Refactor Security Checklist

Author: npentrel

source/administration/security-checklist.txt

@@ -6,9 +6,9 @@ Security Checklist
 
 .. |arrow| unicode:: U+27A4
 
-*Last updated: 2020-03-25*
+*Last updated: 2021-09-29*
 
-This documents provides a list of security measures that you should
+This document provides a list of security measures that you should
 implement to protect your MongoDB installation. The list is not meant
 to be exhaustive.
 
@@ -20,46 +20,54 @@ Pre-production Checklist/Considerations
 |arrow| Enable Access Control and Enforce Authentication
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-- Enable access control and specify the authentication mechanism.
-  You can use MongoDB's SCRAM or x.509 authentication mechanism or
-  integrate with your existing Kerberos/LDAP infrastructure. Authentication
-  requires that all clients and servers provide valid credentials
-  before they can connect to the system.
+- Enable access control and specify an authentication mechanism.
 
-  |
+  MongoDB Community supports a number of :ref:`authentication mechanisms
+  <security-authentication-mechanisms>` that clients can use to verify
+  their identity:
 
-  See also:
+  - :ref:`authentication-scram` (*Default*)
+  - :ref:`x.509 Certificate Authentication <security-auth-x509>`.
 
-  - :doc:`/core/authentication`
-  - :doc:`/tutorial/enable-authentication`
+  In addition to the preceding mechanisms, MongoDB Atlas and MongoDB
+  Enterprise support the following mechanisms:
+
+  - :ref:`LDAP proxy authentication <security-auth-ldap>`, and
+  - :ref:`Kerberos authentication <security-auth-kerberos>`.
+
+  These mechanisms allow MongoDB to integrate into your
+  existing authentication system.
+
+.. seealso::
+
+   - :doc:`/core/authentication`
+   - :doc:`/tutorial/enable-authentication`
 
 .. _security-checklist-role-based-access-control:
 
 |arrow| Configure Role-Based Access Control
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-- Create a user administrator **first**, then create additional
-  users. Create a unique MongoDB user for each person/application
-  that accesses the system.
-       
+- Create a :ref:`user administrator <create-user-admin>` **first**, then
+  create additional users. Create a unique MongoDB user for each
+  person/application that accesses the system.
+
 - Follow the principle of least privilege. Create roles that define the
   exact access rights required by a set of users. Then create
   users and assign them only the roles they need to perform their
   operations. A user can be a person or a client application.
 
   .. note::
-  
+
      A user can have privileges across different databases. If a user
      requires privileges on multiple databases, create a single user
      with roles that grant applicable database privileges instead of
      creating the user multiple times in different databases.
 
-  |
-
-  See also:
+.. seealso::
 
-  - :doc:`/core/authorization`
-  - :doc:`/tutorial/manage-users-and-roles`
+   - :doc:`/core/authorization`
+   - :doc:`/tutorial/manage-users-and-roles`
 
 |arrow| Encrypt Communication (TLS/SSL)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -72,33 +80,29 @@ Pre-production Checklist/Considerations
 
   .. include:: /includes/fact-tls-libraries.rst
 
-  .. note::
-
-     .. include:: /includes/fact-tls-1.0.rst
+.. seealso::
 
-  |
-
-  See also: :doc:`/tutorial/configure-ssl`.
-
-.. |binary| replace:: MongoDB
+   :doc:`/tutorial/configure-ssl`.
 
 |arrow| Encrypt and Protect Data
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-- Starting with MongoDB Enterprise 3.2, you can encrypt data in
-  the storage layer with the WiredTiger storage engine's native
-  :doc:`/core/security-encryption-at-rest`.
+- You can encrypt data in the storage layer with the WiredTiger storage
+  engine's native :doc:`/core/security-encryption-at-rest`.
 
 - If you are not using WiredTiger's encryption at rest, MongoDB
   data should be encrypted on each host using file-system, device,
-  or physical encryption (e.g. dm-crypt). Protect MongoDB data
-  using file-system permissions. MongoDB data includes data files,
-  configuration files, auditing logs, and key files.
-
-- Collect logs to a central log store. These logs contain DB
-  authentication attempts including source IP address.
-       
-       
+  or physical encryption (for example dm-crypt). You should also protect
+  MongoDB data using file-system permissions. MongoDB data includes data
+  files, configuration files, auditing logs, and key files.
+
+- You can use :doc:`/core/security-client-side-encryption` to encrypt
+  fields in documents application-side prior to transmitting data over
+  the wire to the server.
+
+- Collect logs to a central log store. These logs contain database
+  authentication attempts including source IP addresses.
+
 |arrow| Limit Network Exposure
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -111,47 +115,39 @@ Pre-production Checklist/Considerations
 - Allow only trusted clients to access the network interfaces and
   ports on which MongoDB instances are available.
 
