitive data from being written to system logs
- To ensure that we filter unusable debugging information from the logs
Log Redaction Setup
Problem:
In the case of a replica set or sharded cluster we need to:
- Users can bypass log redaction by emitting write concern flag {r:0} in their write operations
- Enable log redaction on all data holding members and mongos elements
- Running command db.adminCommand({setParameter:1, clientLogRedaction: 2}) forces all members of a cluster to redact their log client data.
- Setting the system flag security.redactClientLogData, in MongoDB configuration file, is the recommended setup guarantee that on reboot log redaction will be enabled.
Security Checklists
Problem:
Which of the following are security checklist topics outlined in the lesson video?
- Limit Network Exposure
- Encrypt Communication
- Encrypt and Protect Data
- Run MongoDB with a Dedicated User
- Enable Access Control and Enforce Authentication
Security Reports
Problem:
What is the recommended communication method to report a vulnerability to MongoDB?
- Mail a letter to MongoDB’s Palo Alto Office
- Send an email to [email protected]
- Send a fax to MongoDB’s NYC HQ
- Submit a ticket in the SECURITY project on the MongoDB JIRA
MongoDB Security Final Exam Quiz Answer
Question 1)
Which of these statements is/are true?
- Authentication verifies the privileges of a user.
- It’s best practice to run mongod with sudo or as the root user on a
system.
- Enabling auditing on MongoDB Enterprise will decrease database
performance.
- MongoDB stores access control list data in the special system.acl
collection on the admin database.
- MongoDB Enterprise’s encrypted storage engine is supported by both the
MMAPv1 and WiredTiger storage engines.
Question 2
For this final exam question you’ll need to download the certificates
that we’ve been using throughout the course.
There is a command-line tool that we’ve used during this course. Use that
tool to extract the entire certificate from client.pem.
Once you’ve got the certificate copy and paste it into the text area
below.
Note: Make sure you use the name option “RFC2253” and run the command from
inside the database VM to prevent false negatives. Also, make sure to copy
the entire certificate. Don’t just copy the part in between “BEGIN
CERTIFICATE” and “END CERTIFICATE”. The first three lines should say:
Certificate:
Data:
Version: 3 (0x2)
Answer
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 266611 (0x41173)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US,ST=New York,L=New York City,O=MongoDB,OU=University,CN=localhost
        Validity
            Not Before: Nov  7 20:03:00 2016 GMT
            Not After : Nov  7 20:03:00 2036 GMT
        Subject: C=US,ST=New York,L=New York City,O=MongoDB,OU=University2,CN=M310 Client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:94:45:9e:e1:54:26:69:2c:d7:c5:a4:f8:f5:17:
                    52:07:80:77:23:a0:7a:10:3e:ae:11:54:5d:3e:05:
                    96:f4:4e:44:22:89:9a:cc:ae:ef:ba:a3:92:e6:b7:
                    f7:13:3b:b6:95:8e:f0:7f:04:75:b1:c8:65:e3:d2:
                    04:22:76:99:2c:d6:5d:54:83:4a:83:43:b5:25:99:
                    df:d2:fd:51:64:d0:b9:d9:66:0a:8f:65:c7:69:70:
