update 181, update variable names, 157 testing

mitre · Apr 29, 2024 · 6fd3357 · 6fd3357
1 parent b8dbad7
commit 6fd3357
Show file tree

Hide file tree

Showing 11 changed files with 91 additions and 16 deletions.
diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -4,7 +4,7 @@ enterprise_edition: true
 fips_mode: true
 mongostig_cat1: true
 mongostig_cat2: true
-# If any data is PII, classified or is deemed by the organization the need to be encrypted at rest. For KMIP.
+# If any data is PII, classified or is deemed by the organization the need to be encrypted at rest. Set to true if using KMIP.
 encryption_at_rest: false
 
 mongo_owner: root
@@ -13,7 +13,12 @@ mongo_dba: admin
 mongo_dba_password: admin
 mongo_host: localhost
 mongo_port: 27017
+mongo_auth_source: admin
 mongo_permissions: 0600
+mongo_users:
+  - "admin.admin"
+  - "test.myTester"
+  - "products.myRoleTestUser"
 authentication_mechanism: 
   - SCRAM-SHA-256
 

diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
@@ -1,4 +1,66 @@
 ---
+- name: "MEDIUM | SV-252157 | MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users)."
+  block:
+    - name: "MEDIUM | SV-252157 | Enable authorization in MongoDB configuration"
+      yedit:
+        src: "{{ mongod_config_path }}"
+        key: security.authorization
+        value: enabled
+
+    - name: Extract _id fields from MongoDB user data
+      set_fact:
+        user_ids: "{{ user_ids | default([]) + [item._id] }}"
+      loop: "{{ user_list.stdout }}"
+
+    - name: Display all _id fields
+      debug:
+        var: user_ids
+
+    - name: Filter out users not in mongo_users
+      set_fact:
+        non_mongo_users: "{{ non_mongo_users | default([]) + [item] }}"
+      loop: "{{ user_ids }}"
+      when: item not in mongo_users
+
+    - name: Display all non_mongo_users fields
+      debug:
+        var: non_mongo_users
+
+
+  ignore_errors: false
+  tags:
+    - cat2
+    - medium
+    - SV-252157
+
+# - name: "MEDIUM | SV-252157 | MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users)."
+#   block:
+#     - name: "MEDIUM | SV-252157 | Enable authorization in MongoDB configuration"
+#       yedit:
+#         src: "{{ mongod_config_path }}"
+#         key: security.authorization
+#         value: enabled
+
+#     - name: Fetch list of databases
+#       community.mongodb.mongodb_shell:
+#         login_user: "{{ mongo_dba }}"
+#         login_password: "{{ mongo_dba_password }}"
+#         login_database: "{{ mongo_auth_source }}"
+#         login_host: "{{ mongo_host }}"
+#         login_port: "{{ mongo_port }}"
+#         eval: "db.adminCommand({ listDatabases: 1 })"
+#       register: db_list
+
+#     - name: Display the fetched databases
+#       debug:
+#         var: db_list.transformed_output.databases
+
+#   ignore_errors: true
+#   tags:
+#     - cat2
+#     - medium
+#     - SV-252157
+
 - name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords."
   yedit:
     src: "{{ mongod_config_path }}"

diff --git a/spec/ansible/roles/mongo-stig/tasks/prep.yml b/spec/ansible/roles/mongo-stig/tasks/prep.yml
@@ -40,12 +40,12 @@
 
 - name: Get all the users in a database
   ansible.builtin.command: |
-    mongosh "mongodb://localhost:27017/test" --quiet --eval "EJSON.stringify(db.getSiblingDB('admin').getUsers())"
-  register: users_list
+    mongosh "mongodb://localhost:27017/admin" --quiet --eval "EJSON.stringify(db.system.users.find().toArray())"
+  register: user_list
 
-- name: Display contents of users_list
+- name: Display contents of user_list
   debug:
-    msg: "{{ users_list.stdout }}"
+    msg: "{{ user_list.stdout }}"
 
 - name: Get MongoDB version
   ansible.builtin.command: |

diff --git a/spec/mongo-inspec-profile/controls/SV-252140.rb b/spec/mongo-inspec-profile/controls/SV-252140.rb
@@ -67,7 +67,7 @@
 
   get_system_users = "EJSON.stringify(db.system.users.find().toArray())"
 
