From a2c3c0240ddb79a2c5e8260a7d8e25a6a2c344d2 Mon Sep 17 00:00:00 2001
From: seanlongcc
Date: Thu, 22 Feb 2024 13:18:06 -0500
Subject: [PATCH] variable inspec paths

---
 .../roles/mongo-stig/defaults/main.yml | 2 +-
 spec/ansible/roles/mongo-stig/tasks/cat2.yml | 2 +
 .../controls/SV-252134.rb | 4 +-
 .../controls/SV-252139.rb | 6 +--
 .../controls/SV-252141.rb | 2 +-
 .../controls/SV-252143.rb | 2 +-
 .../controls/SV-252144.rb | 9 ++--
 .../controls/SV-252145.rb | 2 +-
 .../controls/SV-252146.rb | 2 +-
 .../controls/SV-252149.rb | 2 +-
 .../controls/SV-252150.rb | 4 +-
 .../controls/SV-252151.rb | 4 +-
 .../controls/SV-252158.rb | 6 +--
 .../controls/SV-252159.rb | 2 +-
 .../controls/SV-252161.rb | 5 ++
 .../controls/SV-252162.rb | 6 +--
 .../controls/SV-252184.rb | 6 +--
 spec/mongo-inspec-profile/inspec.yml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 18 files changed, 86 insertions(+), 31 deletions(-)

diff --git a/spec/ansible/roles/mongo-stig/defaults/main.yml b/spec/ansible/roles/mongo-stig/defaults/main.yml
index 6eadc9f..2fdd1b0 100644
--- a/spec/ansible/roles/mongo-stig/defaults/main.yml
+++ b/spec/ansible/roles/mongo-stig/defaults/main.yml
@@ -8,7 +8,7 @@ mongo_user: root
 mongo_group: root
 mongod_config_path: "/etc/mongod.conf"
 mongo_audit_directory_path: "/var/log/mongodb/audit"
-mongo_audit_file_path: "/var/log/mongodb/audit/auditlog.bson"
+mongo_audit_file_path: "/var/log/mongodb/audit/auditLog.bson"
 certificate_key_file_path: "/etc/ssl/mongodb.pem"
 ca_file_path: "/etc/ssl/caToValidateClientCertificates.pem"
 data_file_directory_path: "/var/lib/mongo"
diff --git a/spec/ansible/roles/mongo-stig/tasks/cat2.yml b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
index 7909e4b..288a03f 100644
--- a/spec/ansible/roles/mongo-stig/tasks/cat2.yml
+++ b/spec/ansible/roles/mongo-stig/tasks/cat2.yml
@@ -226,6 +226,8 @@
 # - medium
 # - SV-252157
+
+##### manual??? this one is manual is postgres, but its also less specific
 # - name: "MEDIUM | SV-252161 | MongoDB must map the PKI-authenticated identity to an associated user account."
 # command: true
 # ignore_errors: true
diff --git a/spec/mongo-inspec-profile/controls/SV-252134.rb b/spec/mongo-inspec-profile/controls/SV-252134.rb
index a3372e3..3424d24 100644
--- a/spec/mongo-inspec-profile/controls/SV-252134.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252134.rb
@@ -78,10 +78,10 @@
 tag nist: ['AU-3 a', 'AU-3 b', 'AU-3 c', 'AU-3 d', 'AU-3 e', 'AU-3 (1)', 'AU-5 b', 'AU-10', 'AU-12 b', 'AU-12 c', 'AU-14 (1)', 'AU-3 f', 'CM-5 (1)', 'AU-3 (2)', 'AU-4 (1)', 'AU-5 (2)']
- describe yaml('/etc/mongod.conf') do
+ describe yaml(input('mongod_config_path')) do
 its(['auditLog','destination']){should eq "file"}
 its(['auditLog','format']){should eq "BSON"}
- its(['auditLog','path']){should eq "/var/log/mongodb/audit/auditLog.bson"}
+ its(['auditLog','path']){should match input('mongo_audit_file_path')}
 end
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252139.rb b/spec/mongo-inspec-profile/controls/SV-252139.rb
index 82f49a2..3f91b18 100644
--- a/spec/mongo-inspec-profile/controls/SV-252139.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252139.rb
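Review bot: The added `##### manual??? this one is manual is postgres, but its also less specific` line records an open question rather than a decision, and the task under it stays commented out with no pointer to where the check is actually performed. The companion InSpec control SV-252161 in this same patch is implemented as a skipped manual review, so the comment should state that and be phrased as a resolvable TODO, e.g. `# TODO(SV-252161): no automated remediation; PKI identity-to-user mapping is verified manually (see inspec control SV-252161).` The commented-out task continues past the end of the hunk.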
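Review bot: `its(['auditLog','path']){should match input('mongo_audit_file_path')}` weakens the check it replaces: RSpec's `match` compiles a String expectation into an unanchored Regexp, so the `.` in `auditLog.bson` becomes a wildcard and any path that merely contains the expected value (an extra prefix directory, for instance) passes. The old line used `should eq` against a literal; keep the exact comparison with the input, `its(['auditLog','path']){should eq input('mongo_audit_file_path')}`, or `should cmp input(...)` if case/whitespace tolerance is intended. If the switch to `match` was motivated by the earlier `auditlog`/`auditLog` case mismatch, note that this patch also corrects the Ansible default, so an exact comparison should now succeed.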
@@ -56,10 +56,10 @@
 tag cci: ['CCI-000197', 'CCI-000185']
 tag nist: ['IA-5 (1) (c)', 'IA-5 (2) (b) (1)']
- describe yaml('/etc/mongod.conf') do
+ describe yaml(input('mongod_config_path')) do
 its(['net','tls','mode']){should eq "requireTLS"}
- its(['net','tls','certificateKeyFile']){should eq "/etc/ssl/mongodb.pem"}
- its(['net','tls','CAFile']){should eq "/etc/ssl/caToValidateClientCertificates.pem"}
+ its(['net','tls','certificateKeyFile']){should match input('certificate_key_file_path')}
+ its(['net','tls','CAFile']){should match input('ca_file_path')}
 its(['net','tls','allowInvalidCertificates']){should eq false}
 its(['net','tls','allowConnectionsWithoutCertificates']){should eq false}
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252141.rb b/spec/mongo-inspec-profile/controls/SV-252141.rb
index c3819aa..12eef25 100644
--- a/spec/mongo-inspec-profile/controls/SV-252141.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252141.rb
@@ -47,7 +47,7 @@
 tag cci: ['CCI-001190', 'CCI-001665']
 tag nist: ['SC-24', 'SC-24']
- describe yaml('/etc/mongod.conf') do
+ describe yaml(input('mongod_config_path')) do
 its(['storage','journal','enabled']){should eq true}
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252143.rb b/spec/mongo-inspec-profile/controls/SV-252143.rb
index 49a90d7..8890c0f 100644
--- a/spec/mongo-inspec-profile/controls/SV-252143.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252143.rb
@@ -33,7 +33,7 @@
 tag cci: ['CCI-001310']
 tag nist: ['SI-10']
- describe yaml('/etc/mongod.conf') do
+ describe yaml(input('mongod_config_path')) do
 its(['security','javascriptEnabled']){should eq false}
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252144.rb b/spec/mongo-inspec-profile/controls/SV-252144.rb
index 3d50a61..7e53cd6 100644
--- a/spec/mongo-inspec-profile/controls/SV-252144.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252144.rb
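Review bot: The two new `should match input(...)` lines for `certificateKeyFile` and `CAFile` turn exact path checks into unanchored regex matches (the input String is compiled to a Regexp, so `.` is a wildcard and a substring hit passes); a server pointing at a different key or CA bundle whose path merely contains the expected string would be reported compliant for a TLS/PKI control. Use `its(['net','tls','certificateKeyFile']){should eq input('certificate_key_file_path')}` and `its(['net','tls','CAFile']){should eq input('ca_file_path')}` to keep the strict comparison the removed literals had. If pattern matching is really wanted, build it as `Regexp.new("\\A#{Regexp.escape(input('ca_file_path'))}\\z")` so the input is escaped and anchored.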
@@ -125,10 +125,9 @@
 #not sure what goes here for this one
- describe 'Review the organizational or site-specific security labeling documentation to understand how documents in specific MongoDB collection(s) must be marked. This marking process should be applied as data is entered into the database.' do
- skip 'If security labeling is not required, this is not a finding. If security labeling is required, then there must be organizational or site-specific documentation on what the security labeling policy is and guidance on how and where to apply it.'
+ describe 'Review the organizational or site-specific security labeling documentation to understand how documents in specific MongoDB collection(s) must be marked.This marking process should be applied as data is entered into the database.' do
+ skip 'If security labeling is not required, this is not a finding.'
+ skip 'If security labeling is required, then there must be organizational or site-specific documentation on what the security labeling policy is and guidance on how and where to apply it.'
 end
-end
+end
diff --git a/spec/mongo-inspec-profile/controls/SV-252145.rb b/spec/mongo-inspec-profile/controls/SV-252145.rb
index 908c260..54e3a4d 100644
--- a/spec/mongo-inspec-profile/controls/SV-252145.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252145.rb
@@ -55,7 +55,7 @@
 tag cci: ['CCI-002165', 'CCI-002235']
 tag nist: ['AC-3 (4)', 'AC-6 (10)']
- describe yaml('/etc/mongod.conf') do
+ describe yaml(input('mongod_config_path')) do
 its(['security','authorization']){should eq "enabled"}
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252146.rb b/spec/mongo-inspec-profile/controls/SV-252146.rb
index 6172186..41bef4a 100644
--- a/spec/mongo-inspec-profile/controls/SV-252146.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252146.rb
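Review bot: The rewritten describe title on the new side runs two sentences together, `must be marked.This marking process`, where the removed two-line string had a break between them; add the space so the text reported for this control reads correctly. The `#not sure what goes here for this one` comment above the block is kept even though the block is now a deliberate manual check with two skip messages; replace it with a statement of intent such as `# Manual check: security labeling policy is organizational, so no automated test is possible.` The enclosing control block starts before the hunk.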
@@ -54,7 +54,7 @@
 tag cci: ['CCI-002450', 'CCI-000803']
 tag nist: ['SC-13 b', 'IA-7']
- describe yaml('/etc/mongod.conf') do
+ describe yaml(input('mongod_config_path')) do
 its(['net','tls','FIPSMode']){should eq true}
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252149.rb b/spec/mongo-inspec-profile/controls/SV-252149.rb
index eb96df8..d9f450a 100644
--- a/spec/mongo-inspec-profile/controls/SV-252149.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252149.rb
@@ -48,7 +48,7 @@
 tag cci: ['CCI-000015']
 tag nist: ['AC-2 (1)']
- describe yaml('/etc/mongod.conf') do
+ describe yaml(input('mongod_config_path')) do
 its(['security','authorization']){should eq "enabled"}
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252150.rb b/spec/mongo-inspec-profile/controls/SV-252150.rb
index 9084472..fe8ab58 100644
--- a/spec/mongo-inspec-profile/controls/SV-252150.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252150.rb
@@ -40,8 +40,8 @@
 tag nist: ['AC-3']
 describe 'The MongoDB administrator must ensure that additional application access control is enforced.' do
- skip 'Review the system documentation to determine the required levels of protection for MongoDB server securables by type of login. Review the permissions actually in place on the server. If the actual permissions do not match the documented requirements, this is a finding.'
+ skip 'Review the system documentation to determine the required levels of protection for MongoDB server securables by type of login.'
+ skip 'Review the permissions actually in place on the server. If the actual permissions do not match the documented requirements, this is a finding.'
 end
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252151.rb b/spec/mongo-inspec-profile/controls/SV-252151.rb
index 5e70202..2786f06 100644
--- a/spec/mongo-inspec-profile/controls/SV-252151.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252151.rb
@@ -29,8 +29,8 @@
 tag nist: ['CM-5 (6)']
 describe 'Review monitoring procedures and implementation evidence to verify monitoring of changes to database software libraries, related applications, and configuration files occurs.' do
- skip 'Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files. If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement.'
+ skip 'Implement procedures to monitor for unauthorized changes to DBMS software libraries, related software application libraries, and configuration files.'
+ skip 'If a third-party automated tool is not employed, an automated job that reports file information on the directories and files of interest and compares them to the baseline report for the same will meet the requirement.'
 end
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252158.rb b/spec/mongo-inspec-profile/controls/SV-252158.rb
index c791fc1..702d0e0 100644
--- a/spec/mongo-inspec-profile/controls/SV-252158.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252158.rb
@@ -35,9 +35,9 @@
 tag nist: ['IA-5 (1) (a)']
 describe 'Password complexity and lifetime must be enforced by an external authentication source such as LDAP, Active Directory, or Kerberos.' do
- skip 'If MongoDB is using Native LDAP authentication where the LDAP server is configured to enforce password complexity and lifetime, this is not a finding. If MongoDB is using Kerberos authentication where Kerberos is configured to enforce password complexity and lifetime, this is not a finding. If MongoDB is not configured for SCRAM-SHA1, MONGODB-CR, or LDAP authentication, this is a finding.'
+ skip 'If MongoDB is using Native LDAP authentication where the LDAP server is configured to enforce password complexity and lifetime, this is not a finding.'
+ skip 'If MongoDB is using Kerberos authentication where Kerberos is configured to enforce password complexity and lifetime, this is not a finding.'
+ skip 'If MongoDB is not configured for SCRAM-SHA1, MONGODB-CR, or LDAP authentication, this is a finding.'
 end
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252159.rb b/spec/mongo-inspec-profile/controls/SV-252159.rb
index 791b683..7f9f97a 100644
--- a/spec/mongo-inspec-profile/controls/SV-252159.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252159.rb
@@ -64,7 +64,7 @@
 tag nist: ['IA-5 (1) (c)']
 #authSchemaUpgrade command doesn't exist anymore since version 4, so part 2 is not doable
- describe yaml('/etc/mongod.conf') do
+ describe yaml(input('mongod_config_path')) do
 its(['setParameter','authenticationMechanisms']){should be_in ['SCRAM-SHA-1', 'SCRAM-SHA-256', 'MONGODB-X509', 'GSSAPI', 'PLAIN']}
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252161.rb b/spec/mongo-inspec-profile/controls/SV-252161.rb
index 1794b9b..399356a 100644
--- a/spec/mongo-inspec-profile/controls/SV-252161.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252161.rb
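Review bot: In the SV-252159 hunk the unchanged context line `its(['setParameter','authenticationMechanisms']){should be_in [...]}` compares the whole configured value with the allow-list, so a setting that enables several mechanisms as one comma-separated string (e.g. `SCRAM-SHA-256,MONGODB-X509`, which is how I understand mongod expresses multiple mechanisms) fails even though every element is permitted; the commit parameterizes the config path but leaves this as it was. Consider checking each element instead, e.g. `its(['setParameter','authenticationMechanisms']){should satisfy { |v| v.to_s.split(',').all? { |m| %w[SCRAM-SHA-1 SCRAM-SHA-256 MONGODB-X509 GSSAPI PLAIN].include?(m.strip) } }}`. It is also worth a comment on why `PLAIN` (password sent in clear inside the TLS channel) is acceptable in the allow-list for this control, since a reader may assume it should be rejected.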
@@ -86,4 +86,9 @@
 tag 'documentable'
 tag cci: ['CCI-000187']
 tag nist: ['IA-5 (2) (a) (2)']
+
+ describe 'Each unique x.509 client certificate corresponds to a single MongoDB user; meaning it cannot use a single-client certificate to authenticate more than one MongoDB user.' do
+ skip 'If using LDAP for authentication, this is not applicable.'
+ skip 'If the authenticated MongoDB user displayed does not have a user value equal to the x.509 certs Subject Name, this is a finding.'
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252162.rb b/spec/mongo-inspec-profile/controls/SV-252162.rb
index 4375068..d2eb2f2 100644
--- a/spec/mongo-inspec-profile/controls/SV-252162.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252162.rb
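Review bot: The new describe block makes SV-252161 an always-skipped manual control, and its first skip, `If using LDAP for authentication, this is not applicable.`, is a condition the profile could evaluate rather than an instruction to the assessor. SV-252159 in this same patch already reads `setParameter.authenticationMechanisms` from `input('mongod_config_path')`, so an `only_if` on that value (if LDAP shows up there as `PLAIN`, as I believe it does) would let this control report N/A automatically and keep the skip for the genuinely manual x.509 Subject-to-user comparison. The second skip refers to "the authenticated MongoDB user displayed" but the control never displays anything; the message should name the command the assessor runs to obtain it. The title would also read better as `a single client certificate cannot be used to authenticate more than one MongoDB user`.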
@@ -39,10 +39,8 @@
 tag nist: ['IA-6']
 describe 'To prevent the compromise of authentication information such as passwords and PINs during the authentication process, the feedback from the system must not provide any information that would allow an unauthorized user to compromise the authentication mechanism.' do
- skip 'For the MongoDB command-line tools mongo shell, mongodump, mongorestore, mongoimport, mongoexport, which cannot be configured not to obfuscate a plain-text password, and any other essential tool with the same limitation; verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations and that AO approval has been obtained. If it is not documented, this is a finding. Request evidence that all users of MongoDB command-line tools are trained in the use of the -p option/plain-text password option and how to keep the password protected from unauthorized viewing/capture, and that they adhere to this practice. If evidence of training does not exist, this is a finding.'
+ skip 'For the MongoDB command-line tools mongo shell, mongodump, mongorestore, mongoimport, mongoexport, which cannot be configured not to obfuscate a plain-text password, and any other essential tool with the same limitation; verify that the system documentation explains the need for the tool, who uses it, and any relevant mitigations and that AO approval has been obtained. If it is not documented, this is a finding.'
+ skip 'Request evidence that all users of MongoDB command-line tools are trained in the use of the -p option/plain-text password option and how to keep the password protected from unauthorized viewing/capture, and that they adhere to this practice. If evidence of training does not exist, this is a finding.'
 end
 end
diff --git a/spec/mongo-inspec-profile/controls/SV-252184.rb b/spec/mongo-inspec-profile/controls/SV-252184.rb
index 58d5244..ba360b7 100644
--- a/spec/mongo-inspec-profile/controls/SV-252184.rb
+++ b/spec/mongo-inspec-profile/controls/SV-252184.rb
@@ -34,9 +34,9 @@
 describe 'Review the system documentation and interview the database administrator. Identify all database software components. Review the version and release information.' do
- skip 'If the DBMS or any of the software components are not supported by MongoDB, this is a finding. Remove or decommission all unsupported software products. Upgrade unsupported DBMS or unsupported components to a supported version of the product.'
+ skip 'If the DBMS or any of the software components are not supported by MongoDB, this is a finding.'
+ skip 'Remove or decommission all unsupported software products.'
+ skip 'Upgrade unsupported DBMS or unsupported components to a supported version of the product.'
 end
 end
diff --git a/spec/mongo-inspec-profile/inspec.yml b/spec/mongo-inspec-profile/inspec.yml
index 9d30d5b..51c01e2 100644
--- a/spec/mongo-inspec-profile/inspec.yml
+++ b/spec/mongo-inspec-profile/inspec.yml
@@ -10,3 +10,54 @@ version: 1.0.0
 supports: []
 depends: []
 inspec_version: null
+
+inputs:
+ - name: mongo_user
+ description: "The system user of the mongod process"
+ type: string
+ value: "root"
+ required: true
+ sensitive: true
+
+ - name: mongo_group
+ description: "The system group of the mongod process"
+ type: string
+ value: "root"
+ required: true
+ sensitive: true
+
+ - name: mongod_config_path
+ description: "The path to the mongod configuration file"
+ type: string
+ value: "/etc/mongod.conf"
+ required: true
+
+ - name: mongo_audit_directory_path
+ description: "The path to the mongo audit directory"
+ type: string
+ value: "/var/log/mongodb/audit"
+ required: true
+
+ - name: mongo_audit_file_path
+ description: "The path to the mongo audit file"
+ type: string
+ value: "/var/log/mongodb/audit/auditLog.bson"
+ required: true
+
+ - name: certificate_key_file_path
+ description: "The path to the mongo certificate key"
+ type: string
+ value: "/etc/ssl/mongodb.pem"
+ required: true
+
+ - name: ca_file_path
+ description: "The path to the mongo CA file"
+ type: string
+ value: "/etc/ssl/caToValidateClientCertificates.pem"
+ required: true
+
+ - name: data_file_directory_path
+ description: "The path to the mongo data file directory"
+ type: string
+ value: "/var/lib/mongo"
+ required: true
\ No newline at end of file
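Review bot: `mongo_user` and `mongo_group` are declared `sensitive: true`, but they hold the OS account and group names of the mongod process rather than credentials; InSpec's sensitive flag only redacts the value from reports, which hides exactly what an assessor needs to see if an ownership check built on these inputs fails. Drop `sensitive: true` from both entries and reserve it for inputs that carry secrets. Separately, defaulting both to `value: "root"` means a run with no overrides treats a root-owned mongod as the expected state; if these inputs feed file-ownership checks elsewhere in the profile, the service account the Ansible role installs (presumably an unprivileged `mongod` user — confirm against the role) is the safer default, with `root` left as an explicit override. The file also ends without a trailing newline (`\ No newline at end of file`).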