From 6fd3357c646d5c752dc2e4fe34ba5007ed883dc7 Mon Sep 17 00:00:00 2001 From: seanlongcc Date: Mon, 29 Apr 2024 15:48:43 -0400 Subject: [PATCH] update 181, update variable names, 157 testing --- .../roles/mongo-stig/defaults/main.yml | 7 ++- spec/ansible/roles/mongo-stig/tasks/cat1.yml | 62 +++++++++++++++++++ spec/ansible/roles/mongo-stig/tasks/prep.yml | 8 +-- .../controls/SV-252140.rb | 4 +- .../controls/SV-252155.rb | 2 +- .../controls/SV-252157.rb | 2 +- .../controls/SV-252163.rb | 4 +- .../controls/SV-252174.rb | 4 +- .../controls/SV-252181.rb | 5 ++ spec/mongo-inspec-profile/inputs_template.yml | 3 + spec/mongo-inspec-profile/inspec.yml | 6 +- 11 files changed, 91 insertions(+), 16 deletions(-) diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml index 8cdb9d7..fc8ca74 100644 --- a/spec/ansible/roles/mongo-stig/defaults/main.yml +++ b/spec/ansible/roles/mongo-stig/defaults/main.yml @@ -4,7 +4,7 @@ enterprise_edition: true fips_mode: true mongostig_cat1: true mongostig_cat2: true -# If any data is PII, classified or is deemed by the organization the need to be encrypted at rest. For KMIP. +# If any data is PII, classified or is deemed by the organization the need to be encrypted at rest. Set to true if using KMIP. encryption_at_rest: false mongo_owner: root @@ -13,7 +13,12 @@ mongo_dba: admin mongo_dba_password: admin mongo_host: localhost mongo_port: 27017 +mongo_auth_source: admin mongo_permissions: 0600 +mongo_users: + - "admin.admin" + - "test.myTester" + - "products.myRoleTestUser" authentication_mechanism: - SCRAM-SHA-256 diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml index 4d2f473..043dcf4 100644 --- a/spec/ansible/roles/mongo-stig/tasks/cat1.yml +++ b/spec/ansible/roles/mongo-stig/tasks/cat1.yml 
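Review bot: The new `mongo_users` default ships test accounts (`test.myTester`, `products.myRoleTestUser`) next to `admin.admin`, and since this list is what the role's SV-252157 task and the profile's `mongo_users` input treat as the authorized-account allowlist, a deployment that does not override the role defaults will treat those test accounts as sanctioned. A default for an allowlist should be empty so the operator has to supply the real list: `mongo_users: []` with a comment such as `# Authorized accounts as database.user; override per deployment`. The hard-coded `admin`/`admin` DBA credentials just above are existing context rather than part of this change, but together with the new `mongo_auth_source: admin` they read as a working default and deserve the same treatment.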
@@ -1,4 +1,66 @@ --- +- name: "MEDIUM | SV-252157 | MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users)." + block: + - name: "MEDIUM | SV-252157 | Enable authorization in MongoDB configuration" + yedit: + src: "{{ mongod_config_path }}" + key: security.authorization + value: enabled + + - name: Extract _id fields from MongoDB user data + set_fact: + user_ids: "{{ user_ids | default([]) + [item._id] }}" + loop: "{{ user_list.stdout }}" + + - name: Display all _id fields + debug: + var: user_ids + + - name: Filter out users not in mongo_users + set_fact: + non_mongo_users: "{{ non_mongo_users | default([]) + [item] }}" + loop: "{{ user_ids }}" + when: item not in mongo_users + + - name: Display all non_mongo_users fields + debug: + var: non_mongo_users + + + ignore_errors: false + tags: + - cat2 + - medium + - SV-252157 + +# - name: "MEDIUM | SV-252157 | MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users)." +# block: +# - name: "MEDIUM | SV-252157 | Enable authorization in MongoDB configuration" +# yedit: +# src: "{{ mongod_config_path }}" +# key: security.authorization +# value: enabled + +# - name: Fetch list of databases +# community.mongodb.mongodb_shell: +# login_user: "{{ mongo_dba }}" +# login_password: "{{ mongo_dba_password }}" +# login_database: "{{ mongo_auth_source }}" +# login_host: "{{ mongo_host }}" +# login_port: "{{ mongo_port }}" +# eval: "db.adminCommand({ listDatabases: 1 })" +# register: db_list + +# - name: Display the fetched databases +# debug: +# var: db_list.transformed_output.databases + +# ignore_errors: true +# tags: +# - cat2 +# - medium +# - SV-252157 + - name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords." yedit: src: "{{ mongod_config_path }}" 
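Review bot: The SV-252157 block only reports: after `non_mongo_users` is computed the block ends with a `debug`, so accounts outside `mongo_users` never fail the play and the finding surfaces as nothing more than log output. Add an assert after the filter so an unauthorized account is a hard failure (shown below); removing accounts automatically is probably too aggressive for a remediation role, but failing is the minimum. Separately, `loop: "{{ user_list.stdout }}"` iterates a JSON string registered from `mongosh` in prep.yml, and whether Ansible coerces that string into a list depends on templating settings, so make it explicit with `loop: "{{ user_list.stdout | from_json }}"`. The task is also labelled MEDIUM and tagged `cat2` while living in cat1.yml, so either the file or the tags should change. The trailing SV-252139 task continues outside the hunk.
```yaml
    - name: Extract _id fields from MongoDB user data
      set_fact:
        user_ids: "{{ user_ids | default([]) + [item._id] }}"
      loop: "{{ user_list.stdout | from_json }}"

    # … unchanged: debug of user_ids, filter into non_mongo_users, debug of non_mongo_users …

    - name: "MEDIUM | SV-252157 | Fail when accounts outside mongo_users exist"
      ansible.builtin.assert:
        that:
          - non_mongo_users | default([]) | length == 0
        fail_msg: "Accounts not listed in mongo_users: {{ non_mongo_users | default([]) }}"
```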
diff --git a/spec/ansible/roles/mongo-stig/tasks/prep.yml b/spec/ansible/roles/mongo-stig/tasks/prep.yml index 3c74ea8..6d8f71e 100644 --- a/spec/ansible/roles/mongo-stig/tasks/prep.yml +++ b/spec/ansible/roles/mongo-stig/tasks/prep.yml @@ -40,12 +40,12 @@ - name: Get all the users in a database ansible.builtin.command: | - mongosh "mongodb://localhost:27017/test" --quiet --eval "EJSON.stringify(db.getSiblingDB('admin').getUsers())" - register: users_list + mongosh "mongodb://localhost:27017/admin" --quiet --eval "EJSON.stringify(db.system.users.find().toArray())" + register: user_list -- name: Display contents of users_list +- name: Display contents of user_list debug: - msg: "{{ users_list.stdout }}" + msg: "{{ user_list.stdout }}" - name: Get MongoDB version ansible.builtin.command: | diff --git a/spec/mongo-inspec-profile/controls/SV-252140.rb b/spec/mongo-inspec-profile/controls/SV-252140.rb index fba9d0c..df3e70a 100644 --- a/spec/mongo-inspec-profile/controls/SV-252140.rb +++ b/spec/mongo-inspec-profile/controls/SV-252140.rb @@ -67,7 +67,7 @@ get_system_users = "EJSON.stringify(db.system.users.find().toArray())" - run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\"" + run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\"" system_users = json({command: run_get_system_users}).params 
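Review bot: The new `mongosh` command in prep.yml dumps `db.system.users`, which holds each account's password-derived `credentials` (SCRAM salt and keys), and the following task then `debug`s the whole `user_list.stdout`, so every run writes that material to the console and to any log collector. Put `no_log: true` on the command task, exclude the credential fields with a projection, `db.system.users.find({}, {credentials: 0}).toArray()`, and drop the debug or restrict it to the `_id` values. The connection string is also hard-coded to `mongodb://localhost:27017/admin` with no credentials, ignoring the `mongo_host`, `mongo_port`, `mongo_dba` and new `mongo_auth_source` variables that defaults/main.yml defines; presumably this only works while authorization is still disabled, which the SV-252157 task in cat1.yml turns on.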
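Review bot: The renamed call is written `input'mongo_auth_source'` while every other input on the same line uses `input('…')`; Ruby accepts the paren-less form, but it reads like a typo and a later edit that adds a space or a second argument changes the parse, so write `authSource=#{input('mongo_auth_source')}` here and in the `run_get_role` line of the next hunk. More broadly, `mongo_dba_password` is interpolated raw into the `mongodb://` URI of a shell command: a password containing `@`, `:`, `/`, `%` or `&` corrupts the URI, and the cleartext password is visible in the process list and likely in the InSpec failure output when `json({command: …})` cannot parse the result. At minimum percent-encode the user-info with `URI.encode_www_form_component(input('mongo_dba_password'))` (stdlib `uri`); the same construction recurs in SV-252155, SV-252157, SV-252163 and SV-252174, and none of it was introduced by this commit. The enclosing control block starts outside the hunk.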
@@ -80,7 +80,7 @@ db_roles = user_roles.map { |role| "#{db_name}.#{role}" } user_roles.each do |role| - run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\"" + run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\"" role_output = json({command: run_get_role}).params diff --git a/spec/mongo-inspec-profile/controls/SV-252155.rb b/spec/mongo-inspec-profile/controls/SV-252155.rb index 85be5f3..77540c9 100644 --- a/spec/mongo-inspec-profile/controls/SV-252155.rb +++ b/spec/mongo-inspec-profile/controls/SV-252155.rb @@ -46,7 +46,7 @@ get_system_users = "EJSON.stringify(db.system.users.find().toArray())" - run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\"" + run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\"" system_users = json({command: run_get_system_users}).params 
diff --git a/spec/mongo-inspec-profile/controls/SV-252157.rb b/spec/mongo-inspec-profile/controls/SV-252157.rb index b9c7074..220b58d 100644 --- a/spec/mongo-inspec-profile/controls/SV-252157.rb +++ b/spec/mongo-inspec-profile/controls/SV-252157.rb @@ -53,7 +53,7 @@ get_system_users = "EJSON.stringify(db.system.users.find().toArray())" - run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\"" + run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\"" system_users = json({command: run_get_system_users}).params diff --git a/spec/mongo-inspec-profile/controls/SV-252163.rb b/spec/mongo-inspec-profile/controls/SV-252163.rb index fe6ada8..6de6c1c 100644 --- a/spec/mongo-inspec-profile/controls/SV-252163.rb +++ b/spec/mongo-inspec-profile/controls/SV-252163.rb 
@@ -65,7 +65,7 @@ get_system_users = "EJSON.stringify(db.system.users.find().toArray())" - run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\"" + run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\"" system_users = json({command: run_get_system_users}).params @@ -78,7 +78,7 @@ db_roles = user_roles.map { |role| "#{db_name}.#{role}" } user_roles.each do |role| - run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\"" + run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\"" role_output = json({command: run_get_role}).params diff --git a/spec/mongo-inspec-profile/controls/SV-252174.rb b/spec/mongo-inspec-profile/controls/SV-252174.rb index 75c98c1..5d60185 100644 --- a/spec/mongo-inspec-profile/controls/SV-252174.rb +++ b/spec/mongo-inspec-profile/controls/SV-252174.rb 
@@ -66,7 +66,7 @@ get_system_users = "EJSON.stringify(db.system.users.find().toArray())" - run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\"" + run_get_system_users = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/admin?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"#{get_system_users}\"" system_users = json({command: run_get_system_users}).params @@ -79,7 +79,7 @@ db_roles = user_roles.map { |role| "#{db_name}.#{role}" } user_roles.each do |role| - run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\"" + run_get_role = "mongosh \"mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=#{input'mongo_auth_source'}&tls=true&tlsCAFile=#{input('ca_file')}&tlsCertificateKeyFile=#{input('certificate_key_file')}\" --quiet --eval \"EJSON.stringify(db.getRole('#{role}', {showPrivileges: true}))\"" role_output = json({command: run_get_role}).params diff --git a/spec/mongo-inspec-profile/controls/SV-252181.rb b/spec/mongo-inspec-profile/controls/SV-252181.rb index da1c66c..fd76f81 100644 --- a/spec/mongo-inspec-profile/controls/SV-252181.rb +++ b/spec/mongo-inspec-profile/controls/SV-252181.rb 
@@ -61,4 +61,9 @@ tag 'documentable' tag cci: ['CCI-002754'] tag nist: ['SI-10 (3)'] + + describe 'When invalid inputs are received, MongoDB must behave in a predictable and documented manner that reflects organizational and system objectives.' do + skip 'For all collections information received, check if the options sub-document contains a validator. If the options sub-document does not contain a validator, this is a finding.' + end + end diff --git a/spec/mongo-inspec-profile/inputs_template.yml b/spec/mongo-inspec-profile/inputs_template.yml index 337ce62..fb29cd1 100644 --- a/spec/mongo-inspec-profile/inputs_template.yml +++ b/spec/mongo-inspec-profile/inputs_template.yml @@ -3,3 +3,6 @@ mongo_dba: "admin" mongo_dba_password: "admin" mongo_host: "localhost" mongo_port: "27017" +mongo_auth_source: "admin" +ca_file: "/etc/ssl/CA_bundle.pem" +certificate_key_file: "/etc/ssl/mongodb.pem" \ No newline at end of file diff --git a/spec/mongo-inspec-profile/inspec.yml b/spec/mongo-inspec-profile/inspec.yml index d420327..21e9fa6 100644 --- a/spec/mongo-inspec-profile/inspec.yml +++ b/spec/mongo-inspec-profile/inspec.yml @@ -66,7 +66,7 @@ inputs: sensitive: true # SV-252155, SV-252174 - - name: auth_source + - name: mongo_auth_source description: "The database used to authorize users" type: string required: true @@ -93,7 +93,7 @@ inputs: required: true sensitive: true - # SV-252154, SV-252155 + # SV-252154, SV-252155, SV-252157 - name: mongo_superusers description: "Authorized superuser accounts" type: array @@ -102,7 +102,7 @@ inputs: required: true sensitive: true - # SV-252154, SV-252155 + # SV-252154, SV-252155, SV-252157 - name: mongo_users description: "Authorized user accounts in the format of database.user" type: array
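Review bot: The added `describe` contains only a `skip`, so SV-252181 will always report as skipped and the check it describes is never run, even though the other controls in this profile already have the `mongosh --eval` plumbing needed to automate it: for each database returned by `db.adminCommand({ listDatabases: 1 })`, iterate `db.getSiblingDB(name).getCollectionInfos()` and assert that every entry's `options` has a `validator` key. If the control is meant to stay manual for now, the skip text should say so rather than restate the check procedure, e.g. `skip 'Manual review: verify that every collection defines options.validator (see the STIG check text).'`, so a report consumer can tell a deliberate manual control from an unfinished one. The `control` block this sits in begins outside the hunk.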