Running PR for Profile review and Fix #14

Open
wants to merge 34 commits into base: master
Changes from 13 commits
34 commits
c94d0ab
Injection changes to start a PR
rx294 May 14, 2021
283abbf
updating controls to fix broken logic, also adding missing inputs
HackerShark May 18, 2021
de54c31
cleaning up code to be a bit more efficient
HackerShark May 18, 2021
ebcf6ff
Adding additional fixes, removing unused inputs from inputs.yml and i…
HackerShark May 19, 2021
609d7b0
Updating control to fix problematic logic
HackerShark May 19, 2021
46268f0
V-81859 improved logic flow
HackerShark May 20, 2021
084b820
Fixing 81849 to incorporate missing check
HackerShark May 24, 2021
1bb651f
modified 81869 to better check against more conditions
HackerShark May 24, 2021
5af90d9
fixed 81875, 81887. Added mongodb resource
HackerShark Jun 8, 2021
174f447
SSL and other auth enhancements to mongo_command resource
rx294 Jun 9, 2021
b5ae664
SSL and other auth enhancements to mongo_command resource
rx294 Jun 9, 2021
e8e1217
fixed 81845, 81857, 81881, 81883, 81899, replaced classified descript…
HackerShark Jun 9, 2021
e88cee3
Add support to non standard mongodb port
rx294 Jun 9, 2021
d7df8c4
fixed 81863, 81877, 81881, 81883, 81893, 81901, 81903, 81905, 81907, …
HackerShark Jun 10, 2021
012a9c8
fixed 81917, added new input to inspec.yml and inputs.yml
HackerShark Jun 22, 2021
9b11453
fixed 81865
HackerShark Jun 22, 2021
0ffdb89
Resource update to handle UUID line that makes the JSON invalid
rx294 Jun 23, 2021
878d580
Merge branch 'review_fixes' of https://github.com/mitre/mongodb-enter…
rx294 Jun 23, 2021
be56919
Updates to manual controls to populate target info
rx294 Jun 23, 2021
ecddc81
updating inputs by removing unused ones
HackerShark Jun 23, 2021
e629cfe
Updated controls 81845 81857 81877 81909 81911 81925 to use inputs fo…
HackerShark Jun 23, 2021
e5279ea
Updated controls 81845 81857 81877 81909 81911 81925 to use hostname …
HackerShark Jun 23, 2021
9bdca6d
Updated controls 81845 81857 81877 81909 81911 81925 to use additiona…
HackerShark Jun 25, 2021
bab8d0f
Ran cookstyle autocorrect to fix chef linting issues
HackerShark Jun 25, 2021
5d66522
Updated inputs in inspec.yml and inputs.yml to accommodate null values…
HackerShark Jun 25, 2021
3a13b9b
removed `puts` command to fix broken ci/cd
aaronlippold Jun 25, 2021
06462b4
removed test.json file
aaronlippold Jun 25, 2021
1e90be6
- fixed the vanilla min threshold
aaronlippold Jun 25, 2021
be20660
- fixed rubocop file
aaronlippold Jun 25, 2021
44565fc
- added 'cookstyle' gem to the Gemfile
aaronlippold Jun 25, 2021
72700a4
Input value updates
rx294 Jun 27, 2021
5aea2b0
Input value updates
rx294 Jun 27, 2021
7f83275
Profile review updates
rx294 Jun 28, 2021
b049070
Profile metadata updates
rx294 Jun 28, 2021
1 change: 1 addition & 0 deletions Review.md
Expand Up @@ -23,4 +23,5 @@

Another tip is to cat all the controls into a single file so you don't have to open every individaul file and try to keep track of where you are and which one is next.


*** A completion date is entered in a row when all non-enhancement issues are resolved for that review row.
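Review bot: the added sentence in Review.md misspells "individual" as "individaul" ("open every individaul file"); since the hunk touches this paragraph anyway, fix the spelling in the same change. The new "*** A completion date ..." line is a footnote-style note, so make sure the table row or column it qualifies carries the matching "***" marker, otherwise readers cannot tell what it refers to.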
83 changes: 2 additions & 81 deletions controls/V-81845.rb
Expand Up @@ -39,86 +39,7 @@
tag "documentable": false
tag "severity_override_guidance": false

a = []
dbnames = []

if input('mongo_use_pki') == 'true'
get_databases = command("sudo mongo --ssl --sslPEMKeyFile #{input('mongod_client_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'JSON.stringify(db.adminCommand( { listDatabases: 1, nameOnly: true}))'").stdout.strip.split('"name":"')
else
get_databases = command("mongo -u '#{input('user')}' -p '#{input('password')}' --quiet --eval \
'JSON.stringify(db.adminCommand( { listDatabases: 1, nameOnly: true}))'").stdout.strip.split('"name":"')
describe 'A manual review is required to determine the required levels of protection for DBMS server securables by type of login.' do
skip 'A manual review is required to determine the required levels of protection for DBMS server securables by type of login.'
end

if get_databases.grep(/error/).empty? == false
describe 'Verify the correct credentials or a valid client certificate is used to execute the query.' do
skip 'Verify the correct credentials or a valid client certificate is used to execute the query.'
end
else
get_databases.each do |db|
if db.include? 'databases'

a.push(db)
get_databases.delete(db)
end
end

get_databases.each do |db|

loc_colon = db.index('"')
names = db[0, loc_colon]
dbnames.push(names)
end

if dbnames.empty?
describe 'There are no mongo databases, therefore for this control is NA' do
skip 'There are no mongo databases, therefore for this control is NA'
end
end

if !dbnames.empty?
dbnames.each do |dbs|
if input('mongo_use_pki') == 'true'
users = command("sudo mongo admin --ssl --sslPEMKeyFile #{input('mongod_client_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\"}, {user: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
else
users = command("mongo admin -u '#{input('user')}' -p '#{input('password')}' --quiet --eval \
'db.system.users.find({db: \"#{dbs}\"}, {user: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
end

users.each do |t|

loc_colon = t.index(':')

user = t[loc_colon+3..-1]

loc_quote = user.index('"')

username = user[0, loc_quote]

if input('mongo_use_pki') == 'true'
getdb_roles = command("sudo mongo admin --ssl --sslPEMKeyFile #{input('mongod_client_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\", user: \"#{username}\"}, {roles: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
else
getdb_roles = command("mongo admin -u '#{input('user')}' -p '#{input('password')}' --quiet --eval \
'db.system.users.find({db: \"#{dbs}\", user: \"#{username}\"}, {roles: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
end

getdb_roles.each do |r|
remove_role = r.index('[')
rr = r[remove_role..-1]

allowed_role = username
describe "The database role for user: #{username}" do
subject { rr }
it { should be_in input("#{allowed_role}_allowed_role") }
end
end
end
end
end
end
end
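Review bot: with the whole enumeration loop deleted, V-81845 now ends in an unconditional `skip`, so the per-user role comparison `it { should be_in input("#{allowed_role}_allowed_role") }` and the `mongo_use_pki`, `user`, `password`, `mongod_client_pem`, `mongod_cafile` and `mongod_hostname` inputs it consumed have no consumer left in this control; the commit message should say why the automation was dropped (the parsing, which split `JSON.stringify` output on `'"name":"'` and then sliced around `:` and `"`, is the likely reason), and any input that nothing else reads should be pruned from inspec.yml and inputs.yml. Also worth recording: the removed path passed `-p '#{input('password')}'` on the mongo command line, which exposes the password in process listings, so if an automated check returns it should authenticate through a resource that does not put the secret in argv.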
30 changes: 17 additions & 13 deletions controls/V-81849.rb
Expand Up @@ -101,18 +101,22 @@
tag "documentable": false
tag "severity_override_guidance": false

if file(input('mongod_auditlog')).exist?
mongodb_auditlog_dir = command("dirname #{input('mongod_auditlog')}").stdout.strip
describe file(mongodb_auditlog_dir) do
it { should_not be_more_permissive_than('0700') }
its('owner') { should be_in input('mongodb_service_account') }
its('group') { should be_in input('mongodb_service_group') }
end
else
describe file('/var/log') do
it { should_not be_more_permissive_than('0755') }
its('owner') { should eq 'root' }
its('group') { should eq 'root' }
end
mongodb_auditlog_dir = yaml(input('mongod_conf'))['auditLog', 'path']
mongodb_service_account = input('mongodb_service_account')
mongodb_service_group = input('mongodb_service_group')

describe file(mongodb_auditlog_dir) do
it { should exist }
end

describe file(mongodb_auditlog_dir) do
it { should_not be_more_permissive_than('0700') }
its('owner') { should be_in mongodb_service_account }
its('group') { should be_in mongodb_service_group }
end

describe command("dirname #{mongodb_auditlog_dir}") do
it { should cmp '/var/lib/mongo'}
end

end
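Review bot: `mongodb_auditlog_dir` is read from `auditLog.path`, which in mongod.conf names the audit log file rather than its directory, so the `0700`/owner/group checks now run against the file while the variable and the earlier `dirname`-based version say directory; either rename it (for example `mongodb_auditlog_path`) or keep the `dirname` step from the removed code. Two robustness points: when `auditLog` is not configured the lookup yields nil, and `file(nil)` together with `command("dirname ")` is unlikely to produce a clear finding, so guard the nil case with an explicit `describe`/`skip` or a failing `its`; and the expected parent `'/var/lib/mongo'` in `it { should cmp '/var/lib/mongo'}` is hard-coded where every other path in these controls comes from an input, so move it into inputs.yml. The separate `it { should exist }` describe is redundant, since the permission describe fails on a missing file anyway.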
7 changes: 5 additions & 2 deletions controls/V-81851.rb
Expand Up @@ -67,10 +67,13 @@
tag "nist": ["AU-9"]
tag "documentable": false
tag "severity_override_guidance": false

mongodb_service_account = input('mongodb_service_account')
mongodb_service_group = input('mongodb_service_group')

describe file(input('mongod_conf')) do
it { should_not be_more_permissive_than('0700') }
its('owner') { should be_in input('mongodb_service_account') }
its('group') { should be_in input('mongodb_service_group') }
its('owner') { should be_in mongodb_service_account }
its('group') { should be_in mongodb_service_group }
end
end
9 changes: 3 additions & 6 deletions controls/V-81855.rb
Expand Up @@ -47,12 +47,9 @@
tag "documentable": false
tag "severity_override_guidance": false

if input('is_docker') == 'true'
describe "The MongoDB is installed within a Docker container so it is
separate from the host OS, therefore this is not a finding." do
subject { virtualization.system }
it {should cmp 'docker'}
end
if virtualization.system.eql?('docker')
impact 0.0
desc 'caveat', 'This is Not Applicable since the MongoDB is installed within a Docker container so it is separate from the host OS'
else
describe "This test requires a Manual Review: Ensure all database software,
including DBMS configuration files, is stored in dedicated directories, or
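Review bot: replacing the `is_docker` string input with `virtualization.system.eql?('docker')` is the right direction, but the `impact 0.0` branch recognises only Docker; `virtualization.system` also reports other container runtimes (for example `lxc`) for which the host-OS separation argument in the caveat applies just as well, so consider testing membership in a list of container systems instead of a single string. Also confirm `is_docker` is removed from inspec.yml and inputs.yml, since nothing reads it after this change.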
84 changes: 2 additions & 82 deletions controls/V-81857.rb
Expand Up @@ -58,87 +58,7 @@
tag "documentable": false
tag "severity_override_guidance": false

a = []
dbnames = []

if input('mongo_use_pki') == 'true'
get_databases = command("sudo mongo --ssl --sslPEMKeyFile #{input('mongod_client_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'JSON.stringify(db.adminCommand( { listDatabases: 1, nameOnly: true}))'").stdout.strip.split('"name":"')
else
get_databases = command("mongo -u '#{input('user')}' -p '#{input('password')}' \
--quiet --eval 'JSON.stringify(db.adminCommand( { listDatabases: 1, nameOnly: true}))'").stdout.strip.split('"name":"')
end

if get_databases.grep(/error/).empty? == false
describe 'Verify the correct credentials or a valid client certificate is used to execute the query.' do
skip 'Verify the correct credentials or a valid client certificate is used to execute the query.'
end
else
get_databases.each do |db|
if db.include? 'databases'

a.push(db)
get_databases.delete(db)
end
end

get_databases.each do |db|

loc_colon = db.index('"')
names = db[0, loc_colon]
dbnames.push(names)
end

if dbnames.empty?
describe 'There are no mongo databases, therefore for this control is NA' do
skip 'There are no mongo databases, therefore for this control is NA'
end
end

if !dbnames.empty?
dbnames.each do |dbs|

if input('mongo_use_pki') == 'true'
users = command("sudo mongo admin --ssl --sslPEMKeyFile #{input('mongod_client_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\"}, {user: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
else
users = command("mongo admin -u '#{input('user')}' -p '#{input('password')}' \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\"}, {user: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
end

users.each do |t|

loc_colon = t.index(':')

user = t[loc_colon+3..-1]

loc_quote = user.index('"')

username = user[0, loc_quote]

if input('mongo_use_pki') == 'true'
getdb_roles = command("sudo mongo admin --ssl --sslPEMKeyFile #{input('mongod_client_pem')} --sslCAFile #{input('mongod_cafile')} \
--authenticationDatabase '$external' --authenticationMechanism MONGODB-X509 --host #{input('mongod_hostname')} \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\", user: \"#{username}\"}, {roles: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
else
getdb_roles = command("mongo admin -u '#{input('user')}' -p '#{input('password')}' \
--quiet --eval 'db.system.users.find({db: \"#{dbs}\", user: \"#{username}\"}, {roles: 1, _id: false, distinct: 1})'").stdout.strip.split("\n")
end

getdb_roles.each do |r|
remove_role = r.index('[')
rr = r[remove_role..-1]

allowed_role = username
describe "The database role for user: #{username}" do
subject { rr }
it { should be_in input("#{allowed_role}_allowed_role") }
end
end
end
end
end
describe 'A manual review is required to determine if any roles or users have unauthorized access' do
skip 'A manual review is required to determine if any roles or users have unauthorized access'
end
end
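Review bot: this is the same replacement as in V-81845, and the roughly 80 deleted lines are a near-verbatim copy of the block deleted there (same `split('"name":"')` parsing, same `db.system.users.find` queries, same `-p '#{input('password')}'` on the command line); if automation comes back for either control, factor the database/user/role enumeration into one shared resource rather than duplicating it per control. As with V-81845, the commit should state why the automated check was replaced by a manual-review `skip`, and the inputs that only these two controls consumed should be dropped if they are now unused.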
43 changes: 14 additions & 29 deletions controls/V-81859.rb
Expand Up @@ -46,36 +46,21 @@
tag "nist": ["CM-7 a"]
tag "documentable": false
tag "severity_override_guidance": false

if os.debian?
dpkg_packages = command("dpkg --get-selections | grep mongodb").stdout.split("\n")
if dpkg_packages.empty?
describe 'There are no mongo database packages installed, therefore for this control is NA' do
skip 'There are no mongo database packages installed, therefore for this control is NA'
end
else
dpkg_packages.each do |package|
package = command("echo #{package} | sed 's/ hold$//'").stdout.split
describe "The installed mongodb package: #{package}" do
subject { package }
it { should be_in input('mongodb_debian_packages') }
end
end


approved_mongo_packages = input('approved_mongo_packages')

dpkg_packages = packages(/mongodb/).names
if dpkg_packages.empty?
describe 'There are no mongo database packages installed, therefore for this control is NA' do
skip 'There are no mongo database packages installed, therefore for this control is NA'
end
elsif os.redhat?
rpm_packages = command("rpm -qa | grep mongodb").stdout.split("\n")
if rpm_packages.empty?
describe 'There are no mongo database packages installed, therefore for this control is NA' do
skip 'There are no mongo database packages installed, therefore for this control is NA'
end
else
rpm_packages.each do |package|
package = command("echo #{package} | sed 's/.x86.*//'").stdout.split
describe "The installed mongodb package: #{package}" do
subject { package }
it { should be_in input('mongodb_redhat_packages') }
end
else
dpkg_packages.each do |package|
describe "The installed mongodb package: #{package}" do
subject { package }
it { should be_in approved_mongo_packages }
end
end
end
end
end
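Review bot: the variable is still called `dpkg_packages` although `packages(/mongodb/)` is the platform-neutral resource that covers both dpkg and rpm, so rename it (for example `mongo_packages`) to avoid suggesting the rpm branch was lost. Behaviour change to document: the old code compared full `rpm -qa`/`dpkg --get-selections` lines (with `sed` stripping the `.x86...` or ` hold` suffix) against `mongodb_redhat_packages`/`mongodb_debian_packages`, whereas `packages(...).names` yields bare package names, so `approved_mongo_packages` in inputs.yml must list bare names, and the two old inputs should be removed if nothing else references them.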
14 changes: 7 additions & 7 deletions controls/V-81861.rb
Expand Up @@ -57,30 +57,30 @@
tag "documentable": false
tag "severity_override_guidance": false

mongo_conf_file = input('mongod_conf')
mongo_conf_file = input('mongod_conf').to_s
describe.one do
describe yaml(mongo_conf_file.to_s) do
describe yaml(mongo_conf_file) do
its(%w{net http enabled}) { should cmp 'false' }
end
describe yaml(mongo_conf_file.to_s) do
describe yaml(mongo_conf_file) do
its(%w{net http enabled}) { should be_nil }
end
end

describe.one do
describe yaml(mongo_conf_file.to_s) do
describe yaml(mongo_conf_file) do
its(%w{net http JSONPEnabled}) { should cmp 'false' }
end
describe yaml(mongo_conf_file.to_s) do
describe yaml(mongo_conf_file) do
its(%w{net http JSONPEnabled}) { should be_nil }
end
end

describe.one do
describe yaml(mongo_conf_file.to_s) do
describe yaml(mongo_conf_file) do
its(%w{net http RESTInterfaceEnabled}) { should cmp 'false' }
end
describe yaml(mongo_conf_file.to_s) do
describe yaml(mongo_conf_file) do
its(%w{net http RESTInterfaceEnabled}) { should be_nil }
end
end
9 changes: 7 additions & 2 deletions controls/V-81869.rb
Expand Up @@ -60,8 +60,13 @@
tag "documentable": false
tag "severity_override_guidance": false

describe yaml(input('mongod_conf')) do
its(%w{net ssl allowInvalidCertificates}) { should be nil }
describe.one do
describe yaml(input('mongod_conf')) do
its(%w{net ssl allowInvalidCertificates}) { should be nil }
end
describe yaml(input('mongod_conf')) do
its(%w{net ssl allowInvalidCertificates}) { should be false }
end
end
describe yaml(input('mongod_conf')) do
its(%w{net ssl mode}) { should cmp 'requireSSL' }
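Review bot: `should be nil` and `should be false` are identity matchers, so the new `describe.one` passes only when the YAML parser yields Ruby `nil` or `false`; a quoted `allowInvalidCertificates: "false"` in mongod.conf would fail both arms and flag a correctly configured server. The sibling control V-81861 uses `cmp 'false'` for exactly this pattern, which accepts both the boolean and the string form; use `cmp 'false'` here as well for consistency.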