140, 149, 163 updated

spec/mongo-inspec-profile/controls/SV-252140.rb

@@ -64,4 +64,36 @@
   tag 'documentable'
   tag cci: ['CCI-001082']
   tag nist: ['SC-2']
+
+  get_system_users = "EJSON.stringify(db.system.users.find().toArray())"
+
+  run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
+
+  system_users = json({command: run_get_system_users}).params
+
+  system_users.each do |user|
+    user_id = user['_id']
+    unless input('mongo_superusers').include?(user_id)
+
+      db_name = user['db']
+      user_roles = user['roles'].map { |role| "#{role['role']}" }
+      db_roles = user_roles.map { |role| "#{db_name}.#{role}" }
+
+      user_roles.each do |role|
+        run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\""
+
+        role_output = json({command: run_get_role}).params
+
+        all_actions = role_output["privileges"].map { |privilege| privilege["actions"] } +
+                role_output["inheritedPrivileges"].map { |privilege| privilege["actions"] }
+        all_actions.flatten!
+
+        describe "Role '#{role}' of user #{user['_id']} has the proper privileges" do
+          subject { all_actions }
+          it { should_not be_in input('inappropriate_mongo_privileges') }
+        end
+      end
+    end
+  end
+
 end

spec/mongo-inspec-profile/controls/SV-252147.rb

@@ -44,7 +44,7 @@
   tag nist: ['SC-28 (1)', 'SC-28 (1)']
 
   only_if 'Encryption at rest must be enabled' do
-    input('encryption_at_rest') == true
+    input('encryption_at_rest')
   end
 
   describe mongodb_conf(input('mongod_config_path')) do
@@ -55,6 +55,4 @@
     its(['kmip','clientCertificateFile']){should match input('KMIP_client_certificate_file')}
   end
 
-
-
 end

spec/mongo-inspec-profile/controls/SV-252149.rb

@@ -51,5 +51,11 @@
   describe mongodb_conf(input('mongod_config_path')) do
     its(['security','authorization']){should eq "enabled"}
   end
+
+  if input('ldap_enabled')
+    describe mongodb_conf(input('mongod_config_path')) do
+      its(['security', 'ldap', 'servers']) { should match /ldap/i }
+    end
+  end
 
 end

spec/mongo-inspec-profile/controls/SV-252163.rb

@@ -62,4 +62,36 @@
   tag 'documentable'
   tag cci: ['CCI-000804']
   tag nist: ['IA-8']
+
+  get_system_users = "EJSON.stringify(db.system.users.find().toArray())"
+
+  run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
+
+  system_users = json({command: run_get_system_users}).params
+
+  system_users.each do |user|
+    user_id = user['_id']
+    unless input('mongo_superusers').include?(user_id)
+
+      db_name = user['db']
+      user_roles = user['roles'].map { |role| "#{role['role']}" }
+      db_roles = user_roles.map { |role| "#{db_name}.#{role}" }
+
+      user_roles.each do |role|
+        run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\""
+
+        role_output = json({command: run_get_role}).params
+
+        all_actions = role_output["privileges"].map { |privilege| privilege["actions"] } +
+                role_output["inheritedPrivileges"].map { |privilege| privilege["actions"] }
+        all_actions.flatten!
+
+        describe "Role '#{role}' of user #{user['_id']} has the proper privileges" do
+          subject { all_actions }
+          it { should_not be_in input('inappropriate_mongo_privileges') }
+        end
+      end
+    end
+  end
+
 end

spec/mongo-inspec-profile/controls/SV-252165.rb

@@ -45,7 +45,7 @@
   tag nist: ['SC-28']
 
   only_if 'Encryption at rest must be enabled' do
-    input('encryption_at_rest') == true
+    input('encryption_at_rest')
   end
 
   check_command="db.serverStatus().encryptionAtRest.encryptionEnabled"

spec/mongo-inspec-profile/controls/SV-252178.rb

@@ -27,7 +27,7 @@
   run_check_command = "openssl x509 -in /etc/ssl/CA_bundle.pem -text | grep -i issuer"
 
   describe command(run_check_command) do
-    its('stdout'){should match /Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA/i}
+    its('stdout'){should match /Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA/}
   end
 
 end

spec/mongo-inspec-profile/inspec.yml

@@ -115,6 +115,16 @@ inputs:
     required: true
     sensitive: true
 
+  # SV-252140, SV-252163
+  - name: inappropriate_mongo_privileges
+    description: "Inappropriate priveleges for all roles in MongoDB"
+    type: array
+    value:
+      - "changeStream"
+      - "createCollections"
+    required: true
+    sensitive: true
+
   # SV-252154
   - name: mongo_dbs
     description: "Authorized mongo databases"