Splunk documentation ("[Harden your KV store port][1]") states "we recommend that you secure your environment by restricting KV store access to your port" but there doesn't seem to be any documentation stating any of the following:
1. What is the risk of NOT hardening the port
2. What, if any, integral security is included with the KV store
3. What the appropriate methods would be to harden it
As to the first point, I presume the risks are potential exfiltration of data and/or alteration of the kvstore - but that goes to the second point: why isn't integral security adequate? Is MongoDB security broken? Are connections encrypted? how is a connection authenticated? [The KV store documents][2] don't mention any of this.
Based on the [MongoDB documentation][3] I presume the recommended hardening method is iptables, but Splunk docs don't mention this either.
In other words, what is the basis of this recommendation? More info/documentation is needed.
[1]: https://docs.splunk.com/Documentation/Splunk/latest/Security/HardenyourKVstoreport
[2]:http://docs.splunk.com/Documentation/Splunk/latest/Admin/TroubleshootKVstore
[3]: https://www.mkyong.com/mongodb/mongodb-allow-remote-access/
↧