                    6f:13:9c:71:f4:08:06:b5:da:40:66:3d:a9:9d:ed:
                    a8:c7:81:df:3d:3a:b6:47:21:39:de:a5:83:f1:c2:
                    15:07:86:0e:74:26:ee:0e:67:07:6b:c0:9f:aa:91:
                    ee:14:77:28:67:e0:ae:95:29:c8:91:dc:55:a9:4f:
                    cc:98:b8:34:fe:87:c7:f5:c4:84:4c:d4:2e:d6:e5:
                    45:55:f6:0e:dd:16:fb:bb:d1:3c:e0:d8:fc:0b:d6:
                    8f:79:19:42:56:38:35:27:c6:3e:6f:85:e9:39:3e:
                    4a:e8:26:f5:e3:36:c5:15:0d:5c:6e:bf:df:21:31:
                    e9:f9:d1:69:00:ba:ae:ab:73:90:c3:96:02:3d:b3:
                    6d:c6:58:14:35:f9:1f:79:88:03:71:83:67:62:d1:
                    a1:e4:4e:4d:3f:f2:c2:09:fd:00:af:dc:b6:0a:2c:
                    a0:ed
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1, DNS:database.m310.mongodb.university, DNS:infrastructure.m310.mongodb.university
    Signature Algorithm: sha1WithRSAEncryption
         01:90:dc:e0:2b:04:5d:9e:f0:ba:66:ee:cf:db:63:ee:dc:96:
         ba:6e:3c:d3:e6:74:1b:17:11:1c:98:a0:1b:97:d1:54:a4:3d:
         a9:99:14:5c:b2:22:97:56:5b:aa:d2:83:5a:37:c4:7d:73:73:
         8a:dd:7b:21:b9:9f:a4:dc:f2:b4:5e:42:39:ad:20:98:51:b9:
         d9:aa:e9:1f:3d:ac:5a:55:df:01:2b:93:45:ac:c3:43:c3:5e:
         58:5c:98:fa:e7:07:8c:c6:f7:3d:f4:44:32:28:d5:e7:7b:ae:
         f0:9f:46:fb:b4:17:92:55:c2:fa:b9:ac:65:89:ae:55:0b:ee:
         6c:25:05:3c:4b:87:1b:4e:d2:72:9d:c0:07:76:30:5f:e2:ed:
         aa:f5:61:af:92:20:5e:ff:71:c5:5d:51:54:2c:92:4e:0e:70:
         5b:c4:00:81:5f:9b:07:3d:98:7a:b5:2f:c3:fd:a3:3b:14:c8:
         a6:7c:ff:b7:dd:c6:c3:f3:17:aa:d5:c6:88:22:d7:ee:c2:25:
         cf:9f:80:96:cf:c6:a2:86:65:4c:69:21:9b:06:a8:ab:6a:da:
         bf:a6:6f:9c:3a:f5:d6:18:62:32:89:29:bb:f3:3b:84:f0:a3:
         18:4d:a5:16:8c:04:c8:34:68:f7:09:f0:e9:0d:67:8d:9b:a2:
         e3:37:b4:9a
-----BEGIN CERTIFICATE-----
MIIDzjCCAragAwIBAgIDBBFzMA0GCSqGSIb3DQEBBQUAMHMxEjAQBgNVBAMTCWxv
Y2FsaG9zdDETMBEGA1UECxMKVW5pdmVyc2l0eTEQMA4GA1UEChMHTW9uZ29EQjEW
MBQGA1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsxCzAJBgNV
BAYTAlVTMB4XDTE2MTEwNzIwMDMwMFoXDTM2MTEwNzIwMDMwMFowdjEUMBIGA1UE
AxMLTTMxMCBDbGllbnQxFDASBgNVBAsTC1VuaXZlcnNpdHkyMRAwDgYDVQQKEwdN
b25nb0RCMRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9y
azELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCU
RZ7hVCZpLNfFpPj1F1IHgHcjoHoQPq4RVF0+BZb0TkQiiZrMru+6o5Lmt/cTO7aV
jvB/BHWxyGXj0gQidpks1l1Ug0qDQ7Ulmd/S/VFk0LnZZgqPZcdpcG8TnHH0CAa1
2kBmPamd7ajHgd89OrZHITnepYPxwhUHhg50Ju4OZwdrwJ+qke4Udyhn4K6VKciR
3FWpT8yYuDT+h8f1xIRM1C7W5UVV9g7dFvu70Tzg2PwL1o95GUJWODUnxj5vhek5
PkroJvXjNsUVDVxuv98hMen50WkAuq6rc5DDlgI9s23GWBQ1+R95iANxg2di0aHk
Tk0/8sIJ/QCv3LYKLKDtAgMBAAGjaDBmMGQGA1UdEQRdMFuCCWxvY2FsaG9zdIcE
fwAAAYIgZGF0YWJhc2UubTMxMC5tb25nb2RiLnVuaXZlcnNpdHmCJmluZnJhc3Ry
dWN0dXJlLm0zMTAubW9uZ29kYi51bml2ZXJzaXR5MA0GCSqGSIb3DQEBBQUAA4IB
AQABkNzgKwRdnvC6Zu7P22Pu3Ja6bjzT5nQbFxEcmKAbl9FUpD2pmRRcsiKXVluq
0oNaN8R9c3OK3XshuZ+k3PK0XkI5rSCYUbnZqukfPaxaVd8BK5NFrMNDw15YXJj6
5weMxvc99EQyKNXne67wn0b7tBeSVcL6uaxlia5VC+5sJQU8S4cbTtJyncAHdjBf
4u2q9WGvkiBe/3HFXVFULJJODnBbxACBX5sHPZh6tS/D/aM7FMimfP+33cbD8xeq
1caIItfuwiXPn4CWz8aihmVMaSGbBqiratq/pm+cOvXWGGIyiSm78zuE8KMYTaUW
