trying mongoshell inspec checks

mitre · Feb 28, 2024 · 2278cc9 · 2278cc9
1 parent 15af546
commit 2278cc9
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 2 deletions.
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat1.yml b/spec/ansible/roles/mongo-stig/tasks/cat1.yml
@@ -92,16 +92,18 @@
 #     - high
 #     - SV-252159
 
+##### CHANGES TO ENTERPRISE WITH GSSAPI AND PLAIN
 - name: "HIGH | SV-252159 | If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords."
   yedit:
       src: "{{ mongod_config_path }}"
       key: setParameter.authenticationMechanisms
-      value: SCRAM-SHA-256
+      value: SCRAM-SHA-256,SCRAM-SHA-1,MONGODB-X509,GSSAPI,PLAIN
   ignore_errors: true
   tags:
     - cat1
     - high
     - SV-252159
+    - enterprise
 
 ##### FILES DONT EXIST check text conflict with 252136? 
 # - name: "HIGH | SV-252160 | MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB."

diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -364,6 +364,7 @@
 #     - cat2
 #     - medium
 #     - SV-252173
+#     - enterprise
 
 # - name: "MEDIUM | SV-252174 | MongoDB must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status."
 #   command: true

diff --git a/spec/mongo-inspec-profile/controls/SV-252154.rb b/spec/mongo-inspec-profile/controls/SV-252154.rb
@@ -31,4 +31,13 @@
   tag 'documentable'
   tag cci: ['CCI-001499']
   tag nist: ['CM-5 (6)']
-end
+
+  #the beginning of something great
+  db_name = 'database'
+  command_string = "mongosh #{db_name} --quiet --eval 'db.getUsers()'"
+
+  describe command(command_string) do
+    its('stdout') { should include 'dbOwner' }
+  end
+
+end
diff --git a/spec/mongo-inspec-profile/controls/SV-252175.rb b/spec/mongo-inspec-profile/controls/SV-252175.rb
@@ -74,4 +74,15 @@
   tag 'documentable'
   tag cci: ['CCI-001813']
   tag nist: ['CM-5 (1) (a)']
+
+  # Create user
+  describe command(inspec.profile.file('/scripts/SV-252175-1.sh')) do
+    its('stderr') { should eq '' }
+  end
+
+  # Write operation
+  describe command(inspec.profile.file('/scripts/SV-252175-2.sh')) do
+    its('stderr') { should eq '' }
+  end
+
 end
diff --git a/spec/mongo-inspec-profile/scripts/SV-252175-1.sh b/spec/mongo-inspec-profile/scripts/SV-252175-1.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Replace the placeholders with your actual MongoDB connection details and credentials
+MONGO_HOST="localhost"
+MONGO_PORT="27017"
+#need these for later?
+ADMIN_USER="admin"
+ADMIN_PWD="admin"
+
+# MongoDB command to create a read-only user
+CREATE_USER_COMMAND="db.createUser({user: 'myTester', pwd: 'password', roles: [{role: 'read', db: 'test'}]})"
+
+mongosh --host $MONGO_HOST --port $MONGO_PORT --eval "use test; $CREATE_USER_COMMAND"
+
+#mongosh --eval "use test; db.createUser({user: 'myTester', pwd: 'password', roles: [{role: 'read', db: 'test'}]})"
diff --git a/spec/mongo-inspec-profile/scripts/SV-252175-2.sh b/spec/mongo-inspec-profile/scripts/SV-252175-2.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Replace the placeholders with your actual MongoDB connection details
+MONGO_HOST="localhost"
+MONGO_PORT="27017"
+USER="myTester"
+PWD="password"
+
+# MongoDB command to attempt a write operation
+WRITE_COMMAND="db.testCollection.insert({x: 1})"
+
+# Attempt the write operation and capture the output
+mongosh --host $MONGO_HOST --port $MONGO_PORT -u $USER -p $PWD --eval "use test; $WRITE_COMMAND"
+
+#mongosh -u "myTester" -p "password" --authenticationMechanism SCRAM-SHA-256 --eval "use test; db.testCollection.insert({x: 1})"