Running PR for Profile review and Fix

[rx294]

Signed-off-by: Rony Xavier [email protected]

[rx294]

Review comments from @HackerShark

V-81843 - WORKS
V-81845 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection
V-81847 - WORKS
V-81849 - The else statement can be removed, I don’t see the point of it. The check text only mentions mongodb audit log directory but for some reason in an else block we are also validating the /var/log directory
V-81851 - WORKS

[HackerShark]

V-81853 - WORKS
V-81855 - WORKS
V-81857 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection
V-81859 - WORKS
V-81861 - WORKS

[rx294]

Review comments from @HackerShark

V-81843 - WORKS

Agreed

V-81845 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection

Yes lets tackle every control that does database interface together by using the by working the local resource here https://github.com/adamleff/inspec-profile-mongodb-security/blob/master/libraries/resource_mongo_command.rb

V-81847 - WORKS

Agreed

V-81849 - The else statement can be removed, I don’t see the point of it. The check text only mentions mongodb audit log directory but for some reason in an else block we are also validating the /var/log directory

Agreed with above however there are more issues with this listed below:

mongodb_service_account and mongodb_service_group is not present in inspec.yml

Input value for mongod_auditlog not required. the path can be grabbed from conf file directly

the be_in matcher + input() seems to cause false passes

Lets place input value to var and use the var in describe block
please post an issue on InSpec re the same

V-81851 - WORKS

Same issue with be_in + input() combination above

[rx294]

@HackerShark plz see below my notes on ur review

V-81853 - WORKS

agreed

V-81855 - WORKS

Irrational design.
Lets just add a non applicability case if virtualization.system.eql?('docker'). with the right desc, caveat verbiage explaining why its non applicable in a container.

V-81857 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection

agreed

V-81859 - WORKS

packages(/mongodb/).names gets us the package names...and the resource handles distro adaptation.
This way input var dont have to be updated for ever version.
also same var can be used for debian and redhat packages...this we we can collapse mongodb_debian_packages and mongodb_redhat_packages to a single approved_mongo_packages

V-81861 - WORKS

agreed

[HackerShark]

V-81863 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection
V-81865 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection
V-81867 - WORKS
V-81869 - Should the locations for the pemkeyfile and cafile be parameterized for this check? Or is this a static location?
V-81871 - Similar fix to our previous controls, instead of having an input for the pem and cafile will pull those using yaml resource from the mongo conf file. Also doing same var fix for inputs using be_in matcher.

[rx294]

@HackerShark

V-81863 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection
V-81865 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection
V-81867 - WORKS

The check code seems to refer to authenticationMechanisms settings SCRAM and MONGODB-X509 which is not being checked in the control
https://docs.mongodb.com/manual/reference/parameters/#mongodb-parameter-param.authenticationMechanisms

V-81869 - Should the locations for the pemkeyfile and cafile be parameterized for this check? Or is this a static location?

The guidance just says they should be set... so test could be as simple as...it should not be nil
Please also add the describe.one condition where allowInvalidCertificates could be nil or false for a pass

V-81871 - Similar fix to our previous controls, instead of having an input for the pem and cafile will pull those using yaml resource from the mongo conf file. Also doing same var fix for inputs using be_in matcher.

Agreed..input values not required here... file locations can be parsed from the conf file.

[HackerShark]

V-81867 - Might need to switch this over to a Manual Review as we spoke about before.
V-81873 - WORKS
V-81875 - From the wording of the STIG this check applies if the MongoDB is deployed in a classified environment. As such we need to have a check (possibly using an input flag) that sees if we are in a classified environment then we will do the checks. On top of that the STIG currently only does the first check, we also need to Check the server log file for a message that FIPS is active. We would also need to Verify that FIPS has been enabled at the operating system.
V-81877 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection
V-81879 - WORKS
V-81881 - WORKS

[aaronlippold]

I think in the wings profiles we used. Is_sensitive for a sensitive env

On Mon, May 24, 2021 at 12:47 AM Mo Shark ***@***.***> wrote: V-81867 - Might need to switch this over to a Manual Review as we spoke about before. V-81873 - WORKS V-81875 - From the wording of the STIG this check applies if the MongoDB is deployed in a classified environment. As such we need to have a check (possibly using an input flag) that sees if we are in a classified environment then we will do the checks. On top of that the STIG currently only does the first check, we also need to Check the server log file for a message that FIPS is active. We would also need to Verify that FIPS has been enabled at the operating system. V-81877 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection V-81879 - WORKS V-81881 - WORKS — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#14 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALK42EK2HX373JTLPELQX3TPHK63ANCNFSM44437F7Q> .

-- -------- Aaron Lippold ***@***.*** 260-255-4779 twitter/aim/yahoo,etc. 'aaronlippold'

[aaronlippold]

Damn auto correct. I think in the windows profiles we used .... On Mon, May 24, 2021 at 5:47 AM Aaron Lippold ***@***.***> wrote:

I think in the wings profiles we used. Is_sensitive for a sensitive env On Mon, May 24, 2021 at 12:47 AM Mo Shark ***@***.***> wrote: > V-81867 - Might need to switch this over to a Manual Review as we spoke > about before. > V-81873 - WORKS > V-81875 - From the wording of the STIG this check applies if the MongoDB > is deployed in a classified environment. As such we need to have a check > (possibly using an input flag) that sees if we are in a classified > environment then we will do the checks. On top of that the STIG currently > only does the first check, we also need to Check the server log file for > a message that FIPS is active. We would also need to Verify that FIPS has > been enabled at the operating system. > V-81877 - Doesn’t seem to be connecting to database, need to further > evaluate after making proper connection > V-81879 - WORKS > V-81881 - WORKS > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > < #14 (comment) >, > or unsubscribe > < https://github.com/notifications/unsubscribe-auth/AALK42EK2HX373JTLPELQX3TPHK63ANCNFSM44437F7Q > > . > -- -------- Aaron Lippold ***@***.*** 260-255-4779 twitter/aim/yahoo,etc. 'aaronlippold' — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#14 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALK42D5ZB4DWPYAQ2DKWR3TPIOCNANCNFSM44437F7Q> .

