fixed 154, almost complete 174

mitre · Apr 15, 2024 · b129c95 · b129c95
1 parent 701677a
commit b129c95
Show file tree

Hide file tree

Showing 7 changed files with 123 additions and 41 deletions.
diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 prep_conf: true
-fips_mode: true
+fips_mode: false
 mongostig_cat1: true
 mongostig_cat2: true
 mongostig_cat3: true 

diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
@@ -1,24 +1,24 @@
 ---
-- name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords."
-  yedit:
-    src: "{{ mongod_config_path }}"
-    edits:
-    - key: net.tls.mode
-      value: requireTLS
-    - key: net.tls.certificateKeyFile
-      value: "{{ certificate_key_file_dest }}"
-    - key: net.tls.CAFile
-      value: "{{ ca_file_dest }}"
-    - key: net.tls.allowInvalidCertificates
-      value: false
-    - key: net.tls.allowConnectionsWithoutCertificates
-      value: false
-  ignore_errors: true
-  tags:
-    - cat1
-    - high
-    - SV-252139
-    - enterprise
+# - name: "HIGH | SV-252139 | If passwords are used for authentication, MongoDB must transmit only encrypted representations of passwords."
+#   yedit:
+#     src: "{{ mongod_config_path }}"
+#     edits:
+#     - key: net.tls.mode
+#       value: requireTLS
+#     - key: net.tls.certificateKeyFile
+#       value: "{{ certificate_key_file_dest }}"
+#     - key: net.tls.CAFile
+#       value: "{{ ca_file_dest }}"
+#     - key: net.tls.allowInvalidCertificates
+#       value: false
+#     - key: net.tls.allowConnectionsWithoutCertificates
+#       value: false
+#   ignore_errors: true
+#   tags:
+#     - cat1
+#     - high
+#     - SV-252139
+#     - enterprise
 
 # - name: "HIGH | SV-252146 | MongoDB must use NIST FIPS 140-2 or 140-3 validated cryptographic modules for cryptographic operations."
 #   yedit:

diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -277,17 +277,17 @@
 #     - medium
 #     - SV-252163
 
-- name: "MEDIUM | SV-252164 | MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values."
-  yedit:
-    src: "{{ mongod_config_path }}"
-    key: net.tls.mode
-    value: requireTLS
-  ignore_errors: true
-  tags:
-    - cat2
-    - medium
-    - SV-252164
-    - enterprise
+# - name: "MEDIUM | SV-252164 | MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values."
+#   yedit:
+#     src: "{{ mongod_config_path }}"
+#     key: net.tls.mode
+#     value: requireTLS
+#   ignore_errors: true
+#   tags:
+#     - cat2
+#     - medium
+#     - SV-252164
+#     - enterprise
 
 ##### MANUAL
 # - name: "MEDIUM | SV-252166 | Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy."

diff --git a/spec/mongo-inspec-profile/controls/SV-252154.rb b/spec/mongo-inspec-profile/controls/SV-252154.rb
@@ -32,26 +32,33 @@
   tag cci: ['CCI-001499']
   tag nist: ['CM-5 (6)']
 
-  check_command = "EJSON.stringify(db.getUsers())"
+  get_users = "EJSON.stringify(db.getUsers())"
 
-  input('mongo_dbs').each do |db_name|
-    run_check_command = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=admin --quiet --eval \"#{check_command}\""
+  get_dbs = "EJSON.stringify(db.adminCommand('listDatabases'))"
+
+  run_get_dbs = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}?authSource=admin --quiet --eval \"#{get_dbs}\""
+
+  dbs_output = json({command: run_get_dbs}).params
+
+  # extract just the names of the databases
+  db_names = dbs_output["databases"].map { |db| db["name"] }
+
+  db_names.each do |db_name|
+    run_get_users = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=admin --quiet --eval \"#{get_users}\""
 
