diff --git a/spec/mongo-inspec-profile/controls/SV-252140.rb b/spec/mongo-inspec-profile/controls/SV-252140.rb
index 65d73d8..fba9d0c 100644
--- a/spec/mongo-inspec-profile/controls/SV-252140.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252140.rb
@@ -64,4 +64,36 @@
 tag 'documentable'
 tag cci: ['CCI-001082']
 tag nist: ['SC-2']
+
+ get_system_users = "EJSON.stringify(db.system.users.find().toArray())"
+
+ run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
+
+ system_users = json({command: run_get_system_users}).params
+
+ system_users.each do |user|
+ user_id = user['_id']
+ unless input('mongo_superusers').include?(user_id)
+
+ db_name = user['db']
+ user_roles = user['roles'].map { |role| "#{role['role']}" }
+ db_roles = user_roles.map { |role| "#{db_name}.#{role}" }
+
+ user_roles.each do |role|
+ run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\""
+
+ role_output = json({command: run_get_role}).params
+
+ all_actions = role_output["privileges"].map { |privilege| privilege["actions"] } + + role_output["inheritedPrivileges"].map { |privilege| privilege["actions"] }
+ all_actions.flatten!
+
+ describe "Role '#{role}' of user #{user['_id']} has the proper privileges" do
+ subject { all_actions }
+ it { should_not be_in input('inappropriate_mongo_privileges') }
+ end
+ end
+ end
+ end
+ end
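Review bot: `run_get_role` connects to `db_name`, the database the user is defined in, for every role, but each element of `user['roles']` is a `{role, db}` document, so a role granted from another database is looked up in the wrong place, `db.getRole` returns `null`, `role_output` becomes `nil`, and `role_output["privileges"]` raises NoMethodError instead of producing a finding; the loop should iterate the role documents, use `role['db']` in the connection string, and handle a nil lookup explicitly. The SV-252163 hunk below adds this block verbatim, so the same fix applies there (a shared helper would avoid keeping two copies in sync). Both hunks also interpolate `mongo_dba_password` into the mongosh command line, where it is visible in the process table to any local user while the command runs and may be echoed in InSpec's failure output for the `json` resource (to confirm); since the profile already follows this pattern elsewhere, a comment such as `# NOTE: DBA credentials are passed on the mongosh command line and are visible to local users in the process table while it runs` should at least record it. `db_roles` is assigned and never used, `"#{role['role']}"` is just `role['role']`, and `input'auth_source'` should be `input('auth_source')` to match the other calls. Whether the line after `all_actions = …` continues it with a trailing `+` or stands on its own cannot be told from this collapsed diff; if it stands alone it is a no-op and inherited privileges are never checked.
```ruby
      user['roles'].each do |role_doc|
        role = role_doc['role']
        role_db = role_doc['db']
        run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{role_db}?authSource=#{input('auth_source')}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\""
        role_output = json({command: run_get_role}).params

        # A missing role is a finding, not a crash: report it and skip the privilege check.
        describe "Role '#{role}' of user #{user_id} exists in database '#{role_db}'" do
          subject { role_output }
          it { should_not be_nil }
        end
        next if role_output.nil?

        all_actions = (Array(role_output['privileges']) + Array(role_output['inheritedPrivileges'])).flat_map { |privilege| privilege['actions'] }
        # … unchanged: describe block checking all_actions against input('inappropriate_mongo_privileges') …
      end
```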
diff --git a/spec/mongo-inspec-profile/controls/SV-252147.rb b/spec/mongo-inspec-profile/controls/SV-252147.rb
index a846068..2bb17cb 100644
--- a/spec/mongo-inspec-profile/controls/SV-252147.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252147.rb
@@ -44,7 +44,7 @@
 tag nist: ['SC-28 (1)', 'SC-28 (1)']
 only_if 'Encryption at rest must be enabled' do
- input('encryption_at_rest') == true
+ input('encryption_at_rest')
 end
 describe mongodb_conf(input('mongod_config_path')) do
@@ -55,6 +55,4 @@
 its(['kmip','clientCertificateFile']){should match input('KMIP_client_certificate_file')}
 end
-
-
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252149.rb b/spec/mongo-inspec-profile/controls/SV-252149.rb
index 75aa18a..7260d6a 100644
--- a/spec/mongo-inspec-profile/controls/SV-252149.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252149.rb
@@ -51,5 +51,11 @@
 describe mongodb_conf(input('mongod_config_path')) do
 its(['security','authorization']){should eq "enabled"}
 end
+
+ if input('ldap_enabled')
+ describe mongodb_conf(input('mongod_config_path')) do
+ its(['security', 'ldap', 'servers']) { should match /ldap/i }
+ end
+ end
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252163.rb b/spec/mongo-inspec-profile/controls/SV-252163.rb
index ec6de3d..fe6ada8 100644
--- a/spec/mongo-inspec-profile/controls/SV-252163.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252163.rb
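Review bot: Dropping `== true` widens what `only_if` accepts: any value other than `nil`/`false` now enables the control, so if `encryption_at_rest` ever reaches the profile as the string "false" (for example from an untyped input file or CLI override — whether InSpec coerces that is to be confirmed) the encryption checks still run and fail on a host where they are intentionally not applicable. This is harmless if the input is declared `type: boolean` in inspec.yml; otherwise keep a real boolean test, e.g. `input('encryption_at_rest').to_s == 'true'`. The same change is made in the SV-252165 hunk further down, where the same caveat applies.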
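Review bot: `should match /ldap/i` on `security.ldap.servers` only proves the configured value contains the substring "ldap": a directory server named by IP address or by a hostname without that substring fails the check while any unrelated value containing it passes, so the assertion does not establish that the servers are the authorized ones. Compare against an input that lists the expected servers instead, e.g. `its(['security', 'ldap', 'servers']) { should match input('ldap_servers') }` (`ldap_servers` is a proposed input name, not one declared in the visible inspec.yml hunk), or use `should_not be_nil` if only presence is intended. The enclosing control block starts outside this hunk.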
@@ -62,4 +62,36 @@
 tag 'documentable'
 tag cci: ['CCI-000804']
 tag nist: ['IA-8']
+
+ get_system_users = "EJSON.stringify(db.system.users.find().toArray())"
+
+ run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
+
+ system_users = json({command: run_get_system_users}).params
+
+ system_users.each do |user|
+ user_id = user['_id']
+ unless input('mongo_superusers').include?(user_id)
+
+ db_name = user['db']
+ user_roles = user['roles'].map { |role| "#{role['role']}" }
+ db_roles = user_roles.map { |role| "#{db_name}.#{role}" }
+
+ user_roles.each do |role|
+ run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\""
+
+ role_output = json({command: run_get_role}).params
+
+ all_actions = role_output["privileges"].map { |privilege| privilege["actions"] } + + role_output["inheritedPrivileges"].map { |privilege| privilege["actions"] }
+ all_actions.flatten!
+
+ describe "Role '#{role}' of user #{user['_id']} has the proper privileges" do
+ subject { all_actions }
+ it { should_not be_in input('inappropriate_mongo_privileges') }
+ end
+ end
+ end
+ end
+ end
diff --git a/spec/mongo-inspec-profile/controls/SV-252165.rb b/spec/mongo-inspec-profile/controls/SV-252165.rb
index 5dc756c..97f84b8 100644
--- a/spec/mongo-inspec-profile/controls/SV-252165.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252165.rb
@@ -45,7 +45,7 @@
 tag nist: ['SC-28']
 only_if 'Encryption at rest must be enabled' do
- input('encryption_at_rest') == true
+ input('encryption_at_rest')
 end
 check_command="db.serverStatus().encryptionAtRest.encryptionEnabled"
diff --git a/spec/mongo-inspec-profile/controls/SV-252178.rb b/spec/mongo-inspec-profile/controls/SV-252178.rb
index cc29dc4..4ee2fa4 100644
--- a/spec/mongo-inspec-profile/controls/SV-252178.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252178.rb
@@ -27,7 +27,7 @@
 run_check_command = "openssl x509 -in /etc/ssl/CA_bundle.pem -text | grep -i issuer"
 describe command(run_check_command) do
- its('stdout'){should match /Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA/i}
+ its('stdout'){should match /Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA/}
 end
 end
diff --git a/spec/mongo-inspec-profile/inspec.yml b/spec/mongo-inspec-profile/inspec.yml
index b21d79b..669ba04 100644
--- a/spec/mongo-inspec-profile/inspec.yml
+++ b/spec/mongo-inspec-profile/inspec.yml
@@ -115,6 +115,16 @@ inputs:
 required: true
 sensitive: true
+ # SV-252140, SV-252163
+ - name: inappropriate_mongo_privileges
+ description: "Inappropriate priveleges for all roles in MongoDB"
+ type: array
+ value:
+ - "changeStream"
+ - "createCollections"
+ required: true
+ sensitive: true
+ # SV-252154
 - name: mongo_dbs
 description: "Authorized mongo databases"
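Review bot: Removing the `/i` flag makes the Issuer match case-sensitive, which is the stricter and appropriate direction for a compliance check, but the pattern is still tied to the `C = US, O = …` spacing that `openssl x509 -text` happens to print, and that spacing has differed between OpenSSL releases, so the control can fail on a host with a different OpenSSL build even when the issuer is correct. The command on the context line also reads a fixed `/etc/ssl/CA_bundle.pem` while the other controls take the CA path from `input('ca_file')`, and `openssl x509` decodes only the first certificate of a bundle, so later CAs in the file are never inspected (to confirm against the deployed bundle). Printing the issuer in a fixed format, e.g. `openssl x509 -in /etc/ssl/CA_bundle.pem -noout -issuer -nameopt RFC2253`, and adjusting the regex to that output would make the assertion stable across OpenSSL versions.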
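Review bot: `createCollections` does not match the spelling of the MongoDB privilege action it appears to target (`createCollection`, singular, as far as I know), so the `be_in` comparison in SV-252140 and SV-252163 would never flag that action; every entry in this list should be checked against the actual action names before the control is relied on. `sensitive: true` hides the list's value in reports, but nothing in it is secret and a masked value makes a failing privilege check harder to read, so it looks copied from the credential input above it; `sensitive: false` is more useful here. The description also has a typo: `priveleges` should be `privileges`.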