-- -------- Aaron Lippold ***@***.*** 260-255-4779 twitter/aim/yahoo,etc. 'aaronlippold'

[HackerShark]

V-81883 - WORKS
V-81885 - WORKS
V-81887 - WORKS
V-81889 - WORKS
V-81891 - WORKS

V-81893 - WORKS
V-81895 - WORKS
V-81897 - WORKS
V-81899 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection
V-81901 - WORKS

[HackerShark]

V-81883 - WORKS
V-81885 - WORKS
V-81887 - WORKS
V-81889 - WORKS
V-81891 - WORKS

V-81893 - WORKS
V-81895 - WORKS
V-81897 - WORKS
V-81899 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection
V-81901 - WORKS

[rx294]

@HackerShark

V-81883 - WORKS

Looks like we are ignoring the process flags details

inspec> processes('mongod').commands.join
=> "mongod --auth --bind_ip_all"

The above can be used regex match the required params
Note that process flags seems to take precedence over config file settings
so we should wrap config file checking and process flag checking for enableEncryption in a describe.one
however there should be a stand alone check for process flag to ensure --enableEncryption false should not be set

V-81885 - WORKS

agreed

V-81887 - WORKS

we talked about the issue with be_in + input() issue already... this need to be fixed as in the earlier controls

V-81889 - WORKS

agreed

V-81891 - WORKS

V-81893 - WORKS
V-81895 - WORKS
V-81897 - WORKS
V-81899 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection
V-81901 - WORKS

[rx294]

@HackerShark
#14 (comment)

This is a repost from last one...please post the right list of reviewed controls

[HackerShark]

V-81903 - WORKS
V-81905 - WORKS
V-81907 - WORKS
V-81909 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection
V-81911 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection

V-81913 - WORKS
V-81915 - WORKS
V-81917 - WORKS
V-81919 - WORKS
V-81921 - WORKS

V-81923 - WORKS
V-81925 - WORKS
V-81927 - WORKS
V-81929 - WORKS

[rx294]

@HackerShark just pushed an enhanced mongo_command resource.
It allows of SSL and other auth enhancements.

resource should be called as below in the controls

    db_command = 'db.getUsers()'

    mongo_session = mongo_command(db_command, 
                      username: input('username'),
                      password: input('password'),
                      host: input('mongod_hostname'),
                      port: input('mongod_port'),
                      ssl: input('ssl'),
                      verify_ssl: input('verify_ssl'),
                      ssl_pem_key_file: input('mongod_client_pem'),
                      ssl_ca_file: input('mongod_cafile'),
                      authentication_database: input('authentication_database'),
                      authentication_mechanism: input('authentication_mechanism')
                      ) 

    describe mongo_session do
      its('params.length') { should be > 0 }
    end

the following input values should in the inspec.yml with the default value seen below

    input('username',value: nil)
    input('password',value: nil)
    input('mongod_hostname',value: '127.0.0.1')
    input('mongod_port',value: '27017')
    input('ssl',value: false)
    input('verify_ssl',value: false)
    input('mongod_client_pem',value: nil)
    input('mongod_cafile',value: nil)
    input('authentication_database',value: nil)
    input('authentication_mechanism',value: nil)

[rx294]

@HackerShark

V-81903 - WORKS

Needs update
1)plz check conf file as well as process flags (--auditDestination syslog) with describe.one condition
2)remove the dbPath check...its not required

V-81905 - WORKS

let add condition in the same describe block to add its(%w{auditLog destination}) { should_not be_nil } << this saves us in case auditLog.destination is not defined...this is a good general rule to follow incase of negative tests

V-81907 - WORKS

Same note as V-81905

V-81909 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection
V-81911 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection

V-81913 - WORKS
V-81915 - WORKS

additional guidance seems to have been appended to the stig guidance ....plz compare to stig check/fix text and remove the excess..
looks like all we need to do if input('mongo_use_saslauthd') == 'true' && input('mongo_use_ldap') == 'true'
check process flags to include -t

V-81917 - WORKS

cert path hardcoded which is no good...
1)plz parse from conf file or process flags
2)plz use x509_certificate resource...
3)you an input value to get authorized_certificate_authority

V-81919 - WORKS

need to support commandline as well as conf file options
could be worked with describe.one with yaml and processes resource
ps plz collapse all the existing describe blocks into a single one

V-81921 - WORKS

Line 65 ... update to just check if its not null... no need to check against a hardcoded path

V-81923 - WORKS

Same note as V-81921

V-81925 - WORKS
V-81927 - WORKS
V-81929 - WORKS

[rx294]

@HackerShark

V-81893 - WORKS

should be marked manual....redactClientLogData does not relate to check guidance

V-81895 - WORKS

agreed

V-81897 - WORKS

agreed

V-81899 - Doesn’t seem to be connecting to database, need to further evaluate after making proper connection

should stay manual

V-81901 - WORKS

should be marked manual

[rx294]

Why are we moving all these automated tests to manual?
hey @aaronlippold on review of V-81893 and V-81901 ...they automated tests coded are unrelated to check guidance...and are manual controls

[Amndeep7]

@aaronlippold @HackerShark how much work is left for this PR?