     # run the command and parse the output as json
-    users_output = json({command: run_check_command}).params
+    users_output = json({command: run_get_users}).params
 
     users_output['users'].each do |user|
       # check if user is not a superuser
       unless input('mongo_superusers').include?(user['user'])
         # check each users role
-        describe "User #{user['_id']} in database #{db_name}" do
-          #collect all roles for user
+        describe "User roles of #{user['_id']}" do
+          # collect all roles for user
           subject { user['roles'].map { |role| role['role'] } }
           it { should_not include 'dbOwner' }
         end
       end
     end
   end
-
-
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252155.rb b/spec/mongo-inspec-profile/controls/SV-252155.rb
@@ -43,4 +43,35 @@
   tag 'documentable'
   tag cci: ['CCI-001499']
   tag nist: ['CM-5 (6)']
+
+  get_roles = "EJSON.stringify(db.getRoles({rolesInfo: 1, showPrivileges:true, showBuiltinRoles: true}))"
+
+  get_dbs = "EJSON.stringify(db.adminCommand('listDatabases'))"
+
+  run_get_dbs = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}?authSource=admin --quiet --eval \"#{get_dbs}\""
+
+  dbs_output = json({command: run_get_dbs}).params
+
+  # extract just the names of the databases
+  db_names = dbs_output["databases"].map { |db| db["name"] }
+
+  db_names.each do |db_name|
+    run_get_roles = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=admin --quiet --eval \"#{get_roles}\""
+
+    # run the command and parse the output as json
+    roles_output = json({command: run_get_roles}).params
+
+    # run_get_roles['users'].each do |user|
+    #   # check if user is not a superuser
+    #   unless input('mongo_superusers').include?(user['user'])
+    #     # check each users role
+    #     describe "User #{user['_id']} in database #{db_name}" do
+    #       # collect all roles for user
+    #       subject { user['roles'].map { |role| role['role'] } }
+    #       it { should_not include 'dbOwner' }
+    #     end
+    #   end
+    # end
+  end
+
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252159.rb b/spec/mongo-inspec-profile/controls/SV-252159.rb
@@ -68,7 +68,7 @@
 
   describe "MongoDB authenticaion mechanisms" do
     subject {auth_mechanisms}
-    it {should be_in ['SCRAM-SHA-1', 'SCRAM-SHA-256', 'MONGODB-X509', 'GSSAPI', 'PLAIN','MONGODB-AWS',]}
+    it {should be_in ['SCRAM-SHA-1', 'SCRAM-SHA-256', 'MONGODB-X509', 'GSSAPI', 'PLAIN','MONGODB-AWS']}
   end
 
   check_command = "db.getSiblingDB('admin').system.version.find({ '_id' : 'authSchema'}, {_id: 0})"

diff --git a/spec/mongo-inspec-profile/controls/SV-252174.rb b/spec/mongo-inspec-profile/controls/SV-252174.rb
@@ -64,4 +64,48 @@
   tag cci: ['CCI-001812']
   tag nist: ['CM-11 (2)']
 
+  get_users = "EJSON.stringify(db.getUsers())"
+
+  get_dbs = "EJSON.stringify(db.adminCommand('listDatabases'))"
+
+  run_get_dbs = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}?authSource=admin --quiet --eval \"#{get_dbs}\""
+
+  dbs_output = json({command: run_get_dbs}).params
+
+  # extract just the names of the databases
+  db_names = dbs_output["databases"].map { |db| db["name"] }
+
+  db_names.each do |db_name|
+    run_get_users = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=admin --quiet --eval \"#{get_users}\""
+
+    # run the command and parse the output as json
+    users_output = json({command: run_get_users}).params
+
+    users_output['users'].each do |user|
+      # check if user is not a superuser
+      unless input('mongo_superusers').include?(user['user'])
+        # collect all roles for user and wrap in single quotes
+        user_roles = user['roles'].map { |role| "'#{role['role']}'" }
+
+        user_roles.each do |role|
+          run_get_role = "mongosh mongodb://#{input('mongo_dba')}:#{input('mongo_dba_password')}@#{input('mongo_host')}:#{input('mongo_port')}/#{db_name}?authSource=admin --quiet --eval \"EJSON.stringify(db.getRole(#{role}, {showPrivileges: true}))\""
+          role_output = json({command: run_get_role}).params
+          all_actions = role_output["privileges"].map { |privilege| privilege["actions"] } +
+              role_output["inheritedPrivileges"].map { |privilege| privilege["actions"] }
+          all_actions.flatten!
+
+          p "user", user
+          p "role", role
+          p all_actions
+          p '---------------------------------------------------------------------------------------------------'
+
+          describe "Role #{role} of user #{user['_id']} does not have privileges for 'createCollection' and 'changeStream', and" do
+            subject { all_actions }
+            it { should_not be_in ["createCollection", "changeStream"] }
+          end
+        end
+      end
+    end
+  end
+
 end