-  run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
+  run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
 
   system_users = json({command: run_get_system_users}).params
 
@@ -80,7 +80,7 @@
       db_roles = user_roles.map { |role| "#{db_name}.#{role}" }
 
       user_roles.each do |role|
-        run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\""
+        run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\""
 
         role_output = json({command: run_get_role}).params
 

diff --git a/spec/mongo-inspec-profile/controls/SV-252155.rb b/spec/mongo-inspec-profile/controls/SV-252155.rb
@@ -46,7 +46,7 @@
 
   get_system_users = "EJSON.stringify(db.system.users.find().toArray())"
 
-  run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
+  run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
 
   system_users = json({command: run_get_system_users}).params
 

diff --git a/spec/mongo-inspec-profile/controls/SV-252157.rb b/spec/mongo-inspec-profile/controls/SV-252157.rb
@@ -53,7 +53,7 @@
 
   get_system_users = "EJSON.stringify(db.system.users.find().toArray())"
 
-  run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
+  run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
 
   system_users = json({command: run_get_system_users}).params
 

diff --git a/spec/mongo-inspec-profile/controls/SV-252163.rb b/spec/mongo-inspec-profile/controls/SV-252163.rb
@@ -65,7 +65,7 @@
 
   get_system_users = "EJSON.stringify(db.system.users.find().toArray())"
 
-  run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
+  run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
 
   system_users = json({command: run_get_system_users}).params
 
@@ -78,7 +78,7 @@
       db_roles = user_roles.map { |role| "#{db_name}.#{role}" }
 
       user_roles.each do |role|
-        run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\""
+        run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\""
 
         role_output = json({command: run_get_role}).params
 

diff --git a/spec/mongo-inspec-profile/controls/SV-252174.rb b/spec/mongo-inspec-profile/controls/SV-252174.rb
@@ -66,7 +66,7 @@
 
   get_system_users = "EJSON.stringify(db.system.users.find().toArray())"
 
-  run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
+  run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\""
 
   system_users = json({command: run_get_system_users}).params
 
@@ -79,7 +79,7 @@
       db_roles = user_roles.map { |role| "#{db_name}.#{role}" }
 
       user_roles.each do |role|
-        run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\""
+        run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\""
 
         role_output = json({command: run_get_role}).params
 

diff --git a/spec/mongo-inspec-profile/controls/SV-252181.rb b/spec/mongo-inspec-profile/controls/SV-252181.rb
@@ -61,4 +61,9 @@
   tag 'documentable'
   tag cci: ['CCI-002754']
   tag nist: ['SI-10 (3)']
+
+  describe 'When invalid inputs are received, MongoDB must behave in a predictable and documented manner that reflects organizational and system objectives.' do
+    skip 'For all collections information received, check if the options sub-document contains a validator. If the options sub-document does not contain a validator, this is a finding.'
+  end
+
 end
diff --git a/spec/mongo-inspec-profile/inputs_template.yml b/spec/mongo-inspec-profile/inputs_template.yml
@@ -3,3 +3,6 @@ mongo_dba: "admin"
 mongo_dba_password: "admin"
 mongo_host: "localhost"
 mongo_port: "27017"
+mongo_auth_source: "admin"
+ca_file: "/etc/ssl/CA_bundle.pem"
+certificate_key_file: "/etc/ssl/mongodb.pem"
diff --git a/spec/mongo-inspec-profile/inspec.yml b/spec/mongo-inspec-profile/inspec.yml
@@ -66,7 +66,7 @@ inputs:
     sensitive: true
 
   # SV-252155, SV-252174
-  - name: auth_source
+  - name: mongo_auth_source
     description: "The database used to authorize users"
     type: string
     required: true
@@ -93,7 +93,7 @@ inputs:
     required: true
     sensitive: true
 
-  # SV-252154, SV-252155
+  # SV-252154, SV-252155, SV-252157
   - name: mongo_superusers
     description: "Authorized superuser accounts"
     type: array
@@ -102,7 +102,7 @@ inputs:
     required: true
     sensitive: true
 
-  # SV-252154, SV-252155
+  # SV-252154, SV-252155, SV-252157
   - name: mongo_users
     description: "Authorized user accounts in the format of database.user"
     type: array