-  .. note::
-
-     .. include:: /includes/fact-default-bind-ip-change.rst
+.. seealso::
 
-  |
+   - :doc:`/core/security-hardening`
 
-  See also:
+   - the :setting:`net.bindIp` configuration setting
 
-  - :doc:`/core/security-hardening` 
+   - the :setting:`security.clusterIpSourceAllowlist` configuration
+     setting
 
-  - the :setting:`net.bindIp` configuration setting
-     
-  - the :setting:`security.clusterIpSourceAllowlist` configuration
-    setting
-
-  - the :ref:`authenticationRestrictions
-    <db-createUser-authenticationRestrictions>` field to the
-    :method:`db.createUser()` command to specify a per-user IP
-    allow list.
+   - the :ref:`authenticationRestrictions
+     <db-createUser-authenticationRestrictions>` field to the
+     :method:`db.createUser()` command to specify a per-user IP
+     allow list.
 
 
 |arrow| Audit System Activity
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 - Track access and changes to database configurations and data.
   `MongoDB Enterprise
-  <http://www.mongodb.com/products/mongodb-enterprise-advanced?tck=docs_server>`_ 
+  <http://www.mongodb.com/products/mongodb-enterprise-advanced?tck=docs_server>`_
   includes a system auditing facility that can record
-  system events (e.g. user operations, connection events) on a
+  system events (including user operations and connection events) on a
   MongoDB instance. These audit records permit forensic analysis
-  and allow administrators to verify proper controls. You can set
-  up filters to record specific events, such as authentication
+  and allow administrators to exercise proper controls. You can set
+  up filters to record only specific events, such as authentication
   events.
 
-  |
-
-  See also:
+.. seealso::
 
-  - :doc:`/core/auditing`
+   - :doc:`/core/auditing`
 
-  - :doc:`/tutorial/configure-auditing`
+   - :doc:`/tutorial/configure-auditing`
 
 |arrow| Run MongoDB with a Dedicated User
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -160,9 +156,9 @@ Pre-production Checklist/Considerations
   account. Ensure that the account has permissions to access data
   but no unnecessary permissions.
 
-  |
+.. seealso::
 
-  See also: :doc:`/installation`
+   :doc:`/installation`
 
 .. _security-checklist-javascript:
 
@@ -173,35 +169,32 @@ Pre-production Checklist/Considerations
   server-side operations: :dbcommand:`mapReduce`, :query:`$where`,
   :group:`$accumulator`, and :expression:`$function`. If you do
   not use these operations, disable server-side scripting by using
-  the :option:`--noscripting <mongod --noscripting>` option on the
-  command line.
+  the :option:`--noscripting <mongod --noscripting>` option.
 
 - Keep input validation enabled. MongoDB enables input validation
   by default through the :setting:`net.wireObjectCheck` setting.
   This ensures that all documents stored by the
   :binary:`~bin.mongod` instance are valid :term:`BSON`.
 
-  |
+.. seealso::
 
-  See also: :doc:`/core/security-hardening`
+   :doc:`/core/security-hardening`
 
 |arrow| Request a Security Technical Implementation Guide (where applicable)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 - The Security Technical Implementation Guide (STIG) contains
   security guidelines for deployments within the United States
   Department of Defense. MongoDB Inc. provides its STIG, upon
-  request, for situations where it is required. Please `request a
-  copy <http://www.mongodb.com/lp/contact/stig-requests>`_ for
-  more information.
+  `request <http://www.mongodb.com/lp/contact/stig-requests>`_.
 
 |arrow| Consider Security Standards Compliance
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 - For applications requiring HIPAA or PCI-DSS compliance, please
   refer to the `MongoDB Security Reference Architecture
   <https://www.mongodb.com/collateral/mongodb-security-architecture>`_
-  to learn more about how you can use the key security
+  to learn more about how you can use MongoDB's key security
   capabilities to build compliant application infrastructure.
 
 
@@ -213,15 +206,14 @@ Periodic/Ongoing Production Checks
 
 - Consult the `MongoDB end of life dates
   <https://www.mongodb.com/support-policy>`_ and upgrade your
-  MongoDB installation. In general, try to stay on the latest
+  MongoDB installation as needed. In general, try to stay on the latest
   version.
 
 - Ensure that your information security management system policies
   and procedures extend to your MongoDB installation, including
   performing the following:
 
-  - Periodically apply patches to your machine and review
-    guidelines.
+  - Periodically apply patches to your machine.
 
   - Review policy/procedure changes, especially changes to your
     network rules to prevent inadvertent MongoDB exposure to the

source/includes/fact-tls-libraries.rst

@@ -1,4 +1,4 @@
-Starting in version 4.0, MongoDB uses the native TLS/SSL OS libraries:
+MongoDB uses the native TLS/SSL OS libraries:
 
 .. list-table::
    :header-rows: 1