jATINGj3CfDpDWeNm6LjN7Sa
-----END CERTIFICATE-----
Question 3)
Given the following audit filter:
{
  "$or": [
    {
      "atype": "authCheck",
      "param.command": {
        "$in": [
          "find",
          "insert",
          "delete",
          "update",
          "findandmodify"
        ]
      }
    },
    {
      "atype": {
        "$in": [
          "createCollection",
          "dropCollection"
        ]
      }
    }
  ]
}
Which of the following commands would be logged by this audit filter?
Note: You can assume that auditAuthorizationSuccess is set to true.
- show dbs
- db.products.findOne({product: 'Door Hinge'})
- db.products.insert({product: 'Amplifier'})
- db.products.find({product: 'Candle'})
- db.products.insertOne({product: 'Basket'})
Question 4)
Which of the following createRole parameters are valid when executed on
the production database?
{
  role: "intern",
  privileges: [{
    resource: { db: "staging", collection: "products" },
    actions: [ "insert" ]
  }],
  roles: []
}

{
  role: "junior-engineer",
  privileges: [{
    resource: { db: "production" },
    actions: [ "insert" ]
  }],
  roles: []
}

{ role: "senior-engineer", privileges: [], roles: [ "dbAdmin" ] }

{
  role: "team-lead",
  privileges: [{ resource: { replicaSet: true }, actions: [ "createUser" ] }],
  roles: [{ role: "root", db: "production" }]
}
Question 5)
Which of the following statements is/are true?
- kadmin exists solely to enable command line authentication to
Kerberos.
- MongoDB drivers will send LDAP credentials to a connected mongod in
plain text.
- You can use LDAP to enable internal authentication between the
members of a replica set.
- It is a best practice to leave the HTTP status interface disabled
in production.
- MONGODB-CR still exists in MongoDB only for backwards compatibility
reasons.
Question 6)
Which of the following statements is/are true?
- Audit logs can go to one of four locations: the system log, the
console, to another MongoDB member, or to a file.
- The localhost exception applies to a replica set and sharded cluster
environments.
- Internal authentication via X.509 certificates will enable MongoDB’s
role-based access control authorization system.
- Encryption at rest is a four step process: generate a master key,
generate keys for each database, encrypt each database with the database
keys, and encrypt the database keys with the master key.
- When you enable encryption at rest, transport encryption between
replicating members is automatically enabled.
Question 7)
Which of the following statements is/are true?
- The subject of a client certificate acts as the “user” when
authenticating with X.509 certificates.
- MongoDB stores user-defined role information in the system.roles
collection in the admin database.
- When enabling internal authentication between the members of a replica
set both certificate and key must be present in the CA, client, and
server PEM files.
- The preferSSL SSL mode allows the server to accept both TLS and non-TLS
connections between both clients and other members.
- When auditing is enabled on MongoDB Enterprise, the --auditFormat BSON
option has much better performance than the --auditFormat JSON
option.