Running PR for Profile review and Fix #14

Open: wants to merge 34 commits into base: master

34 commits
c94d0ab
Injection changes to start a PR
rx294 May 14, 2021
283abbf
updating controls to fix broken logic, also adding missing inputs
HackerShark May 18, 2021
de54c31
cleaning up code to be a bit more efficient
HackerShark May 18, 2021
ebcf6ff
Adding additional fixes, removing unused inputs from inputs.yml and i…
HackerShark May 19, 2021
609d7b0
Updating control to fix problematic logic
HackerShark May 19, 2021
46268f0
V-81859 improved logic flow
HackerShark May 20, 2021
084b820
Fixing 81849 to incorporate missing check
HackerShark May 24, 2021
1bb651f
modified 81869 to better check against more conditions
HackerShark May 24, 2021
5af90d9
fixed 81875, 81887. Added mongodb resource
HackerShark Jun 8, 2021
174f447
SSL and other auth enhancements to mongo_command resource
rx294 Jun 9, 2021
b5ae664
SSL and other auth enhancements to mongo_command resource
rx294 Jun 9, 2021
e8e1217
fixed 81845, 81857, 81881, 81883, 81899, replaced classified descript…
HackerShark Jun 9, 2021
e88cee3
Add support to non standard mongodb port
rx294 Jun 9, 2021
d7df8c4
fixed 81863, 81877, 81881, 81883, 81893, 81901, 81903, 81905, 81907, …
HackerShark Jun 10, 2021
012a9c8
fixed 81917, added new input to inspec.yml and inputs.yml
HackerShark Jun 22, 2021
9b11453
fixed 81865
HackerShark Jun 22, 2021
0ffdb89
Resource update to handle UUID line that makes the JSON invalid
rx294 Jun 23, 2021
878d580
Merge branch 'review_fixes' of https://github.com/mitre/mongodb-enter…
rx294 Jun 23, 2021
be56919
Updates to manual controls to populate target info
rx294 Jun 23, 2021
ecddc81
updating inputs by removing unused ones
HackerShark Jun 23, 2021
e629cfe
Updated controls 81845 81857 81877 81909 81911 81925 to use inputs fo…
HackerShark Jun 23, 2021
e5279ea
Updated controls 81845 81857 81877 81909 81911 81925 to use hostname …
HackerShark Jun 23, 2021
9bdca6d
Updated controls 81845 81857 81877 81909 81911 81925 to use additiona…
HackerShark Jun 25, 2021
bab8d0f
Ran cookstyle autocorrect to fix chef linting issues
HackerShark Jun 25, 2021
5d66522
Updated inputs in inspec.yml and inputs.yml to accommodate null values…
HackerShark Jun 25, 2021
3a13b9b
removed `puts` command to fix broken ci/cd
aaronlippold Jun 25, 2021
06462b4
removed test.json file
aaronlippold Jun 25, 2021
1e90be6
- fixed the vanilla min threshold
aaronlippold Jun 25, 2021
be20660
- fixed rubocop file
aaronlippold Jun 25, 2021
44565fc
- added 'cookstyle' gem to the Gemfile
aaronlippold Jun 25, 2021
72700a4
Input value updates
rx294 Jun 27, 2021
5aea2b0
Input value updates
rx294 Jun 27, 2021
7f83275
Profile review updates
rx294 Jun 28, 2021
b049070
Profile metadata updates
rx294 Jun 28, 2021
8 changes: 3 additions & 5 deletions .rubocop.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
AllCops:
TargetRubyVersion: 2.3
TargetRubyVersion: 2.7
Exclude:
- Gemfile
- Rakefile
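Review bot: the TargetRubyVersion bump from 2.3 to 2.7 at the top of this hunk is not paired with anything visible that enforces Ruby 2.7 where the profile is linted and run; add a matching Ruby pin in CI so that cookstyle autocorrect, which rewrites syntax for the target version, cannot emit code the CI or InSpec runtime does not accept.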
@@ -16,7 +16,7 @@ AllCops:
- 'vendor/**/*'
- 'lib/bundles/inspec-init/templates/**/*'
- 'www/demo/**/*'
AlignParameters:
Layout/ParameterAlignment:
Enabled: true
BlockDelimiters:
Enabled: false
@@ -30,7 +30,7 @@ HashSyntax:
Enabled: true
LineLength:
Enabled: false
Layout/AlignHash:
Layout/HashAlignment:
Enabled: false
Layout/EmptyLineAfterMagicComment:
Enabled: false
@@ -57,8 +57,6 @@ Security/YAMLLoad:
Enabled: false
Style/AndOr:
Enabled: false
Style/BracesAroundHashParameters:
Enabled: false
Style/ClassAndModuleChildren:
Enabled: false
Style/ConditionalAssignment:
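Review bot: dropping Style/BracesAroundHashParameters is right since that cop no longer exists in current RuboCop, but the context at the top of this hunk shows Security/YAMLLoad still disabled. The controls read the configuration file through InSpec's yaml resource, so nothing in this PR is affected, yet re-enabling the cop costs nothing and would flag any future helper that calls YAML.load on content taken from the scan target, where arbitrary object deserialization is the risk.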
3 changes: 2 additions & 1 deletion Gemfile
@@ -8,4 +8,5 @@ gem 'inspec_tools'
gem 'kitchen-sync'
gem 'kitchen-vagrant'
gem 'kitchen-docker'
gem 'kitchen-ec2'
gem 'kitchen-ec2'
gem 'cookstyle'
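Review bot: `gem 'cookstyle'` is added without a version constraint, while the .rubocop.yml in this PR depends on renamed cop names (Layout/ParameterAlignment, Layout/HashAlignment) and on Style/BracesAroundHashParameters being gone; an older cookstyle resolved on another machine will reject that config, so pin the gem to the version the autocorrect commit was run with.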
168 changes: 103 additions & 65 deletions README.md
@@ -13,71 +13,107 @@ Latest versions and installation options are available at the [InSpec](http://in
The following inputs must be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the [InSpec Profile Documentation](https://www.inspec.io/docs/reference/profiles/).

```yaml
# MongoDB configuration file
mongod_conf: ''

# MongoDB Home Directory'
mongo_data_dir: ''

# MongoDB Server PEM File'
mongod_pem: ''

# MongoDB CA File
mongod_cafile: ''

# MongoDB Client PEM File
mongod_client_pem: ''

# MongoDB Audit Log File
mongod_auditlog: ''

# MongoDB SASLAUTHD File
saslauthd: ''

# MongoDB is Running in Docker Environment - True/False
is_docker: ''

# MongoDB is Using PKI Authentication - True/False
mongo_use_pki: ''

# MongoDB is Using LDAP - True/False
mongo_use_ldap: ''

# MongoDB is Using SASLAUTHD - True/False
mongo_use_saslauthd: ''

# List of MongoDB Redhat Packages
mongodb_redhat_packages: []

# List of MongoDB Debian Packages
mongodb_debian_packages: []

# User to log into the mongo database
user: ''

# password to log into the mongo database
password: ''

# List of authorized users of the admn database
admin_db_users: []

# List of authorized users of the admn database
config_db_users: []

# List of authorized users of the admn database
myUserAdmin_allowed_role: []

# List of authorized users of the admn database
mongoadmin_allowed_role: []

# List of authorized users of the admn database
mongodb_admin_allowed_role: []

# List of authorized users of the admn database
appAdmin_allowed_role: []

# List of authorized users of the admn database
accountAdmin01_allowed_role: []
- name: username
description: 'User to log into the mongo database'
value: null
sensitive: true

- name: password
description: 'Password to log into the mongo database'
value: null
sensitive: true

- name: mongod_hostname
description: 'Hostname for mongodb database'
type: string
value: '127.0.0.1'

- name: mongod_port
description: 'Port number for the mongodb database'
type: string
value: '27017'

- name: ssl
description: 'Is ssl enabled'
type: boolean
value: false

- name: verify_ssl
description: 'Flag for sslAllowInvalidCertificates'
type: boolean
value: false

- name: mongod_client_pem
description: 'PEM file location on the scan target'
value: null

- name: mongod_cafile
description: 'CAFILE location on the scan target'
value: null

- name: authentication_database
description: 'Flag for authentication database'
value: null

- name: authentication_mechanism
description: 'Flag for authentication mechanism'
value: null

- name: mongod_conf
description: 'MongoDB configuration file'
type: string
value: '/etc/mongod.conf'
required: true

- name: mongo_data_dir
description: 'MongoDB Home Directory'
type: string
value: '/var/lib/mongo'
required: true

- name: mongo_use_ldap
description: 'MongoDB is Using LDAP - True/False'
type: boolean
value: false
required: true

- name: mongo_use_saslauthd
description: 'MongoDB is Using SASLAUTHD - True/False'
type: boolean
value: false
required: true

- name: approved_mongo_packages
description: 'List of MongoDB Packages'
type: array
value: [
'mongodb-enterprise',
'mongodb-enterprise-mongos',
'mongodb-enterprise-server',
'mongodb-enterprise-shell',
'mongodb-enterprise-tools'
]
required: true

- name: mongodb_service_account
description: 'Mongodb Service Account'
type: array
value: ["mongodb", "mongod"]

- name: mongodb_service_group
description: 'Mongodb Service Group'
type: array
value: ["mongodb", "mongod"]

- name: is_sensitive
description: 'Set to true if target is sensitive as described in control V-81875 and V-81919'
type: boolean
value: true

- name: certificate_key_file
description: 'Path to server certificate key file'
type: string
value: "/etc/ssl/mongodb.pem"
```

# Running This Baseline Directly from Github
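Review bot: the replacement block uses the inspec.yml input-definition schema (`- name:` / `description:` / `type:` / `value:`), but the sentence kept above it still says these inputs are configured in an inputs ".yml" file for the profile run, which InSpec reads as flat `key: value` pairs; either reword the sentence to say this is the profile's own metadata, or show the flat form the operator actually writes (for example `mongod_hostname: '127.0.0.1'`). Two of the new inputs also deserve clearer text: `verify_ssl` is described as 'Flag for sslAllowInvalidCertificates', which is the inverse sense of its name, so state which value makes the resource pass `--sslAllowInvalidCertificates` before an operator sets it assuming `false` means "do not verify"; and `mongod_port` is typed as string although it carries a number, so a numeric type would reject a malformed value before it reaches the command line.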
@@ -124,6 +160,8 @@ The JSON InSpec results file may also be loaded into a __[full heimdall server](

## Authors
* Alicia Sturtevant - [asturtevant](https://github.com/asturtevant)
* Mohamed El-Sharkawi - [HackerShark](https://github.com/HackerShark)
* Rony Xavier - [rx294](https://github.com/rx294)

## Special Thanks
* Mohamed El-Sharkawi - [HackerShark](https://github.com/HackerShark)
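Review bot: Mohamed El-Sharkawi is added under Authors while the context line below keeps him under Special Thanks; list him once.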
1 change: 1 addition & 0 deletions Review.md
@@ -23,4 +23,5 @@

Another tip is to cat all the controls into a single file so you don't have to open every individaul file and try to keep track of where you are and which one is next.


*** A completion date is entered in a row when all non-enhancement issues are resolved for that review row.
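Review bot: the hunk leaves two consecutive blank lines before the `***` footnote; drop one, and the context line's "individaul" is worth correcting to "individual" while this file is open.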
27 changes: 13 additions & 14 deletions controls/V-81843.rb
@@ -1,19 +1,19 @@
control "V-81843" do
control 'V-81843' do
title "MongoDB must integrate with an organization-level
authentication/access mechanism providing account management and automation for
all users, groups, roles, and any other principals."
desc "MongoDB must integrate with an organization-level
authentication/access mechanism providing account management and automation for
all users, groups, roles, and any other principals."
desc "check", "Verify that the MongoDB configuration file (default location:

desc 'check', "Verify that the MongoDB configuration file (default location:
/etc/mongod.conf) contains the following:

security:
authorization: \"enabled\"

If this parameter is not present, this is a finding."
desc "fix", "Edit the MongoDB configuration file (default location:
desc 'fix', "Edit the MongoDB configuration file (default location:
/etc/mongod.conf) to include the following:

security:
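Review bot: the `desc` directly under `title` still repeats the title text verbatim; the quote-style changes in this hunk are fine, but the description should carry the STIG vulnerability discussion rather than a copy of the title, since that text is what appears beside the result in the Heimdall report.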
@@ -35,19 +35,18 @@
6. Create additional users as needed for your deployment."

impact 0.5
tag "severity": "medium"
tag "gtitle": "SRG-APP-000023-DB-000001"
tag "gid": "V-81843"
tag "rid": "SV-96557r1_rule"
tag "stig_id": "MD3X-00-000010"
tag "fix_id": "F-88693r1_fix"
tag "cci": ["CCI-000015"]
tag "nist": ["AC-2 (1)"]
tag "severity": 'medium'
tag "gtitle": 'SRG-APP-000023-DB-000001'
tag "gid": 'V-81843'
tag "rid": 'SV-96557r1_rule'
tag "stig_id": 'MD3X-00-000010'
tag "fix_id": 'F-88693r1_fix'
tag "cci": ['CCI-000015']
tag "nist": ['AC-2 (1)']
tag "documentable": false
tag "severity_override_guidance": false

describe yaml(input('mongod_conf')) do
its(%w{security authorization}) { should cmp 'enabled' }
its(%w(security authorization)) { should cmp 'enabled' }
end

end
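Review bot: the `%w{}` to `%w()` change and the single-quoted tag values are cosmetic, but the `tag "severity":` keys remain double-quoted symbols, inconsistent with the single-quoted style adopted in the same lines; `tag severity: 'medium'` avoids the quoted-symbol form entirely. On the check itself, `yaml(input('mongod_conf'))` with a wrong path produces a resource error rather than a clear finding, so add a `describe file(input('mongod_conf'))` existence check ahead of it so a misconfigured input is reported as such rather than as a parse failure.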