fixed 81863, 81877, 81881, 81883, 81893, 81901, 81903, 81905, 81907, …
…81909, 81915, 81919, 81921, 81923

Signed-off-by: HackerShark <[email protected]>
HackerShark committed Jun 10, 2021
1 parent e88cee3 commit d7df8c4
Showing 14 changed files with 54 additions and 292 deletions.
64 changes: 3 additions & 61 deletions controls/V-81863.rb
Expand Up @@ -69,67 +69,9 @@
tag "documentable": false
tag "severity_override_guidance": false

a = []
dbnames = []

if input('mongo_use_pki') == 'true'
get_databases = command("sudo mongo --ssl --sslPEMKeyFile #{input('mongod_client_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'JSON.stringify(db.adminCommand( { listDatabases: 1, nameOnly: true}))'").stdout.strip.split('"name":"')
else
get_databases = command("mongo -u '#{input('user')}' -p '#{input('password')}' \
--quiet --eval 'JSON.stringify(db.adminCommand( { listDatabases: 1, nameOnly: true}))'").stdout.strip.split('"name":"')
end

if get_databases.grep(/error/).empty? == false
describe 'Verify the correct credentials or a valid client certificate is used to execute the query.' do
skip 'Verify the correct credentials or a valid client certificate is used to execute the query.'
end
else
get_databases.each do |db|
if db.include? 'databases'

a.push(db)
get_databases.delete(db)
end

end

get_databases.each do |db|

loc_colon = db.index('"')
names = db[0, loc_colon]
dbnames.push(names)
end

dbnames.each do |dbs|

if input('mongo_use_pki') == 'true'
users = command("sudo mongo admin --ssl --sslPEMKeyFile #{input('mongod_client_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\"}, {user: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
else
users = command("mongo admin -u '#{input('user')}' -p '#{input('password')}' \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\"}, {user: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
end

users.each do |t|

loc_colon = t.index(':')

user = t[loc_colon+3..-1]

loc_quote = user.index('"')

username = user[0, loc_quote]
allowed_db = dbs
describe "Database users of database: #{dbs}" do
subject { username }
it { should be_in input("#{allowed_db}_db_users") }
end
end
end
end
describe 'A manual review is required to determine if a user is found not be a memer or an appropriate organization that can access the database.' do
skip 'A manual review is required to determine if a user is found not be a memer or an appropriate organization that can access the database.'
end

describe yaml(input('mongod_conf')) do
its(%w{security authorization}) { should cmp 'enabled' }
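Review bot: The new describe/skip text at the end of the hunk has two wording errors that will appear verbatim in every report: `memer` and `not be a memer or an appropriate organization`. Suggest `skip 'A manual review is required to determine whether any database user is not a member of an organization approved to access that database.'` (same text for the describe title). Since the only automated assertion left is the `security.authorization` check that follows, the skip text is the assessor's sole guidance; naming the query to run — `db.system.users.find({}, {user: 1, db: 1})` in the admin database, compared against the approved user list for each database — would make the manual step reproducible.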
84 changes: 2 additions & 82 deletions controls/V-81877.rb
Expand Up @@ -86,87 +86,7 @@
tag "documentable": false
tag "severity_override_guidance": false

a = []
dbnames = []

if input('mongo_use_pki') == 'true'
get_databases = command("sudo mongo --ssl --sslPEMKeyFile #{input('mongod_client_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'JSON.stringify(db.adminCommand( { listDatabases: 1, nameOnly: true}))'").stdout.strip.split('"name":"')
else
get_databases = command("mongo -u '#{input('user')}' -p '#{input('password')}' \
--quiet --eval 'JSON.stringify(db.adminCommand( { listDatabases: 1, nameOnly: true}))'").stdout.strip.split('"name":"')
end

if get_databases.grep(/error/).empty? == false
describe 'Verify the correct credentials or a valid client certificate is used to execute the query.' do
skip 'Verify the correct credentials or a valid client certificate is used to execute the query.'
end
else
get_databases.each do |db|
if db.include? 'databases'

a.push(db)
get_databases.delete(db)
end
end

get_databases.each do |db|

loc_colon = db.index('"')
names = db[0, loc_colon]
dbnames.push(names)
end

if dbnames.empty?
describe 'There are no mongo databases, therefore for this control is NA' do
skip 'There are no mongo databases, therefore for this control is NA'
end
end

if !dbnames.empty?

dbnames.each do |dbs|

if input('mongo_use_pki') == 'true'
users = command("sudo mongo admin --ssl --sslPEMKeyFile #{input('mongod_client_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\"}, {user: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
else
users = command("mongo admin -u '#{input('user')}' -p '#{input('password')}' \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\"}, {user: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
end
users.each do |t|

loc_colon = t.index(':')

user = t[loc_colon+3..-1]

loc_quote = user.index('"')

username = user[0, loc_quote]

if input('mongo_use_pki') == 'true'
getdb_roles = command("sudo mongo admin --ssl --sslPEMKeyFile #{input('mongod_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\", user: \"#{username}\"}, {roles: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
else
getdb_roles = command("mongo admin -u '#{input('user')}' -p '#{input('password')}' \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\", user: \"#{username}\"}, {roles: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
end

getdb_roles.each do |r|
remove_role = r.index('[')
rr = r[remove_role..-1]

allowed_role = username
describe "The database role for user: #{username}" do
subject { rr }
it { should be_in input("#{allowed_role}_allowed_role") }
end
end
end
end
end
describe 'A manual review is required to determine if a user has a role with innapropriate privileges as well as if those roles have the proper privileges & inherited privileges' do
skip 'A manual review is required to determine if a user has a role with innapropriate privileges as well as if those roles have the proper privileges & inherited privileges'
end
end
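Review bot: `innapropriate` in the new describe/skip text (both lines at the end of the hunk) should be `inappropriate`; this string is what the assessor reads in the report. The message also folds three separate questions (inappropriate roles, the roles' own privileges, inherited privileges) into one sentence; `skip 'Manual review: confirm each user's roles are appropriate, and that each role's own and inherited privileges are documented and approved.'` reads more clearly in findings. The `end` that closes the hunk appears to belong to the `control` block, which starts above the hunk.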
13 changes: 6 additions & 7 deletions controls/V-81881.rb
Expand Up @@ -69,13 +69,12 @@
tag "documentable": false
tag "severity_override_guidance": false

describe.one do
describe yaml(input('mongod_conf')) do
its(%w{storage journal enabled}) { should cmp 'true' }
end
describe processes('mongod') do
its('commands.join') { should_not match /--nojournal/}
end
describe yaml(input('mongod_conf')) do
its(%w{storage journal enabled}) { should cmp 'true' }
end

describe processes('mongod') do
its('commands.join') { should_not match /--nojournal/}
end

end
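Review bot: The `describe processes('mongod')` at the end of the hunk passes vacuously when no mongod process is running: `commands.join` on an empty process list is `""`, which `should_not match /--nojournal/` accepts, so a stopped server is reported compliant. Add `it { should exist }` inside that describe so an absent process is a finding rather than a pass. Note also that with the `describe.one` gone both tests must hold, so a conf file that does not set `storage.journal.enabled` at all fails the yaml test (`cmp 'true'` against nil) regardless of how mongod was started; if the key is meant to be mandatory, the control's fix text should say so.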
6 changes: 5 additions & 1 deletion controls/V-81883.rb
Expand Up @@ -60,8 +60,12 @@
its(%w{security enableEncryption}) { should cmp 'true' }
end
describe processes('mongod') do
its('commands.join') { should_not match /--enableEncryption false/}
its('commands.join') { should match /--enableEncryption true/}
end
end

describe processes('mongod') do
its('commands.join') { should_not match /--enableEncryption false/}
end

end
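Review bot: `should match /--enableEncryption true/` on the mongod command line (the line following the yaml `enableEncryption` test) fails on a host that enables encryption through the conf file alone, because a mongod started with `-f /etc/mongod.conf` carries no `--enableEncryption` flag in `commands.join` even though the yaml test just above has passed. Whether that matters depends on the block enclosing these two describes, which starts above the hunk: inside a `describe.one` it is a harmless alternative, anywhere else it turns a correctly configured server into a finding. The separate `describe processes('mongod')` at the end of the hunk has the mirror-image weakness — `should_not match /--enableEncryption false/` passes vacuously when no mongod is running, since `commands.join` on an empty process list is `""`; adding `it { should exist }` to that describe closes the gap.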
7 changes: 2 additions & 5 deletions controls/V-81893.rb
Expand Up @@ -55,10 +55,7 @@
tag "documentable": false
tag "severity_override_guidance": false

describe yaml(input('mongod_conf')) do
its(%w{security authorization}) { should cmp 'enabled' }
end
describe yaml(input('mongod_conf')) do
its(%w{security redactClientLogData}) { should cmp 'true' }
describe 'A manual review is required to check custom database code to verfiy that error messages do not contain information beyond what is needed for troubleshooting the issue.' do
skip 'A manual review is required to check custom database code to verfiy that error messages do not contain information beyond what is needed for troubleshooting the issue.'
end
end
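Review bot: `verfiy` in the new describe/skip text should be `verify`; as this describe is now the control's only output, the string is what every reader of the report sees. The sentence is also easier to act on if it states the pass criterion: `skip 'A manual review is required: inspect custom database code and confirm that error messages returned to clients contain only what is needed to troubleshoot the issue.'`.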
7 changes: 2 additions & 5 deletions controls/V-81901.rb
Expand Up @@ -47,10 +47,7 @@
tag "documentable": false
tag "severity_override_guidance": false

describe yaml(input('mongod_conf')) do
its(%w{auditLog destination}) { should cmp 'syslog' }
end
describe yaml(input('mongod_conf')) do
its(%w{auditLog filter}) { should be_nil }
describe 'A manual review is required to check if replica sets or the rolling maintenance approach is not used for changes to the audit events & filters' do
skip 'A manual review is required to check if replica sets or the rolling maintenance approach is not used for changes to the audit events & filters'
end
end
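Review bot: The new skip text, `check if replica sets or the rolling maintenance approach is not used for changes to the audit events & filters`, is a double negative and does not tell the assessor what a finding looks like. Assuming the control's intent (its text is above the hunk) is that audit-configuration changes on a replica set go through rolling maintenance, `skip 'Manual review: confirm that audit event and filter changes on replica sets are applied through the rolling-maintenance procedure (one member at a time); any other approach is a finding.'` states that directly, for both the describe title and the skip message.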
12 changes: 7 additions & 5 deletions controls/V-81903.rb
Expand Up @@ -50,10 +50,12 @@
tag "documentable": false
tag "severity_override_guidance": false

describe yaml(input('mongod_conf')) do
its(%w{storage dbPath}) { should cmp '/data/db' }
end
describe yaml(input('mongod_conf')) do
its(%w{auditLog destination}) { should cmp 'syslog' }
describe.one do
describe yaml(input('mongod_conf')) do
its(%w{auditLog destination}) { should cmp 'syslog' }
end
describe processes('mongod') do
its('commands.join') { should match /--auditDestination syslog/}
end
end
end
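Review bot: The command-line alternative in the new `describe.one` matches only the `--auditDestination syslog` spelling; if mongod was launched with the `--auditDestination=syslog` form (which, as far as I know, its option parser accepts) the regex misses it and a correctly configured host becomes a finding. `its('commands.join') { should match /--auditDestination[ =]syslog\b/ }` covers both spellings. The `describe.one` structure itself is the right shape for a setting that can come from either the conf file or the command line, and the other audit-destination controls in this commit would benefit from the same form.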
1 change: 1 addition & 0 deletions controls/V-81905.rb
Expand Up @@ -62,5 +62,6 @@

describe yaml(input('mongod_conf')) do
its(%w{auditLog destination}) { should_not cmp 'file' }
its(%w{auditLog destination}) { should_not be_nil }
end
end
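Review bot: The added `should_not be_nil` makes `auditLog.destination` mandatory in the conf file, so a mongod whose audit destination is set on the command line (`--auditDestination`) is now reported as a finding even though auditing is routed correctly — the yaml resource returns nil for a key that is simply absent. V-81903 in this same commit handles that case with a `describe.one` over the conf file and `processes('mongod').commands`; the same shape here keeps the two audit controls consistent and still rejects `file`. The rewrite below also requires the process to exist so the command-line branch cannot pass on an empty `commands.join`. The `end` at the bottom of the hunk closes a block that starts above it.
```ruby
describe.one do
  describe yaml(input('mongod_conf')) do
    its(%w{auditLog destination}) { should_not be_nil }
    its(%w{auditLog destination}) { should_not cmp 'file' }
  end
  describe processes('mongod') do
    it { should exist }
    # any destination given on the command line except 'file'
    its('commands.join') { should match /--auditDestination[ =](?!file\b)\S+/ }
  end
end
```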
1 change: 1 addition & 0 deletions controls/V-81907.rb
Expand Up @@ -51,5 +51,6 @@

describe yaml(input('mongod_conf')) do
its(%w{auditLog destination}) { should_not cmp 'file' }
its(%w{auditLog destination}) { should_not be_nil }
end
end
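Review bot: As in V-81905, the added `should_not be_nil` on `auditLog.destination` fails a host that configures the audit destination on the mongod command line rather than in the conf file, because the yaml resource yields nil for an absent key; the `describe.one` form V-81903 uses in this commit avoids that. Separately, the two assertions together still accept `console`, which as I understand it writes audit events to the process's stdout; if the intent is that records go to syslog (what V-81903 enforces), a single `its(%w{auditLog destination}) { should cmp 'syslog' }` states that directly and makes the `be_nil` test redundant — worth confirming against the control text, which is above the hunk.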
83 changes: 2 additions & 81 deletions controls/V-81909.rb
Expand Up @@ -60,86 +60,7 @@
tag "documentable": false
tag "severity_override_guidance": false

a = []
dbnames = []

if input('mongo_use_pki') == 'true'
get_databases = command("sudo mongo --ssl --sslPEMKeyFile #{input('mongod_client_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'JSON.stringify(db.adminCommand( { listDatabases: 1, nameOnly: true}))'").stdout.strip.split('"name":"')
else
get_databases = command("mongo -u '#{input('user')}' -p '#{input('password')}' \
--quiet --eval 'JSON.stringify(db.adminCommand( { listDatabases: 1, nameOnly: true}))'").stdout.strip.split('"name":"')
end

if get_databases.grep(/error/).empty? == false
describe 'Verify the correct credentials or a valid client certificate is used to execute the query.' do
skip 'Verify the correct credentials or a valid client certificate is used to execute the query.'
end
else
get_databases.each do |db|
if db.include? 'databases'

a.push(db)
get_databases.delete(db)
end
end

get_databases.each do |db|

loc_colon = db.index('"')
names = db[0, loc_colon]
dbnames.push(names)
end

if dbnames.empty?
describe 'There are no mongo databases, therefore for this control is NA' do
skip 'There are no mongo databases, therefore for this control is NA'
end
end

if !dbnames.empty?
dbnames.each do |dbs|

if input('mongo_use_pki') == 'true'
users = command("sudo mongo admin --ssl --sslPEMKeyFile #{input('mongod_client_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\"}, {user: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
else
users = command("mongo admin -u '#{input('user')}' -p '#{input('password')}' \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\"}, {user: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
end
users.each do |t|

loc_colon = t.index(':')

user = t[loc_colon+3..-1]

loc_quote = user.index('"')

username = user[0, loc_quote]

if input('mongo_use_pki') == 'true'
getdb_roles = command("mongo admin --ssl --sslPEMKeyFile #{input('mongod_client_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\", user: \"#{username}\"}, {roles: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
else
getdb_roles = command("mongo admin -u '#{input('user')}' -p '#{input('password')}' \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\", user: \"#{username}\"}, {roles: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
end

getdb_roles.each do |r|
remove_role = r.index('[')
rr = r[remove_role..-1]

allowed_role = username
describe "The database role for user: #{username}" do
subject { rr }
it { should be_in input("#{allowed_role}_allowed_role") }
end
end
end
end
end
describe 'A manual review is required to determine if any permissions exist that are not documented and approved' do
skip 'A manual review is required to determine if any permissions exist that are not documented and approved'
end
end
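Review bot: The new skip text asks the assessor to find permissions that are "not documented and approved" but gives no starting point and does not say where the approved assignments are kept. Pointing at the concrete artifacts — e.g. `skip 'Manual review: compare the roles returned by db.system.users.find({}, {user: 1, db: 1, roles: 1}) in the admin database against the documented and approved role assignments; any undocumented role is a finding.'` — makes the manual step reproducible across assessors. The `end` closing the hunk presumably belongs to the `control` block, which begins above the hunk.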
30 changes: 4 additions & 26 deletions controls/V-81915.rb
Expand Up @@ -13,10 +13,7 @@
If any mongos process is running (a MongoDB shared cluster) the
\"userCacheInvalidationIntervalSecs\" option can be used to specify the cache
timeout.
The default is \"30\" seconds and the minimum is \"1\" second.
In the saslauthd file, if MECH is not equal to ldap, this is a finding.
The default is \"30\" seconds and the minimum is \"1\" second.
"
desc "fix", "If MongoDB is configured to authenticate using SASL and
LDAP/Active Directory modify and restart the saslauthd command line options in
Expand All @@ -30,17 +27,7 @@
can be changed from the default \"30\" seconds.
This is accomplished by modifying the mongos configuration file (default
location: /etc/mongod.conf) and then restarting mongos.
In the mongod.conf, set timeoutMS to 1000.
security:
ldap:
timeoutMS: 1000
In the saslauthd file ( default location: /etc/sysconfig/saslauthd ), set FLAGS to -t 900
FLAGS= -t 900
Also, in the saslauthd file, set MECH to ldap
MECH=ldap "
"

impact 0.5
tag "severity": "medium"
Expand All @@ -55,18 +42,9 @@
tag "severity_override_guidance": false

if input('mongo_use_saslauthd') == 'true' && input('mongo_use_ldap') == 'true'
describe ini(input('saslauthd')) do
its(%w{MECH}) {should cmp 'ldap'}
end
describe ini(input('saslauthd')) do
its('FLAGS') {should eq '-t 900'}
describe processes('saslauthd') do
its('commands.join') { should match /-t\s/}
end
describe yaml(input('mongod_conf')) do
its(%w{security authorization}) { should cmp 'enabled'}
end
describe yaml(input('mongod_conf')) do
its(%w{security ldap timeoutMS}) { should cmp '10000' }
end
else
impact 0.0
describe 'This control is Not Applicable because MongoDB is not configured to authenticate using SASL and LDAP.' do
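Review bot: The new `should match /-t\s/` on the saslauthd command line only proves that some `-t` flag was passed; any value, however long, satisfies it, so the cache-timeout requirement this control is about is not actually enforced. Capture the number and bound it instead, as below; reading the value from `processes('saslauthd').commands` also turns a missing process into a finding (`nil.to_i` is 0) rather than an unexplained match failure, and the `900` is the bound the removed fix text named — it should become a profile input rather than a literal. If the `security.ldap.timeoutMS` yaml test further down the hunk survives on the new side (this rendering does not show which lines were kept), `cmp '10000'` is an exact-value check that flags a shorter, stricter timeout as a finding, and `should cmp <= 10000` expresses the intent. The `if` block continues past the hunk (its `else` branch is cut off).
```ruby
if input('mongo_use_saslauthd') == 'true' && input('mongo_use_ldap') == 'true'
  # saslauthd -t <seconds> is the credential-cache lifetime; nil when the flag or the process is absent
  saslauthd_cache_timeout = processes('saslauthd').commands.join[/-t\s+(\d+)/, 1]
  describe 'saslauthd credential cache timeout (-t, seconds)' do
    subject { saslauthd_cache_timeout.to_i }
    it { should be > 0 }      # absent flag or absent process -> 0 -> finding
    it { should be <= 900 }   # bound named in the removed fix text; promote to a profile input
  end
  # … unchanged: else branch (Not Applicable), closed outside the hunk …
```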

1 comment on commit d7df8c4

@aaronlippold


Why are we moving all these automated tests to manual?
